Initial revision

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/two-interfaces/common

@@ -0,0 +1,34 @@
+############################################################################
+# Shorewall 1.2 -- /etc/shorewall/common.def
+#
+# This file defines the rules that are applied before a policy of 
+# DROP or REJECT is applied. In addition to the rules defined in this file,
+# the firewall will also define a DROP rule for each subnet broadcast
+# address defined in /etc/shorewall/interfaces (including "detect").
+#
+# Do not modify this file -- if you wish to change these rules, copy this
+# file to /etc/shorewall/common and modify that file.
+#
+run_iptables -A common -p icmp -j icmpdef
+############################################################################
+# accept ACKs and RSTs that aren't related to any session so that the 
+# protocol stack can handle them
+#
+run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
+run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
+############################################################################
+# NETBIOS chatter
+#
+run_iptables -A common -p udp --dport 137:139     -j DROP
+run_iptables -A common -p udp --dport 445         -j DROP
+############################################################################
+# BROADCASTS
+#
+run_iptables -A common -d 255.255.255.255 -j DROP
+run_iptables -A common -d 224.0.0.0/4     -j DROP
+#
+# The following rule is non-standard and compensates for tardy
+# DNS replies
+#
+run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+

Samples/two-interfaces/interfaces

@@ -0,0 +1,80 @@
+#
+# Shorewall 1.2 -- Interfaces File
+#
+# /etc/shorewall/interfaces
+#
+# Columns are:
+#
+#	ZONE		Zone for this interface. Much match the short name
+#			of a zone defined in /etc/shorewall/zones.
+#
+#			$<variable-name> is not allowed in this column.
+#
+#	INTERFACE	Name of interface
+#
+#	BROADCAST	The broadcast address for the subnetwork to which the
+#			interface belongs. For P-T-P interfaces, this
+#			column is left black.
+#
+#			If you use the special value "detect", the firewall
+#			will detect the broadcast address for you. If you
+#			select this option, the interface must be up before
+#			the firewall is started and you must have iproute
+#			installed.
+#			
+#			If you don't want to give a value for this column but
+#			you want to enter a value in the OPTIONS column, enter
+#			"-" in this column.
+#
+#	OPTIONS		A comma-separated list of options including the
+#			following:
+#
+#			dhcp	     - interface is managed by DHCP
+#			noping	     - icmp echo-request (ping) packets should
+#				       be ignored on this interface
+#			routestopped - When the firewall is stopped, allow
+#				       and route traffic to and from this
+#				       interface.
+#			norfc1918    - This interface should not receive
+#				       any packets whose source is in one
+#				       of the ranges reserved by RFC 1918
+#				       (i.e., private or "non-routable"
+#				       addresses.
+#			multi	     - This interface has multiple IP
+#				       addresses and you want to be able to
+#				       route between them.
+#			routefilter  - turn on kernel route filtering for this
+#				       interface (anti-spoofing measure).
+#
+#	Example 1:	Suppose you have eth0 connected to a DSL modem and
+#			eth1 connected to your local network and that your
+#			local subnet is 192.168.1.0/24. The interface gets
+#			it's IP address via DHCP from subnet
+#			206.191.149.192/27 and you want pings from the internet
+#			to be ignored. You interface a DMZ with subnet
+#			192.168.2.0/24 using eth2. You want to be able to
+#			access the firewall from the local network when the
+#			firewall is stopped.
+#
+#			Your entries for this setup would look like:
+#
+#			net	eth0	206.191.149.223	noping,dhcp
+#			local	eth1	192.168.1.255	routestopped
+#			dmz	eth2	192.168.2.255
+#
+#	Example 2:	The same configuration without specifying broadcast
+#			addresses is:
+#
+#			net	eth0	detect		noping,dhcp
+#			local	eth1	detect		routestopped
+#			dmz	eth2	detect
+#
+#	Example 3:	You have a simple dial-in system with no ethernet
+#			connections and you want to ignore ping requests.
+#
+#			net	ppp0	-		noping
+##############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+net     eth0		detect		dhcp,routefilter,norfc1918
+loc	eth1		detect		routestopped
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/two-interfaces/masq

