Initial revision

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/one-interface/common

@@ -0,0 +1,34 @@
+############################################################################
+# Shorewall 1.2 -- /etc/shorewall/common.def
+#
+# This file defines the rules that are applied before a policy of 
+# DROP or REJECT is applied. In addition to the rules defined in this file,
+# the firewall will also define a DROP rule for each subnet broadcast
+# address defined in /etc/shorewall/interfaces (including "detect").
+#
+# Do not modify this file -- if you wish to change these rules, copy this
+# file to /etc/shorewall/common and modify that file.
+#
+run_iptables -A common -p icmp -j icmpdef
+############################################################################
+# accept ACKs and RSTs that aren't related to any session so that the 
+# protocol stack can handle them
+#
+run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
+run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
+############################################################################
+# NETBIOS chatter
+#
+run_iptables -A common -p udp --dport 137:139     -j DROP
+run_iptables -A common -p udp --dport 445         -j DROP
+############################################################################
+# BROADCASTS
+#
+run_iptables -A common -d 255.255.255.255 -j DROP
+run_iptables -A common -d 224.0.0.0/4     -j DROP
+#
+# The following rule is non-standard and compensates for tardy
+# DNS replies
+#
+run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+

Samples/one-interface/interfaces

@@ -0,0 +1,79 @@
+#
+# Shorewall 1.2 -- Interfaces File
+#
+# /etc/shorewall/interfaces
+#
+# Columns are:
+#
+#	ZONE		Zone for this interface. Much match the short name
+#			of a zone defined in /etc/shorewall/zones.
+#
+#			$<variable-name> is not allowed in this column.
+#
+#	INTERFACE	Name of interface
+#
+#	BROADCAST	The broadcast address for the subnetwork to which the
+#			interface belongs. For P-T-P interfaces, this
+#			column is left black.
+#
+#			If you use the special value "detect", the firewall
+#			will detect the broadcast address for you. If you
+#			select this option, the interface must be up before
+#			the firewall is started and you must have iproute
+#			installed.
+#			
+#			If you don't want to give a value for this column but
+#			you want to enter a value in the OPTIONS column, enter
+#			"-" in this column.
+#
+#	OPTIONS		A comma-separated list of options including the
+#			following:
+#
+#			dhcp	     - interface is managed by DHCP
+#			noping	     - icmp echo-request (ping) packets should
+#				       be ignored on this interface
+#			routestopped - When the firewall is stopped, allow
+#				       and route traffic to and from this
+#				       interface.
+#			norfc1918    - This interface should not receive
+#				       any packets whose source is in one
+#				       of the ranges reserved by RFC 1918
+#				       (i.e., private or "non-routable"
+#				       addresses.
+#			multi	     - This interface has multiple IP
+#				       addresses and you want to be able to
+#				       route between them.
+#			routefilter  - turn on kernel route filtering for this
+#				       interface (anti-spoofing measure).
+#
+#	Example 1:	Suppose you have eth0 connected to a DSL modem and
+#			eth1 connected to your local network and that your
+#			local subnet is 192.168.1.0/24. The interface gets
+#			it's IP address via DHCP from subnet
+#			206.191.149.192/27 and you want pings from the internet
+#			to be ignored. You interface a DMZ with subnet
+#			192.168.2.0/24 using eth2. You want to be able to
+#			access the firewall from the local network when the
+#			firewall is stopped.
+#
+#			Your entries for this setup would look like:
+#
+#			net	eth0	206.191.149.223	noping,dhcp
+#			local	eth1	192.168.1.255	routestopped
+#			dmz	eth2	192.168.2.255
+#
+#	Example 2:	The same configuration without specifying broadcast
+#			addresses is:
+#
+#			net	eth0	detect		noping,dhcp
+#			local	eth1	detect		routestopped
+#			dmz	eth2	detect
+#
+#	Example 3:	You have a simple dial-in system with no ethernet
+#			connections and you want to ignore ping requests.
+#
+#			net	ppp0	-		noping
+##############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+net	eth0		detect		norfc1918,routefilter,dhcp
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/one-interface/policy

@@ -0,0 +1,39 @@
+#
+# Shorewall 1.2 -- Policy File
+#
+# /etc/shorewall/policy
+#
+#	This file determines what to do with a new connection request if we
+#	don't get a match from the /etc/shorewall/rules file. For each
+#	client/server pair, the file is processed in order until a match is
+#	found ("all" will match any client or server).
+#
+# Columns are:
+#
+#	CLIENT		Location of client. Must be the name of a zone defined
+#			in /etc/shorewall/zones, "fw" or "all".
+#
+#	SERVER		Location of server. Must be the name of a zone defined
+#			in /etc/shorewall/zones, "fw" or "all"
+#
+#	POLICY		Policy if no match from the rules file is found. Must
+#			be "ACCEPT", "DENY", "REJECT"
+#
+#	LOG LEVEL	If supplied, each connection handled under the default
+#			POLICY is logged at that level. If not supplied, no
+#			log message is generated. See syslog.conf(5) for a
+#			description of log levels.
+#
+#	As shipped, the default policies are:
+#
+#	a) All connections from the local network to the internet are allowed
+#	b) All connections from the network are ignored but logged at syslog
+#	   level KERNEL.INFO.
+#	d) All other connection requests are rejected and logged at level
+#	   KERNEL.INFO.
+###############################################################################
+#CLIENT		SERVER		POLICY		LOG LEVEL
+fw		net		ACCEPT
+net		all		DROP		info
+all		all		REJECT		info
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/one-interface/rules

@@ -0,0 +1,120 @@
+#
+# Shorewall version 1.2 - Rules File
+#
+# /etc/shorewall/rules 
+#
+#	Rules in this file govern connection establishment. Requests and
+#	responses are automatically allowed using connection tracking.
+#
+# Columns are:
+#
+#
+#	RESULT		ACCEPT, DROP or REJECT
+#
+#				ACCEPT -- allow the connection request
+#				DROP   -- ignore the request
+#				REJECT -- disallow the request and return an
+#					  icmp-unreachable packet.
+#
+#			The line may NOT start with $<variable-name>
+#
+#			May optionally be followed by ":" and a syslog log
+#			level (e.g, REJECT:info). This causes the packet to be
+#			logged at the specified level.
+#
+#	SOURCE		Hosts permitted to be clients. May be a zone defined
+#			in /etc/shorewall/zones or "fw" to indicate the
+#			firewall itself.
+#
+#			Clients may be further restricted to a particular
+#			subnet or host by appending ":" and the subnet or host.
+#
+#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
+#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
+#						Internet
+#
+#			Alternatively, clients may be specified by interface
+#			by appending ":" followed by the interface name. For
+#			example, loc:eth1 specifies a client that
+#			communicates with the firewall system through eth1.
+#
+#	DESTINATION	Location of Server. May be a zone defined in
+#			/etc/shorewall/zones or "fw" to indicate the firewall
+#			itself.
+#
+#			The server may be further restricted to a particular
+#			subnet, host or interface by appending ":" and the
+#			subnet, host or interface. See above.
+#
+#			The port that the server is listening on may be
+#			included and separated from the server's IP address by
+#			":". If omitted, the firewall will not modifiy the
+#			destination port.
+#
+#			Example: loc:192.168.1.3:8080 specifies a local
+#			server at IP address 192.168.1.3 and listening on port
+#			8080. The port number MUST be specified as an integer
+#			and not as a name from /etc/services.
+#
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
+#			"all" or "related". If "related", the remainder of the
+#			entry must be omitted and connection requests that are
+#			related to existing requests will be accepted.
+#
+#	PORT(S)		Destination Port. A comma-separated list of Port names
+#			(from /etc/services), port numbers or port ranges;
+#			if the protocol is "icmp", this column is interpreted as
+#			the destination icmp-type. If this column contains the
+#			value "none", the rule is ignored.
+#
+#			This column is ignored if PROTOCOL = all but must be
+#			entered if any of the following fields are supplied.
+#			In that case, it is suggested that this field contain
+#			 "-"
+#
+#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
+#			any source port is acceptable.
+#
+#			If you don't want to restrict client ports but need to
+#			specify an ADDRESS in the next column, then place "-"
+#			in this column.
+#
+#	ADDRESS		(0ptional) If included and different from the IP
+#			address given in the SERVER column, this is an address
+#			on some interface on the firewall and connections to
+#			that address will be forwarded to the IP and port
+#			specified in the SERVER column.
+#
+#			If the special value "all" is used, then requests from
+#			the client zone given in the CLIENT(s) column with the
+#			destination port given in PORT(s) will be forwarded to
+#			the IP address given in SERVER.
+#
+#			The address (or "all") may optionally be followed by
+#			a colon (":") an an IP address. This causes Shorewall
+#			to use the specified IP address as the source address
+#			in forwarded packets. See the Shorewall documentation
+#			for restrictions concerning this feature. If no source
+#			IP address is given, the original source address is not
+#			altered.
+#
+#	Example: Forward all ssh and www connection requests from the internet to
+#		 local system 192.168.1.3
+#
+#	#RESULT SOURCE	DESTINATION	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#	ACCEPT	net	loc:192.168.1.3 tcp	ssh,www	-	       all
+#
+#	Example: Redirect all locally-originating www connection requests to
+#		 port 8080 on the firewall (Squid running on the firewall
+#		 system)
+#
+#	#RESULT SOURCE	DESTINATION PROTO  PORTS(S) CLIENT PORT(S)     ADDRESS
+#	ACCEPT	loc	fw::8080     tcp   www	 -	       all
+##############################################################################
+#RESULT		SOURCE 	  DESTINATION	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#
+# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above
+#
+REJECT		net	  fw		tcp	113
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/one-interface/shorewall.conf

@@ -0,0 +1,153 @@
+##############################################################################
+#  /etc/shorewall/shorewall.conf V1.2 - Change the following variables to
+#  match your setup
+#
+#  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]         
+#
+#  This file should be placed in /etc/shorewall
+#
+#  (c) 1999, 2000, 2001 - Tom Eastep (teastep@evergo.net)  
+##############################################################################
+# Set this to the name of the lock file expected by your init scripts. For
+# RedHat, this should be /var/lock/subsys/firewall. On Debian, it
+# should be /var/state/shorewall. If your init scripts don't use lock files,
+# set -this to "".
+#
+
+SUBSYSLOCK=/var/lock/subsys/shorewall
+
+# This is the directory where the firewall maintains state information while
+# it is running
+#
+
+STATEDIR=/var/lib/firewall
+
+#
+# Set this to "yes" or "Yes" if you want to accept all connection requests
+# that are related to already established connections. For example, you want
+# to accept FTP data connections. If you say "no" here, then to accept
+# these connections between particular zones or hosts, you must include
+# explicit "related" rules in /etc/shorewall/rules.
+#
+
+ALLOWRELATED="yes"
+
+#
+# If your netfilter kernel modules are in a directory other than
+# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
+# directory in this variable. Example: MODULESDIR=/etc/modules.
+
+MODULESDIR=""
+
+#
+# The next two variables can be used to control the amount of log output
+# generated. LOGRATE is expressed as a number followed by an optional
+# `/second',  `/minute', `/hour', or `/day' suffix and specifies the maximum
+# rate at which a particular message will occur. LOGBURST determines the
+# maximum initial burst size that will be logged. If set empty, the default
+# value of 5 will be used.
+#
+# If BOTH variables are set empty then the rate of logging will not be
+# rate-limited.
+#
+
+LOGRATE="10/hour"
+LOGBURST=5
+
+#
+# Enable nat support.
+#
+# You probally want yes here. Only gateways not doing NAT in any form, like
+# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
+#
+NAT_ENABLED="No"
+
+#
+# Enable mangle support.
+#
+# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
+# and will not initialize the mangle table when starting or stopping
+# your firewall.
+#
+MANGLE_ENABLED="Yes"
+
+#
+# Enable IP Forwarding
+#
+# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
+# say "Off" or "off", packet forwarding will be disabled. You would only want
+# to disable packet forwarding if you are installing Shorewall on a
+# standalone system or if you want all traffic through the Shorewall system
+# to be handled by proxies.
+#
+# If you set this variable to "Keep" or "keep", Shorewall will neither
+# enable nor disable packet forwarding.
+#
+IP_FORWARDING="Off"
+
+#
+# Automatically add IP Aliases
+#
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
+# for each NAT external address that you give in /etc/shorewall/nat. If you say
+# "No" or "no", you must add these aliases youself.
+#
+ADD_IP_ALIASES="Yes"
+
+#
+# Automatically add SNAT Aliases
+#
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
+# for each SNAT external address that you give in /etc/shorewall/masq. If you say
+# "No" or "no", you must add these aliases youself.
+#
+ADD_SNAT_ALIASES="No"
+
+#
+# Enable Traffic Shaping
+#
+# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
+# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
+# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
+# you must enable packet mangling above.
+#
+TC_ENABLED="No"
+
+#
+# Blacklisting
+#
+# Set this variable to the action that you want to perform on packets from
+# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
+# DROP is assumed.
+#
+BLACKLIST_DISPOSITION=DROP
+
+#
+# Blacklist Logging
+#
+# Set this variable to the syslogd level that you want blacklist packets logged
+# (beward of DOS attacks resulting from such logging). If not set, no logging
+# of blacklist packets occurs.
+#
+BLACKLIST_LOGLEVEL=
+
+#
+# MSS Clamping
+#
+# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
+# option. This option is most commonly required when your internet
+# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
+#
+# If left blank, or set to "No" or "no", the option is not enabled.
+#
+CLAMPMSS="No"
+
+#
+# Route Filtering
+#
+# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
+# interfaces.
+#
+ROUTE_FILTER="No"
+
+#LAST LINE -- DO NOT REMOVE

Samples/one-interface/zones

@@ -0,0 +1,14 @@
+#
+# Shorewall 1.2 /etc/shorewall/zones
+#
+# This file determines your network zones. Columns are:
+#
+#	ZONE		Short name of the zone
+#	DISPLAY		Display name of the zone
+#	COMMENTS	Comments about the zone
+#
+# $<variable-name> is not permitted in this file.
+#
+#ZONE	DISPLAY		COMMENTS
+net	Net		Internet
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Samples/three-interfaces/common

@@ -0,0 +1,34 @@
+############################################################################
+# Shorewall 1.2 -- /etc/shorewall/common.def
+#
+# This file defines the rules that are applied before a policy of 
+# DROP or REJECT is applied. In addition to the rules defined in this file,
+# the firewall will also define a DROP rule for each subnet broadcast
+# address defined in /etc/shorewall/interfaces (including "detect").
+#
+# Do not modify this file -- if you wish to change these rules, copy this
+# file to /etc/shorewall/common and modify that file.
+#
+run_iptables -A common -p icmp -j icmpdef
+############################################################################
+# accept ACKs and RSTs that aren't related to any session so that the 
+# protocol stack can handle them
+#
+run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
+run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
+############################################################################
+# NETBIOS chatter
+#
+run_iptables -A common -p udp --dport 137:139     -j DROP
+run_iptables -A common -p udp --dport 445         -j DROP
+############################################################################
+# BROADCASTS
+#
+run_iptables -A common -d 255.255.255.255 -j DROP
+run_iptables -A common -d 224.0.0.0/4     -j DROP
+#
+# The following rule is non-standard and compensates for tardy
+# DNS replies
+#
+run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+

Samples/three-interfaces/interfaces

@@ -0,0 +1,81 @@
+#
+# Shorewall 1.2 -- Interfaces File
+#
+# /etc/shorewall/interfaces
+#
+# Columns are:
+#
+#	ZONE		Zone for this interface. Much match the short name
+#			of a zone defined in /etc/shorewall/zones.
+#
+#			$<variable-name> is not allowed in this column.
+#
+#	INTERFACE	Name of interface
+#
+#	BROADCAST	The broadcast address for the subnetwork to which the
+#			interface belongs. For P-T-P interfaces, this
+#			column is left black.
+#
+#			If you use the special value "detect", the firewall
+#			will detect the broadcast address for you. If you
+#			select this option, the interface must be up before
+#			the firewall is started and you must have iproute
+#			installed.
+#			
+#			If you don't want to give a value for this column but
+#			you want to enter a value in the OPTIONS column, enter
+#			"-" in this column.
+#
+#	OPTIONS		A comma-separated list of options including the
+#			following:
+#
+#			dhcp	     - interface is managed by DHCP
+#			noping	     - icmp echo-request (ping) packets should
+#				       be ignored on this interface
+#			routestopped - When the firewall is stopped, allow
+#				       and route traffic to and from this
+#				       interface.
+#			norfc1918    - This interface should not receive
+#				       any packets whose source is in one
+#				       of the ranges reserved by RFC 1918
+#				       (i.e., private or "non-routable"
+#				       addresses.
+#			multi	     - This interface has multiple IP
+#				       addresses and you want to be able to
+#				       route between them.
+#			routefilter  - turn on kernel route filtering for this
+#				       interface (anti-spoofing measure).
+#
+#	Example 1:	Suppose you have eth0 connected to a DSL modem and
+#			eth1 connected to your local network and that your
+#			local subnet is 192.168.1.0/24. The interface gets
+#			it's IP address via DHCP from subnet
+#			206.191.149.192/27 and you want pings from the internet
+#			to be ignored. You interface a DMZ with subnet
+#			192.168.2.0/24 using eth2. You want to be able to
+#			access the firewall from the local network when the
+#			firewall is stopped.
+#
+#			Your entries for this setup would look like:
+#
+#			net	eth0	206.191.149.223	noping,dhcp
+#			local	eth1	192.168.1.255	routestopped
+#			dmz	eth2	192.168.2.255
+#
+#	Example 2:	The same configuration without specifying broadcast
+#			addresses is:
+#
+#			net	eth0	detect		noping,dhcp
+#			local	eth1	detect		routestopped
+#			dmz	eth2	detect
+#
+#	Example 3:	You have a simple dial-in system with no ethernet
+#			connections and you want to ignore ping requests.
+#
+#			net	ppp0	-		noping
+##############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+net     eth0		detect		dhcp,norfc1918,dhcp
+loc	eth1		detect		routestopped
+dmz	eth2		detect		routestopped
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/three-interfaces/masq

@@ -0,0 +1,54 @@
+#
+# Shorewall 1.2 - Masquerade file
+#
+# /etc/shorewall/masq
+#
+# Use this file to define dynamic NAT (Masquerading)
+#
+# Columns are:
+#
+#	INTERFACE -- Outgoing interface. This is usually your internet
+#		     interface. This may be qualified by adding the character
+#                    ":" followed by a destination host or subnet.
+#
+#
+#	SUBNET -- Subnet that you wish to masquerade. You can specify this as
+#		  a subnet or as an interface. If you give the name of an
+#		  interface, you must have iproute installed and the interface
+#		  must be up before you start the firewall.
+#
+#	Example 1:
+#
+#		  You have a simple masquerading setup where eth0 connects to
+#		  a DSL or cable modem and eth1 connects to your local network
+#		  with subnet 192.168.0.0/24.
+#
+#		  Your entry in the file can be either:
+#
+#			eth0	eth1
+#
+#		  or
+#
+#			eth0	192.168.0.0/24
+#
+#	Example 2:
+#
+#		  You add a router to your local network to connect subnet
+#		  192.168.1.0/24 which you also want to masquerade. You then
+#		  add the following entry to this file:
+#
+#			eth0	192.168.1.0/24
+#
+#       Example 3:
+#
+#                 You have an IPSEC tunnel through ipsec0 and you want to
+#                 masquerade packets coming from 192.168.1.0/24 but only if
+#                 these packets are destined for hosts in 10.1.1.0/24:
+#
+#                       ipsec0:10.1.1.0/24      196.168.1.0/24
+#
+##############################################################################
+#INTERFACE	        SUBNET
+eth0			eth1
+eth0			eth2
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/three-interfaces/policy

@@ -0,0 +1,45 @@
+#
+# Shorewall 1.2 -- Policy File
+#
+# /etc/shorewall/policy
+#
+#	This file determines what to do with a new connection request if we
+#	don't get a match from the /etc/seafall/rules file. For each
+#	client/server pair, the file is processed in order until a match is
+#	found ("all" will match any client or server).
+#
+#	$<variable-name> is only permitted in the fourth colunm (LOG LEVEL).
+#
+# Columns are:
+#
+#	SOURCE		Location of client. Must be the name of a zone defined
+#			in /etc/shorewall/zones, "fw" or "all".
+#
+#	DESTINATION	Location of server. Must be the name of a zone defined
+#			in /etc/shorewall/zones, "fw" or "all"
+#
+#	POLICY		Policy if no match from the rules file is found. Must
+#			be "ACCEPT", "DENY", "REJECT"
+#
+#	LOG LEVEL	If supplied, each connection handled under the default
+#			POLICY is logged at that level. If not supplied, no
+#			log message is generated. See syslog.conf(5) for a
+#			description of log levels.
+#
+#	As shipped, the default policies are:
+#
+#	a) All connections from the local network to the internet are allowed
+#	b) All connections from the network are ignored but logged at syslog
+#	   level KERNEL.INFO.
+#	d) All other connection requests are rejected and logged at level
+#	   KERNEL.INFO.
+###############################################################################
+#SOURCE		DESTINATION	POLICY		LOG LEVEL
+loc		net		ACCEPT
+#
+# If you want open access to the internet from your firewall, uncomment the
+# following line
+#fw		net		ACCEPT
+net		all		DROP		info
+all		all		REJECT		info
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE	

Samples/three-interfaces/rules

@@ -0,0 +1,145 @@
+#
+# Shorewall version 1.2 - Rules File
+#
+# /etc/shorewall/rules 
+#
+#	Rules in this file govern connection establishment. Requests and
+#	responses are automatically allowed using connection tracking.
+#
+# Columns are:
+#
+#
+#	RESULT		ACCEPT, DROP or REJECT
+#
+#				ACCEPT -- allow the connection request
+#				DROP   -- ignore the request
+#				REJECT -- disallow the request and return an
+#					  icmp-unreachable packet.
+#
+#			The line may NOT start with $<variable-name>
+#
+#			May optionally be followed by ":" and a syslog log
+#			level (e.g, REJECT:info). This causes the packet to be
+#			logged at the specified level.
+#
+#	SOURCE		Hosts permitted to be clients. May be a zone defined
+#			in /etc/shorewall/zones or "fw" to indicate the
+#			firewall itself.
+#
+#			Clients may be further restricted to a particular
+#			subnet or host by appending ":" and the subnet or host.
+#
+#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
+#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
+#						Internet
+#
+#			Alternatively, clients may be specified by interface
+#			by appending ":" followed by the interface name. For
+#			example, loc:eth1 specifies a client that
+#			communicates with the firewall system through eth1.
+#
+#	DESTINATION	Location of Server. May be a zone defined in
+#			/etc/shorewall/zones or "fw" to indicate the firewall
+#			itself.
+#
+#			The server may be further restricted to a particular
+#			subnet, host or interface by appending ":" and the
+#			subnet, host or interface. See above.
+#
+#			The port that the server is listening on may be
+#			included and separated from the server's IP address by
+#			":". If omitted, the firewall will not modifiy the
+#			destination port.
+#
+#			Example: loc:192.168.1.3:8080 specifies a local
+#			server at IP address 192.168.1.3 and listening on port
+#			8080. The port number MUST be specified as an integer
+#			and not as a name from /etc/services.
+#
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
+#			"all" or "related". If "related", the remainder of the
+#			entry must be omitted and connection requests that are
+#			related to existing requests will be accepted.
+#
+#	PORT(S)		Destination Port. A comma-separated list of Port names
+#			(from /etc/services), port numbers or port ranges;
+#			if the protocol is "icmp", this column is interpreted as
+#			the destination icmp-type. If this column contains the
+#			value "none", the rule is ignored.
+#
+#			This column is ignored if PROTOCOL = all but must be
+#			entered if any of the following fields are supplied.
+#			In that case, it is suggested that this field contain
+#			 "-"
+#
+#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
+#			any source port is acceptable.
+#
+#			If you don't want to restrict client ports but need to
+#			specify an ADDRESS in the next column, then place "-"
+#			in this column.
+#
+#	ADDRESS		(0ptional) If included and different from the IP
+#			address given in the SERVER column, this is an address
+#			on some interface on the firewall and connections to
+#			that address will be forwarded to the IP and port
+#			specified in the SERVER column.
+#
+#			If the special value "all" is used, then requests from
+#			the client zone given in the CLIENT(s) column with the
+#			destination port given in PORT(s) will be forwarded to
+#			the IP address given in SERVER.
+#
+#			The address (or "all") may optionally be followed by
+#			a colon (":") an an IP address. This causes Shorewall
+#			to use the specified IP address as the source address
+#			in forwarded packets. See the Shorewall documentation
+#			for restrictions concerning this feature. If no source
+#			IP address is given, the original source address is not
+#			altered.
+#
+#	Example: Forward all ssh and www connection requests from the internet to
+#		 local system 192.168.1.3
+#
+#	#RESULT CLIENTS	SERVER(S)	  PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#	ACCEPT	net	loc:192.168.1.3 tcp	ssh,www	-	       all
+#
+#	Example: Redirect all locally-originating www connection requests to
+#		 port 8080 on the firewall (Squid running on the firewall
+#		 system)
+#
+#	#RESULT CLIENTS	SERVER(S) PROTO	PORTS(S) CLIENT PORT(S)	ADDRESS
+#	ACCEPT	loc	fw::8080  tcp	www	 -		all
+##############################################################################
+#RESULT	CLIENT(S) SERVER(S)		PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#
+# Accept outgoing DNS connections from the firewall
+#
+ACCEPT	fw	  net			tcp	53
+ACCEPT	fw	  net			udp	53
+#
+# To avoid connection delays, reject AUTH
+#
+REJECT		net	  fw		tcp	113
+#
+# Accept SSH connections from the local network to the firewall and DMZ
+#
+ACCEPT	loc	  fw			tcp	22
+ACCEPT	loc	  dmz			tcp	22
+#
+# DMZ DNS access to the internet
+#
+ACCEPT	dmz       net			tcp	53	
+ACCEPT	dmz	  net			udp	53
+#
+# Make ping work
+#
+ACCEPT		fw	  loc		icmp	8
+ACCEPT		loc	  fw		icmp	8
+ACCEPT		loc	  dmz           icmp    8
+ACCEPT		dmz	  loc		icmp	8
+ACCEPT		dmz	  fw		icmp	8
+ACCEPT		fw	  dmz		icmp	8
+ACCEPT		fw	  net		icmp	8
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/three-interfaces/zones

@@ -0,0 +1,16 @@
+#
+# Shorewall 1.2 /etc/shorewall/zones
+#
+# This file determines your network zones. Columns are:
+#
+#	ZONE		Short name of the zone
+#	DISPLAY		Display name of the zone
+#	COMMENTS	Comments about the zone
+#
+# $<variable-name> is not permitted in this file.
+#
+#ZONE	DISPLAY		COMMENTS
+net	Net		Internet
+loc	Local		Local networks
+dmz	DMZ		Demilitarized Zone
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Samples/two-interfaces/common

@@ -0,0 +1,34 @@
+############################################################################
+# Shorewall 1.2 -- /etc/shorewall/common.def
+#
+# This file defines the rules that are applied before a policy of 
+# DROP or REJECT is applied. In addition to the rules defined in this file,
+# the firewall will also define a DROP rule for each subnet broadcast
+# address defined in /etc/shorewall/interfaces (including "detect").
+#
+# Do not modify this file -- if you wish to change these rules, copy this
+# file to /etc/shorewall/common and modify that file.
+#
+run_iptables -A common -p icmp -j icmpdef
+############################################################################
+# accept ACKs and RSTs that aren't related to any session so that the 
+# protocol stack can handle them
+#
+run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
+run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
+############################################################################
+# NETBIOS chatter
+#
+run_iptables -A common -p udp --dport 137:139     -j DROP
+run_iptables -A common -p udp --dport 445         -j DROP
+############################################################################
+# BROADCASTS
+#
+run_iptables -A common -d 255.255.255.255 -j DROP
+run_iptables -A common -d 224.0.0.0/4     -j DROP
+#
+# The following rule is non-standard and compensates for tardy
+# DNS replies
+#
+run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+

Samples/two-interfaces/interfaces

@@ -0,0 +1,80 @@
+#
+# Shorewall 1.2 -- Interfaces File
+#
+# /etc/shorewall/interfaces
+#
+# Columns are:
+#
+#	ZONE		Zone for this interface. Much match the short name
+#			of a zone defined in /etc/shorewall/zones.
+#
+#			$<variable-name> is not allowed in this column.
+#
+#	INTERFACE	Name of interface
+#
+#	BROADCAST	The broadcast address for the subnetwork to which the
+#			interface belongs. For P-T-P interfaces, this
+#			column is left black.
+#
+#			If you use the special value "detect", the firewall
+#			will detect the broadcast address for you. If you
+#			select this option, the interface must be up before
+#			the firewall is started and you must have iproute
+#			installed.
+#			
+#			If you don't want to give a value for this column but
+#			you want to enter a value in the OPTIONS column, enter
+#			"-" in this column.
+#
+#	OPTIONS		A comma-separated list of options including the
+#			following:
+#
+#			dhcp	     - interface is managed by DHCP
+#			noping	     - icmp echo-request (ping) packets should
+#				       be ignored on this interface
+#			routestopped - When the firewall is stopped, allow
+#				       and route traffic to and from this
+#				       interface.
+#			norfc1918    - This interface should not receive
+#				       any packets whose source is in one
+#				       of the ranges reserved by RFC 1918
+#				       (i.e., private or "non-routable"
+#				       addresses.
+#			multi	     - This interface has multiple IP
+#				       addresses and you want to be able to
+#				       route between them.
+#			routefilter  - turn on kernel route filtering for this
+#				       interface (anti-spoofing measure).
+#
+#	Example 1:	Suppose you have eth0 connected to a DSL modem and
+#			eth1 connected to your local network and that your
+#			local subnet is 192.168.1.0/24. The interface gets
+#			it's IP address via DHCP from subnet
+#			206.191.149.192/27 and you want pings from the internet
+#			to be ignored. You interface a DMZ with subnet
+#			192.168.2.0/24 using eth2. You want to be able to
+#			access the firewall from the local network when the
+#			firewall is stopped.
+#
+#			Your entries for this setup would look like:
+#
+#			net	eth0	206.191.149.223	noping,dhcp
+#			local	eth1	192.168.1.255	routestopped
+#			dmz	eth2	192.168.2.255
+#
+#	Example 2:	The same configuration without specifying broadcast
+#			addresses is:
+#
+#			net	eth0	detect		noping,dhcp
+#			local	eth1	detect		routestopped
+#			dmz	eth2	detect
+#
+#	Example 3:	You have a simple dial-in system with no ethernet
+#			connections and you want to ignore ping requests.
+#
+#			net	ppp0	-		noping
+##############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+net     eth0		detect		dhcp,routefilter,norfc1918
+loc	eth1		detect		routestopped
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/two-interfaces/masq

@@ -0,0 +1,53 @@
+#
+# Shorewall 1.2 - Masquerade file
+#
+# /etc/shorewall/masq
+#
+# Use this file to define dynamic NAT (Masquerading)
+#
+# Columns are:
+#
+#	INTERFACE -- Outgoing interface. This is usually your internet
+#		     interface. This may be qualified by adding the character
+#                    ":" followed by a destination host or subnet.
+#
+#
+#	SUBNET -- Subnet that you wish to masquerade. You can specify this as
+#		  a subnet or as an interface. If you give the name of an
+#		  interface, you must have iproute installed and the interface
+#		  must be up before you start the firewall.
+#
+#	Example 1:
+#
+#		  You have a simple masquerading setup where eth0 connects to
+#		  a DSL or cable modem and eth1 connects to your local network
+#		  with subnet 192.168.0.0/24.
+#
+#		  Your entry in the file can be either:
+#
+#			eth0	eth1
+#
+#		  or
+#
+#			eth0	192.168.0.0/24
+#
+#	Example 2:
+#
+#		  You add a router to your local network to connect subnet
+#		  192.168.1.0/24 which you also want to masquerade. You then
+#		  add the following entry to this file:
+#
+#			eth0	192.168.1.0/24
+#
+#       Example 3:
+#
+#                 You have an IPSEC tunnel through ipsec0 and you want to
+#                 masquerade packets coming from 192.168.1.0/24 but only if
+#                 these packets are destined for hosts in 10.1.1.0/24:
+#
+#                       ipsec0:10.1.1.0/24      196.168.1.0/24
+#
+##############################################################################
+#INTERFACE	        SUBNET
+eth0			eth1
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/two-interfaces/policy

@@ -0,0 +1,45 @@
+#
+# Shorewall 1.2 -- Policy File
+#
+# /etc/shorewall/policy
+#
+#	This file determines what to do with a new connection request if we
+#	don't get a match from the /etc/seafall/rules file. For each
+#	client/server pair, the file is processed in order until a match is
+#	found ("all" will match any client or server).
+#
+#	$<variable-name> is only permitted in the fourth colunm (LOG LEVEL).
+#
+# Columns are:
+#
+#	SOURCE		Location of client. Must be the name of a zone defined
+#			in /etc/shorewall/zones, "fw" or "all".
+#
+#	DESTINATION	Location of server. Must be the name of a zone defined
+#			in /etc/shorewall/zones, "fw" or "all"
+#
+#	POLICY		Policy if no match from the rules file is found. Must
+#			be "ACCEPT", "DENY", "REJECT"
+#
+#	LOG LEVEL	If supplied, each connection handled under the default
+#			POLICY is logged at that level. If not supplied, no
+#			log message is generated. See syslog.conf(5) for a
+#			description of log levels.
+#
+#	As shipped, the default policies are:
+#
+#	a) All connections from the local network to the internet are allowed
+#	b) All connections from the network are ignored but logged at syslog
+#	   level KERNEL.INFO.
+#	d) All other connection requests are rejected and logged at level
+#	   KERNEL.INFO.
+###############################################################################
+#SOURCE		DESTINATION	POLICY		LOG LEVEL
+loc		net		ACCEPT
+#
+# If you want open access to the internet from your firewall, uncomment the
+# following line
+#fw		net		ACCEPT
+net		all		DROP		info
+all		all		REJECT		info
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE	

Samples/two-interfaces/rules

@@ -0,0 +1,136 @@
+#
+# Shorewall version 1.2 - Rules File
+#
+# /etc/shorewall/rules 
+#
+#	Rules in this file govern connection establishment. Requests and
+#	responses are automatically allowed using connection tracking.
+#
+# Columns are:
+#
+#
+#	RESULT		ACCEPT, DROP or REJECT
+#
+#				ACCEPT -- allow the connection request
+#				DROP   -- ignore the request
+#				REJECT -- disallow the request and return an
+#					  icmp-unreachable packet.
+#
+#			The line may NOT start with $<variable-name>
+#
+#			May optionally be followed by ":" and a syslog log
+#			level (e.g, REJECT:info). This causes the packet to be
+#			logged at the specified level.
+#
+#	CLIENT(S)	Hosts permitted to be clients. May be a zone defined
+#			in /etc/shorewall/zones or "fw" to indicate the
+#			firewall itself.
+#
+#			Clients may be further restricted to a particular
+#			subnet or host by appending ":" and the subnet or host.
+#
+#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
+#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
+#						Internet
+#
+#			Alternatively, clients may be specified by interface
+#			by appending ":" followed by the interface name. For
+#			example, loc:eth1 specifies a client that
+#			communicates with the firewall system through eth1.
+#
+#	SERVER		Location of Server. May be a zone defined in
+#			/etc/shorewall/zones or "fw" to indicate the firewall
+#			itself.
+#
+#			The server may be further restricted to a particular
+#			subnet, host or interface by appending ":" and the
+#			subnet, host or interface. See above.
+#
+#			The port that the server is listening on may be
+#			included and separated from the server's IP address by
+#			":". If omitted, the firewall will not modifiy the
+#			destination port.
+#
+#			Example: loc:192.168.1.3:8080 specifies a local
+#			server at IP address 192.168.1.3 and listening on port
+#			8080. The port number MUST be specified as an integer
+#			and not as a name from /etc/services.
+#
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
+#			"all" or "related". If "related", the remainder of the
+#			entry must be omitted and connection requests that are
+#			related to existing requests will be accepted.
+#
+#	PORT(S)		Destination Port. A comma-separated list of Port names
+#			(from /etc/services), port numbers or port ranges;
+#			if the protocol is "icmp", this column is interpreted as
+#			the destination icmp-type. If this column contains the
+#			value "none", the rule is ignored.
+#
+#			This column is ignored if PROTOCOL = all but must be
+#			entered if any of the following fields are supplied.
+#			In that case, it is suggested that this field contain
+#			 "-"
+#
+#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
+#			any source port is acceptable.
+#
+#			If you don't want to restrict client ports but need to
+#			specify an ADDRESS in the next column, then place "-"
+#			in this column.
+#
+#	ADDRESS		(0ptional) If included and different from the IP
+#			address given in the SERVER column, this is an address
+#			on some interface on the firewall and connections to
+#			that address will be forwarded to the IP and port
+#			specified in the SERVER column.
+#
+#			If the special value "all" is used, then requests from
+#			the client zone given in the CLIENT(s) column with the
+#			destination port given in PORT(s) will be forwarded to
+#			the IP address given in SERVER.
+#
+#			The address (or "all") may optionally be followed by
+#			a colon (":") an an IP address. This causes Shorewall
+#			to use the specified IP address as the source address
+#			in forwarded packets. See the Shorewall documentation
+#			for restrictions concerning this feature. If no source
+#			IP address is given, the original source address is not
+#			altered.
+#
+#	Example: Forward all ssh and www connection requests from the internet to
+#		 local system 192.168.1.3
+#
+#	#RESULT CLIENTS	SERVER(S)	  PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#	ACCEPT	net	loc:192.168.1.3 tcp	ssh,www	-	       all
+#
+#	Example: Redirect all locally-originating www connection requests to
+#		 port 8080 on the firewall (Squid running on the firewall
+#		 system)
+#
+#	#RESULT CLIENTS	SERVER(S) PROTO	PORTS(S) CLIENT PORT(S)	ADDRESS
+#	ACCEPT	loc	fw::8080  tcp	www	 -		all
+##############################################################################
+#RESULT		CLIENT(S) SERVER(S)	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#
+#
+# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above
+#
+REJECT		net	  fw		tcp	113
+#
+# Accept DNS connections from the firewall to the network
+#
+ACCEPT		fw	  net		tcp	53
+ACCEPT		net	  net		udp	53
+#
+# Accept SSH connections from the local network for administration
+#
+ACCEPT		loc	  net		tcp	22
+#
+# Make ping work
+#
+ACCEPT		fw	  loc		icmp	8
+ACCEPT		loc	  fw		icmp	8
+ACCEPT		fw	  net		icmp	8
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/two-interfaces/zones

@@ -0,0 +1,15 @@
+#
+# Shorewall 1.2 /etc/shorewall/zones
+#
+# This file determines your network zones. Columns are:
+#
+#	ZONE		Short name of the zone
+#	DISPLAY		Display name of the zone
+#	COMMENTS	Comments about the zone
+#
+# $<variable-name> is not permitted in this file.
+#
+#ZONE	DISPLAY		COMMENTS
+net	Net		Internet
+loc	Local		Local networks
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE