mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-26 17:43:15 +01:00
more samples...for 2.6..
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2533 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
756f156166
commit
c6b6864834
@ -1,32 +1,33 @@
|
||||
#
|
||||
# Shorewall 2.0 -- Sample Interface File For Three Interfaces
|
||||
#
|
||||
# /etc/shorewall/interfaces
|
||||
# Shorewall version 2.6 - Interfaces File
|
||||
#
|
||||
# /etc/shorewall/interfaces
|
||||
#
|
||||
# You must add an entry in this file for each network interface on your
|
||||
# firewall system.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ZONE
|
||||
# Zone for this interface. Must match the short name
|
||||
# ZONE Zone for this interface. Must match the short name
|
||||
# of a zone defined in /etc/shorewall/zones.
|
||||
#
|
||||
# If the interface serves multiple zones that will be
|
||||
# defined in the /etc/shorewall/hosts file, you should
|
||||
# place "-" in this column.
|
||||
#
|
||||
# INTERFACE
|
||||
# Name of interface. Each interface may be listed only
|
||||
# INTERFACE Name of interface. Each interface may be listed only
|
||||
# once in this file. You may NOT specify the name of
|
||||
# an alias (e.g., eth0:0) here; see
|
||||
# http://www.shorewall.net/FAQ.htm#faq18
|
||||
#
|
||||
# There is no need to define the loopback interface (lo)
|
||||
# You may specify wildcards here. For example, if you
|
||||
# want to make an entry that applies to all PPP
|
||||
# interfaces, use 'ppp+'.
|
||||
#
|
||||
# There is no need to define the loopback interface (lo)
|
||||
# in this file.
|
||||
#
|
||||
# BROADCAST
|
||||
# The broadcast address for the subnetwork to which the
|
||||
# BROADCAST The broadcast address for the subnetwork to which the
|
||||
# interface belongs. For P-T-P interfaces, this
|
||||
# column is left blank.If the interface has multiple
|
||||
# addresses on multiple subnets then list the broadcast
|
||||
@ -36,156 +37,207 @@
|
||||
# will detect the broadcast address for you. If you
|
||||
# select this option, the interface must be up before
|
||||
# the firewall is started, you must have iproute
|
||||
# installed and the interface must only be associated
|
||||
# with a single subnet.
|
||||
#
|
||||
# installed.
|
||||
#
|
||||
# If you don't want to give a value for this column but
|
||||
# you want to enter a value in the OPTIONS column, enter
|
||||
# "-" in this column.
|
||||
#
|
||||
# OPTIONS
|
||||
# A comma-separated list of options including the
|
||||
# OPTIONS A comma-separated list of options including the
|
||||
# following:
|
||||
#
|
||||
# dhcp
|
||||
# Interface is managed by DHCP or used by
|
||||
# a DHCP server running on the firewall or
|
||||
# you have a static IP but are on a LAN
|
||||
# segment with lots of Laptop DHCP clients.
|
||||
# norfc1918
|
||||
# This interface should not receive
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by RFC 1918
|
||||
# (i.e., private or "non-routable"
|
||||
# addresses. If packet mangling is
|
||||
# enabled in shorewall.conf, packets
|
||||
# whose destination addresses are
|
||||
# reserved by RFC 1918 are also rejected.
|
||||
# nobogons
|
||||
# This interface should not receive
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by IANA (this
|
||||
# option does not cover those ranges
|
||||
# reserved by RFC 1918 -- see above).
|
||||
# dhcp - Specify this option when any of
|
||||
# the following are true:
|
||||
# 1. the interface gets its IP address
|
||||
# via DHCP
|
||||
# 2. the interface is used by
|
||||
# a DHCP server running on the firewall
|
||||
# 3. you have a static IP but are on a LAN
|
||||
# segment with lots of Laptop DHCP
|
||||
# clients.
|
||||
# 4. the interface is a bridge with
|
||||
# a DHCP server on one port and DHCP
|
||||
# clients on another port.
|
||||
#
|
||||
# I PERSONALLY RECOMMEND AGAINST USING
|
||||
# THE 'nobogons' OPTION.
|
||||
# routefilter
|
||||
# Turn on kernel route filtering for this
|
||||
# interface (anti-spoofing measure). This
|
||||
# option can also be enabled globally in
|
||||
# the /etc/shorewall/shorewall.conf file.
|
||||
# blacklist
|
||||
# Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
# logmartians
|
||||
# Turn on kernel martian logging (logging
|
||||
# of packets with impossible source
|
||||
# addresses. It is suggested that if you
|
||||
# set routefilter on an interface that
|
||||
# you also set logmartians. This option
|
||||
# may also be enabled globally in the
|
||||
# /etc/shorewall/shorewall.conf file.
|
||||
# maclist
|
||||
# Connection requests from this interface
|
||||
# are compared against the contents of
|
||||
# /etc/shorewall/maclist. If this option
|
||||
# is specified, the interface must be
|
||||
# an ethernet NIC and must be up before
|
||||
# Shorewall is started.
|
||||
# tcpflags
|
||||
# Packets arriving on this interface are
|
||||
# checked for certain illegal combinations
|
||||
# of TCP flags. Packets found to have
|
||||
# such a combination of flags are handled
|
||||
# according to the setting of
|
||||
# TCP_FLAGS_DISPOSITION after having been
|
||||
# logged according to the setting of
|
||||
# TCP_FLAGS_LOG_LEVEL.
|
||||
# proxyarp
|
||||
# Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||
# norfc1918 - This interface should not receive
|
||||
# any packets whose source is in one
|
||||
# of the ranges reserved by RFC 1918
|
||||
# (i.e., private or "non-routable"
|
||||
# addresses. If packet mangling or
|
||||
# connection-tracking match is enabled in
|
||||
# your kernel, packets whose destination
|
||||
# addresses are reserved by RFC 1918 are
|
||||
# also rejected.
|
||||
#
|
||||
# routefilter - turn on kernel route filtering for this
|
||||
# interface (anti-spoofing measure). This
|
||||
# option can also be enabled globally in
|
||||
# the /etc/shorewall/shorewall.conf file.
|
||||
#
|
||||
# logmartians - turn on kernel martian logging (logging
|
||||
# of packets with impossible source
|
||||
# addresses. It is suggested that if you
|
||||
# set routefilter on an interface that
|
||||
# you also set logmartians. This option
|
||||
# may also be enabled globally in the
|
||||
# /etc/shorewall/shorewall.conf file.
|
||||
#
|
||||
# blacklist - Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
#
|
||||
# maclist - Connection requests from this interface
|
||||
# are compared against the contents of
|
||||
# /etc/shorewall/maclist. If this option
|
||||
# is specified, the interface must be
|
||||
# an ethernet NIC and must be up before
|
||||
# Shorewall is started.
|
||||
#
|
||||
# tcpflags - Packets arriving on this interface are
|
||||
# checked for certain illegal combinations
|
||||
# of TCP flags. Packets found to have
|
||||
# such a combination of flags are handled
|
||||
# according to the setting of
|
||||
# TCP_FLAGS_DISPOSITION after having been
|
||||
# logged according to the setting of
|
||||
# TCP_FLAGS_LOG_LEVEL.
|
||||
#
|
||||
# proxyarp -
|
||||
# Sets
|
||||
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
||||
# Do NOT use this option if you are
|
||||
# employing Proxy ARP through entries in
|
||||
# /etc/shorewall/proxyarp. This option is
|
||||
# intended soley for use with Proxy ARP
|
||||
# sub-networking as described at:
|
||||
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
||||
# netnotsyn
|
||||
# TCP packets that don't have the SYN flag set and
|
||||
# which are not part of an established connection
|
||||
# will be accepted from this interface, even if
|
||||
# NEWNOTSYN=No has been specified in
|
||||
# /etc/shorewall/shorewall.conf. In other
|
||||
# words, packets coming in on this interface
|
||||
# are processed as if NEWNOTSYN=Yes had been
|
||||
# specified in /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# This option has no effect if NEWNOTSYN=Yes.
|
||||
# newnotsyn - TCP packets that don't have the SYN
|
||||
# flag set and which are not part of an
|
||||
# established connection will be accepted
|
||||
# from this interface, even if
|
||||
# NEWNOTSYN=No has been specified in
|
||||
# /etc/shorewall/shorewall.conf. In other
|
||||
# words, packets coming in on this
|
||||
# interface are processed as if
|
||||
# NEWNOTSYN=Yes had been specified in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# It is the opinion of the author that
|
||||
# NEWNOTSYN=No creates more problems than
|
||||
# it solves and I recommend against using
|
||||
# that setting in shorewall.conf (hence
|
||||
# making the use of the 'newnotsyn'
|
||||
# interface option unnecessary).
|
||||
# routeback
|
||||
# If specified, indicates that Shorewall
|
||||
# should include rules that allow filtering
|
||||
# traffic arriving on this interface back
|
||||
# out that same interface.
|
||||
# arp_filter
|
||||
# If specified, this interface will only respond
|
||||
# to ARP who-has requests for IP addresses
|
||||
# configured on the interface. If not specified,
|
||||
# the interface can respond to ARP who-has requests
|
||||
# for IP addresses on any of the firewall's interface.
|
||||
# The interface must be up when shorewall is started.
|
||||
# nosmurfs
|
||||
# Filter packets for smurfs (packets with a broadcast
|
||||
# address as the source).
|
||||
# This option has no effect if
|
||||
# NEWNOTSYN=Yes.
|
||||
#
|
||||
# Smurfs will be optionally logged based on the setting
|
||||
# of SMURF_LOG_LEVEL in shorewall.conf. After logging,
|
||||
# the packets are dropped.
|
||||
# detectnets
|
||||
# Automatically taylors the zone named in the ZONE column
|
||||
# to include only those hosts routed through the interface.
|
||||
# It is the opinion of the author that
|
||||
# NEWNOTSYN=No creates more problems than
|
||||
# it solves and I recommend against using
|
||||
# that setting in shorewall.conf (hence
|
||||
# making the use of the 'newnotsyn'
|
||||
# interface option unnecessary).
|
||||
#
|
||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE!
|
||||
# routeback - If specified, indicates that Shorewall
|
||||
# should include rules that allow
|
||||
# filtering traffic arriving on this
|
||||
# interface back out that same interface.
|
||||
#
|
||||
# The order in which you list the options is not
|
||||
# significant but the list should have no embedded white
|
||||
# space.
|
||||
# arp_filter - If specified, this interface will only
|
||||
# respond to ARP who-has requests for IP
|
||||
# addresses configured on the interface.
|
||||
# If not specified, the interface can
|
||||
# respond to ARP who-has requests for
|
||||
# IP addresses on any of the firewall's
|
||||
# interface. The interface must be up
|
||||
# when Shorewall is started.
|
||||
#
|
||||
# Example 1:
|
||||
# Suppose you have eth0 connected to a DSL modem,
|
||||
# eth1 connected to your local network and eth2
|
||||
# connected to your dmz. Assuming that your local
|
||||
# subnet is 192.168.1.0/24 and your dmz subnet is
|
||||
# 192.168.2.0/24 . The eth0 interface gets
|
||||
# arp_ignore[=<number>]
|
||||
# - If specified, this interface will
|
||||
# respond to arp requests based on the
|
||||
# value of <number>.
|
||||
#
|
||||
# 1 - reply only if the target IP address
|
||||
# is local address configured on the
|
||||
# incoming interface
|
||||
#
|
||||
# 2 - reply only if the target IP address
|
||||
# is local address configured on the
|
||||
# incoming interface and both with the
|
||||
# sender's IP address are part from same
|
||||
# subnet on this interface
|
||||
#
|
||||
# 3 - do not reply for local addresses
|
||||
# configured with scope host, only
|
||||
# resolutions for global and link
|
||||
# addresses are replied
|
||||
#
|
||||
# 4-7 - reserved
|
||||
#
|
||||
# 8 - do not reply for all local
|
||||
# addresses
|
||||
#
|
||||
# If no <number> is given then the value
|
||||
# 1 is assumed
|
||||
#
|
||||
# WARNING -- DO NOT SPECIFY arp_ignore
|
||||
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
|
||||
#
|
||||
# nosmurfs - Filter packets for smurfs
|
||||
# (packets with a broadcast
|
||||
# address as the source).
|
||||
#
|
||||
# Smurfs will be optionally logged based
|
||||
# on the setting of SMURF_LOG_LEVEL in
|
||||
# shorewall.conf. After logging, the
|
||||
# packets are dropped.
|
||||
#
|
||||
# detectnets - Automatically taylors the zone named
|
||||
# in the ZONE column to include only those
|
||||
# hosts routed through the interface.
|
||||
#
|
||||
# upnp - Incoming requests from this interface
|
||||
# may be remapped via UPNP (upnpd).
|
||||
#
|
||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
||||
# INTERNET INTERFACE.
|
||||
#
|
||||
# The order in which you list the options is not
|
||||
# significant but the list should have no embedded white
|
||||
# space.
|
||||
#
|
||||
# GATEWAY This column is only meaningful if the 'default' OPTION
|
||||
# is given -- it is ignored otherwise. You may specify
|
||||
# the default gateway IP address for this interface here
|
||||
# and Shorewall will use that IP address rather than any
|
||||
# that it finds in the main routing table.
|
||||
#
|
||||
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
||||
# eth1 connected to your local network and that your
|
||||
# local subnet is 192.168.1.0/24. The interface gets
|
||||
# it's IP address via DHCP from subnet
|
||||
# 206.191.149.192/27.
|
||||
# 206.191.149.192/27. You have a DMZ with subnet
|
||||
# 192.168.2.0/24 using eth2.
|
||||
#
|
||||
# Your entries for this setup would look like:
|
||||
#
|
||||
# #ZONE INTERFACE BROADCAST OPTIONS
|
||||
# net eth0 206.191.149.223 dhcp
|
||||
# local eth1 192.168.1.255
|
||||
# dmz eth2 192.168.2.255
|
||||
# net eth0 206.191.149.223 dhcp
|
||||
# local eth1 192.168.1.255
|
||||
# dmz eth2 192.168.2.255
|
||||
#
|
||||
# Example 2:
|
||||
# The same configuration without specifying broadcast
|
||||
# Example 2: The same configuration without specifying broadcast
|
||||
# addresses is:
|
||||
#
|
||||
# #ZONE INTERFACE BROADCAST OPTIONS
|
||||
# net eth0 detect dhcp
|
||||
# loc eth1 detect
|
||||
# dmz eth2 detect
|
||||
# net eth0 detect dhcp
|
||||
# loc eth1 detect
|
||||
# dmz eth2 detect
|
||||
#
|
||||
##############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,routefilter,norfc1918
|
||||
loc eth1 detect
|
||||
dmz eth2 detect
|
||||
# Example 3: You have a simple dial-in system with no ethernet
|
||||
# connections.
|
||||
#
|
||||
# net ppp0 -
|
||||
#
|
||||
# For additional information, see
|
||||
# http://shorewall.net/Documentation.htm#Interfaces
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
|
||||
net eth0 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
|
||||
loc eth1 detect tcpflags,detectnets,nosmurfs
|
||||
dmz eth2 detect
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,12 +1,12 @@
|
||||
#
|
||||
# Shorewall version 2.2 -- Sample Rules File For Three Interfaces
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
# Shorewall version 2.6 - Rules File
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
# Rules in this file govern connection establishment. Requests and
|
||||
# responses are automatically allowed using connection tracking. For any
|
||||
# particular (source,dest) pair of zones, the rules are evaluated in the
|
||||
# order in which they appear in this file and the first mactch is the one
|
||||
# order in which they appear in this file and the first match is the one
|
||||
# that determines the disposition of the request.
|
||||
#
|
||||
# In most places where an IP address or subnet is allowed, you
|
||||
@ -14,75 +14,73 @@
|
||||
# indicate that the rule matches all addresses except the address/subnet
|
||||
# given. Notice that no white space is permitted between "!" and the
|
||||
# address/subnet.
|
||||
#
|
||||
# WARNING: If you masquerade or use SNAT from a local system to the internet.
|
||||
# you cannot use an ACCEPT rule to allow traffic from the internet to
|
||||
# that system. You "must" use a DNAT rule instead.
|
||||
#
|
||||
#------------------------------------------------------------------------------
|
||||
# WARNING: If you masquerade or use SNAT from a local system to the internet,
|
||||
# you cannot use an ACCEPT rule to allow traffic from the internet to
|
||||
# that system. You *must* use a DNAT rule instead.
|
||||
#------------------------------------------------------------------------------
|
||||
# Columns are:
|
||||
#
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
||||
# LOG, QUEUE or an <action>.
|
||||
#
|
||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
|
||||
# REDIRECT-, CONTINUE, LOG, QUEUE or an <action>.
|
||||
#
|
||||
# ACCEPT
|
||||
# Allow the connection request.
|
||||
# ACCEPT+
|
||||
# Like ACCEPT but also excludes the
|
||||
# connection from any subsequent
|
||||
# DNAT[-] or REDIRECT[-] rules
|
||||
# NONAT
|
||||
# Excludes the connection from any
|
||||
# subsequent DNAT[-] or REDIRECT[-]
|
||||
# rules but doesn't generate a rule
|
||||
# to accept the traffic.
|
||||
# DROP
|
||||
# Ignore the request.
|
||||
# REJECT
|
||||
# Disallow the request and return an
|
||||
# icmp-unreachable or an RST packet.
|
||||
# DNAT
|
||||
# Forward the request to another
|
||||
# system (and optionally another
|
||||
# port).
|
||||
# DNAT-
|
||||
# Advanced users only.
|
||||
# Like DNAT but only generates the
|
||||
# DNAT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
# REDIRECT
|
||||
# Redirect the request to a local
|
||||
# port on the firewall.
|
||||
# ACCEPT -- allow the connection request
|
||||
# ACCEPT+ -- like ACCEPT but also excludes the
|
||||
# connection from any subsequent
|
||||
# DNAT[-] or REDIRECT[-] rules
|
||||
# NONAT -- Excludes the connection from any
|
||||
# subsequent DNAT[-] or REDIRECT[-]
|
||||
# rules but doesn't generate a rule
|
||||
# to accept the traffic.
|
||||
# DROP -- ignore the request
|
||||
# REJECT -- disallow the request and return an
|
||||
# icmp-unreachable or an RST packet.
|
||||
# DNAT -- Forward the request to another
|
||||
# system (and optionally another
|
||||
# port).
|
||||
# DNAT- -- Advanced users only.
|
||||
# Like DNAT but only generates the
|
||||
# DNAT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
# SAME -- Similar to DNAT except that the
|
||||
# port may not be remapped and when
|
||||
# multiple server addresses are
|
||||
# listed, all requests from a given
|
||||
# remote system go to the same
|
||||
# server.
|
||||
# SAME- -- Advanced users only.
|
||||
# Like SAME but only generates the
|
||||
# NAT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
# REDIRECT -- Redirect the request to a local
|
||||
# port on the firewall.
|
||||
# REDIRECT-
|
||||
# Advanced users only.
|
||||
# Like REDIRECT but only generates the
|
||||
# REDIRECT iptables rules and not the
|
||||
# companion ACCEPT rule.
|
||||
# CONTINUE
|
||||
# (For experts only). Do Not Process
|
||||
# any of the following rules for this
|
||||
# (source zone,destination zone). If
|
||||
# the source and/or destination IP
|
||||
# address falls into a zone defined
|
||||
# later in /etc/shorewall/zones, this
|
||||
# connection request will be passed
|
||||
# to the rules defined for that
|
||||
# (those) zones(s).
|
||||
# LOG
|
||||
# Simply log the packet and continue.
|
||||
# QUEUE
|
||||
# Queue the packet to a user-space
|
||||
# application such as ftwall.
|
||||
# (http://p2pwall.sf.net).
|
||||
# <action>
|
||||
# The name of an action defined in
|
||||
# /etc/shorewall/actions or in
|
||||
# /usr/share/shorewall/actions.std.
|
||||
# -- Advanced users only.
|
||||
# Like REDIRET but only generates the
|
||||
# REDIRECT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
#
|
||||
# The ACTION may optionally be followed by ":" and a syslog log
|
||||
# level (e.g, REJECT:info or DNAT:debug). This causes the packet
|
||||
# to be logged at the specified level.
|
||||
# CONTINUE -- (For experts only). Do not process
|
||||
# any of the following rules for this
|
||||
# (source zone,destination zone). If
|
||||
# The source and/or destination IP
|
||||
# address falls into a zone defined
|
||||
# later in /etc/shorewall/zones, this
|
||||
# connection request will be passed
|
||||
# to the rules defined for that
|
||||
# (those) zone(s).
|
||||
# LOG -- Simply log the packet and continue.
|
||||
# QUEUE -- Queue the packet to a user-space
|
||||
# application such as ftwall
|
||||
# (http://p2pwall.sf.net).
|
||||
# <action> -- The name of an action defined in
|
||||
# /etc/shorewall/actions or in
|
||||
# /usr/share/shorewall/actions.std.
|
||||
#
|
||||
# The ACTION may optionally be followed
|
||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||
# DNAT:debug). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# If the ACTION names an action defined in
|
||||
# /etc/shorewall/actions or in
|
||||
@ -98,9 +96,9 @@
|
||||
# - The special log level 'none!' suppresses logging
|
||||
# by the action.
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level. This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd.
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level.This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd
|
||||
# (http://www.gnumonks.org/projects/ulogd).
|
||||
#
|
||||
# Actions specifying logging may be followed by a
|
||||
@ -114,17 +112,21 @@
|
||||
#
|
||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
||||
# firewall itself, or "all" If the ACTION is DNAT or
|
||||
# REDIRECT, sub-zones of the specified zone may be
|
||||
# excluded from the rule by following the zone name with
|
||||
# "!' and a comma-separated list of sub-zone names.
|
||||
# firewall itself, "all", "all+" or "none" If the ACTION
|
||||
# is DNAT or REDIRECT, sub-zones of the specified zone
|
||||
# may be excluded from the rule by following the zone
|
||||
# name with "!' and a comma-separated list of sub-zone
|
||||
# names.
|
||||
#
|
||||
# When "none" is used either in the SOURCE or DEST
|
||||
# column, the rule is ignored.
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. You must add
|
||||
# separate rules to handle that traffic.
|
||||
# intra-zone traffic is not affected. When "all+" is
|
||||
# used, intra-zone traffic is affected.
|
||||
#
|
||||
# Except when "all" is specified, clients may be further
|
||||
# restricted to a list of subnets and/or hosts by
|
||||
# Except when "all[+]" is specified, clients may be
|
||||
# further restricted to a list of subnets and/or hosts by
|
||||
# appending ":" and a comma-separated list of subnets
|
||||
# and/or hosts. Hosts may be specified by IP or MAC
|
||||
# address; mac addresses must begin with "~" and must use
|
||||
@ -133,22 +135,22 @@
|
||||
# Hosts may be specified as an IP address range using the
|
||||
# syntax <low address>-<high address>. This requires that
|
||||
# your kernel and iptables contain iprange match support.
|
||||
# If you kernel and iptables have ipset match support
|
||||
# then you may give the name of an ipset prefaced by "+".
|
||||
# The ipset name may be optionally followed by a number
|
||||
# from 1 to 6 enclosed in square brackets ([]) to
|
||||
# indicate the number of levels of source bindings to be
|
||||
# matched.
|
||||
#
|
||||
# Some Examples:
|
||||
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||
#
|
||||
# net:155.186.235.1
|
||||
# Host 155.186.235.1 on the Internet
|
||||
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
||||
# Internet
|
||||
#
|
||||
# loc:192.168.1.0/24
|
||||
# Subnet 192.168.1.0/24 on the
|
||||
# Local Network
|
||||
#
|
||||
# net:155.186.235.1,155.186.235.2
|
||||
# Hosts 155.186.235.1 and
|
||||
# 155.186.235.2 on the Internet.
|
||||
#
|
||||
# loc:~00-A0-C9-15-39-78
|
||||
# Host on the Local Network with
|
||||
# loc:192.168.1.1,192.168.1.2
|
||||
# Hosts 192.168.1.1 and
|
||||
# 192.168.1.2 in the local zone.
|
||||
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||
# MAC address 00:A0:C9:15:39:78.
|
||||
#
|
||||
# net:192.0.2.11-192.0.2.17
|
||||
@ -157,69 +159,78 @@
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
# by appending ":" to the zone name followed by the
|
||||
# interface name. For example, net:eth0 specifies a
|
||||
# interface name. For example, loc:eth1 specifies a
|
||||
# client that communicates with the firewall system
|
||||
# through eth0. This may be optionally followed by
|
||||
# through eth1. This may be optionally followed by
|
||||
# another colon (":") and an IP/MAC/subnet address
|
||||
# as described above (e.g., net:eth0:192.168.1.5).
|
||||
# as described above (e.g., loc:eth1:192.168.1.5).
|
||||
#
|
||||
# DEST Location of Server. May be a zone defined in
|
||||
# /etc/shorewall/zones, $FW to indicate the firewall
|
||||
# itself or "all"
|
||||
# itself, "all". "all+" or "none".
|
||||
#
|
||||
# Except when "all" is specified, the server may be
|
||||
# When "none" is used either in the SOURCE or DEST
|
||||
# column, the rule is ignored.
|
||||
#
|
||||
# When "all" is used either in the SOURCE or DEST column
|
||||
# intra-zone traffic is not affected. When "all+" is
|
||||
# used, intra-zone traffic is affected.
|
||||
#
|
||||
# Except when "all[+]" is specified, the server may be
|
||||
# further restricted to a particular subnet, host or
|
||||
# interface by appending ":" and the subnet, host or
|
||||
# interface. See above.
|
||||
#
|
||||
# Restrictions:
|
||||
# Restrictions:
|
||||
#
|
||||
# 1. MAC addresses are not allowed.
|
||||
# 2. In DNAT rules, only IP addresses are
|
||||
# allowed; no FQDNs or subnet addresses
|
||||
# are permitted.
|
||||
# 3. You may not specify both an interface and
|
||||
# an address.
|
||||
# 1. MAC addresses are not allowed.
|
||||
# 2. In DNAT rules, only IP addresses are
|
||||
# allowed; no FQDNs or subnet addresses
|
||||
# are permitted.
|
||||
# 3. You may not specify both an interface and
|
||||
# an address.
|
||||
#
|
||||
# Unlike in the SOURCE column, you may specify a range of
|
||||
# Like in the SOURCE column, you may specify a range of
|
||||
# up to 256 IP addresses using the syntax
|
||||
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
|
||||
# the connections will be assigned to addresses in the
|
||||
# range in a round-robin fashion.
|
||||
#
|
||||
# If you kernel and iptables have ipset match support
|
||||
# then you may give the name of an ipset prefaced by "+".
|
||||
# The ipset name may be optionally followed by a number
|
||||
# from 1 to 6 enclosed in square brackets ([]) to
|
||||
# indicate the number of levels of destination bindings
|
||||
# to be matched. Only one of the SOURCE and DEST columns
|
||||
# may specify an ipset name.
|
||||
#
|
||||
# The port that the server is listening on may be
|
||||
# included and separated from the server's IP address by
|
||||
# ":". If omitted, the firewall will not modifiy the
|
||||
# destination port. A destination port may only be
|
||||
# included if the ACTION is DNAT or REDIRECT.
|
||||
#
|
||||
# Example: net:155.186.235.1:25 specifies a Internet
|
||||
# server at IP address 155.186.235.1 and listening on port
|
||||
# 25. The port number MUST be specified as an integer
|
||||
# Example: loc:192.168.1.3:3128 specifies a local
|
||||
# server at IP address 192.168.1.3 and listening on port
|
||||
# 3128. The port number MUST be specified as an integer
|
||||
# and not as a name from /etc/services.
|
||||
#
|
||||
# If the ACTION is REDIRECT, this column needs only to
|
||||
# if the ACTION is REDIRECT, this column needs only to
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||
# "all".
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example "bit"
|
||||
# for bit-torrent). If no port is given, "ipp2p" is
|
||||
# assumed.
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following fields are supplied.
|
||||
# entered if any of the following ields are supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
# "-"
|
||||
#
|
||||
@ -237,8 +248,8 @@
|
||||
# ranges.
|
||||
#
|
||||
# If you don't want to restrict client ports but need to
|
||||
# specify an ORIGINAL DEST in the next column, then place
|
||||
# "-" in this column.
|
||||
# specify an ORIGINAL DEST in the next column, then
|
||||
# place "-" in this column.
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
@ -248,122 +259,156 @@
|
||||
# Otherwise, a separate rule will be generated for each
|
||||
# port.
|
||||
#
|
||||
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
|
||||
# REDIRECT[-]) If included and different from the IP
|
||||
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
|
||||
# then if included and different from the IP
|
||||
# address given in the SERVER column, this is an address
|
||||
# on some interface on the firewall and connections to
|
||||
# that address will be forwarded to the IP and port
|
||||
# specified in the DEST column.
|
||||
#
|
||||
# A comma separated list of addresses may also be used.
|
||||
# A comma-separated list of addresses may also be used.
|
||||
# This is usually most useful with the REDIRECT target
|
||||
# where you want to redirect traffic destined for
|
||||
# a particular set of hosts.
|
||||
# particular set of hosts.
|
||||
#
|
||||
# Finally, if the list of addresses begines with "!" then
|
||||
# Finally, if the list of addresses begins with "!" then
|
||||
# the rule will be followed only if the original
|
||||
# destination address in the connection request does not
|
||||
# match any of the addresses listed.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in this column:
|
||||
# For other actions, this column may be included and may
|
||||
# contain one or more addresses (host or network)
|
||||
# separated by commas. Address ranges are not allowed.
|
||||
# When this column is supplied, rules are generated
|
||||
# that require that the original destination address
|
||||
# matches one of the listed addresses. This feature is
|
||||
# most useful when you want to generate a filter rule
|
||||
# that corresponds to a DNAT- or REDIRECT- rule. In this
|
||||
# usage, the list of addresses should not begin with "!".
|
||||
#
|
||||
# See http://shorewall.net/PortKnocking.html for an
|
||||
# example of using an entry in this column with a
|
||||
# user-defined action rule.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||
# this colume:
|
||||
#
|
||||
# <rate>/<interval>[:<burst>]
|
||||
#
|
||||
# Where <rate> is the number of connections per <interval> ("sec"
|
||||
# or "min") and <burst> is the largest burst permitted. If no
|
||||
# <burst> is given, a value of 5 is assummed. There may be no
|
||||
# whitespace embedded in the specification.
|
||||
# where <rate> is the number of connections per
|
||||
# <interval> ("sec" or "min") and <burst> is the
|
||||
# largest burst permitted. If no <burst> is given,
|
||||
# a value of 5 is assumed. There may be no
|
||||
# no whitespace embedded in the specification.
|
||||
#
|
||||
# Example:
|
||||
# 10/sec:20
|
||||
#
|
||||
# If you place a rate limit in this column, you may not place
|
||||
# a similiar limit in the ACTION column.
|
||||
#
|
||||
# USER/GROUP
|
||||
# This column may only be non-empty if the SOURCE is the firewall itself.
|
||||
# Example: 10/sec:20
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
||||
# the firewall itself.
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only if the program
|
||||
# generating the output is running under the effective <user> and/or
|
||||
# <group> specified (or is NOT running under that id if "!" is given).
|
||||
# [!][<user name or number>][:<group name or number>][+<program name>]
|
||||
#
|
||||
# Examples:
|
||||
# joe # program must be run by joe.
|
||||
# :kids # program must be run by a member of the 'kids' group.
|
||||
# !:kids # program must not be run by a member of the 'kids' group.
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective <user> and/or <group> specified (or is
|
||||
# NOT running under that id if "!" is given).
|
||||
#
|
||||
# Also by default all outbound loc -> net communications are allowed.
|
||||
# You can change this behavior in the sample policy file.
|
||||
# Examples:
|
||||
#
|
||||
# Example: Accept www requests to the firewall.
|
||||
# joe #program must be run by joe
|
||||
# :kids #program must be run by a member of
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
# +upnpd #program named 'upnpd'
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# # PORT PORT(S) DEST LIMIT GROUP
|
||||
# ACCEPT net fw tcp http
|
||||
# Example: Accept SMTP requests from the DMZ to the internet
|
||||
#
|
||||
# Example: Accept SMTP requests from the Local Network to the Internet
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# ACCEPT dmz net tcp smtp
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# # PORT PORT(S) DEST LIMIT GROUP
|
||||
# ACCEPT loc net tcp smtp
|
||||
# Example: Forward all ssh and http connection requests from the
|
||||
# internet to local system 192.168.1.3
|
||||
#
|
||||
# Example: Forward all ssh and http connection requests from the Internet
|
||||
# to dmz system 192.168.2.3
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# DNAT net loc:192.168.1.3 tcp ssh,http
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# # PORT PORT(S) DEST LIMIT GROUP
|
||||
# DNAT net dmz:192.168.2.3 tcp ssh,http
|
||||
# Example: Forward all http connection requests from the internet
|
||||
# to local system 192.168.1.3 with a limit of 3 per second and
|
||||
# a maximum burst of 10
|
||||
#
|
||||
# Example: Redirect all locally-originating www connection requests to
|
||||
# port 3128 on the firewall (Squid running on the firewall
|
||||
# system) except when the destination address is 192.168.2.2
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# # PORT PORT(S) DEST LIMIT
|
||||
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# # PORT PORT(S) DEST LIMIT GROUP
|
||||
# REDIRECT loc 3128 tcp www - !192.168.2.2
|
||||
# Example: Redirect all locally-originating www connection requests to
|
||||
# port 3128 on the firewall (Squid running on the firewall
|
||||
# system) except when the destination address is 192.168.2.2
|
||||
#
|
||||
# Example: All http requests from the Internet to address
|
||||
# 130.252.100.69 are to be forwarded to 192.168.1.3
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# REDIRECT loc 3128 tcp www - !192.168.2.2
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# # PORT PORT(S) DEST LIMIT GROUP
|
||||
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
|
||||
##############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
# Example: All http requests from the internet to address
|
||||
# 130.252.100.69 are to be forwarded to 192.168.1.3
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
|
||||
#
|
||||
# Example: You want to accept SSH connections to your firewall only
|
||||
# from internet IP addresses 130.252.100.69 and 130.252.100.70
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
|
||||
# tcp 22
|
||||
#############################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#
|
||||
# Accept DNS connections from the firewall to the Internet
|
||||
#
|
||||
ACCEPT fw net tcp 53
|
||||
ACCEPT fw net udp 53
|
||||
DNS/ACCEPT fw net
|
||||
#
|
||||
#
|
||||
# Accept SSH connections from the local network to the firewall and DMZ
|
||||
#
|
||||
ACCEPT loc fw tcp 22
|
||||
ACCEPT loc dmz tcp 22
|
||||
SSH/ACCEPT loc fw
|
||||
SSH/ACCEPT loc dmz
|
||||
#
|
||||
# DMZ DNS access to the Internet
|
||||
#
|
||||
ACCEPT dmz net tcp 53
|
||||
ACCEPT dmz net udp 53
|
||||
DNS/ACCEPT dmz net
|
||||
|
||||
|
||||
# Reject Ping from the "bad" net zone.
|
||||
|
||||
Ping/REJECT:none! net fw
|
||||
|
||||
#
|
||||
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
|
||||
# (assumes that the loc-> net policy is ACCEPT).
|
||||
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
|
||||
# (assumes that the loc-> net policy is ACCEPT).
|
||||
#
|
||||
ACCEPT net fw icmp 8
|
||||
ACCEPT loc fw icmp 8
|
||||
ACCEPT dmz fw icmp 8
|
||||
ACCEPT loc dmz icmp 8
|
||||
ACCEPT dmz loc icmp 8
|
||||
ACCEPT dmz net icmp 8
|
||||
|
||||
Ping/ACCEPT loc fw
|
||||
Ping/ACCEPT dmz fw
|
||||
Ping/ACCEPT loc dmz
|
||||
Ping/ACCEPT dmz loc
|
||||
Ping/ACCEPT dmz net
|
||||
|
||||
ACCEPT fw net icmp
|
||||
ACCEPT fw loc icmp
|
||||
ACCEPT fw dmz icmp
|
||||
ACCEPT net dmz icmp 8 # Only with Proxy ARP and
|
||||
ACCEPT net loc icmp 8 # static NAT
|
||||
|
||||
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
|
||||
# the net zone to the dmz and loc
|
||||
|
||||
#Ping/ACCEPT net dmz
|
||||
#Ping/ACCEPT net loc
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,20 +1,79 @@
|
||||
#
|
||||
# Shorewall 2.2 -- Sample Zone File For Two Interfaces
|
||||
# /etc/shorewall/zones
|
||||
# Shorewall version 2.6 - Zones File
|
||||
#
|
||||
# This file determines your network zones. Columns are:
|
||||
# /etc/shorewall/zones
|
||||
#
|
||||
# ZONE Short name of the zone (5 Characters or less in length).
|
||||
# DISPLAY Display name of the zone
|
||||
# COMMENTS Comments about the zone
|
||||
# This file determines your network zones.
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ZONE Short name of the zone (5 Characters or less in length).
|
||||
# The names "all" and "none" are reserved and may not be
|
||||
# used as zone names.
|
||||
#
|
||||
# IPSEC Yes -- Communication with all zone hosts is encrypted
|
||||
# ONLY Your kernel and iptables must include policy
|
||||
# match support.
|
||||
# No -- Communication with some zone hosts may be encrypted.
|
||||
# Encrypted hosts are designated using the 'ipsec'
|
||||
# option in /etc/shorewall/hosts.
|
||||
#
|
||||
# OPTIONS, A comma-separated list of options as follows:
|
||||
# IN OPTIONS,
|
||||
# OUT OPTIONS reqid=<number> where <number> is specified
|
||||
# using setkey(8) using the 'unique:<number>
|
||||
# option for the SPD level.
|
||||
#
|
||||
# spi=<number> where <number> is the SPI of
|
||||
# the SA used to encrypt/decrypt packets.
|
||||
#
|
||||
# proto=ah|esp|ipcomp
|
||||
#
|
||||
# mss=<number> (sets the MSS field in TCP packets)
|
||||
#
|
||||
# mode=transport|tunnel
|
||||
#
|
||||
# tunnel-src=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# tunnel-dst=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# strict Means that packets must match all rules.
|
||||
#
|
||||
# next Separates rules; can only be used with
|
||||
# strict..
|
||||
#
|
||||
# Example:
|
||||
# mode=transport,reqid=44
|
||||
#
|
||||
# The options in the OPTIONS column are applied to both incoming
|
||||
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
||||
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
||||
# applied to outgoing traffic.
|
||||
#
|
||||
# If you wish to leave a column empty but need to make an entry
|
||||
# in a following column, use "-".
|
||||
#
|
||||
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
|
||||
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
|
||||
#
|
||||
# See http://www.shorewall.net/Documentation.html#Nested
|
||||
# See http://www.shorewall.net/Documentation.htm#Nested
|
||||
#------------------------------------------------------------------------------
|
||||
# Example zones:
|
||||
#
|
||||
#ZONE DISPLAY COMMENTS
|
||||
net Net Internet
|
||||
loc Local Local Networks
|
||||
dmz DMZ Demilitarized Zone
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
# You have a three interface firewall with internet, local and DMZ
|
||||
# interfaces.
|
||||
#
|
||||
# #ZONE IPSEC OPTIONS IN OUT
|
||||
# net
|
||||
# loc
|
||||
# dmz
|
||||
#
|
||||
###############################################################################
|
||||
#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
net
|
||||
loc
|
||||
dmz
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
@ -238,5 +238,5 @@
|
||||
###############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
|
||||
net eth0 detect dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
|
||||
loc eth1 detect tcpflags,detectnets
|
||||
loc eth1 detect tcpflags,detectnets,nosmurfs
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
Loading…
Reference in New Issue
Block a user