@@ -0,0 +1,53 @@
+#
+# Shorewall 1.2 - Masquerade file
+#
+# /etc/shorewall/masq
+#
+# Use this file to define dynamic NAT (Masquerading)
+#
+# Columns are:
+#
+#	INTERFACE -- Outgoing interface. This is usually your internet
+#		     interface. This may be qualified by adding the character
+#                    ":" followed by a destination host or subnet.
+#
+#
+#	SUBNET -- Subnet that you wish to masquerade. You can specify this as
+#		  a subnet or as an interface. If you give the name of an
+#		  interface, you must have iproute installed and the interface
+#		  must be up before you start the firewall.
+#
+#	Example 1:
+#
+#		  You have a simple masquerading setup where eth0 connects to
+#		  a DSL or cable modem and eth1 connects to your local network
+#		  with subnet 192.168.0.0/24.
+#
+#		  Your entry in the file can be either:
+#
+#			eth0	eth1
+#
+#		  or
+#
+#			eth0	192.168.0.0/24
+#
+#	Example 2:
+#
+#		  You add a router to your local network to connect subnet
+#		  192.168.1.0/24 which you also want to masquerade. You then
+#		  add the following entry to this file:
+#
+#			eth0	192.168.1.0/24
+#
+#       Example 3:
+#
+#                 You have an IPSEC tunnel through ipsec0 and you want to
+#                 masquerade packets coming from 192.168.1.0/24 but only if
+#                 these packets are destined for hosts in 10.1.1.0/24:
+#
+#                       ipsec0:10.1.1.0/24      196.168.1.0/24
+#
+##############################################################################
+#INTERFACE	        SUBNET
+eth0			eth1
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/two-interfaces/policy

@@ -0,0 +1,45 @@
+#
+# Shorewall 1.2 -- Policy File
+#
+# /etc/shorewall/policy
+#
+#	This file determines what to do with a new connection request if we
+#	don't get a match from the /etc/seafall/rules file. For each
+#	client/server pair, the file is processed in order until a match is
+#	found ("all" will match any client or server).
+#
+#	$<variable-name> is only permitted in the fourth colunm (LOG LEVEL).
+#
+# Columns are:
+#
+#	SOURCE		Location of client. Must be the name of a zone defined
+#			in /etc/shorewall/zones, "fw" or "all".
+#
+#	DESTINATION	Location of server. Must be the name of a zone defined
+#			in /etc/shorewall/zones, "fw" or "all"
+#
+#	POLICY		Policy if no match from the rules file is found. Must
+#			be "ACCEPT", "DENY", "REJECT"
+#
+#	LOG LEVEL	If supplied, each connection handled under the default
+#			POLICY is logged at that level. If not supplied, no
+#			log message is generated. See syslog.conf(5) for a
+#			description of log levels.
+#
+#	As shipped, the default policies are:
+#
+#	a) All connections from the local network to the internet are allowed
+#	b) All connections from the network are ignored but logged at syslog
+#	   level KERNEL.INFO.
+#	d) All other connection requests are rejected and logged at level
+#	   KERNEL.INFO.
+###############################################################################
+#SOURCE		DESTINATION	POLICY		LOG LEVEL
+loc		net		ACCEPT
+#
+# If you want open access to the internet from your firewall, uncomment the
+# following line
+#fw		net		ACCEPT
+net		all		DROP		info
+all		all		REJECT		info
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE	

Samples/two-interfaces/rules

@@ -0,0 +1,136 @@
+#
+# Shorewall version 1.2 - Rules File
+#
+# /etc/shorewall/rules 
+#
+#	Rules in this file govern connection establishment. Requests and
+#	responses are automatically allowed using connection tracking.
+#
+# Columns are:
+#
+#
+#	RESULT		ACCEPT, DROP or REJECT
+#
+#				ACCEPT -- allow the connection request
+#				DROP   -- ignore the request
+#				REJECT -- disallow the request and return an
+#					  icmp-unreachable packet.
+#
+#			The line may NOT start with $<variable-name>
+#
+#			May optionally be followed by ":" and a syslog log
+#			level (e.g, REJECT:info). This causes the packet to be
+#			logged at the specified level.
+#
+#	CLIENT(S)	Hosts permitted to be clients. May be a zone defined
+#			in /etc/shorewall/zones or "fw" to indicate the
+#			firewall itself.
+#
+#			Clients may be further restricted to a particular
+#			subnet or host by appending ":" and the subnet or host.
+#
+#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
+#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
+#						Internet
+#
+#			Alternatively, clients may be specified by interface
+#			by appending ":" followed by the interface name. For
+#			example, loc:eth1 specifies a client that
+#			communicates with the firewall system through eth1.
+#
+#	SERVER		Location of Server. May be a zone defined in
+#			/etc/shorewall/zones or "fw" to indicate the firewall
+#			itself.
+#
+#			The server may be further restricted to a particular
+#			subnet, host or interface by appending ":" and the
+#			subnet, host or interface. See above.
+#
+#			The port that the server is listening on may be
+#			included and separated from the server's IP address by
+#			":". If omitted, the firewall will not modifiy the
+#			destination port.
+#
+#			Example: loc:192.168.1.3:8080 specifies a local
+#			server at IP address 192.168.1.3 and listening on port
+#			8080. The port number MUST be specified as an integer
+#			and not as a name from /etc/services.
+#
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
+#			"all" or "related". If "related", the remainder of the
+#			entry must be omitted and connection requests that are
+#			related to existing requests will be accepted.
+#
+#	PORT(S)		Destination Port. A comma-separated list of Port names
+#			(from /etc/services), port numbers or port ranges;
+#			if the protocol is "icmp", this column is interpreted as
+#			the destination icmp-type. If this column contains the
+#			value "none", the rule is ignored.
+#
+#			This column is ignored if PROTOCOL = all but must be
+#			entered if any of the following fields are supplied.
+#			In that case, it is suggested that this field contain
+#			 "-"
+#
+#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
+#			any source port is acceptable.
+#
+#			If you don't want to restrict client ports but need to
+#			specify an ADDRESS in the next column, then place "-"
+#			in this column.
+#
+#	ADDRESS		(0ptional) If included and different from the IP
+#			address given in the SERVER column, this is an address
+#			on some interface on the firewall and connections to
+#			that address will be forwarded to the IP and port
+#			specified in the SERVER column.
+#
+#			If the special value "all" is used, then requests from
+#			the client zone given in the CLIENT(s) column with the
+#			destination port given in PORT(s) will be forwarded to
+#			the IP address given in SERVER.
+#
+#			The address (or "all") may optionally be followed by
+#			a colon (":") an an IP address. This causes Shorewall
+#			to use the specified IP address as the source address
+#			in forwarded packets. See the Shorewall documentation
+#			for restrictions concerning this feature. If no source
+#			IP address is given, the original source address is not
+#			altered.
+#
+#	Example: Forward all ssh and www connection requests from the internet to
+#		 local system 192.168.1.3
+#
+#	#RESULT CLIENTS	SERVER(S)	  PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#	ACCEPT	net	loc:192.168.1.3 tcp	ssh,www	-	       all
+#
+#	Example: Redirect all locally-originating www connection requests to
+#		 port 8080 on the firewall (Squid running on the firewall
+#		 system)
+#
+#	#RESULT CLIENTS	SERVER(S) PROTO	PORTS(S) CLIENT PORT(S)	ADDRESS
+#	ACCEPT	loc	fw::8080  tcp	www	 -		all
+##############################################################################
+#RESULT		CLIENT(S) SERVER(S)	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#
+#
+# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above
+#
+REJECT		net	  fw		tcp	113
+#
+# Accept DNS connections from the firewall to the network
+#
+ACCEPT		fw	  net		tcp	53
+ACCEPT		net	  net		udp	53
+#
+# Accept SSH connections from the local network for administration
+#
+ACCEPT		loc	  net		tcp	22
+#
+# Make ping work
+#
+ACCEPT		fw	  loc		icmp	8
+ACCEPT		loc	  fw		icmp	8
+ACCEPT		fw	  net		icmp	8
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/two-interfaces/zones

@@ -0,0 +1,15 @@
+#
+# Shorewall 1.2 /etc/shorewall/zones
+#
+# This file determines your network zones. Columns are:
+#
+#	ZONE		Short name of the zone
+#	DISPLAY		Display name of the zone
+#	COMMENTS	Comments about the zone
+#
+# $<variable-name> is not permitted in this file.
+#
+#ZONE	DISPLAY		COMMENTS
+net	Net		Internet
+loc	Local		Local networks
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE