Initial revision

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@86 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Lrp/etc/shorewall/shorewall.conf

@@ -0,0 +1,231 @@
+##############################################################################
+#  /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
+#  match your setup
+#
+#  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]         
+#
+#  This file should be placed in /etc/shorewall
+#
+#  (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+##############################################################################
+#
+# Name of the firewall zone -- if not set or if set to an empty string, "fw"
+# is assumed.
+#
+FW=fw
+
+
+# Set this to the name of the lock file expected by your init scripts. For
+# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
+# should be /var/state/shorewall. If your init scripts don't use lock files,
+# set -this to "".
+#
+
+SUBSYSLOCK=/var/run/shorewall
+
+# This is the directory where the firewall maintains state information while
+# it is running
+#
+
+STATEDIR=/tmp/shorewall
+
+#
+# Set this to "yes" or "Yes" if you want to accept all connection requests
+# that are related to already established connections. For example, you want
+# to accept FTP data connections. If you say "no" here, then to accept
+# these connections between particular zones or hosts, you must include
+# explicit "related" rules in /etc/shorewall/rules.
+#
+
+ALLOWRELATED=yes
+
+#
+# If your netfilter kernel modules are in a directory other than
+# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
+# directory in this variable. Example: MODULESDIR=/etc/modules.
+
+MODULESDIR=
+
+#
+# The next two variables can be used to control the amount of log output
+# generated. LOGRATE is expressed as a number followed by an optional
+# `/second',  `/minute', `/hour', or `/day' suffix and specifies the maximum
+# rate at which a particular message will occur. LOGBURST determines the
+# maximum initial burst size that will be logged. If set empty, the default
+# value of 5 will be used.
+#
+# If BOTH variables are set empty then logging will not be rate-limited.
+#
+
+LOGRATE=
+LOGBURST=
+
+
+#
+# This variable determines the level at which Mangled/Invalid packets are logged
+# under the 'dropunclean' interface option. If you set this variable to an
+# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
+# silently.
+#
+
+LOGUNCLEAN=info
+
+# This variable tells the /sbin/shorewall program where to look for Shorewall
+# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
+# /var/log/messages is assumed.
+#
+# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
+#          look for Shorewall messages.It does NOT control the destination for
+#          these messages. For information about how to do that, see
+#
+#              http://www.shorewall.net/FAQ.htm#faq6
+
+LOGFILE=/var/log/messages
+
+#
+# Enable nat support.
+#
+# You probally want yes here. Only gateways not doing NAT in any form, like
+# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
+#
+NAT_ENABLED=Yes
+
+#
+# Enable mangle support.
+#
+# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
+# and will not initialize the mangle table when starting or stopping
+# your firewall. You must enable mangling if you want Traffic Shaping
+# (see TC_ENABLED below).
+#
+MANGLE_ENABLED=Yes
+
+#
+# Enable IP Forwarding
+#
+# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
+# say "Off" or "off", packet forwarding will be disabled. You would only want
+# to disable packet forwarding if you are installing Shorewall on a
+# standalone system or if you want all traffic through the Shorewall system
+# to be handled by proxies.
+#
+# If you set this variable to "Keep" or "keep", Shorewall will neither
+# enable nor disable packet forwarding.
+#
+IP_FORWARDING=On
+#
+# Automatically add IP Aliases
+#
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
+# for each NAT external address that you give in /etc/shorewall/nat. If you say
+# "No" or "no", you must add these aliases youself.
+#
+ADD_IP_ALIASES=Yes
+
+#
+# Automatically add SNAT Aliases
+#
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
+# for each SNAT external address that you give in /etc/shorewall/masq. If you say
+# "No" or "no", you must add these aliases youself.
+#
+ADD_SNAT_ALIASES=No
+
+#
+# Enable Traffic Shaping
+#
+# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
+# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
+# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
+# you must enable packet mangling above.
+#
+TC_ENABLED=No
+
+#
+# Blacklisting
+#
+# Set this variable to the action that you want to perform on packets from
+# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
+# DROP is assumed.
+#
+BLACKLIST_DISPOSITION=DROP
+
+#
+# Blacklist Logging
+#
+# Set this variable to the syslogd level that you want blacklist packets logged
+# (beward of DOS attacks resulting from such logging). If not set, no logging
+# of blacklist packets occurs.
+#
+BLACKLIST_LOGLEVEL=
+
+#
+# MSS Clamping
+#
+# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
+# option. This option is most commonly required when your internet
+# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
+# have CONFIG_IP_NF_TARGET_TCPMSS set.
+#
+# [From the kernel help:
+#
+#    This option adds a `TCPMSS' target, which allows you to alter the
+#    MSS value of TCP SYN packets, to control the maximum size for that
+#    connection (usually limiting it to your outgoing interface's MTU
+#    minus 40).
+#
+#    This is used to overcome criminally braindead ISPs or servers which
+#    block ICMP Fragmentation Needed packets.  The symptoms of this
+#    problem are that everything works fine from your Linux
+#    firewall/router, but machines behind it can never exchange large
+#    packets:
+#        1) Web browsers connect, then hang with no data received.
+#	 2) Small mail works fine, but large emails hang.
+#	 3) ssh works fine, but scp hangs after initial handshaking.
+# ]
+#
+# If left blank, or set to "No" or "no", the option is not enabled.
+#
+CLAMPMSS=No
+
+#
+# Route Filtering
+#
+# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
+# interfaces (anti-spoofing measure).
+#
+# If this variable is not set or is set to the empty value, "No" is assumed.
+
+ROUTE_FILTER=No
+
+#
+# NAT before RULES
+#
+# Shorewall has traditionally processed static NAT rules before port forwarding
+# rules. If you would like to reverse the order, set this variable to "No".
+#
+# If this variable is not set or is set to the empty value, "Yes" is assumed.
+
+NAT_BEFORE_RULES=Yes
+
+# MULTIPORT
+#
+# If your kernel includes the multiport match option
+# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
+# option is enabled by setting it's value to "Yes" or "yes":
+#
+#	1) If you list more that 15 ports in a comma-seperated list in
+#	   /etc/shorewall/rules, Shorewall will not use the multiport option
+#	   but will generate a separate rule for each element of each port
+#	   list.
+#	2) If you include a port range (<low port>:<high port>) in the
+#	   rule, Shorewall will not use the multiport option but will generate
+#	   a separate rule for each element of each port list.
+#
+# See the /etc/shorewall/rules file for additional information on this option.
+#
+# if this variable is not set or is set to the empty value, "No" is assumed.
+
+MULTIPORT=No
+
+#LAST LINE -- DO NOT REMOVE

Lrp/var/lib/lrpkg/shorwall.list

@@ -0,0 +1,5 @@
+etc/init.d/shorewall
+etc/shorewall
+sbin/shorewall
+var/lib/shorewall
+var/lib/lrpkg/shorwall.*