Initial revision
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
b935b216c5
commit
af87d30b67
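--- a/Samples/one-interface/common
+++ b/Samples/one-interface/common
@@ -0,0 +1,34 @@
+############################################################################
+# Shorewall 1.2 -- /etc/shorewall/common.def
+#
+# This file defines the rules that are applied before a policy of
+# DROP or REJECT is applied. In addition to the rules defined in this file,
+# the firewall will also define a DROP rule for each subnet broadcast
+# address defined in /etc/shorewall/interfaces (including "detect").
+#
+# Do not modify this file -- if you wish to change these rules, copy this
+# file to /etc/shorewall/common and modify that file.
+#
+run_iptables -A common -p icmp -j icmpdef
+############################################################################
+# accept ACKs and RSTs that aren't related to any session so that the
+# protocol stack can handle them
+#
+run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
+run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
+############################################################################
+# NETBIOS chatter
+#
+run_iptables -A common -p udp --dport 137:139 -j DROP
+run_iptables -A common -p udp --dport 445 -j DROP
+############################################################################
+# BROADCASTS
+#
+run_iptables -A common -d 255.255.255.255 -j DROP
+run_iptables -A common -d 224.0.0.0/4 -j DROP
+#
+# The following rule is non-standard and compensates for tardy
+# DNS replies
+#
+run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+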
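Review bot: The two ACCEPTs at `run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT` and `run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT` let any TCP segment carrying ACK or RST that connection tracking did not classify reach the host stack on every port, ahead of the zone's DROP/REJECT policy that the header says this chain runs in front of. The upside is the one the comment gives, stale sessions get a RST from the stack instead of hanging; the downside it does not mention is that ACK-flag probes are answered rather than silently dropped, which can tell a scanner the host is up and which ports the firewall filters. That reads as a deliberate trade-off, so I would record it next to the rules so nobody later treats it as an oversight: `# NOTE: these two ACCEPTs bypass the zone policy for any ACK/RST segment on any port;` / `# stray ACKs get a RST from the stack instead of hanging, at the cost of answering ACK-flag probes.`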
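--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -0,0 +1,79 @@
+#
+# Shorewall 1.2 -- Interfaces File
+#
+# /etc/shorewall/interfaces
+#
+# Columns are:
+#
+# ZONE Zone for this interface. Much match the short name
+# of a zone defined in /etc/shorewall/zones.
+#
+# $<variable-name> is not allowed in this column.
+#
+# INTERFACE Name of interface
+#
+# BROADCAST The broadcast address for the subnetwork to which the
+# interface belongs. For P-T-P interfaces, this
+# column is left black.
+#
+# If you use the special value "detect", the firewall
+# will detect the broadcast address for you. If you
+# select this option, the interface must be up before
+# the firewall is started and you must have iproute
+# installed.
+#
+# If you don't want to give a value for this column but
+# you want to enter a value in the OPTIONS column, enter
+# "-" in this column.
+#
+# OPTIONS A comma-separated list of options including the
+# following:
+#
+# dhcp - interface is managed by DHCP
+# noping - icmp echo-request (ping) packets should
+# be ignored on this interface
+# routestopped - When the firewall is stopped, allow
+# and route traffic to and from this
+# interface.
+# norfc1918 - This interface should not receive
+# any packets whose source is in one
+# of the ranges reserved by RFC 1918
+# (i.e., private or "non-routable"
+# addresses.
+# multi - This interface has multiple IP
+# addresses and you want to be able to
+# route between them.
+# routefilter - turn on kernel route filtering for this
+# interface (anti-spoofing measure).
+#
+# Example 1: Suppose you have eth0 connected to a DSL modem and
+# eth1 connected to your local network and that your
+# local subnet is 192.168.1.0/24. The interface gets
+# it's IP address via DHCP from subnet
+# 206.191.149.192/27 and you want pings from the internet
+# to be ignored. You interface a DMZ with subnet
+# 192.168.2.0/24 using eth2. You want to be able to
+# access the firewall from the local network when the
+# firewall is stopped.
+#
+# Your entries for this setup would look like:
+#
+# net eth0 206.191.149.223 noping,dhcp
+# local eth1 192.168.1.255 routestopped
+# dmz eth2 192.168.2.255
+#
+# Example 2: The same configuration without specifying broadcast
+# addresses is:
+#
+# net eth0 detect noping,dhcp
+# local eth1 detect routestopped
+# dmz eth2 detect
+#
+# Example 3: You have a simple dial-in system with no ethernet
+# connections and you want to ignore ping requests.
+#
+# net ppp0 - noping
+##############################################################################
+#ZONE INTERFACE BROADCAST OPTIONS
+net eth0 detect norfc1918,routefilter,dhcp
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE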
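Review bot: The column documentation has three wording errors that will be copied into every installation that ships this sample: `Much match` under ZONE should read `Must match`, `column is left black` under BROADCAST should read `column is left blank`, and `it's IP address` in Example 1 should read `its IP address`. The single active entry `net eth0 detect norfc1918,routefilter,dhcp` is consistent with the options the header documents, and enabling `routefilter` on the only interface matches `ROUTE_FILTER="No"` in the sample's shorewall.conf, where it is left to per-interface control.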
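--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@@ -0,0 +1,39 @@
+#
+# Shorewall 1.2 -- Policy File
+#
+# /etc/shorewall/policy
+#
+# This file determines what to do with a new connection request if we
+# don't get a match from the /etc/shorewall/rules file. For each
+# client/server pair, the file is processed in order until a match is
+# found ("all" will match any client or server).
+#
+# Columns are:
+#
+# CLIENT Location of client. Must be the name of a zone defined
+# in /etc/shorewall/zones, "fw" or "all".
+#
+# SERVER Location of server. Must be the name of a zone defined
+# in /etc/shorewall/zones, "fw" or "all"
+#
+# POLICY Policy if no match from the rules file is found. Must
+# be "ACCEPT", "DENY", "REJECT"
+#
+# LOG LEVEL If supplied, each connection handled under the default
+# POLICY is logged at that level. If not supplied, no
+# log message is generated. See syslog.conf(5) for a
+# description of log levels.
+#
+# As shipped, the default policies are:
+#
+# a) All connections from the local network to the internet are allowed
+# b) All connections from the network are ignored but logged at syslog
+# level KERNEL.INFO.
+# d) All other connection requests are rejected and logged at level
+# KERNEL.INFO.
+###############################################################################
+#CLIENT SERVER POLICY LOG LEVEL
+fw net ACCEPT
+net all DROP info
+all all REJECT info
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE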
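Review bot: The "As shipped" summary starting at `# a) All connections from the local network to the internet are allowed` does not describe this sample: the entries are `fw net ACCEPT`, `net all DROP info` and `all all REJECT info`, the one-interface layout has no local zone at all, and the list jumps from b) to d). The POLICY column text lists `"ACCEPT", "DENY", "REJECT"` while the value the sample actually uses is DROP; if DENY is not a synonym the parser accepts, a reader following the comment will write an invalid policy. I would rewrite the summary as a) connections from the firewall to the internet are allowed, b) connections from the internet are dropped and logged at info, c) everything else is rejected and logged at info, and change the POLICY text to `# be "ACCEPT", "DROP", "REJECT"`.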
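--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -0,0 +1,120 @@
+#
+# Shorewall version 1.2 - Rules File
+#
+# /etc/shorewall/rules
+#
+# Rules in this file govern connection establishment. Requests and
+# responses are automatically allowed using connection tracking.
+#
+# Columns are:
+#
+#
+# RESULT ACCEPT, DROP or REJECT
+#
+# ACCEPT -- allow the connection request
+# DROP -- ignore the request
+# REJECT -- disallow the request and return an
+# icmp-unreachable packet.
+#
+# The line may NOT start with $<variable-name>
+#
+# May optionally be followed by ":" and a syslog log
+# level (e.g, REJECT:info). This causes the packet to be
+# logged at the specified level.
+#
+# SOURCE Hosts permitted to be clients. May be a zone defined
+# in /etc/shorewall/zones or "fw" to indicate the
+# firewall itself.
+#
+# Clients may be further restricted to a particular
+# subnet or host by appending ":" and the subnet or host.
+#
+# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
+# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
+# Internet
+#
+# Alternatively, clients may be specified by interface
+# by appending ":" followed by the interface name. For
+# example, loc:eth1 specifies a client that
+# communicates with the firewall system through eth1.
+#
+# DESTINATION Location of Server. May be a zone defined in
+# /etc/shorewall/zones or "fw" to indicate the firewall
+# itself.
+#
+# The server may be further restricted to a particular
+# subnet, host or interface by appending ":" and the
+# subnet, host or interface. See above.
+#
+# The port that the server is listening on may be
+# included and separated from the server's IP address by
+# ":". If omitted, the firewall will not modifiy the
+# destination port.
+#
+# Example: loc:192.168.1.3:8080 specifies a local
+# server at IP address 192.168.1.3 and listening on port
+# 8080. The port number MUST be specified as an integer
+# and not as a name from /etc/services.
+#
+# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
+# "all" or "related". If "related", the remainder of the
+# entry must be omitted and connection requests that are
+# related to existing requests will be accepted.
+#
+# PORT(S) Destination Port. A comma-separated list of Port names
+# (from /etc/services), port numbers or port ranges;
+# if the protocol is "icmp", this column is interpreted as
+# the destination icmp-type. If this column contains the
+# value "none", the rule is ignored.
+#
+# This column is ignored if PROTOCOL = all but must be
+# entered if any of the following fields are supplied.
+# In that case, it is suggested that this field contain
+# "-"
+#
+# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
+# any source port is acceptable.
+#
+# If you don't want to restrict client ports but need to
+# specify an ADDRESS in the next column, then place "-"
+# in this column.
+#
+# ADDRESS (0ptional) If included and different from the IP
+# address given in the SERVER column, this is an address
+# on some interface on the firewall and connections to
+# that address will be forwarded to the IP and port
+# specified in the SERVER column.
+#
+# If the special value "all" is used, then requests from
+# the client zone given in the CLIENT(s) column with the
+# destination port given in PORT(s) will be forwarded to
+# the IP address given in SERVER.
+#
+# The address (or "all") may optionally be followed by
+# a colon (":") an an IP address. This causes Shorewall
+# to use the specified IP address as the source address
+# in forwarded packets. See the Shorewall documentation
+# for restrictions concerning this feature. If no source
+# IP address is given, the original source address is not
+# altered.
+#
+# Example: Forward all ssh and www connection requests from the internet to
+# local system 192.168.1.3
+#
+# #RESULT SOURCE DESTINATION PROTO PORT(S) CLIENT PORT(S) ADDRESS
+# ACCEPT net loc:192.168.1.3 tcp ssh,www - all
+#
+# Example: Redirect all locally-originating www connection requests to
+# port 8080 on the firewall (Squid running on the firewall
+# system)
+#
+# #RESULT SOURCE DESTINATION PROTO PORTS(S) CLIENT PORT(S) ADDRESS
+# ACCEPT loc fw::8080 tcp www - all
+##############################################################################
+#RESULT SOURCE DESTINATION PROTO PORT(S) CLIENT PORT(S) ADDRESS
+#
+# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above
+#
+REJECT net fw tcp 113
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE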
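Review bot: The column prose and the column header disagree on names: the header line `#RESULT SOURCE DESTINATION PROTO PORT(S) CLIENT PORT(S) ADDRESS` calls the second and third columns SOURCE and DESTINATION, but the ADDRESS paragraph talks about `the SERVER column` and `the CLIENT(s) column`, and the PORT(S) paragraph about `PROTOCOL = all`, none of which exist in this file's header. A reader mapping the explanation back to the columns has to guess which is which; I would use SOURCE/DESTINATION/PROTO throughout the prose. Two smaller slips: `(0ptional)` is spelled with a digit zero and `modifiy` should be `modify`. The one active rule `REJECT net fw tcp 113` does what its comment says and is appropriate for a host that accepts nothing else from net.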
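--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -0,0 +1,153 @@
+##############################################################################
+# /etc/shorewall/shorewall.conf V1.2 - Change the following variables to
+# match your setup
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# This file should be placed in /etc/shorewall
+#
+# (c) 1999, 2000, 2001 - Tom Eastep (teastep@evergo.net)
+##############################################################################
+# Set this to the name of the lock file expected by your init scripts. For
+# RedHat, this should be /var/lock/subsys/firewall. On Debian, it
+# should be /var/state/shorewall. If your init scripts don't use lock files,
+# set -this to "".
+#
+
+SUBSYSLOCK=/var/lock/subsys/shorewall
+
+# This is the directory where the firewall maintains state information while
+# it is running
+#
+
+STATEDIR=/var/lib/firewall
+
+#
+# Set this to "yes" or "Yes" if you want to accept all connection requests
+# that are related to already established connections. For example, you want
+# to accept FTP data connections. If you say "no" here, then to accept
+# these connections between particular zones or hosts, you must include
+# explicit "related" rules in /etc/shorewall/rules.
+#
+
+ALLOWRELATED="yes"
+
+#
+# If your netfilter kernel modules are in a directory other than
+# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
+# directory in this variable. Example: MODULESDIR=/etc/modules.
+
+MODULESDIR=""
+
+#
+# The next two variables can be used to control the amount of log output
+# generated. LOGRATE is expressed as a number followed by an optional
+# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
+# rate at which a particular message will occur. LOGBURST determines the
+# maximum initial burst size that will be logged. If set empty, the default
+# value of 5 will be used.
+#
+# If BOTH variables are set empty then the rate of logging will not be
+# rate-limited.
+#
+
+LOGRATE="10/hour"
+LOGBURST=5
+
+#
+# Enable nat support.
+#
+# You probally want yes here. Only gateways not doing NAT in any form, like
+# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
+#
+NAT_ENABLED="No"
+
+#
+# Enable mangle support.
+#
+# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
+# and will not initialize the mangle table when starting or stopping
+# your firewall.
+#
+MANGLE_ENABLED="Yes"
+
+#
+# Enable IP Forwarding
+#
+# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
+# say "Off" or "off", packet forwarding will be disabled. You would only want
+# to disable packet forwarding if you are installing Shorewall on a
+# standalone system or if you want all traffic through the Shorewall system
+# to be handled by proxies.
+#
+# If you set this variable to "Keep" or "keep", Shorewall will neither
+# enable nor disable packet forwarding.
+#
+IP_FORWARDING="Off"
+
+#
+# Automatically add IP Aliases
+#
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
+# for each NAT external address that you give in /etc/shorewall/nat. If you say
+# "No" or "no", you must add these aliases youself.
+#
+ADD_IP_ALIASES="Yes"
+
+#
+# Automatically add SNAT Aliases
+#
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
+# for each SNAT external address that you give in /etc/shorewall/masq. If you say
+# "No" or "no", you must add these aliases youself.
+#
+ADD_SNAT_ALIASES="No"
+
+#
+# Enable Traffic Shaping
+#
+# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
+# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
+# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
+# you must enable packet mangling above.
+#
+TC_ENABLED="No"
+
+#
+# Blacklisting
+#
+# Set this variable to the action that you want to perform on packets from
+# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
+# DROP is assumed.
+#
+BLACKLIST_DISPOSITION=DROP
+
+#
+# Blacklist Logging
+#
+# Set this variable to the syslogd level that you want blacklist packets logged
+# (beward of DOS attacks resulting from such logging). If not set, no logging
+# of blacklist packets occurs.
+#
+BLACKLIST_LOGLEVEL=
+
+#
+# MSS Clamping
+#
+# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
+# option. This option is most commonly required when your internet
+# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
+#
+# If left blank, or set to "No" or "no", the option is not enabled.
+#
+CLAMPMSS="No"
+
+#
+# Route Filtering
+#
+# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
+# interfaces.
+#
+ROUTE_FILTER="No"
+
+#LAST LINE -- DO NOT REMOVE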
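Review bot: `LOGRATE="10/hour"` with `LOGBURST=5` is a very tight limit for a sample whose policy file logs every dropped connection from net at info: once the initial burst of five is spent, each logging point records at most one entry every six minutes, so a port scan or a brute-force attempt will be almost entirely absent from the log. The comment describes the limit as applying "per message", which I take to mean one limit per logging rule rather than one global limit, but either way the effect on incident evidence should be stated next to the value or the default loosened, e.g. `# 10/hour keeps syslog quiet but hides most of a scan; raise it if you rely on the log for detection`. The CLAMPMSS comment is truncated at `# interface is some variant of PPP (PPTP or PPPoE). Your kernel must`, presumably the rest named a required kernel option, so confirm against the Shorewall docs before completing it. The SUBSYSLOCK comment also says RedHat wants `/var/lock/subsys/firewall` while the value two lines below is `/var/lock/subsys/shorewall`; one of them is wrong.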
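--- a/Samples/one-interface/zones
+++ b/Samples/one-interface/zones
@@ -0,0 +1,14 @@
+#
+# Shorewall 1.2 /etc/shorewall/zones
+#
+# This file determines your network zones. Columns are:
+#
+# ZONE Short name of the zone
+# DISPLAY Display name of the zone
+# COMMENTS Comments about the zone
+#
+# $<variable-name> is not permitted in this file.
+#
+#ZONE DISPLAY COMMENTS
+net Net Internet
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE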
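--- a/Samples/three-interfaces/common
+++ b/Samples/three-interfaces/common
@@ -0,0 +1,34 @@
+############################################################################
+# Shorewall 1.2 -- /etc/shorewall/common.def
+#
+# This file defines the rules that are applied before a policy of
+# DROP or REJECT is applied. In addition to the rules defined in this file,
+# the firewall will also define a DROP rule for each subnet broadcast
+# address defined in /etc/shorewall/interfaces (including "detect").
+#
+# Do not modify this file -- if you wish to change these rules, copy this
+# file to /etc/shorewall/common and modify that file.
+#
+run_iptables -A common -p icmp -j icmpdef
+############################################################################
+# accept ACKs and RSTs that aren't related to any session so that the
+# protocol stack can handle them
+#
+run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
+run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
+############################################################################
+# NETBIOS chatter
+#
+run_iptables -A common -p udp --dport 137:139 -j DROP
+run_iptables -A common -p udp --dport 445 -j DROP
+############################################################################
+# BROADCASTS
+#
+run_iptables -A common -d 255.255.255.255 -j DROP
+run_iptables -A common -d 224.0.0.0/4 -j DROP
+#
+# The following rule is non-standard and compensates for tardy
+# DNS replies
+#
+run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+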
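Review bot: The header at `# Shorewall 1.2 -- /etc/shorewall/common.def` together with `# Do not modify this file -- if you wish to change these rules, copy this` / `# file to /etc/shorewall/common and modify that file.` looks copied from common.def, but this file is the sample's `common`, which by that very instruction is the copy the user is supposed to edit. As written it tells the user not to touch the one file the sample intends them to customise; the one-interface copy carries the same text. I would change the title to `# Shorewall 1.2 -- /etc/shorewall/common (three-interface sample)` and replace the do-not-modify paragraph with `# This file overrides common.def; edit it to change what happens before the DROP/REJECT policy.` The rules themselves are byte-identical to the one-interface sample, including the ACK/RST ACCEPTs that run ahead of the zone policy, so the same trade-off note belongs here too.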
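--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@@ -0,0 +1,81 @@
+#
+# Shorewall 1.2 -- Interfaces File
+#
+# /etc/shorewall/interfaces
+#
+# Columns are:
+#
+# ZONE Zone for this interface. Much match the short name
+# of a zone defined in /etc/shorewall/zones.
+#
+# $<variable-name> is not allowed in this column.
+#
+# INTERFACE Name of interface
+#
+# BROADCAST The broadcast address for the subnetwork to which the
+# interface belongs. For P-T-P interfaces, this
+# column is left black.
+#
+# If you use the special value "detect", the firewall
+# will detect the broadcast address for you. If you
+# select this option, the interface must be up before
+# the firewall is started and you must have iproute
+# installed.
+#
+# If you don't want to give a value for this column but
+# you want to enter a value in the OPTIONS column, enter
+# "-" in this column.
+#
+# OPTIONS A comma-separated list of options including the
+# following:
+#
+# dhcp - interface is managed by DHCP
+# noping - icmp echo-request (ping) packets should
+# be ignored on this interface
+# routestopped - When the firewall is stopped, allow
+# and route traffic to and from this
+# interface.
+# norfc1918 - This interface should not receive
+# any packets whose source is in one
+# of the ranges reserved by RFC 1918
+# (i.e., private or "non-routable"
+# addresses.
+# multi - This interface has multiple IP
+# addresses and you want to be able to
+# route between them.
+# routefilter - turn on kernel route filtering for this
+# interface (anti-spoofing measure).
+#
+# Example 1: Suppose you have eth0 connected to a DSL modem and
+# eth1 connected to your local network and that your
+# local subnet is 192.168.1.0/24. The interface gets
+# it's IP address via DHCP from subnet
+# 206.191.149.192/27 and you want pings from the internet
+# to be ignored. You interface a DMZ with subnet
+# 192.168.2.0/24 using eth2. You want to be able to
+# access the firewall from the local network when the
+# firewall is stopped.
+#
+# Your entries for this setup would look like:
+#
+# net eth0 206.191.149.223 noping,dhcp
+# local eth1 192.168.1.255 routestopped
+# dmz eth2 192.168.2.255
+#
+# Example 2: The same configuration without specifying broadcast
+# addresses is:
+#
+# net eth0 detect noping,dhcp
+# local eth1 detect routestopped
+# dmz eth2 detect
+#
+# Example 3: You have a simple dial-in system with no ethernet
+# connections and you want to ignore ping requests.
+#
+# net ppp0 - noping
+##############################################################################
+#ZONE INTERFACE BROADCAST OPTIONS
+net eth0 detect dhcp,norfc1918,dhcp
+loc eth1 detect routestopped
+dmz eth2 detect routestopped
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE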
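Review bot: The net entry `net eth0 detect dhcp,norfc1918,dhcp` lists `dhcp` twice; the second is either a stray duplicate or a typo for `routefilter`, which the one-interface sample enables on its net interface (`norfc1918,routefilter,dhcp`) and which this very header documents as an anti-spoofing measure. Whether the option parser tolerates a repeated option is not visible here, so I would write `net eth0 detect dhcp,norfc1918,routefilter`, which removes the duplicate and brings the two samples in line. Also worth a look: `dmz eth2 detect routestopped` allows traffic to and from the DMZ while the firewall is stopped, which is a looser fallback than most people expect for a DMZ; if that is intended, a one-line comment saying so would help. The header carries the same `Much match`, `left black` and `it's IP address` slips as the one-interface copy.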
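--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@@ -0,0 +1,54 @@
+#
+# Shorewall 1.2 - Masquerade file
+#
+# /etc/shorewall/masq
+#
+# Use this file to define dynamic NAT (Masquerading)
+#
+# Columns are:
+#
+# INTERFACE -- Outgoing interface. This is usually your internet
+# interface. This may be qualified by adding the character
+# ":" followed by a destination host or subnet.
+#
+#
+# SUBNET -- Subnet that you wish to masquerade. You can specify this as
+# a subnet or as an interface. If you give the name of an
+# interface, you must have iproute installed and the interface
+# must be up before you start the firewall.
+#
+# Example 1:
+#
+# You have a simple masquerading setup where eth0 connects to
+# a DSL or cable modem and eth1 connects to your local network
+# with subnet 192.168.0.0/24.
+#
+# Your entry in the file can be either:
+#
+# eth0 eth1
+#
+# or
+#
+# eth0 192.168.0.0/24
+#
+# Example 2:
+#
+# You add a router to your local network to connect subnet
+# 192.168.1.0/24 which you also want to masquerade. You then
+# add the following entry to this file:
+#
+# eth0 192.168.1.0/24
+#
+# Example 3:
+#
+# You have an IPSEC tunnel through ipsec0 and you want to
+# masquerade packets coming from 192.168.1.0/24 but only if
+# these packets are destined for hosts in 10.1.1.0/24:
+#
+# ipsec0:10.1.1.0/24 196.168.1.0/24
+#
+##############################################################################
+#INTERFACE SUBNET
+eth0 eth1
+eth0 eth2
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE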
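Review bot: Example 3's entry `# ipsec0:10.1.1.0/24 196.168.1.0/24` does not match the prose two lines above it, which says the packets come from 192.168.1.0/24; 196.168.1.0/24 is not an RFC 1918 range, so anyone who copies the example line will masquerade the wrong source network and silently leave their real tunnel traffic un-NATed. Change it to `# ipsec0:10.1.1.0/24 192.168.1.0/24`. The two active entries `eth0 eth1` and `eth0 eth2` masquerade both the loc and dmz interfaces of this sample behind eth0, which matches the interfaces file; note that they only take effect if the companion shorewall.conf enables NAT, and that file is not part of what I can see for the three-interface sample.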
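--- a/Samples/three-interfaces/policy
+++ b/Samples/three-interfaces/policy
@@ -0,0 +1,45 @@
+#
+# Shorewall 1.2 -- Policy File
+#
+# /etc/shorewall/policy
+#
+# This file determines what to do with a new connection request if we
+# don't get a match from the /etc/seafall/rules file. For each
+# client/server pair, the file is processed in order until a match is
+# found ("all" will match any client or server).
+#
+# $<variable-name> is only permitted in the fourth colunm (LOG LEVEL).
+#
+# Columns are:
+#
+# SOURCE Location of client. Must be the name of a zone defined
+# in /etc/shorewall/zones, "fw" or "all".
+#
+# DESTINATION Location of server. Must be the name of a zone defined
+# in /etc/shorewall/zones, "fw" or "all"
+#
+# POLICY Policy if no match from the rules file is found. Must
+# be "ACCEPT", "DENY", "REJECT"
+#
+# LOG LEVEL If supplied, each connection handled under the default
+# POLICY is logged at that level. If not supplied, no
+# log message is generated. See syslog.conf(5) for a
+# description of log levels.
+#
+# As shipped, the default policies are:
+#
+# a) All connections from the local network to the internet are allowed
+# b) All connections from the network are ignored but logged at syslog
+# level KERNEL.INFO.
+# d) All other connection requests are rejected and logged at level
+# KERNEL.INFO.
+###############################################################################
+#SOURCE DESTINATION POLICY LOG LEVEL
+loc net ACCEPT
+#
+# If you want open access to the internet from your firewall, uncomment the
+# following line
+#fw net ACCEPT
+net all DROP info
+all all REJECT info
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE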
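Review bot: The trailing sentinel `#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE` should read `DO NOT REMOVE` like every other sample file; I cannot tell from here whether any tooling matches on that line, but the mismatch is at best confusing. Two more header typos: `/etc/seafall/rules` should be `/etc/shorewall/rules` and `colunm` should be `column`. The "As shipped" summary also skips item c), and the POLICY text lists `"DENY"` while the entries use DROP, the same slip as in the one-interface copy. The policies themselves (`loc net ACCEPT`, `net all DROP info`, `all all REJECT info`, with `#fw net ACCEPT` left commented and the firewall's DNS handled by explicit rules) read as a sensible default-deny layout for a DMZ host: dmz→loc and dmz→fw fall through to REJECT unless the rules file opens them.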
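--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -0,0 +1,145 @@
+#
+# Shorewall version 1.2 - Rules File
+#
+# /etc/shorewall/rules
+#
+# Rules in this file govern connection establishment. Requests and
+# responses are automatically allowed using connection tracking.
+#
+# Columns are:
+#
+#
+# RESULT ACCEPT, DROP or REJECT
+#
+# ACCEPT -- allow the connection request
+# DROP -- ignore the request
+# REJECT -- disallow the request and return an
+# icmp-unreachable packet.
+#
+# The line may NOT start with $<variable-name>
+#
+# May optionally be followed by ":" and a syslog log
+# level (e.g, REJECT:info). This causes the packet to be
+# logged at the specified level.
+#
+# SOURCE Hosts permitted to be clients. May be a zone defined
+# in /etc/shorewall/zones or "fw" to indicate the
+# firewall itself.
+#
+# Clients may be further restricted to a particular
+# subnet or host by appending ":" and the subnet or host.
+#
+# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
+# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
+# Internet
+#
+# Alternatively, clients may be specified by interface
+# by appending ":" followed by the interface name. For
+# example, loc:eth1 specifies a client that
+# communicates with the firewall system through eth1.
+#
+# DESTINATION Location of Server. May be a zone defined in
+# /etc/shorewall/zones or "fw" to indicate the firewall
+# itself.
+#
+# The server may be further restricted to a particular
+# subnet, host or interface by appending ":" and the
+# subnet, host or interface. See above.
+#
+# The port that the server is listening on may be
+# included and separated from the server's IP address by
+# ":". If omitted, the firewall will not modifiy the
+# destination port.
+#
+# Example: loc:192.168.1.3:8080 specifies a local
+# server at IP address 192.168.1.3 and listening on port
+# 8080. The port number MUST be specified as an integer
+# and not as a name from /etc/services.
+#
+# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
+# "all" or "related". If "related", the remainder of the
+# entry must be omitted and connection requests that are
+# related to existing requests will be accepted.
+#
+# PORT(S) Destination Port. A comma-separated list of Port names
+# (from /etc/services), port numbers or port ranges;
+# if the protocol is "icmp", this column is interpreted as
+# the destination icmp-type. If this column contains the
+# value "none", the rule is ignored.
+#
+# This column is ignored if PROTOCOL = all but must be
+# entered if any of the following fields are supplied.
+# In that case, it is suggested that this field contain
+# "-"
+#
+# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
+# any source port is acceptable.
+#
+# If you don't want to restrict client ports but need to
+# specify an ADDRESS in the next column, then place "-"
+# in this column.
+#
+# ADDRESS (0ptional) If included and different from the IP
+# address given in the SERVER column, this is an address
+# on some interface on the firewall and connections to
+# that address will be forwarded to the IP and port
+# specified in the SERVER column.
+#
+# If the special value "all" is used, then requests from
+# the client zone given in the CLIENT(s) column with the
+# destination port given in PORT(s) will be forwarded to
+# the IP address given in SERVER.
+#
+# The address (or "all") may optionally be followed by
+# a colon (":") an an IP address. This causes Shorewall
+# to use the specified IP address as the source address
+# in forwarded packets. See the Shorewall documentation
+# for restrictions concerning this feature. If no source
+# IP address is given, the original source address is not
+# altered.
+#
+# Example: Forward all ssh and www connection requests from the internet to
+# local system 192.168.1.3
+#
+# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
+# ACCEPT net loc:192.168.1.3 tcp ssh,www - all
+#
+# Example: Redirect all locally-originating www connection requests to
+# port 8080 on the firewall (Squid running on the firewall
+# system)
+#
+# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS
+# ACCEPT loc fw::8080 tcp www - all
+##############################################################################
+#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
+#
+# Accept outgoing DNS connections from the firewall
+#
+ACCEPT fw net tcp 53
+ACCEPT fw net udp 53
+#
+# To avoid connection delays, reject AUTH
+#
+REJECT net fw tcp 113
+#
+# Accept SSH connections from the local network to the firewall and DMZ
+#
+ACCEPT loc fw tcp 22
+ACCEPT loc dmz tcp 22
+#
+# DMZ DNS access to the internet
+#
+ACCEPT dmz net tcp 53
+ACCEPT dmz net udp 53
+#
+# Make ping work
+#
+ACCEPT fw loc icmp 8
+ACCEPT loc fw icmp 8
+ACCEPT loc dmz icmp 8
+ACCEPT dmz loc icmp 8
+ACCEPT dmz fw icmp 8
+ACCEPT fw dmz icmp 8
+ACCEPT fw net icmp 8
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE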
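--- a/Samples/three-interfaces/zones
+++ b/Samples/three-interfaces/zones
@@ -0,0 +1,16 @@
+#
+# Shorewall 1.2 /etc/shorewall/zones
+#
+# This file determines your network zones. Columns are:
+#
+# ZONE Short name of the zone
+# DISPLAY Display name of the zone
+# COMMENTS Comments about the zone
+#
+# $<variable-name> is not permitted in this file.
+#
+#ZONE DISPLAY COMMENTS
+net Net Internet
+loc Local Local networks
+dmz DMZ Demilitarized Zone
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE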
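--- a/Samples/two-interfaces/common
+++ b/Samples/two-interfaces/common
@@ -0,0 +1,34 @@
+############################################################################
+# Shorewall 1.2 -- /etc/shorewall/common.def
+#
+# This file defines the rules that are applied before a policy of
+# DROP or REJECT is applied. In addition to the rules defined in this file,
+# the firewall will also define a DROP rule for each subnet broadcast
+# address defined in /etc/shorewall/interfaces (including "detect").
+#
+# Do not modify this file -- if you wish to change these rules, copy this
+# file to /etc/shorewall/common and modify that file.
+#
+run_iptables -A common -p icmp -j icmpdef
+############################################################################
+# accept ACKs and RSTs that aren't related to any session so that the
+# protocol stack can handle them
+#
+run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
+run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
+############################################################################
+# NETBIOS chatter
+#
+run_iptables -A common -p udp --dport 137:139 -j DROP
+run_iptables -A common -p udp --dport 445 -j DROP
+############################################################################
+# BROADCASTS
+#
+run_iptables -A common -d 255.255.255.255 -j DROP
+run_iptables -A common -d 224.0.0.0/4 -j DROP
+#
+# The following rule is non-standard and compensates for tardy
+# DNS replies
+#
+run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+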
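Review bot: The header still names this file /etc/shorewall/common.def and tells the reader not to modify it but to copy it to /etc/shorewall/common, yet this sample is installed as /etc/shorewall/common itself, so the instruction contradicts the file's purpose. Suggest `# Shorewall 1.2 -- /etc/shorewall/common (sample; derived from common.def)` and replacing the "Do not modify" paragraph with one sentence saying this copy is the one to edit. As a point of style, `-mstate` on the last rule would read more consistently as `-m state`, matching the space-separated options used on the other lines.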
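--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@@ -0,0 +1,80 @@
+#
+# Shorewall 1.2 -- Interfaces File
+#
+# /etc/shorewall/interfaces
+#
+# Columns are:
+#
+# ZONE Zone for this interface. Much match the short name
+# of a zone defined in /etc/shorewall/zones.
+#
+# $<variable-name> is not allowed in this column.
+#
+# INTERFACE Name of interface
+#
+# BROADCAST The broadcast address for the subnetwork to which the
+# interface belongs. For P-T-P interfaces, this
+# column is left black.
+#
+# If you use the special value "detect", the firewall
+# will detect the broadcast address for you. If you
+# select this option, the interface must be up before
+# the firewall is started and you must have iproute
+# installed.
+#
+# If you don't want to give a value for this column but
+# you want to enter a value in the OPTIONS column, enter
+# "-" in this column.
+#
+# OPTIONS A comma-separated list of options including the
+# following:
+#
+# dhcp - interface is managed by DHCP
+# noping - icmp echo-request (ping) packets should
+# be ignored on this interface
+# routestopped - When the firewall is stopped, allow
+# and route traffic to and from this
+# interface.
+# norfc1918 - This interface should not receive
+# any packets whose source is in one
+# of the ranges reserved by RFC 1918
+# (i.e., private or "non-routable"
+# addresses.
+# multi - This interface has multiple IP
+# addresses and you want to be able to
+# route between them.
+# routefilter - turn on kernel route filtering for this
+# interface (anti-spoofing measure).
+#
+# Example 1: Suppose you have eth0 connected to a DSL modem and
+# eth1 connected to your local network and that your
+# local subnet is 192.168.1.0/24. The interface gets
+# it's IP address via DHCP from subnet
+# 206.191.149.192/27 and you want pings from the internet
+# to be ignored. You interface a DMZ with subnet
+# 192.168.2.0/24 using eth2. You want to be able to
+# access the firewall from the local network when the
+# firewall is stopped.
+#
+# Your entries for this setup would look like:
+#
+# net eth0 206.191.149.223 noping,dhcp
+# local eth1 192.168.1.255 routestopped
+# dmz eth2 192.168.2.255
+#
+# Example 2: The same configuration without specifying broadcast
+# addresses is:
+#
+# net eth0 detect noping,dhcp
+# local eth1 detect routestopped
+# dmz eth2 detect
+#
+# Example 3: You have a simple dial-in system with no ethernet
+# connections and you want to ignore ping requests.
+#
+# net ppp0 - noping
+##############################################################################
+#ZONE INTERFACE BROADCAST OPTIONS
+net eth0 detect dhcp,routefilter,norfc1918
+loc eth1 detect routestopped
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE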
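Review bot: Examples 1 and 2 assign eth1 to a zone named `local`, while the zones file in this sample set and the live entry at the bottom of this file use `loc`; a reader who adapts the example ends up with an interface bound to a zone that is not defined. Suggest `# loc eth1 192.168.1.255 routestopped` in Example 1 and `# loc eth1 detect routestopped` in Example 2. The column descriptions also carry typos worth fixing: "Much match" → "Must match", "left black" → "left blank", and "it's IP address" → "its IP address".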
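--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@@ -0,0 +1,53 @@
+#
+# Shorewall 1.2 - Masquerade file
+#
+# /etc/shorewall/masq
+#
+# Use this file to define dynamic NAT (Masquerading)
+#
+# Columns are:
+#
+# INTERFACE -- Outgoing interface. This is usually your internet
+# interface. This may be qualified by adding the character
+# ":" followed by a destination host or subnet.
+#
+#
+# SUBNET -- Subnet that you wish to masquerade. You can specify this as
+# a subnet or as an interface. If you give the name of an
+# interface, you must have iproute installed and the interface
+# must be up before you start the firewall.
+#
+# Example 1:
+#
+# You have a simple masquerading setup where eth0 connects to
+# a DSL or cable modem and eth1 connects to your local network
+# with subnet 192.168.0.0/24.
+#
+# Your entry in the file can be either:
+#
+# eth0 eth1
+#
+# or
+#
+# eth0 192.168.0.0/24
+#
+# Example 2:
+#
+# You add a router to your local network to connect subnet
+# 192.168.1.0/24 which you also want to masquerade. You then
+# add the following entry to this file:
+#
+# eth0 192.168.1.0/24
+#
+# Example 3:
+#
+# You have an IPSEC tunnel through ipsec0 and you want to
+# masquerade packets coming from 192.168.1.0/24 but only if
+# these packets are destined for hosts in 10.1.1.0/24:
+#
+# ipsec0:10.1.1.0/24 196.168.1.0/24
+#
+##############################################################################
+#INTERFACE SUBNET
+eth0 eth1
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE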
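Review bot: Example 3's entry masquerades `196.168.1.0/24`, a public range, while the sentence above it describes 192.168.1.0/24; copied literally, the example would NAT a subnet the site does not own and leave the intended private subnet un-masqueraded. Change the example line to `# ipsec0:10.1.1.0/24 192.168.1.0/24`.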
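--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
@@ -0,0 +1,45 @@
+#
+# Shorewall 1.2 -- Policy File
+#
+# /etc/shorewall/policy
+#
+# This file determines what to do with a new connection request if we
+# don't get a match from the /etc/seafall/rules file. For each
+# client/server pair, the file is processed in order until a match is
+# found ("all" will match any client or server).
+#
+# $<variable-name> is only permitted in the fourth colunm (LOG LEVEL).
+#
+# Columns are:
+#
+# SOURCE Location of client. Must be the name of a zone defined
+# in /etc/shorewall/zones, "fw" or "all".
+#
+# DESTINATION Location of server. Must be the name of a zone defined
+# in /etc/shorewall/zones, "fw" or "all"
+#
+# POLICY Policy if no match from the rules file is found. Must
+# be "ACCEPT", "DENY", "REJECT"
+#
+# LOG LEVEL If supplied, each connection handled under the default
+# POLICY is logged at that level. If not supplied, no
+# log message is generated. See syslog.conf(5) for a
+# description of log levels.
+#
+# As shipped, the default policies are:
+#
+# a) All connections from the local network to the internet are allowed
+# b) All connections from the network are ignored but logged at syslog
+# level KERNEL.INFO.
+# d) All other connection requests are rejected and logged at level
+# KERNEL.INFO.
+###############################################################################
+#SOURCE DESTINATION POLICY LOG LEVEL
+loc net ACCEPT
+#
+# If you want open access to the internet from your firewall, uncomment the
+# following line
+#fw net ACCEPT
+net all DROP info
+all all REJECT info
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE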
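Review bot: The POLICY column description lists "ACCEPT", "DENY", "REJECT", but the entries below use DROP (the action the rules-file documentation also names), so the description should read `# be "ACCEPT", "DROP", "REJECT"`. The summary of shipped defaults is also off: item b says "from the network" where the matching line is `net all DROP info` (the internet), and the list jumps from b) to d). Small text fixes on the same section: `/etc/seafall/rules` → `/etc/shorewall/rules`, "colunm" → "column", and the sentinel `#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE` (currently "REMOTE").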
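--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -0,0 +1,136 @@
+#
+# Shorewall version 1.2 - Rules File
+#
+# /etc/shorewall/rules
+#
+# Rules in this file govern connection establishment. Requests and
+# responses are automatically allowed using connection tracking.
+#
+# Columns are:
+#
+#
+# RESULT ACCEPT, DROP or REJECT
+#
+# ACCEPT -- allow the connection request
+# DROP -- ignore the request
+# REJECT -- disallow the request and return an
+# icmp-unreachable packet.
+#
+# The line may NOT start with $<variable-name>
+#
+# May optionally be followed by ":" and a syslog log
+# level (e.g, REJECT:info). This causes the packet to be
+# logged at the specified level.
+#
+# CLIENT(S) Hosts permitted to be clients. May be a zone defined
+# in /etc/shorewall/zones or "fw" to indicate the
+# firewall itself.
+#
+# Clients may be further restricted to a particular
+# subnet or host by appending ":" and the subnet or host.
+#
+# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
+# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
+# Internet
+#
+# Alternatively, clients may be specified by interface
+# by appending ":" followed by the interface name. For
+# example, loc:eth1 specifies a client that
+# communicates with the firewall system through eth1.
+#
+# SERVER Location of Server. May be a zone defined in
+# /etc/shorewall/zones or "fw" to indicate the firewall
+# itself.
+#
+# The server may be further restricted to a particular
+# subnet, host or interface by appending ":" and the
+# subnet, host or interface. See above.
+#
+# The port that the server is listening on may be
+# included and separated from the server's IP address by
+# ":". If omitted, the firewall will not modifiy the
+# destination port.
+#
+# Example: loc:192.168.1.3:8080 specifies a local
+# server at IP address 192.168.1.3 and listening on port
+# 8080. The port number MUST be specified as an integer
+# and not as a name from /etc/services.
+#
+# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
+# "all" or "related". If "related", the remainder of the
+# entry must be omitted and connection requests that are
+# related to existing requests will be accepted.
+#
+# PORT(S) Destination Port. A comma-separated list of Port names
+# (from /etc/services), port numbers or port ranges;
+# if the protocol is "icmp", this column is interpreted as
+# the destination icmp-type. If this column contains the
+# value "none", the rule is ignored.
+#
+# This column is ignored if PROTOCOL = all but must be
+# entered if any of the following fields are supplied.
+# In that case, it is suggested that this field contain
+# "-"
+#
+# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
+# any source port is acceptable.
+#
+# If you don't want to restrict client ports but need to
+# specify an ADDRESS in the next column, then place "-"
+# in this column.
+#
+# ADDRESS (0ptional) If included and different from the IP
+# address given in the SERVER column, this is an address
+# on some interface on the firewall and connections to
+# that address will be forwarded to the IP and port
+# specified in the SERVER column.
+#
+# If the special value "all" is used, then requests from
+# the client zone given in the CLIENT(s) column with the
+# destination port given in PORT(s) will be forwarded to
+# the IP address given in SERVER.
+#
+# The address (or "all") may optionally be followed by
+# a colon (":") an an IP address. This causes Shorewall
+# to use the specified IP address as the source address
+# in forwarded packets. See the Shorewall documentation
+# for restrictions concerning this feature. If no source
+# IP address is given, the original source address is not
+# altered.
+#
+# Example: Forward all ssh and www connection requests from the internet to
+# local system 192.168.1.3
+#
+# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
+# ACCEPT net loc:192.168.1.3 tcp ssh,www - all
+#
+# Example: Redirect all locally-originating www connection requests to
+# port 8080 on the firewall (Squid running on the firewall
+# system)
+#
+# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS
+# ACCEPT loc fw::8080 tcp www - all
+##############################################################################
+#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
+#
+#
+# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above
+#
+REJECT net fw tcp 113
+#
+# Accept DNS connections from the firewall to the network
+#
+ACCEPT fw net tcp 53
+ACCEPT net net udp 53
+#
+# Accept SSH connections from the local network for administration
+#
+ACCEPT loc net tcp 22
+#
+# Make ping work
+#
+ACCEPT fw loc icmp 8
+ACCEPT loc fw icmp 8
+ACCEPT fw net icmp 8
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE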
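Review bot: `ACCEPT net net udp 53` under the "Accept DNS connections from the firewall to the network" comment has `net` as the client where the tcp line beside it and the comment both mean `fw`; as written, UDP DNS originated by the firewall is left to the `all all REJECT info` policy in Samples/two-interfaces/policy (unless the commented `fw net ACCEPT` line is enabled), so firewall-side name resolution over UDP would be rejected. The line should be `ACCEPT fw net udp 53`. Likewise `ACCEPT loc net tcp 22` under "Accept SSH connections from the local network for administration" duplicates what the `loc net ACCEPT` policy already allows and does not admit SSH to the firewall itself, which falls to REJECT; `ACCEPT loc fw tcp 22` matches the stated intent. There is also a doubled bare `#` line directly after the column header that can go.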
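--- a/Samples/two-interfaces/zones
+++ b/Samples/two-interfaces/zones
@@ -0,0 +1,15 @@
+#
+# Shorewall 1.2 /etc/shorewall/zones
+#
+# This file determines your network zones. Columns are:
+#
+# ZONE Short name of the zone
+# DISPLAY Display name of the zone
+# COMMENTS Comments about the zone
+#
+# $<variable-name> is not permitted in this file.
+#
+#ZONE DISPLAY COMMENTS
+net Net Internet
+loc Local Local networks
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE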