Large cleanup patch from Tuomo Soini

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2449 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-08-02 16:46:30 +00:00
parent 21a7315717
commit ac1983a5da
85 changed files with 1382 additions and 1138 deletions


@ -49,10 +49,11 @@
# PROTOCOL A protocol name (from /etc/protocols), a protocol
# number, or "ipp2p"
#
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
# this column must contain an ipp2p option ("iptables -m
# ipp2p --help") without the leading "--". If no option
# is given in this column, "ipp2p" is assumed.
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p"
# then this column must contain an ipp2p option
# ("iptables -m ipp2p --help") without the leading
# "--". If no option is given in this column, "ipp2p"
# is assumed.
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
@ -91,7 +92,7 @@
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#####################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT PORT GROUP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,20 +1,23 @@
#
# Shorewall 2.6 /usr/share/shorewall/action.Drop
# Shorewall version 2.6 - Drop Action
#
# /usr/share/shorewall/action.Drop
#
# The default DROP common rules
#
# This action is invoked before a DROP policy is enforced. The purpose of the action
# is:
# This action is invoked before a DROP policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
# Otherwise, you may experience problems establishing connections with
# servers that use auth.
# b) Ensure that 'auth' requests are rejected, even if the policy is
# DROP. Otherwise, you may experience problems establishing
# connections with servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
######################################################################################
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
###############################################################################
#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Reject 'auth'
@ -29,8 +32,8 @@ dropBcast
#
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log.
# Drop packets that in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid
#
@ -43,7 +46,8 @@ DropUPnP
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
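Review bot: The rewrapped comment in the second hunk still reads `# Drop packets that in the INVALID state -- these are usually ICMP packets` — the reflow moved the words but left the missing "are", and the same sentence recurs in the action.Reject section of this commit. Suggest `# Drop packets that are in the INVALID state -- these are usually ICMP packets` in both files.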


@ -1,24 +1,27 @@
#
# Shorewall 2.6 /usr/share/shorewall/action.Reject
# Shorewall version 2.6 - Reject Action
#
# /usr/share/shorewall/action.Reject
#
# The default REJECT action common rules
#
# This action is invoked before a REJECT policy is enforced. The purpose of the action
# is:
# This action is invoked before a REJECT policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
######################################################################################
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###############################################################################
#TARGET SOURCE DEST PROTO
#
# Don't log 'auth' REJECT
#
Auth/REJECT
#
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
@ -26,8 +29,9 @@ dropBcast
#
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log (these ICMPs cannot be rejected).
# Drop packets that in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
@ -40,7 +44,8 @@ DropUPnP
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,7 @@
#
# Shorewall 2.6 /etc/shorewall/action.template
# Shorewall version 2.6 - Template Action
#
# /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
@ -31,9 +33,10 @@
# and return to the point where the
# action was invoked.
# <action> -- An <action> defined in
# /etc/shorewall/actions. The <action>
# must appear in that file BEFORE the
# one being defined in this file.
# /etc/shorewall/actions.
# The <action> must appear in that
# file BEFORE the one being defined
# in this file.
#
# The TARGET may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
@ -95,9 +98,10 @@
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., eth1:192.168.1.5).
#
# DEST Location of destination host. Same as above with the exception that
# MAC addresses are not allowed and that you cannot specify
# an ipset name in both the SOURCE and DEST columns.
# DEST Location of destination host. Same as above with
# the exception that MAC addresses are not allowed and
# that you cannot specify an ipset name in both the
# SOURCE and DEST columns.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
@ -173,7 +177,7 @@
# #of the 'kids' group
# +upnpd #program named upnpd
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,7 @@
#
# Shorewall 2.6 /etc/shorewall/actions
# Shorewall version 2.6 - Actions File
#
# /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to
@ -24,9 +26,8 @@
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
# Please see http://shorewall.net/Actions.html for additional information.
#
###############################################################################
#ACTION
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -1,27 +1,28 @@
#
# Shorewall 2.6 /usr/share/shorewall/actions.std
# Shorewall version 2.6 - Actions.std File
#
# /usr/share/shorewall/actions.std
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Builtin Actions are:
#
# allowBcast #Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast
# dropNotSyn #Silently Drop Non-syn TCP packets
# rejNotSyn #Silently Reject Non-syn TCP packets
# dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state.
# allowInvalid #Accept packets that are in the INVALID
# #conntrack state.
# allowoutUPnP #Allow traffic from local command 'upnpd'
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
# forwardUPnP #Allow traffic that upnpd has redirected from
# #'upnp' interfaces.
# allowBcast # Silently Allow Broadcast/multicast
# dropBcast # Silently Drop Broadcast/multicast
# dropNotSyn # Silently Drop Non-syn TCP packets
# rejNotSyn # Silently Reject Non-syn TCP packets
# dropInvalid # Silently Drop packets that are in the INVALID
# # conntrack state.
# allowInvalid # Accept packets that are in the INVALID
# # conntrack state.
# allowoutUPnP # Allow traffic from local command 'upnpd'
# allowinUPnP # Allow UPnP inbound (to firewall) traffic
# forwardUPnP # Allow traffic that upnpd has redirected from
# # 'upnp' interfaces.
#
###############################################################################
#ACTION
Drop:DROP #Common Action for DROP policy
Reject:REJECT #Common Action for REJECT policy
Drop:DROP # Common Action for DROP policy
Reject:REJECT # Common Action for REJECT policy
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -1,9 +1,10 @@
#
# Shorewall 2.6 -- Blacklist File
# Shorewall version 2.6 - Blacklist File
#
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
# This file contains a list of IP addresses, MAC addresses and/or
# subnetworks.
#
# Columns are:
#
@ -25,9 +26,10 @@
# of port numbers or service names from /etc/services.
#
# When a packet arrives on an interface that has the 'blacklist' option
# specified in /etc/shorewall/interfaces, its source IP address is checked
# against this file and disposed of according to the BLACKLIST_DISPOSITION and
# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
# specified in /etc/shorewall/interfaces, its source IP address is
# checked against this file and disposed of according to the
# BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
#
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
@ -52,5 +54,3 @@
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,8 +1,14 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/continue
#
# Shorewall version 2.6 - Continue File
#
# /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections.
# cleared any existing Netfilter rules and has enabled existing
# connections.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,7 @@
#
# Shorewall 2.6 - /etc/shorewall/ecn
# Shorewall version 2.6 - Ecn File
#
# /etc/shorewall/ecn
#
# Use this file to list the destinations for which you want to
# disable ECN.
@ -17,6 +19,7 @@
# are also permitted.
#
# For additional information, see http://shorewall.net/Documentation.htm#ECN
##############################################################################
#
###############################################################################
#INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,7 @@
#
# Shorewall 2.6 - /etc/shorewall/hosts
# Shorewall version 2.6 - Hosts file
#
# /etc/shorewall/hosts
#
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
@ -37,7 +39,8 @@
# be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a
# host or network IP or a range.
# See http://www.shorewall.net/Bridge.html for details.
# See http://www.shorewall.net/Bridge.html
# for details.
# e) The name of an ipset (preceded by "+").
#
# Examples:
@ -60,11 +63,12 @@
# an ethernet NIC and must be up before
# Shorewall is started.
#
# routeback - Shorewall should set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary if hosts in this group use the
# services of a transparent proxy that is
# routeback - Shorewall should set up the
# infrastructure to pass packets
# from this/these address(es) back
# to themselves. This is necessary if
# hosts in this group use the services
# of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
@ -124,10 +128,12 @@
# kernel 2.6 ipsec SA. Note that if the
# zone named in the ZONE column is
# specified as an IPSEC zone in the
# /etc/shorewall/zones file then you do NOT
# need to specify the 'ipsec' option here.
# /etc/shorewall/zones file then you
# do NOT need to specify the 'ipsec'
# option here.
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
###############################################################################
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE


@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/init
#
# Shorewall version 2.4 - Init File
#
# /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
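Review bot: The new header line `# Shorewall version 2.4 - Init File` carries a different version than every other header this commit rewrites (initdone, continue, interfaces and the macros all say 2.6), and the line it replaces read `Shorewall 2.6`; this looks like a stale copy rather than an intended downgrade. Change it to `# Shorewall version 2.6 - Init File`.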


@ -1,9 +1,14 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/initdone
#
# Shorewall version 2.6 - Initdone File
#
# /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
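Review bot: The context line `# Shorewall has not yet added any perminent rules to the builtin chains.` keeps a misspelling that a cleanup pass of the header comment is the natural place to fix. Suggest `# Shorewall has not yet added any permanent rules to the builtin chains.`.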


@ -1,5 +1,5 @@
#
# Shorewall 2.6 -- Interfaces File
# Shorewall version 2.6 - Interfaces File
#
# /etc/shorewall/interfaces
#
@ -118,9 +118,10 @@
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this interface
# are processed as if NEWNOTSYN=Yes had been
# specified in /etc/shorewall/shorewall.conf.
# words, packets coming in on this
# interface are processed as if
# NEWNOTSYN=Yes had been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
@ -133,9 +134,9 @@
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow filtering
# traffic arriving on this interface back
# out that same interface.
# should include rules that allow
# filtering traffic arriving on this
# interface back out that same interface.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
@ -190,8 +191,8 @@
# in the ZONE column to include only those
# hosts routed through the interface.
#
# upnp - Incoming requests from this interface may
# be remapped via UPNP (upnpd).
# upnp - Incoming requests from this interface
# may be remapped via UPNP (upnpd).
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
@ -231,9 +232,9 @@
#
# net ppp0 -
#
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
##############################################################################
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -4,4 +4,4 @@
# /etc/shorewall/zones file.
#
# See the IPSECFILE option in shorewall.conf for further information.
#


@ -1,13 +1,13 @@
#
# Shorewall 2.6 - MAC list file
# Shorewall version 2.6 - Maclist file
#
# /etc/shorewall/maclist
#
# This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface.
# The feature is enabled by using the maclist option in the interfaces
# or hosts configuration file.
#
# /etc/shorewall/maclist
#
# Columns are:
#
# INTERFACE Network interface to a host. If the interface
@ -26,6 +26,6 @@
#
# For additional information, see http://shorewall.net/MAC_Validation.html
#
##############################################################################
###############################################################################
#INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.AllowICMPs
# Shorewall version 2.6 - AllowICMPs Macro
#
# /usr/share/shorewall/macro.AllowICMPs
#
# ACCEPT needed ICMP types
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.Amanda
# Shorewall version 2.6 - Amanda Macro
#
# /usr/share/shorewall/macro.Amanda
#
# This macro handles connections to the AMANDA backup system.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 10080
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Auth
# Shorewall version 2.6 - Auth Macro
#
# /usr/share/shorewall/macro.Auth
#
# This macro handles Auth (identd) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.BitTorrent
# Shorewall version 2.6 - BitTorrent Macro
#
# /usr/share/shorewall/macro.BitTorrent
#
# This macro handles BitTorrent traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 6881:6889
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.CVS
# Shorewall version 2.6 - CVS Macro
#
# /usr/share/shorewall/macro.CVS
#
# This macro handles connections to the CVS pserver.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 2401
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.DNS
# Shorewall version 2.6 - DNS Macro
#
# /usr/share/shorewall/macro.DNS
#
# This macro handles DNS traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 53
PARAM - - tcp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall macro.Distcc
# Shorewall version 2.6 - Distoc Macro
#
# /usr/share/shorewall/macro.Distcc
#
# This macro handles connections to the Distributed Compiler
# service.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3632
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
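Review bot: The new title line reads `# Shorewall version 2.6 - Distoc Macro`, but the file is macro.Distcc and the description two lines below refers to the Distributed Compiler service; the name is mistyped. Change it to `# Shorewall version 2.6 - Distcc Macro`.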


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.DropDNSrep
# Shorewall version 2.6 - DropDNSrep Macro
#
# /usr/share/shorewall/macro.DropDNSrep
#
# This macro silently drops DNS UDP replies
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
DROP - - udp - 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.DropUPnP
# Shorewall version 2.6 - DropUPnP Macro
#
# /usr/share/shorewall/macro.DropUPnP
#
# This macro silently drops UPnP probes on UDP port 1900
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
DROP - - udp 1900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,31 +1,35 @@
#
# Shorewall macro.Edonkey
# Shorewall version 2.6 - Edonkey Macro
#
# /usr/share/shorewall/macro.Edonkey
#
# This macro handles Edonkey traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 4662
PARAM - - udp 4665
#
# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
# says to use udp 5737 rather than 4665
# says to use udp 5737 rather than 4665.
#
# http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
# 4661 TCP (outgoing)
# Port, on which a server listens for connection (defined by server).
#4665 UDP (outgoing)
# used for global server searches and global source queries. This is
#always Server TCP port (in this case 4661) + 4.
#4662 TCP (outgoing and incoming)
# Client to client transfers.
#4672 UDP (outgoing and incoming)
# Extended eMule protocol, Queue Rating, File Reask Ping
#4711 TCP
# WebServer listening port.
#4712 TCP
# External Connection port. Used to communicate aMule with other
#applications such as aMule WebServer or aMuleCMD.
#
# 4661 TCP (outgoing) Port, on which a server listens for connection
# (defined by server).
#
# 4665 UDP (outgoing) used for global server searches and global source
# queries. This is always Server TCP port (in this case 4661) + 4.
#
# 4662 TCP (outgoing and incoming) Client to client transfers.
#
# 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue
# Rating, File Reask Ping
#
# 4711 TCP WebServer listening port.
#
# 4712 TCP External Connection port. Used to communicate aMule with other
# applications such as aMule WebServer or aMuleCMD.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 4662
PARAM - - udp 4665
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.FTP
# Shorewall version 2.6 - FTP Macro
#
# /usr/share/shorewall/macro.FTP
#
# This macro handles FTP traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall macro.Gnutella
# Shorewall version 2.6 - Gnutella Macro
#
# /usr/share/shorewall/macro.Gnutella
#
# This macro handles gnutella traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 6346
PARAM - - udp 6346
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.ICQ
# Shorewall version 2.6 - ICQ Macro
#
# /usr/share/shorewall/macro.ICQ
#
# This macro handles ICQ traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5190
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.IMAP
# Shorewall version 2.6 - IMAP Macro
#
# /usr/share/shorewall/macro.IMAP
#
# This macro handles IMAP traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 143 #Unsecure IMAP
PARAM - - tcp 993 #Secure IMAP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 143 # Unsecure IMAP
PARAM - - tcp 993 # Secure IMAP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall macro.LDAP
# Shorewall version 2.6 - LDAP Macro
#
# /usr/share/shorewall/macro.LDAP
#
# This macro handles LDAP traffic (secure and insecure)
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 389
PARAM - - tcp 636
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.MySQL
# Shorewall version 2.6 - MySQL Macro
#
# /usr/share/shorewall/macro.MySQL
#
# This action macro.handles connections to the MySQL server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3306
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
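Review bot: The description line `# This action macro.handles connections to the MySQL server.` is left untouched by the cleanup and reads like a leftover from an action-to-macro conversion. It should read `# This macro handles connections to the MySQL server.`, matching the wording used by the PostgreSQL macro in this same commit.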


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.NNTP
# Shorewall version 2.6 NNTP Macro
#
# /usr/share/shorewall/macro.NNTP
#
# This macro handles NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 119
PARAM - - tcp 563
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
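Review bot: The new title `# Shorewall version 2.6 NNTP Macro` is the only header in this commit without the ` - ` separator between the version and the macro name. For consistency with the others, `# Shorewall version 2.6 - NNTP Macro`.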


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.NTP
# Shorewall version 2.6 - NTP Macro
#
# /usr/share/shorewall/macro.NTP
#
# This macro handles NTP traffic (ntpd).
# For broadcast NTP traffic, use NTPbrd Macro.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 123
PARAM - - udp 1024: 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

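--- /dev/null
+++ b/Shorewall/macro.NTPbrd
@@ -0,0 +1,18 @@
+#
+# Shorewall version 2.6 - NTPbrd Macro
+#
+# /usr/share/shorewall/macro.NTPbrd
+#
+# This macro handles NTP traffic (ntpd) including replies to Broadcast
+# NTP traffic.
+#
+# It is recommended only to use this where the source host is trusted -
+# otherwise it opens up a large hole in your firewall because
+# Netfilter doesn't track connections for broadcast traffic.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT PORT(S) DEST LIMIT GROUP
+PARAM - - udp 123
+PARAM - - udp 1024: 123
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE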
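Review bot: The second rule, `PARAM - - udp 1024: 123`, is the one the header's warning is about — per the column header it matches on source port 123 towards every unprivileged destination port, with no connection-tracking state behind it — yet nothing at the rule itself says so, and it sits next to an ordinary-looking `udp 123` rule that a reader could copy without noticing the difference. A comment directly above it would make the risk visible where the rule is read: `# Replies to broadcast NTP: matched on source port only (untracked), so trust the SOURCE`. The header comment could also say that this is why the macro exists separately from macro.NTP.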


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.PCA
# Shorewall version 2.6 - PCA Macro
#
# /usr/share/shorewall/macro.PCA
#
# This macro handles PCAnywere (tm)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 5632
PARAM - - tcp 5631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
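Review bot: The context line `# This macro handles PCAnywere (tm)` misspells the product name and is not touched by the cleanup; suggest `# This macro handles pcAnywhere (tm) traffic.` while the header is being rewritten anyway.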


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.POP3
# Shorewall version 2.6 - POP3 Macro
#
# /usr/share/shorewall/macro.POP3
#
# This macro handles POP3 traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
PARAM - - tcp 110 #Unsecure POP3
PARAM - - tcp 995 #Secure POP3
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 110 # Unsecure POP3
PARAM - - tcp 995 # Secure POP3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Ping
# Shorewall version 2.6 - Ping Macro
#
# /usr/share/shorewall/macro.Ping
#
# This macro handles 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.PostgreSQL
# Shorewall version 2.6 - PostgreSQL Macro
#
# /usr/share/shorewall/macro.PostgreSQL
#
# This macro handles connections to the PostgreSQL server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5432
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Rdate
# Shorewall version 2.6 - Rdate Macro
#
# /usr/share/shorewall/macro.Rdate
#
# This macro handles remote time retrieval (rdate).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.Rsync
# Shorewall version 2.6 - Rsync Macro
#
# /usr/share/shorewall/macro.Rsync
#
# This macro handles connections to the rsync server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,12 +1,14 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SMB
# Shorewall version 2.6 - SMB Macro
#
# /usr/share/shorewall/macro.SMB
#
# Handle Microsoft SMB traffic. You need to invoke this macro in
# both directions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024: 137


@ -1,11 +1,13 @@
#
# Shorewall macro.SMBswat
# Shorewall version 2.6 - SMBswat Macro
#
# /usr/share/shorewall/macro.SMBswat
#
# This macro handles connections to the Samba Web Administration
# Tool (SWAT).
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 901
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,5 +1,7 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SMTP
# Shorewall version 2.6 - SMTP Macro
#
# /usr/share/shorewall/macro.SMTP
#
# This macro handles SMTP (email) traffic.
#
@ -8,8 +10,8 @@
# reading of email via POP3 or IMAP. For those you need to use
# the POP3 or IMAP macros.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SNMP
# Shorewall version 2.6 - SNMP Macro
#
# /usr/share/shorewall/macro.SNMP
#
# This macro accepts SNMP traffic (including traps):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 161:162
PARAM - - tcp 161
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.SPAMD
# Shorewall version 2.6 - SPAMD Macro
#
# /usr/share/shorewall/macro.SPAMD
#
# This macro handles Spam Assassin SPAMD traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 783
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SSH
# Shorewall version 2.6 - SSH Macro
#
# /usr/share/shorewall/macro.SSH
#
# This macro handles secure shell (SSH) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.SVN
# Shorewall version 2.6 - SVN Macro
#
# This macro handles connections to the Subversion server.
# /usr/share/shorewall/macro.SVN
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
# This macro handles connections to the Subversion (SVN) server.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3690
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -0,0 +1,12 @@
#
# Shorewall version 2.6 - Submission Macro
#
# /usr/share/shorewall/macro.Submission
#
# This macro handles mail message submission traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 587
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,12 @@
#
# Shorewall macro.Syslog
# Shorewall version 2.6 - Syslog Macro
#
# /usr/share/shorewall/macro.Syslog
#
# This macro handles syslog UDP traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 514
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Telnet
# Shorewall version 2.6 - Telnet Macro
#
# /usr/share/shorewall/macro.Telnet
#
# This macro handles Telnet traffic. For traffic over the
# internet, telnet is inappropriate; use SSH instead
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 23
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Trcrt
# Shorewall version 2.6 -Trcrt Macro
#
# /usr/share/shorewall/macro.Trcrt
#
# This macro handles Traceroute (for up to 30 hops):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 33434:33524 #UDP Traceroute
PARAM - - icmp 8 #ICMP Traceroute
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 33434:33524 # UDP Traceroute
PARAM - - icmp 8 # ICMP Traceroute
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
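Review bot: The rewritten title line `# Shorewall version 2.6 -Trcrt Macro` drops the space after the hyphen that every other macro header in this patch uses; the VNCL header (`-VNCL Macro`) has the same slip. Suggested form: `# Shorewall version 2.6 - Trcrt Macro` and `# Shorewall version 2.6 - VNCL Macro`.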


@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.VNC
# Shorewall version 2.6 - VNC Macro
#
# /usr/share/shorewall/macro.VNC
#
# This macro handles VNC traffic for VNC display's 0 - 9.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5900:5909
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,10 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.VNCL
# Shorewall version 2.6 -VNCL Macro
#
# This macro handles VNC traffic from Vncservers to Vncviewers in listen mode.
# /usr/share/shorewall/macro.VNCL
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
# This macro handles VNC traffic from Vncservers to Vncviewers in listen
# mode.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5500
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Web
# Shorewall version 2.6 - Web Macro
#
# /usr/share/shorewall/macro.Web
#
# This macro handles WWW traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 80
PARAM - - tcp 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,21 +1,24 @@
#
# Shorewall version 2.6 - Macro Template File
# Shorewall version 2.6 - Template Macro
#
# /usr/share/shorewall/macro.template
#
# Macro files are similar to template files with the following exceptions:
#
# - A macro file is not processed unless the marcro that it defines is referenced in the
# /etc/shorewall/rules file or in an action definition file.
# - A macro file is not processed unless the marcro that it defines is
# referenced in the /etc/shorewall/rules file or in an action
# definition file.
#
# - Macros are translated directly into one or more rules whereas actions become their own
# chain.
# - Macros are translated directly into one or more rules whereas
# actions become their own chain.
#
# - All entries in a macro undergo substitution when the macro is invoked in the rules file.
# - All entries in a macro undergo substitution when the macro is
# invoked in the rules file.
#
# - Macros may not invoke other macros.
#
# The columns in a macro definition are the same as those in the action.template file.
# The columns in a macro definition are the same as those in the
# action.template file.
# A few examples should help show how Macros work.
#
# /etc/shorewall/macro.FwdFTP:
@ -38,32 +41,40 @@
#
# The substitution rules are as follows:
#
# ACTION column If in the invocation of the macro, the macro name is followed by
# slash ("/") and a second name, the second name is substituted for
# each entry in the macro whose ACTION is PARAM
# ACTION column If in the invocation of the macro, the macro
# name is followed by slash ("/") and a second
# name, the second name is substituted for each
# entry in the macro whose ACTION is PARAM
#
# For example, if macro FOO is invoked as FOO/ACCEPT then when
# expanding macro.FOO, Shorewall will substitute ACCEPT in each
# entry in macro.FOO whose ACTION column contains PARAM. PARAM may
# be optionally followed by a colon and a log level.
# For example, if macro FOO is invoked as
# FOO/ACCEPT then when expanding macro.FOO,
# Shorewall will substitute ACCEPT in each
# entry in macro.FOO whose ACTION column
# contains PARAM. PARAM may be optionally
# followed by a colon and a log level.
#
# Any logging specified when the macro is invoked is applied to each
# entry in the macros.
# Any logging specified when the macro is
# invoked is applied to each entry in the macros.
#
# SOURCE and DEST If the column in the macro is empty then the value in the rules
# columns file is used. If the column in the macro is non-empty then any
# value in the rules file is appended with a ":" separator.
# SOURCE and DEST If the column in the macro is empty then the
# columns value in the rules file is used. If the column
# in the macro is non-empty then any value in
# the rules file is appended with a ":"
# separator.
#
# Example: Macro File DNAT net loc tcp 21
#
# Example: ###############################################
# #ACTION SOURCE DEST PROTO DEST
# # PORT
# Macro File DNAT net loc tcp 21
# rules File FwdFTP - 192.168.1.5
# Result DNAT net loc:192.168.1.5 tcp 21
#
# Remaining Any value in the rules file REPLACES the value given in the macro
# columns file.
# Remaining Any value in the rules file REPLACES the value
# columns given in the macro file.
#
#
#
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
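Review bot: The rewrapped line `# - A macro file is not processed unless the marcro that it defines is` carries the "marcro" typo over from the old text, so the cleanup of the first hunk leaves it in place. Suggested replacement: `# - A macro file is not processed unless the macro that it defines is`. The section's first hunk ends before the column-header hunk, so the rest of the file is unaffected.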


@ -1,10 +1,10 @@
#
# Shorewall 2.6 - Masquerade file
# Shorewall version 2.6 - Masq file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
# Use this file to define dynamic NAT (Masquerading) and to define
# Source NAT (SNAT).
#
# Columns are:
#
@ -93,12 +93,15 @@
#
# The <address-ranges> may be single addresses.
#
# SAME works like SNAT with the exception that the
# same local IP address is assigned to each connection
# from a local address to a given remote address. If
# the 'nodst:' option is included, then the same source
# address is used for a given internal system regardless
# of which remote system is involved.
# SAME works like SNAT with the exception that
# the same local IP address is assigned to each
# connection from a local address to a given
# remote address.
#
# If the 'nodst:' option is included, then the
# same source address is used for a given
# internal system regardless of which remote
# system is involved.
#
# If you want to leave this column empty
# but you need to specify the next column then
@ -125,21 +128,22 @@
# your kernel and iptables must include policy
# match support.
#
# Comma-separated list of options from the following.
# Only packets that will be encrypted via an SA that
# matches these options will have their source address
# changed.
# Comma-separated list of options from the
# following. Only packets that will be encrypted
# via an SA that matches these options will have
# their source address changed.
#
# Yes or yes -- must be the only option listed
# and matches all outbound traffic that will be
# encrypted.
# Yes or yes -- must be the only option
# listed and matches all outbound
# traffic that will be encrypted.
#
# reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
# reqid=<number> where <number> is
# specified using setkey(8) using the
# 'unique:<number> option for the SPD
# level.
#
# spi=<number> where <number> is the SPI of
# the SA.
# spi=<number> where <number> is the
# SPI of the SA.
#
# proto=ah|esp|ipcomp
#
@ -151,11 +155,11 @@
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all
# rules.
# strict Means that packets must match
# all rules.
#
# next Separates rules; can only be used
# with strict..
# next Separates rules; can only be
# used with strict..
#
# Example 1:
#


@ -1,27 +1,31 @@
##############################################################################
# Shorewall 2.6 /etc/shorewall/modules
#
# Shorewall version 2.6 - Modules File
#
# /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
# dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2.
#
# For additional information, see http://shorewall.net/Documentation.htm#modules
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap
# For additional information, see
# http://shorewall.net/Documentation.htm#modules
#
###############################################################################
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,6 +1,5 @@
##############################################################################
#
# Shorewall 2.6 -- Network Address Translation Table
# Shorewall version 2.6 - Nat File
#
# /etc/shorewall/nat
#
@ -11,7 +10,7 @@
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# cases, Proxy ARP is a better solution that one-to-one NAT.
#
# Columns must be separated by white space and are:
# Columns are:
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
@ -40,8 +39,8 @@
# system
#
# For additional information, see http://shorewall.net/NAT.htm
##############################################################################
#
###############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -1,6 +1,5 @@
##############################################################################
#
# Shorewall 2.6 -- Network Mapping Table
# Shorewall version 2.6 - Netmap File
#
# /etc/shorewall/netmap
#
@ -10,7 +9,7 @@
# WARNING: To use this file, your kernel and iptables must have
# NETMAP support included.
#
# Columns must be separated by white space and are:
# Columns are:
#
# TYPE Must be DNAT or SNAT.
#
@ -32,7 +31,6 @@
# See http://shorewall.net/netmap.html for an example and usage
# information.
#
##############################################################################
###############################################################################
#TYPE NET1 INTERFACE NET2
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -1,5 +1,7 @@
#
# Shorewall 2.6 /etc/shorewall/params
# Shorewall version 2.4 - Params File
#
# /etc/shorewall/params
#
# Assign any variables that you need here.
#
@ -21,5 +23,5 @@
#
# net eth0 130.252.100.255 routefilter,norfc1918
#
##############################################################################
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
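Review bot: The new title line `# Shorewall version 2.4 - Params File` names version 2.4 while every other header rewritten in this patch, and the old line it replaces, says 2.6. Unless the params file is deliberately pinned to an older release, this looks like a copy slip; suggested form: `# Shorewall version 2.6 - Params File`.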


@ -1,5 +1,5 @@
#
# Shorewall 2.6 -- Policy File
# Shorewall version 2.6 - Policy File
#
# /etc/shorewall/policy
#
@ -23,39 +23,43 @@
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# REJECT - For TCP, send RST. For all other,
# send "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or destination
# zone in those rules is a superset of
# the SOURCE or DEST in this policy).
# match (where the source or
# destination zone in those rules is
# a superset of the SOURCE or DEST
# in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set up
# any infrastructure to handle such
# packets and you may not have any rules
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# undefined. NONE may not be used if the
# SOURCE or DEST columns contain the
# firewall zone ($FW) or "all".
# to this DEST. Shorewall will not set
# up any infrastructure to handle such
# packets and you may not have any
# rules with this SOURCE and DEST in
# the /etc/shorewall/rules file. If
# such a packet _is_ received, the
# result is undefined. NONE may not be
# used if the SOURCE or DEST columns
# contain the firewall zone ($FW) or
# "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
# then that action will be invoked before the policy named in
# this column is inforced.
# /etc/shorewall/actions (or
# /usr/share/shorewall/actions.std) then that action
# will be invoked before the policy named in this column
# is inforced.
#
# The policy determined the default treatment of new
# connection requests and may optionally be followed by ":"
# and an ESTABLISHED policy which determines what
# is to be done with packets that are part of an established
# connection. The choices are ACCEPT (the default) and QUEUE
# (to queue the packet to a user-space filter like Snort Inline).
# connection requests and may optionally be followed by
# ":" and an ESTABLISHED policy which determines what
# is to be done with packets that are part of an
# established connection. The choices are ACCEPT (the
# default) and QUEUE (to queue the packet to a
# user-space filter like Snort Inline).
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
@ -93,6 +97,7 @@
# all all REJECT info
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
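Review bot: The rewrapped text in the second hunk ends with `# is inforced.`, preserving the "inforced" misspelling from the old line rather than fixing it while the paragraph is being reflowed. Suggested replacement: `# is enforced.`.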


@ -1,6 +1,5 @@
##############################################################################
#
# Shorewall 2.6 -- Internet Service Providers
# Shorewall version 2.6 - Providers File
#
# /etc/shorewall/providers
#
@ -15,7 +14,7 @@
#
# To omit a column, enter "-".
#
# Columns must be separated by white space and are:
# Columns are:
#
# NAME The provider name.
#
@ -80,7 +79,9 @@
# ISP1 1 1 main eth0 206.124.146.254 track,balance
# ISP2 2 2 main eth1 130.252.99.254 track,balance
#
# For additional information, see http://shorewall.net/Shorewall_and_Routing.html
##############################################################################################
# For additional information, see
# http://shorewall.net/Shorewall_and_Routing.html
#
############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


@ -1,12 +1,11 @@
##############################################################################
#
# Shorewall 2.6 -- Proxy ARP
# Shorewall version 2.6 - Proxyarp File
#
# /etc/shorewall/proxyarp
#
# This file is used to define Proxy ARP.
#
# Columns must be separated by white space and are:
# Columns are:
#
# ADDRESS IP Address
#
@ -41,6 +40,7 @@
# 155.186.235.6 eth1 eth0
#
# See http://shorewall.net/ProxyARP.htm for additional information.
##############################################################################
#
###############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,9 +1,10 @@
#
# Shorewall 2.6 -- RFC1918 File
# Shorewall version 2.6 - Rfc1918 File
#
# /etc/shorewall/rfc1918
#
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
# Lists the subnetworks that are blocked by the 'norfc1918' interface
# option.
#
# The default list includes those IP addresses listed in RFC 1918.
#
@ -21,23 +22,24 @@
# DROP - silently drop the packet
# logdrop - log then drop
#
# By default, the RETURN target causes 'norfc1918' processing to cease for a
# packet if the packet's source IP address matches the rule. Thus, if you have:
# By default, the RETURN target causes 'norfc1918' processing to cease
# for a packet if the packet's source IP address matches the rule. Thus,
# if you have:
#
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
#
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# also have:
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though
# you also have:
#
# SUBNETS TARGET
# 10.0.0.0/8 logdrop
#
# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be
# logged and dropped since while the packet's source matches the RETURN rule,
# the packet's destination matches the 'logdrop' rule.
# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic
# to be logged and dropped since while the packet's source matches the
# RETURN rule, the packet's destination matches the 'logdrop' rule.
#
################################################################################
###############################################################################
#SUBNETS TARGET
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918


@ -1,6 +1,5 @@
##############################################################################
#
# Shorewall 2.6 -- Hosts Accessible when the Firewall is Stopped
# Shorewall version 2.6 - Routestopped File
#
# /etc/shorewall/routestopped
#
@ -8,7 +7,7 @@
# firewall is stopped or when it is in the process of being
# [re]started.
#
# Columns must be separated by white space and are:
# Columns are:
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
@ -55,6 +54,7 @@
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
##############################################################################
#
###############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -18,7 +18,7 @@
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#-------------------------------------------------------------------------------#
#------------------------------------------------------------------------------
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
@ -112,13 +112,13 @@
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all" or "none" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# firewall itself, "all" or "none" If the ACTION is DNAT
# or REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
@ -134,11 +134,12 @@
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
# If you kernel and iptables have ipset match support then
# you may give the name of an ipset prefaced by "+". The
# ipset name may be optionally followed by a number from
# 1 to 6 enclosed in square brackets ([]) to indicate the
# number of levels of source bindings to be matched.
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of source bindings to be
# matched.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
@ -167,8 +168,8 @@
# /etc/shorewall/zones, $FW to indicate the firewall
# itself, "all" or "none".
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
@ -194,13 +195,13 @@
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# If you kernel and iptables have ipset match support then
# you may give the name of an ipset prefaced by "+". The
# ipset name may be optionally followed by a number from
# 1 to 6 enclosed in square brackets ([]) to indicate the
# number of levels of destination bindings to be matched.
# Only one of the SOURCE and DEST columns may specify an
# ipset name.
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of destination bindings
# to be matched. Only one of the SOURCE and DEST columns
# may specify an ipset name.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
@ -246,8 +247,8 @@
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ORIGINAL DEST in the next column, then place
# "-" in this column.
# specify an ORIGINAL DEST in the next column, then
# place "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
@ -257,8 +258,8 @@
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then
# if included and different from the IP
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
# then if included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
@ -278,11 +279,11 @@
# contain one or more addresses (host or network)
# separated by commas. Address ranges are not allowed.
# When this column is supplied, rules are generated
# that require that the original destination address matches
# one of the listed addresses. This feature is most useful when
# you want to generate a filter rule that corresponds to a
# DNAT- or REDIRECT- rule. In this usage, the list of
# addresses should not begin with "!".
# that require that the original destination address
# matches one of the listed addresses. This feature is
# most useful when you want to generate a filter rule
# that corresponds to a DNAT- or REDIRECT- rule. In this
# usage, the list of addresses should not begin with "!".
#
# See http://shorewall.net/PortKnocking.html for an
# example of using an entry in this column with a
@ -328,8 +329,8 @@
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
# Example: Forward all ssh and http connection requests from the
# internet to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
@ -365,7 +366,7 @@
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22
####################################################################################################
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,4 +1,4 @@
##############################################################################
###############################################################################
# /etc/shorewall/shorewall.conf V2.6 - Change the following variables to
# match your setup
#
@ -7,17 +7,19 @@
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
##############################################################################
###############################################################################
# S T A R T U P E N A B L E D
##############################################################################
###############################################################################
#
# Once you have configured Shorewall, you may change the setting of
# this variable to 'Yes'
#
STARTUP_ENABLED=No
##############################################################################
###############################################################################
# L O G G I N G
##############################################################################
###############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
@ -53,7 +55,7 @@ STARTUP_ENABLED=No
# installed by default). Ulogd is also available from
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
# Shorewall message to their own log file
################################################################################
###############################################################################
#
# LOG FILE LOCATION
#
@ -66,6 +68,7 @@ STARTUP_ENABLED=No
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
#
LOGFILE=/var/log/messages
@ -77,8 +80,8 @@ LOGFILE=/var/log/messages
# template is expected to accept either two or three arguments; the first is
# the chain name, the second (optional) is the logging rule number within that
# chain and the third is the ACTION specifying the disposition of the packet
# being logged. You must use the %d formatting type for the rule number; if your
# template does not contain %d then the rule number will not be included.
# being logged. You must use the %d formatting type for the rule number; if
# your template does not contain %d then the rule number will not be included.
#
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
#
@ -92,6 +95,7 @@ LOGFILE=/var/log/messages
# 'status' and 'hits' commands. This part should not be omitted (the
# LOGFORMAT should not begin with "%") and the leading part should be
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
#
LOGFORMAT="Shorewall:%s:%s:"
@ -174,6 +178,7 @@ BLACKLIST_LOGLEVEL=
# See the comment at the top of this section for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
#
LOGNEWNOTSYN=info
@ -220,7 +225,6 @@ RFC1918_LOG_LEVEL=info
#'nosmurfs' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
# ) then dropped smurfs are not logged.
#
# See the comment at the top of this section for a description of log levels
#
@ -238,9 +242,9 @@ SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
################################################################################
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
###############################################################################
#
# IPTABLES
#
@ -263,6 +267,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# The firewall script is normally interpreted by /bin/sh. If you wish to change
# the shell used to interpret that script, specify the shell here.
#
SHOREWALL_SHELL=/bin/sh
@ -281,6 +286,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
# If your netfilter kernel modules are in a directory other than
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
#
MODULESDIR=
@ -296,6 +302,7 @@ MODULESDIR=
#
# If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
#
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
@ -314,6 +321,7 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
# directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.
#
RESTOREFILE=
@ -323,14 +331,16 @@ RESTOREFILE=
# Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file.
# Beginning with 2.5.0, those files were combined. For users who haven't
# converted, we offer this variable that sets the name of the file for ipsec
# information. This option must take the value "zones" or "ipsec". If the option
# is not set or is set to the empty value (IPSECFILE="") then "ipsec" is assumed.
# information. This option must take the value "zones" or "ipsec". If the
# option is not set or is set to the empty value (IPSECFILE="") then "ipsec"
# is assumed.
#
IPSECFILE=zones
################################################################################
###############################################################################
# F I R E W A L L O P T I O N S
################################################################################
###############################################################################
# NAME OF THE FIREWALL ZONE
#
@ -369,9 +379,9 @@ ADD_IP_ALIASES=Yes
# AUTOMATICALLY ADD SNAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
# you are sure that you need it -- most people don't!!!
# for each SNAT external address that you give in /etc/shorewall/masq. If you
# say "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No"
# unless you are sure that you need it -- most people don't!!!
#
ADD_SNAT_ALIASES=No
@ -395,8 +405,9 @@ RETAIN_ALIASES=No
#
# ENABLE TRAFFIC SHAPING
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled.
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall.
# If you say "No" or "no" then traffic shaping is not enabled.
#
TC_ENABLED=No
@ -413,6 +424,7 @@ TC_ENABLED=No
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.
#
CLEAR_TC=Yes
@ -425,14 +437,15 @@ CLEAR_TC=Yes
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
# packets destined for Masqueraded/SNATed local hosts have had their
# destination address rewritten so they can be marked based on their
# destination. When packets are marked in the PREROUTING chain, packets
# destined for Masqueraded/SNATed local hosts still have a destination address
# corresponding to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
#
MARK_IN_FORWARD_CHAIN=No
@ -481,12 +494,14 @@ CLAMPMSS=No
# interfaces started while Shorewall is started (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
# on individual interfaces using the 'routefilter' option in the
# Regardless of the setting of ROUTE_FILTER, you can still enable route
# filtering on individual interfaces using the 'routefilter' option in the
# /etc/shorewall/interfaces file.
#
ROUTE_FILTER=No
#
# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
@ -515,6 +530,7 @@ ROUTE_FILTER=No
# one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall
# is [re]started.
#
DETECT_DNAT_IPADDRS=No
@ -530,6 +546,7 @@ DETECT_DNAT_IPADDRS=No
#
# An appropriate value for this parameter would be twice the length of time
# that it takes your firewall system to process a "shorewall restart" command.
#
MUTEX_TIMEOUT=60
@ -575,6 +592,7 @@ MUTEX_TIMEOUT=60
# connection from the conntrack table but the end-points haven't
# completed shutting down the connection). I therefore have chosen
# NEWNOTSYN=Yes as the default value.
#
NEWNOTSYN=Yes
@ -595,8 +613,8 @@ NEWNOTSYN=Yes
# a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this
# setting, when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
@ -613,8 +631,8 @@ ADMINISABSENTMINDED=Yes
#
# Shorewall offers two types of blacklisting:
#
# - static blacklisting through the /etc/shorewall/blacklist file together
# with the 'blacklist' interface option.
# - static blacklisting through the /etc/shorewall/blacklist file
# together with the 'blacklist' interface option.
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
#
# The following variable determines whether the blacklist is checked for each
@ -636,6 +654,7 @@ BLACKLISTNEWONLY=Yes
# time and that new connections are disabled during that time. By setting
# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
# before loading the blacklist.
#
DELAYBLACKLISTLOAD=No
@ -700,6 +719,7 @@ DYNAMIC_ZONES=No
# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
# will use IP addresses to detect broadcasts rather than pkttype. If not given
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
#
PKTTYPE=Yes
@ -728,6 +748,7 @@ PKTTYPE=Yes
#
# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
# 'conntrack state' match.
#
RFC1918_STRICT=No
@ -751,6 +772,7 @@ RFC1918_STRICT=No
# If MACLIST_TTL is not specified or is specified as empty (e.g,
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
# be cached.
#
MACLIST_TTL=
@ -765,6 +787,7 @@ MACLIST_TTL=
# Regardless of the setting of SAVE_IPSETS, if ipset contents were
# saved during a "shorewall save" then they will be restored during
# a subsequent "shorewall restore".
#
SAVE_IPSETS=No
@ -776,12 +799,13 @@ SAVE_IPSETS=No
# compatibility, Shorewall can map the old names into invocations of the new
# macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to
# the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed
#
MAPOLDACTIONS=No
################################################################################
###############################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
###############################################################################
#
# BLACKLIST DISPOSITION
#
@ -800,6 +824,7 @@ BLACKLIST_DISPOSITION=DROP
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed
#
MACLIST_DISPOSITION=REJECT
@ -811,6 +836,7 @@ MACLIST_DISPOSITION=REJECT
# 'tcpflags' option specified in /etc/shorewall/interfaces or in
# /etc/shorewall/hosts. If not specified or specified as empty
# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
#
TCP_FLAGS_DISPOSITION=DROP
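Review bot: The re-wrapped ADD_SNAT_ALIASES comment carries the typo `youself` over into the new text; since that line is being rewritten anyway it should read `# say "No" or "no", you must add these aliases yourself. LEAVE THIS SET TO "No"`. The MACLIST_TTL comment in the later hunk also has an unbalanced parenthesis and a stray comma, `(e.g, MACLIST_TTL="" or is specified as zero then`, which could be closed in the same pass, e.g. `(e.g. MACLIST_TTL="") or is specified as zero, then`.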


@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/start
#
# Shorewall version 2.4 - Start File
#
# /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
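Review bot: The new header line `# Shorewall version 2.4 - Start File` appears to regress the version number: the line it replaces read `Shorewall 2.6`, and the sibling extension scripts rewritten in this commit (started, stop) carry `Shorewall version 2.6`. Assuming the `Shorewall version N - X File` form is the new side, as it is in the other sections, this should read `# Shorewall version 2.6 - Start File`. The stopped file section has the same problem with `# Shorewall version 2.4 - Stopped File`.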


@ -1,5 +1,7 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/started
#
# Shorewall version 2.6 - Started File
#
# /etc/shorewall/started
#
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this
@ -8,10 +10,14 @@
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up.
#
# This script should not change the firewall configuration directly but may
# do so indirectly by running /sbin/shorewall with the 'nolock' option.
# This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall with the 'nolock'
# option.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. Note though that the "ensure_and_save_command" function
# should not be used in this script because Shorewall is already running
# when this function is called.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/stop
#
# Shorewall version 2.6 - Stop File
#
# /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/stopped
#
# Shorewall version 2.4 - Stopped File
#
# /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


@ -1,5 +1,5 @@
#
# Shorewall version 2.6 - Traffic Control Rules File
# Shorewall version 2.6 - Tcrules File
#
# /etc/shorewall/tcrules
#
@ -29,8 +29,9 @@
# where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking
# should occur in the FORWARD chain. If neither
# ":P" nor ":F" follow the mark value then the chain is
# determined by the setting of MARK_IN_FORWARD_CHAIN in
# ":P" nor ":F" follow the mark value then the chain
# is determined by the setting of
# MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf.
#
# If your kernel and iptables include CONNMARK support
@ -47,7 +48,8 @@
#
# CF: Mark the connection in the FORWARD chain
#
# CP: Mark the connection in the PREROUTING chain.
# CP: Mark the connection in the PREROUTING
# chain.
#
# b) A classification of the form <major>:<minor> where
# <major> and <minor> are integers. Corresponds to
@ -65,17 +67,22 @@
#
# c) RESTORE[/mask] -- restore the packet's mark from the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# Your kernel and iptables must include CONNMARK
# support.
#
# As in a) above, may be followed by ":P" or ":F
#
# c) SAVE[/mask] -- save the packet's mark to the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# Your kernel and iptables must include CONNMARK
# support.
#
# As in a) above, may be followed by ":P" or ":F
#
# d) CONTINUE -- don't process any more marking rules in
# the table. As in a) above, may be followed by ":P" or
# ":F".
# the table.
#
# As in a) above, may be followed by ":P" or ":F".
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses
@ -111,8 +118,8 @@
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no PORT is given, "ipp2p" is
# as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no PORT is given, "ipp2p" is
# assumed.
#
# This column is ignored if PROTOCOL = all but must be
@ -138,11 +145,12 @@
#
# The colon is optionnal when specifying only a user
# or a program name.
# Examples : john: , john , :users , john:users , +mozilla-bin
# Examples : john: , john , :users , john:users ,
# +mozilla-bin
#
# TEST Defines a test on the existing packet or connection mark.
# The rule will match only if the test returns true. Tests
# have the format [!]<value>[/<mask>][:C]
# TEST Defines a test on the existing packet or connection
# mark. The rule will match only if the test returns
# true. Tests have the format [!]<value>[/<mask>][:C]
#
# Where:
#
@ -150,11 +158,12 @@
# <value> Value of the packet or connection mark.
# <mask> A mask to be applied to the mark before
# testing
# :C Designates a connection mark. If omitted,
# the packet mark's value is tested.
# :C Designates a connection mark. If
# omitted, the packet mark's value is
# tested.
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
##############################################################################
###############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
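Review bot: Two context lines in the RESTORE/SAVE hunk still read `# As in a) above, may be followed by ":P" or ":F` with the closing quote missing, while the newly added CONTINUE line has it right (`":F".`); since this passage is being re-wrapped, both should become `# As in a) above, may be followed by ":P" or ":F".`. The sub-item labels in the same hunk also run a), b), c), c), d): SAVE should be labelled d) and CONTINUE e) so that later cross-references to "a) above" stay unambiguous.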


@ -1,5 +1,7 @@
#
# Shorewall 2.6 -- /etc/shorewall/tos
# Shorewall version 2.6 - Tos File
#
# /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
@ -41,6 +43,7 @@
# Minimize-Cost (2)
# Normal-Service (0)
#
##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
###############################################################################
#SOURCE DEST PROTOCOL SOURCE DEST TOS
# PORTS PORTS
#LAST LINE -- Add your entries above -- DO NOT REMOVE


@ -1,5 +1,7 @@
#
# Shorewall 2.4 - /etc/shorewall/tunnels
# Shorewall version 2.6 - Tunnels File
#
# /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
@ -9,13 +11,13 @@
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip"
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat",
# "ipip", "gre", "6to4", "pptpclient", "pptpserver",
# "openvpn" or "generic"
#
# If the type is "ipsec" or "ipsecnat", it may be followed
# by ":noah" to indicate that the Authentication Header
# protocol (51) is not used by the tunnel.
# If the type is "ipsec" or "ipsecnat", it may be
# followed by ":noah" to indicate that the Authentication
# Header protocol (51) is not used by the tunnel.
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no
@ -102,16 +104,17 @@
#
# Example 8:
#
# You have a tunnel that is not one of the supported types.
# Your tunnel uses UDP port 4444. The other end of the
# tunnel is 4.3.99.124.
# You have a tunnel that is not one of the supported
# types. Your tunnel uses UDP port 4444. The other end
# of the tunnel is 4.3.99.124.
#
# generic:udp:4444 net 4.3.99.124
#
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
# See http://shorewall.net/Documentation.htm#Tunnels for additional
# information.
#
# TYPE ZONE GATEWAY GATEWAY
###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,7 +1,11 @@
#
# Shorewall 2.6 /etc/shorewall/zones
# Shorewall version 2.6 - Zones File
#
# This file determines your network zones. Columns are:
# /etc/shorewall/zones
#
# This file determines your network zones.
#
# Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
@ -55,16 +59,18 @@
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#--------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Example zones:
#
# You have a three interface firewall with internet, local and DMZ interfaces.
# You have a three interface firewall with internet, local and DMZ
# interfaces.
#
# #ZONE IPSEC OPTIONS IN OUT
# net
# loc
# dmz
#
###############################################################################
#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE