From d142c4ce9e3a4c49149caf03f4e50bc47c291ec2 Mon Sep 17 00:00:00 2001 From: frannie Date: Wed, 12 Mar 2003 20:55:17 +0000 Subject: [PATCH] Modified Samples For 1.4 Usage And Readbility git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@499 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Samples/one-interface/common | 1 - Samples/one-interface/interfaces | 150 +++++++++--------- Samples/one-interface/policy | 25 ++- Samples/one-interface/rules | 155 +++++++++--------- Samples/one-interface/zones | 5 +- Samples/three-interfaces/common | 1 - Samples/three-interfaces/interfaces | 167 +++++++++---------- Samples/three-interfaces/masq | 134 ++++++++-------- Samples/three-interfaces/policy | 35 ++-- Samples/three-interfaces/routestopped | 31 ++-- Samples/three-interfaces/rules | 220 +++++++++++++++----------- Samples/three-interfaces/zones | 5 +- Samples/two-interfaces/common | 1 - Samples/two-interfaces/interfaces | 160 +++++++++---------- Samples/two-interfaces/masq | 134 ++++++++-------- Samples/two-interfaces/policy | 32 ++-- Samples/two-interfaces/routestopped | 31 ++-- Samples/two-interfaces/rules | 187 ++++++++++++---------- Samples/two-interfaces/zones | 5 +- 19 files changed, 784 insertions(+), 695 deletions(-) diff --git a/Samples/one-interface/common b/Samples/one-interface/common index 9b03f7213..cfbadd903 100644 --- a/Samples/one-interface/common +++ b/Samples/one-interface/common @@ -7,4 +7,3 @@ # DNS replies # run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP - diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces index 73600dc44..588784761 100755 --- a/Samples/one-interface/interfaces +++ b/Samples/one-interface/interfaces @@ -1,7 +1,7 @@ +# +# Shorewall 1.4 -- Sample Interface File For One Interface # -# Shorewall 1.3 -- Interfaces File -# -# /etc/shorewall/interfaces +# /etc/shorewall/interfaces # # You must add an entry in this file for each network interface on your # firewall system. 
@@ -24,7 +24,7 @@
 #
 # BROADCAST The broadcast address for the subnetwork to which the
 # interface belongs. For P-T-P interfaces, this
-# column is left black.If the interface has multiple
+# column is left blank.If the interface has multiple
 # addresses on multiple subnets then list the broadcast
 # addresses as a comma-separated list.
 #
@@ -34,7 +34,7 @@
 # the firewall is started, you must have iproute
 # installed and the interface must only be associated
 # with a single subnet.
-#
+#
 # If you don't want to give a value for this column but
 # you want to enter a value in the OPTIONS column, enter
 # "-" in this column.
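Review bot: The corrected line still runs two sentences together — `blank.If` has no space after the period — so the typo fix should read `# column is left blank. If the interface has multiple`. The identical line is rewritten the same way in the three-interfaces interfaces hunk at -1,33 and should get the same change.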
@@ -42,92 +42,86 @@ # OPTIONS A comma-separated list of options including the # following: # -# dhcp - interface is managed by DHCP or used by -# a DHCP server running on the firewall or -# you have a static IP but are on a LAN -# segment with lots of Laptop DHCP clients. -# routestopped - (Deprecated -- use -# /etc/shorewall/routestopped) -# When the firewall is stopped, allow -# and route traffic to and from this -# interface. -# norfc1918 - This interface should not receive -# any packets whose source is in one -# of the ranges reserved by RFC 1918 -# (i.e., private or "non-routable" -# addresses. If packet mangling is -# enabled in shorewall.conf, packets -# whose destination addresses are -# reserved by RFC 1918 are also rejected. -# multi - This interface has multiple IP -# addresses and you want to be able to -# route between them. -# routefilter - turn on kernel route filtering for this -# interface (anti-spoofing measure). This -# option can also be enabled globally in -# the /etc/shorewall/shorewall.conf file. -# dropunclean - Logs and drops mangled/invalid packets +# dhcp +# Interface is managed by DHCP or used by +# a DHCP server running on the firewall or +# you have a static IP but are on a LAN +# segment with lots of Laptop DHCP clients. +# norfc1918 +# This interface should not receive +# any packets whose source is in one +# of the ranges reserved by RFC 1918 +# (i.e., private or "non-routable" +# addresses. If packet mangling is +# enabled in shorewall.conf, packets +# whose destination addresses are +# reserved by RFC 1918 are also rejected. +# routefilter +# Turn on kernel route filtering for this +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. +# dropunclean +# Logs and drops mangled/invalid packets +# logunclean +# Logs mangled/invalid packets but does +# not drop them. 
+# blacklist +# Check packets arriving on this interface +# against the /etc/shorewall/blacklist +# file. +# maclist +# Connection requests from this interface +# are compared against the contents of +# /etc/shorewall/maclist. If this option +# is specified, the interface must be +# an ethernet NIC and must be up before +# Shorewall is started. +# tcpflags +# Packets arriving on this interface are +# checked for certain illegal combinations +# of TCP flags. Packets found to have +# such a combination of flags are handled +# according to the setting of +# TCP_FLAGS_DISPOSITION after having been +# logged according to the setting of +# TCP_FLAGS_LOG_LEVEL. +# proxyarp +# Sets /proc/sys/net/ipv4/conf//proxy_arp. +# Do NOT use this option if you are +# employing Proxy ARP through entries in +# /etc/shorewall/proxyarp. This option is +# intended soley for use with Proxy ARP +# sub-networking as described at: +# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet # -# logunclean - Logs mangled/invalid packets but does -# not drop them. -# blacklist - Check packets arriving on this interface -# against the /etc/shorewall/blacklist -# file. -# maclist - Connection requests from this interface -# are compared against the contents of -# /etc/shorewall/maclist. If this option -# is specified, the interface must be -# an ethernet NIC and must be up before -# Shorewall is started. -# tcpflags - Packets arriving on this interface are -# checked for certain illegal combinations -# of TCP flags. Packets found to have -# such a combination of flags are handled -# according to the setting of -# TCP_FLAGS_DISPOSITION after having been -# logged according to the setting of -# TCP_FLAGS_LOG_LEVEL. -# proxyarp - -# Sets -# /proc/sys/net/ipv4/conf//proxy_arp. -# Do NOT use this option if you are -# employing Proxy ARP through entries in -# /etc/shorewall/proxyarp. 
This option is -# intended soley for use with Proxy ARP -# sub-networking as described at: -# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet -# # The order in which you list the options is not # significant but the list should have no embedded white # space. # -# Example 1: Suppose you have eth0 connected to a DSL modem and -# eth1 connected to your local network and that your -# local subnet is 192.168.1.0/24. The interface gets -# it's IP address via DHCP from subnet -# 206.191.149.192/27. You have a DMZ with subnet -# 192.168.2.0/24 using eth2. You want to be able to -# access the firewall from the local network when the -# firewall is stopped. +# Example 1: +# Suppose you have eth0 connected to a DSL modem +# that gets it's IP address via DHCP from subnet +# 206.191.149.192/27. # # Your entries for this setup would look like: # -# net eth0 206.191.149.223 dhcp -# local eth1 192.168.1.255 routestopped -# dmz eth2 192.168.2.255 +# #ZONE INTERFACE BROADCAST OPTIONS +# net eth0 206.191.149.223 dhcp # -# Example 2: The same configuration without specifying broadcast +# Example 2: +# The same configuration without specifying broadcast # addresses is: # -# net eth0 detect dhcp -# loc eth1 detect routestopped -# dmz eth2 detect +# #ZONE INTERFACE BROADCAST OPTIONS +# net eth0 detect dhcp # -# Example 3: You have a simple dial-in system with no ethernet +# Example 3: +# You have a simple dial-in system with no ethernet # connections. -# -# net ppp0 - +# #ZONE INTERFACE BROADCAST OPTIONS +# net ppp0 - ############################################################################## -#ZONE INTERFACE BROADCAST OPTIONS +#ZONE INTERFACE BROADCAST OPTIONS net eth0 detect norfc1918,routefilter,dhcp #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples/one-interface/policy b/Samples/one-interface/policy index 9ec001d84..d86fd6e13 100644 --- a/Samples/one-interface/policy +++ b/Samples/one-interface/policy 
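Review bot: The rewritten proxyarp entry keeps the malformed sysctl path `/proc/sys/net/ipv4/conf//proxy_arp`, whose empty component is where the interface name belongs (possibly a placeholder lost between the file and this rendering); since the line is being rewritten anyway, make it `# Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.` with `<interface>` standing for the name in the INTERFACE column. The same path, and the spellings "soley" and "gets it's IP address", are carried into the three-interfaces interfaces hunk at -39,97. The only non-comment line, `net eth0 detect norfc1918,routefilter,dhcp`, has no comment saying which documented options it turns on or why; a line such as `# eth0 faces the Internet: drop RFC 1918 sources, enable kernel route filtering, allow DHCP` above it would tell users what the sample commits them to.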
@@ -1,7 +1,7 @@
+#
+# Shorewall 1.4 -- Sample Policy File For One Interface
 #
-# Shorewall 1.3 -- Policy File
-#
-# /etc/shorewall/policy
+# /etc/shorewall/policy
 #
 # This file determines what to do with a new connection request if we
 # don't get a match from the /etc/shorewall/rules file or from the
@@ -17,9 +17,9 @@
 # DEST Destination zone. Must be the name of a zone defined
 # in /etc/shorewall/zones, $FW or "all"
 #
-# WARNING: Firewall->Firewall policies are not allowed; if
-# you have a policy where both SOURCE and DEST are $FW,
-# Shorewall will not start!
+# WARNING: Firewall->Firewall policies are not allowed; if
+# you have a policy where both SOURCE and DEST are $FW,
+# Shorewall will not start!
 #
 # POLICY Policy if no match from the rules file is found. Must
 # be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
@@ -32,8 +32,7 @@
 # Beginning with Shorewall version 1.3.12, you may
 # also specify ULOG (must be in upper case). This will
 # log to the ULOG target and sent to a separate log
-# through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
+# through use of ulogd (http://www.gnumonks.org/projects/ulogd).
 #
 # If you don't want to log but need to specify the
 # following column, place "_" here.
@@ -44,11 +43,11 @@
 #
 # As shipped, the default policies are:
 #
-# a) All connections from the local network to the internet are allowed
-# b) All connections from the internet are ignored but logged at syslog
-# level KERNEL.INFO.
-# d) All other connection requests are rejected and logged at level
-# KERNEL.INFO.
+# a) All connections from the Firewall to the Internet are allowed
+# b) All connections from the Internet are ignored but logged at syslog
+# level KERNEL.INFO.
+# d) All other connection requests are rejected and logged at level
+# KERNEL.INFO.
 ###############################################################################
 #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
 fw net ACCEPT
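Review bot: The rewritten list of shipped policies still jumps from b) to d) — `+# d) All other connection requests are rejected and logged at level` should be `# c) All other connection requests are rejected and logged at level`. The three-interfaces policy hunk at -44,18 carries the same b)/d) gap and needs the same fix. Items b) and c) presumably describe `net all DROP info` and `all all REJECT info` entries that lie past this hunk's last line `fw net ACCEPT`, so the list could not be checked against them here.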
diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules
index de6d2d76f..e419ddd3b 100755
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -1,7 +1,7 @@
+#
+# Shorewall version 1.4 - Sample Rules File For One Interface
 #
-# Shorewall version 1.3 - Rules File
-#
-# /etc/shorewall/rules
+# /etc/shorewall/rules
 #
 # Rules in this file govern connection establishment. Requests and
 # responses are automatically allowed using connection tracking.
@@ -15,35 +15,49 @@ # Columns are: # # -# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT +# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT # -# ACCEPT -- allow the connection request -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable or an RST packet. -# DNAT -- Forward the request to another -# system (and optionally another -# port). -# DNAT- -- Advanced users only. -# Like DNAT but only generates the -# DNAT iptables rule and not -# the companion ACCEPT rule. -# REDIRECT -- Redirect the request to a local -# port on the firewall. +# ACCEPT +# Allow the connection request +# DROP +# Ignore the request +# REJECT +# Disallow the request and return an +# icmp-unreachable or an RST packet. +# DNAT +# Forward the request to another +# system (and optionally another +# port). +# DNAT- +# Advanced users only. +# Like DNAT but only generates the +# DNAT iptables rule and not +# the companion ACCEPT rule. +# REDIRECT +# Redirect the request to a local +# port on the firewall. +# CONTINUE +# (For experts only). Do Not Process +# any of the following rules for this +# (source zone,destination zone). If +# the source and/or destination IP +# address falls into a zone defined +# later in /etc/shorewall/zones, this +# connection request will be passed +# to the rules defined for that +# (those) zones(s). # # May optionally be followed by ":" and a syslog log # level (e.g, REJECT:info). This causes the packet to be # logged at the specified level. # -# Beginning with Shorewall version 1.3.12, you may -# also specify ULOG (must be in upper case) as a log level.\ -# This will log to the ULOG target and sent to a separate log -# through use of ulogd +# You may also specify ULOG (must be in upper case) as a +# log level. This will log to the ULOG target for routing +# to a separate log through use of ulogd. # (http://www.gnumonks.org/projects/ulogd). # -# # SOURCE Source hosts to which the rule applies. 
May be a zone -# defined in /etc/shorewall/zones, $FW to indicate the +# defined in /etc/shorewall/zones, $FW to indicate the # firewall itself, or "all" If the ACTION is DNAT or # REDIRECT, sub-zones of the specified zone may be # excluded from the rule by following the zone name with @@ -56,24 +70,30 @@ # address; mac addresses must begin with "~" and must use # "-" as a separator. # -# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ +# Some Examples: # -# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the +# net:155.186.235.1 +# Host 155.186.235.1 on the Internet +# +# net:155.186.235.0/24 +# Subnet 155.186.235.0/24 on the # Internet # -# loc:192.168.1.1,192.168.1.2 -# Hosts 192.168.1.1 and -# 192.168.1.2 in the local zone. -# loc:~00-A0-C9-15-39-78 Host in the local zone with -# MAC address 00:A0:C9:15:39:78. +# net:155.186.235.1,155.186.235.2 +# Hosts 155.186.235.1 and +# 155.186.235.2 on the Internet. +# +# net:~00-A0-C9-15-39-78 +# Host on the Internet with +# MAC address 00:A0:C9:15:39:78. # # Alternatively, clients may be specified by interface # by appending ":" to the zone name followed by the -# interface name. For example, loc:eth1 specifies a +# interface name. For example, net:eth0 specifies a # client that communicates with the firewall system -# through eth1. This may be optionally followed by +# through eth0. This may be optionally followed by # another colon (":") and an IP/MAC/subnet address -# as described above (e.g., loc:eth1:192.168.1.5). +# as described above (e.g., net:eth0:192.168.1.5). # # DEST Location of Server. May be a zone defined in # /etc/shorewall/zones, $FW to indicate the firewall 
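Review bot: The new client example `net:eth0:192.168.1.5` puts an RFC 1918 address in the net zone, while the one-interface interfaces sample in this same commit enables `norfc1918` on eth0, so a packet from that source would be discarded before any rule saw it; use the public example address this hunk already uses, `# as described above (e.g., net:eth0:155.186.235.1).`. The rewritten MAC example `net:~00-A0-C9-15-39-78` is syntactically fine, but matching an Internet host by MAC on a routed interface is unlikely to do what a reader expects, since the MAC the firewall sees is the next hop's; a short caveat there, or moving that example back to a directly attached zone, would prevent false confidence in such a rule. The enclosing SOURCE description starts in the previous hunk.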
@@ -84,12 +104,12 @@ # interface by appending ":" and the subnet, host or # interface. See above. # -# Restrictions: +# Restrictions: # -# 1. MAC addresses are not allowed. -# 2. In DNAT rules, only IP addresses are -# allowed; no FQDNs or subnet addresses -# are permitted. +# 1. MAC addresses are not allowed. +# 2. In DNAT rules, only IP addresses are +# allowed; no FQDNs or subnet addresses +# are permitted. # # The port that the server is listening on may be # included and separated from the server's IP address by @@ -97,27 +117,25 @@ # destination port. A destination port may only be # included if the ACTION is DNAT or REDIRECT. # -# Example: loc:192.168.1.3:3128 specifies a local -# server at IP address 192.168.1.3 and listening on port -# 3128. The port number MUST be specified as an integer +# Example: net:155.186.235.1:25 specifies a Internet +# server at IP address 155.186.235.1 and listening on port +# 25. The port number MUST be specified as an integer # and not as a name from /etc/services. # -# if the ACTION is REDIRECT, this column needs only to +# If the ACTION is REDIRECT, this column needs only to # contain the port number on the firewall that the # request should be redirected to. # # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, -# "all" or "related". If "related", the remainder of the -# entry must be omitted and connection requests that are -# related to existing requests will be accepted. +# "all". # -# DEST PORT(S) Destination Ports. A comma-separated list of Port +# DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # # A port range is expressed as :. -# +# # This column is ignored if PROTOCOL = all but must be # entered if any of the following ields are supplied. # In that case, it is suggested that this field contain 
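Review bot: `+# Example: net:155.186.235.1:25 specifies a Internet` should read `an Internet`, and the rewritten PROTO line `+# "all".` has lost the conjunction the sentence needs — with the preceding context line it now reads `a number, "all".`; write `# a number or "all".`. The old text documented a "related" value for PROTO and the commit removes it without a word, so a user upgrading from 1.3 gets no hint why such an entry is apparently no longer accepted; a one-line note such as `# The 1.3 value "related" is no longer documented here.` would help. The "ields" typo in the context line below is pre-existing.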
@@ -149,7 +167,7 @@
 # port.
 #
 # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
-# REDIRECT) If included and different from the IP
+# REDIRECT) If included and different from the IP
 # address given in the SERVER column, this is an address
 # on some interface on the firewall and connections to
 # that address will be forwarded to the IP and port
@@ -163,35 +181,24 @@
 # If no source IP address is given, the original source
 # address is not altered.
 #
-# Example: Accept SMTP requests from the DMZ to the internet
+# Note: Most one interface rules are of the type ACCEPT, REDIRECT or REJECT.
+# DNAT, DNAT-, CONTINUE rules are for multiple interface firewall.
+# Also by default all outbound fw -> net communications are allowed.
+# (One Interface Only) You can change this behavior in the sample policy file.
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# ACCEPT dmz net tcp smtp
+# Example: Accept www requests to the one interface server.
 #
-# Example: Forward all ssh and http connection requests from the internet
-# to local system 192.168.1.3
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# ACCEPT net fw tcp http
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT net loc:192.168.1.3 tcp ssh,http
+# Example: Redirect port 88 Internet traffic to fw port 80
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# REDIRECT net 80 tcp 88
 #
-# Example: Redirect all locally-originating www connection requests to
-# port 3128 on the firewall (Squid running on the firewall
-# system) except when the destination address is 192.168.2.2
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# REDIRECT loc 3128 tcp www - !192.168.2.2
-#
-# Example: All http requests from the internet to address
-# 130.252.100.69 are to be forwarded to 192.168.1.3
-#
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
 ##############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# PORT PORT(S) DEST
-ACCEPT net fw icmp 8
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# PORT PORT(S) DEST
+ACCEPT net fw icmp 8
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
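Review bot: The one live rule, `ACCEPT net fw icmp 8`, lets any Internet host ping the firewall and carries no comment explaining that choice, while the new note above only mentions outbound fw -> net being open; add `# Allow ICMP echo-request (ping) to the firewall from the Internet; remove this line if the firewall should not answer pings.` above it. The new note's wording also needs tightening: `DNAT, DNAT-, CONTINUE rules are for multiple interface firewall.` → `DNAT, DNAT- and CONTINUE rules are for multiple-interface firewalls.`, and the `(One Interface Only)` parenthesis belongs with the preceding sentence about outbound traffic rather than the one about the policy file. The REDIRECT example is consistent with the DEST column text (`80` is the firewall port, `88` the requested port), but that is easy to read backwards, so the example's sentence should spell out which number is which.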
diff --git a/Samples/one-interface/zones b/Samples/one-interface/zones
index 4295b2147..504452e92 100644
--- a/Samples/one-interface/zones
+++ b/Samples/one-interface/zones
@@ -1,7 +1,8 @@
 #
-# Shorewall 1.3 /etc/shorewall/zones
+# Shorewall 1.4 -- Sample Zone File For One Interface
+# /etc/shorewall/zones
 #
-# This file determines your network zones. Columns are:
+# This file determines your network zones. Columns are:
 #
 # ZONE Short name of the zone
 # DISPLAY Display name of the zone
diff --git a/Samples/three-interfaces/common b/Samples/three-interfaces/common
index 9b03f7213..cfbadd903 100644
--- a/Samples/three-interfaces/common
+++ b/Samples/three-interfaces/common
@@ -7,4 +7,3 @@
 # DNS replies
 #
 run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
-
diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces
index 982033397..5aa0f7256 100755
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@@ -1,33 +1,36 @@ +# +# Shorewall 1.4 -- Sample Interface File For Three Interfaces # -# Shorewall 1.3 -- Interfaces File -# -# /etc/shorewall/interfaces +# /etc/shorewall/interfaces # # You must add an entry in this file for each network interface on your # firewall system. # # Columns are: # -# ZONE Zone for this interface. Must match the short name +# ZONE +# Zone for this interface. Must match the short name # of a zone defined in /etc/shorewall/zones. # # If the interface serves multiple zones that will be # defined in the /etc/shorewall/hosts file, you should # place "-" in this column. -# -# INTERFACE Name of interface. Each interface may be listed only +# +# INTERFACE +# Name of interface. Each interface may be listed only # once in this file. You may NOT specify the name of # an alias (e.g., eth0:0) here; see # http://www.shorewall.net/FAQ.htm#faq18 # # DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE. # -# BROADCAST The broadcast address for the subnetwork to which the +# BROADCAST +# The broadcast address for the subnetwork to which the # interface belongs. For P-T-P interfaces, this -# column is left black.If the interface has multiple +# column is left blank.If the interface has multiple # addresses on multiple subnets then list the broadcast # addresses as a comma-separated list. -# +# # If you use the special value "detect", the firewall # will detect the broadcast address for you. If you # select this option, the interface must be up before 
@@ -39,97 +42,95 @@ # you want to enter a value in the OPTIONS column, enter # "-" in this column. # -# OPTIONS A comma-separated list of options including the +# OPTIONS +# A comma-separated list of options including the # following: # -# dhcp - interface is managed by DHCP or used by -# a DHCP server running on the firewall or -# you have a static IP but are on a LAN -# segment with lots of Laptop DHCP clients. -# routestopped - (Deprecated -- use -# /etc/shorewall/routestopped) -# When the firewall is stopped, allow -# and route traffic to and from this -# interface. -# norfc1918 - This interface should not receive -# any packets whose source is in one -# of the ranges reserved by RFC 1918 -# (i.e., private or "non-routable" -# addresses. If packet mangling is -# enabled in shorewall.conf, packets -# whose destination addresses are -# reserved by RFC 1918 are also rejected. -# multi - This interface has multiple IP -# addresses and you want to be able to -# route between them. -# routefilter - turn on kernel route filtering for this -# interface (anti-spoofing measure). This -# option can also be enabled globally in -# the /etc/shorewall/shorewall.conf file. -# dropunclean - Logs and drops mangled/invalid packets -# -# logunclean - Logs mangled/invalid packets but does -# not drop them. -# blacklist - Check packets arriving on this interface -# against the /etc/shorewall/blacklist -# file. -# maclist - Connection requests from this interface -# are compared against the contents of -# /etc/shorewall/maclist. If this option -# is specified, the interface must be -# an ethernet NIC and must be up before -# Shorewall is started. -# tcpflags - Packets arriving on this interface are -# checked for certain illegal combinations -# of TCP flags. Packets found to have -# such a combination of flags are handled -# according to the setting of -# TCP_FLAGS_DISPOSITION after having been -# logged according to the setting of -# TCP_FLAGS_LOG_LEVEL. 
-# proxyarp - -# Sets -# /proc/sys/net/ipv4/conf//proxy_arp. +# dhcp +# Interface is managed by DHCP or used by +# a DHCP server running on the firewall or +# you have a static IP but are on a LAN +# segment with lots of Laptop DHCP clients. +# norfc1918 +# This interface should not receive +# any packets whose source is in one +# of the ranges reserved by RFC 1918 +# (i.e., private or "non-routable" +# addresses. If packet mangling is +# enabled in shorewall.conf, packets +# whose destination addresses are +# reserved by RFC 1918 are also rejected. +# routefilter +# Turn on kernel route filtering for this +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. +# dropunclean +# Logs and drops mangled/invalid packets +# logunclean +# Logs mangled/invalid packets but does +# not drop them. +# blacklist +# Check packets arriving on this interface +# against the /etc/shorewall/blacklist +# file. +# maclist +# Connection requests from this interface +# are compared against the contents of +# /etc/shorewall/maclist. If this option +# is specified, the interface must be +# an ethernet NIC and must be up before +# Shorewall is started. +# tcpflags +# Packets arriving on this interface are +# checked for certain illegal combinations +# of TCP flags. Packets found to have +# such a combination of flags are handled +# according to the setting of +# TCP_FLAGS_DISPOSITION after having been +# logged according to the setting of +# TCP_FLAGS_LOG_LEVEL. +# proxyarp +# Sets /proc/sys/net/ipv4/conf//proxy_arp. # Do NOT use this option if you are # employing Proxy ARP through entries in # /etc/shorewall/proxyarp. This option is # intended soley for use with Proxy ARP # sub-networking as described at: # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet -# -# The order in which you list the options is not -# significant but the list should have no embedded white -# space. 
# -# Example 1: Suppose you have eth0 connected to a DSL modem and -# eth1 connected to your local network and that your -# local subnet is 192.168.1.0/24. The interface gets +# The order in which you list the options is not +# significant but the list should have no embedded white +# space. +# +# Example 1: +# Suppose you have eth0 connected to a DSL modem, +# eth1 connected to your local network and eth2 +# connected to your dmz. Assuming that your local +# subnet is 192.168.1.0/24 and your dmz subnet is +# 192.168.2.0/24 . The eth0 interface gets # it's IP address via DHCP from subnet -# 206.191.149.192/27. You have a DMZ with subnet -# 192.168.2.0/24 using eth2. You want to be able to -# access the firewall from the local network when the -# firewall is stopped. +# 206.191.149.192/27. # # Your entries for this setup would look like: # -# net eth0 206.191.149.223 dhcp -# local eth1 192.168.1.255 routestopped -# dmz eth2 192.168.2.255 +# #ZONE INTERFACE BROADCAST OPTIONS +# net eth0 206.191.149.223 dhcp +# local eth1 192.168.1.255 +# dmz eth2 192.168.2.255 # -# Example 2: The same configuration without specifying broadcast +# Example 2: +# The same configuration without specifying broadcast # addresses is: # -# net eth0 detect dhcp -# loc eth1 detect routestopped -# dmz eth2 detect +# #ZONE INTERFACE BROADCAST OPTIONS +# net eth0 detect dhcp +# loc eth1 detect +# dmz eth2 detect # -# Example 3: You have a simple dial-in system with no ethernet -# connections. -# -# net ppp0 - ############################################################################## #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect dhcp,norfc1918 -loc eth1 detect routestopped -dmz eth2 detect routestopped +net eth0 detect dhcp,routefilter,norfc1918 +loc eth1 detect +dmz eth2 detect #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples/three-interfaces/masq b/Samples/three-interfaces/masq index a6bc02210..12b88d709 100755 --- a/Samples/three-interfaces/masq 
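Review bot: Example 1's new entry uses zone `local` (`# local eth1 192.168.1.255`) while Example 2, described as "the same configuration", and the live entry both use `loc`; since the ZONE column must match the short name defined in /etc/shorewall/zones, change it to `# loc eth1 192.168.1.255`. The live entries drop `routestopped` from eth1 and eth2 (the option is deprecated per the removed text), and the routestopped sample in this commit lists eth1 but, as far as its hunk shows, not eth2, so the DMZ presumably becomes unreachable while the firewall is stopped — a sensible tightening if intended, but worth one sentence in this header. Minor: `192.168.2.0/24 .` has a stray space before the period.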
+++ b/Samples/three-interfaces/masq 
@@ -1,95 +1,103 @@ +# +# Shorewall 1.4 - Sample Masquerade file For Three Interfaces # -# Shorewall 1.3 - Masquerade file +# etc/shorewall/masq # -# /etc/shorewall/masq +# Use this file to define dynamic NAT (Masquerading) and to define Source NAT +# (SNAT). # -# Use this file to define dynamic NAT (Masquerading) and to define Source NAT -# (SNAT). +# Columns are: # -# Columns are: +# INTERFACE +# Outgoing interface. This is usually your internet +# interface. If ADD_SNAT_ALIASES=Yes in +# /etc/shorewall/shorewall.conf, you may add ":" and +# a digit to indicate that you want the alias added with +# that name (e.g., eth0:0). This will allow the alias to +# be displayed with ifconfig. THAT IS THE ONLY USE FOR +# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER +# PLACE IN YOUR SHOREWALL CONFIGURATION. # -# INTERFACE -- Outgoing interface. This is usually your internet -# interface. If ADD_SNAT_ALIASES=Yes in -# /etc/shorewall/shorewall.conf, you may add ":" and -# a digit to indicate that you want the alias added with -# that name (e.g., eth0:0). This will allow the alias to -# be displayed with ifconfig. THAT IS THE ONLY USE FOR -# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER -# PLACE IN YOUR SHOREWALL CONFIGURATION. -# -# This may be qualified by adding the character -# ":" followed by a destination host or subnet. +# This may be qualified by adding the character +# ":" followed by a destination host or subnet. # # -# SUBNET -- Subnet that you wish to masquerade. You can specify this as -# a subnet or as an interface. If you give the name of an -# interface, you must have iproute installed and the interface -# must be up before you start the firewall. -# -# In order to exclude a subset of the specified SUBNET, you -# may append "!" and a comma-separated list of IP addresses -# and/or subnets that you wish to exclude. +# SUBNET +# Subnet that you wish to masquerade. You can specify this as +# a subnet or as an interface. 
If you give the name of an +# interface, you must have iproute installed and the interface +# must be up before you start the firewall. # -# Example: eth1!192.168.1.4,192.168.32.0/27 +# In order to exclude a subset of the specified SUBNET, you +# may append "!" and a comma-separated list of IP addresses +# and/or subnets that you wish to exclude. # -# In that example traffic from eth1 would be masqueraded unless -# it came from 192.168.1.4 or 196.168.32.0/27 +# Example: eth1!192.168.1.4,192.168.32.0/27 # -# ADDRESS -- (Optional). If you specify an address here, SNAT will be -# used and this will be the source address. If -# ADD_SNAT_ALIASES is set to Yes or yes in -# /etc/shorewall/shorewall.conf then Shorewall -# will automatically add this address to the -# INTERFACE named in the first column. +# In that example traffic from eth1 would be masqueraded unless +# it came from 192.168.1.4 or 196.168.32.0/27 # -# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if -# the address given in this column is the primary -# IP address for the interface in the INTERFACE -# column. +# ADDRESS (Optional) +# If you specify an address here, SNAT will be +# used and this will be the source address. If +# ADD_SNAT_ALIASES is set to Yes or yes in +# /etc/shorewall/shorewall.conf then Shorewall +# will automatically add this address to the +# INTERFACE named in the first column. # -# This column may not contain a DNS Name. +# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if +# the address given in this column is the primary +# IP address for the interface in the INTERFACE +# column. # -# Example 1: +# This column may not contain a DNS Name. # -# You have a simple masquerading setup where eth0 connects to -# a DSL or cable modem and eth1 connects to your local network -# with subnet 192.168.0.0/24. 
+# Example 1: # -# Your entry in the file can be either: +# You have a simple masquerading setup where eth0 connects to +# a DSL or cable modem and eth1 connects to your local network +# with subnet 192.168.0.0/24. # -# eth0 eth1 +# Your entry in the file can be either: # -# or +# #INTERFACE SUBNET ADDRESS +# eth0 eth1 # -# eth0 192.168.0.0/24 +# or # -# Example 2: +# #INTERFACE SUBNET ADDRESS +# eth0 192.168.0.0/24 # -# You add a router to your local network to connect subnet -# 192.168.1.0/24 which you also want to masquerade. You then -# add a second entry for eth0 to this file: +# Example 2: # -# eth0 192.168.1.0/24 +# You add a router to your local network to connect subnet +# 192.168.1.0/24 which you also want to masquerade. You then +# add a second entry for eth0 to this file: # -# Example 3: +# #INTERFACE SUBNET ADDRESS +# eth0 192.168.1.0/24 # -# You have an IPSEC tunnel through ipsec0 and you want to -# masquerade packets coming from 192.168.1.0/24 but only if -# these packets are destined for hosts in 10.1.1.0/24: +# Example 3: # -# ipsec0:10.1.1.0/24 196.168.1.0/24 +# You have an IPSEC tunnel through ipsec0 and you want to +# masquerade packets coming from 192.168.1.0/24 but only if +# these packets are destined for hosts in 10.1.1.0/24: # -# Example 4: +# #INTERFACE SUBNET ADDRESS +# ipsec0:10.1.1.0/24 196.168.1.0/24 # -# You want all outgoing traffic from 192.168.1.0/24 through -# eth0 to use source address 206.124.146.176 which is NOT the -# primary address of eth0. You want 206.124.146.176 added to -# be added to eth0 with name eth0:0. +# Example 4: # -# eth0:0 192.168.1.0/24 206.124.146.176 +# You want all outgoing traffic from 192.168.1.0/24 through +# eth0 to use source address 206.124.146.176 which is NOT the +# primary address of eth0. You want 206.124.146.176 added to +# be added to eth0 with name eth0:0. 
+# +# #INTERFACE SUBNET ADDRESS +# eth0:0 192.168.1.0/24 206.124.146.176 # ############################################################################## -#INTERFACE SUBNET ADDRESS +#INTERFACE SUBNET ADDRESS eth0 eth1 eth0 eth2 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Samples/three-interfaces/policy b/Samples/three-interfaces/policy index 338e7cf68..9e59c6880 100644 --- a/Samples/three-interfaces/policy +++ b/Samples/three-interfaces/policy @@ -1,7 +1,7 @@ +# +# Shorewall 1.4 -- Sample Policy File For Three Interfaces # -# Shorewall 1.3 -- Policy File -# -# /etc/shorewall/policy +# /etc/shorewall/policy # # This file determines what to do with a new connection request if we # don't get a match from the /etc/shorewall/rules file or from the @@ -17,9 +17,9 @@ # DEST Destination zone. Must be the name of a zone defined # in /etc/shorewall/zones, $FW or "all" # -# WARNING: Firewall->Firewall policies are not allowed; if -# you have a policy where both SOURCE and DEST are $FW, -# Shorewall will not start! +# WARNING: Firewall->Firewall policies are not allowed; if +# you have a policy where both SOURCE and DEST are $FW, +# Shorewall will not start! # # POLICY Policy if no match from the rules file is found. Must # be "ACCEPT", "DROP", "REJECT" or "CONTINUE" @@ -32,8 +32,7 @@ # Beginning with Shorewall version 1.3.12, you may # also specify ULOG (must be in upper case). This will # log to the ULOG target and sent to a separate log -# through use of ulogd -# (http://www.gnumonks.org/projects/ulogd). +# through use of ulogd (http://www.gnumonks.org/projects/ulogd). # # If you don't want to log but need to specify the # following column, place "_" here. 
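Review bot: The rewritten header line `+# etc/shorewall/masq` has lost its leading slash (the removed line read `/etc/shorewall/masq`); restore `# /etc/shorewall/masq`. Two addresses in the rewritten examples look like typos carried over from the old text: the SUBNET exclusion example explains `192.168.32.0/27` as `196.168.32.0/27`, and Example 3 says it masquerades `192.168.1.0/24` but the entry reads `ipsec0:10.1.1.0/24 196.168.1.0/24` — 196.168.x.x is not private address space, so a user who copies the entry masquerades the wrong network. Change both to `192.168.…` so text and entries agree.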
@@ -44,18 +43,20 @@
 #
 # As shipped, the default policies are:
 #
-# a) All connections from the local network to the internet are allowed
-# b) All connections from the internet are ignored but logged at syslog
-# level KERNEL.INFO.
-# d) All other connection requests are rejected and logged at level
-# KERNEL.INFO.
+# a) All connections from the local network to the Internet are allowed
+# b) All connections from the Internet are ignored but logged at syslog
+# level KERNEL.INFO.
+# d) All other connection requests are rejected and logged at level
+# KERNEL.INFO.
 ###############################################################################
 #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
 loc net ACCEPT
-#
-# If you want open access to the internet from your firewall, uncomment the
-# following line
+# If you want open access to the Internet from your Firewall
+# remove the comment from the following line.
 #fw net ACCEPT
+# Also If You Wish To Open Up DMZ Access To The Internet
+# remove the comment from the following line.
+#dmz net ACCEPT
 net all DROP info
 all all REJECT info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Samples/three-interfaces/routestopped b/Samples/three-interfaces/routestopped
index b7423f455..e59297cbf 100644
--- a/Samples/three-interfaces/routestopped
+++ b/Samples/three-interfaces/routestopped
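Review bot: The new comment above `#dmz net ACCEPT` invites opening the whole DMZ to the Internet without saying what that trades away: the three-interfaces rules sample in this commit grants the DMZ only DNS (`ACCEPT dmz net tcp 53` / `udp 53`), whereas a blanket policy lets any DMZ host, the most exposed class of machine, reach arbitrary external services. Suggest adding `# Prefer per-service ACCEPT rules in /etc/shorewall/rules; this policy lets every DMZ host reach any Internet host.` above the commented-out line. The Title Case wording (`Also If You Wish To Open Up DMZ Access To The Internet`) also differs from the sentence case of the neighbouring `If you want open access ...` comment. The re-indented default-policy list is still lettered a), b), d) with no c); the two-interfaces policy hunk (`@@ -44,18 +43,17 @@`) carries the same lettering.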
@@ -1,25 +1,30 @@
 ##############################################################################
 #
-# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped
+# Shorewall 1.4 -- Sample Routestopped File For Three Interfaces.
 #
-# /etc/shorewall/routestopped
+# /etc/shorewall/routestopped
 #
-# This file is used to define the hosts that are accessible when the
-# firewall is stopped
+# This file is used to define the hosts that are accessible when the
+# firewall is stopped.
 #
-# Columns must be separated by white space and are:
+# Columns must be separated by white space and are:
 #
-# INTERFACE - Interface through which host(s) communicate with
-# the firewall
-# HOST(S) - (Optional) Comma-separated list of IP/subnet
-# addresses. If left empty or supplied as "-",
-# 0.0.0.0/0 is assumed.
+# INTERFACE
+# Interface through which host(s) communicate with
+# the firewall.
+# HOST(S)
+# (Optional) Comma-separated list of IP/subnet
+# addresses. If left empty or supplied as "-",
+# 0.0.0.0/0 is assumed.
 #
-# Example:
+# Examples:
 #
 # INTERFACE HOST(S)
-# eth2 192.168.1.0/24
-# eth0 192.0.2.44
+# eth1 -
+# Or
+# eth1 192.168.1.0/24
+# Or
+# eth1 192.0.2.44
 ##############################################################################
 #INTERFACE HOST(S)
 eth1 -
diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules
index 06c1cb101..522d5cf4c 100755
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -1,7 +1,7 @@
+#
+# Shorewall version 1.4 - Sample Rules File For Three Interfaces
 #
-# Shorewall version 1.3 - Rules File
-#
-# /etc/shorewall/rules
+# /etc/shorewall/rules
 #
 # Rules in this file govern connection establishment. Requests and
 # responses are automatically allowed using connection tracking.
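Review bot: The rewritten examples interleave bare `# Or` lines inside the `INTERFACE HOST(S)` column listing, so they read as data rows rather than as three alternative entries; the interfaces and masq samples in this same commit put each alternative under its own `# Example N:` heading with its own header line, and matching that layout (`# Example 1:` / `# INTERFACE HOST(S)` / `# eth1 -`, then `# Example 2:` ...) would keep the samples consistent. The first example `eth1 -` is also the broadest choice (every host on eth1, i.e. 0.0.0.0/0, reaches the firewall while it is stopped), and a one-line note that narrowing HOST(S) to the administrative subnet is the safer option would help readers who copy it. The new title line ends with a period unlike the other sample headers in this commit. The two-interfaces routestopped hunk (`@@ -1,25 +1,30 @@`) has the same layout.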
@@ -15,35 +15,49 @@ # Columns are: # # -# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT +# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT # -# ACCEPT -- allow the connection request -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable or an RST packet. -# DNAT -- Forward the request to another -# system (and optionally another -# port). -# DNAT- -- Advanced users only. -# Like DNAT but only generates the -# DNAT iptables rule and not -# the companion ACCEPT rule. -# REDIRECT -- Redirect the request to a local -# port on the firewall. +# ACCEPT +# Allow the connection request +# DROP +# Ignore the request +# REJECT +# Disallow the request and return an +# icmp-unreachable or an RST packet. +# DNAT +# Forward the request to another +# system (and optionally another +# port). +# DNAT- +# Advanced users only. +# Like DNAT but only generates the +# DNAT iptables rule and not +# the companion ACCEPT rule. +# REDIRECT +# Redirect the request to a local +# port on the firewall. +# CONTINUE +# (For experts only). Do Not Process +# any of the following rules for this +# (source zone,destination zone). If +# the source and/or destination IP +# address falls into a zone defined +# later in /etc/shorewall/zones, this +# connection request will be passed +# to the rules defined for that +# (those) zones(s). # # May optionally be followed by ":" and a syslog log # level (e.g, REJECT:info). This causes the packet to be # logged at the specified level. # -# Beginning with Shorewall version 1.3.12, you may -# also specify ULOG (must be in upper case) as a log level.\ -# This will log to the ULOG target and sent to a separate log -# through use of ulogd +# You may also specify ULOG (must be in upper case) as a +# log level. This will log to the ULOG target for routing +# to a separate log through use of ulogd. # (http://www.gnumonks.org/projects/ulogd). # -# # SOURCE Source hosts to which the rule applies. 
May be a zone -# defined in /etc/shorewall/zones, $FW to indicate the +# defined in /etc/shorewall/zones, $FW to indicate the # firewall itself, or "all" If the ACTION is DNAT or # REDIRECT, sub-zones of the specified zone may be # excluded from the rule by following the zone name with @@ -56,24 +70,30 @@ # address; mac addresses must begin with "~" and must use # "-" as a separator. # -# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ +# Some Examples: # -# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the -# Internet +# net:155.186.235.1 +# Host 155.186.235.1 on the Internet # -# loc:192.168.1.1,192.168.1.2 -# Hosts 192.168.1.1 and -# 192.168.1.2 in the local zone. -# loc:~00-A0-C9-15-39-78 Host in the local zone with -# MAC address 00:A0:C9:15:39:78. +# loc:192.168.1.0/24 +# Subnet 192.168.1.0/24 on the +# Local Network +# +# net:155.186.235.1,155.186.235.2 +# Hosts 155.186.235.1 and +# 155.186.235.2 on the Internet. +# +# loc:~00-A0-C9-15-39-78 +# Host on the Local Network with +# MAC address 00:A0:C9:15:39:78. # # Alternatively, clients may be specified by interface # by appending ":" to the zone name followed by the -# interface name. For example, loc:eth1 specifies a +# interface name. For example, net:eth0 specifies a # client that communicates with the firewall system -# through eth1. This may be optionally followed by +# through eth0. This may be optionally followed by # another colon (":") and an IP/MAC/subnet address -# as described above (e.g., loc:eth1:192.168.1.5). +# as described above (e.g., net:eth0:192.168.1.5). # # DEST Location of Server. May be a zone defined in # /etc/shorewall/zones, $FW to indicate the firewall 
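Review bot: The ACTION summary line was changed to `ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT`, yet the same hunk adds a CONTINUE entry below it, so the summary now omits one of the actions it documents; suggest `# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT or CONTINUE`. In the new CONTINUE text, `(those) zones(s)` should read `zone(s)`, and `Do Not Process` is capitalised unlike the other action descriptions. The two-interfaces rules hunk (`@@ -15,35 +15,49 @@`) contains the same lines.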
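Review bot: The rewritten interface example `net:eth0:192.168.1.5` pairs the net zone with an RFC 1918 address, while the two-interfaces interfaces sample in this commit puts `norfc1918` on eth0 (and the three-interfaces one presumably does the same), so the documented example would be rejected by the sample's own anti-spoofing option; the original `loc:eth1:192.168.1.5` was self-consistent, or a routable address could be used with `net:eth0`. The two-interfaces rules hunk (`@@ -56,24 +70,30 @@`) repeats this example.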
@@ -84,12 +104,12 @@ # interface by appending ":" and the subnet, host or # interface. See above. # -# Restrictions: +# Restrictions: # -# 1. MAC addresses are not allowed. -# 2. In DNAT rules, only IP addresses are -# allowed; no FQDNs or subnet addresses -# are permitted. +# 1. MAC addresses are not allowed. +# 2. In DNAT rules, only IP addresses are +# allowed; no FQDNs or subnet addresses +# are permitted. # # The port that the server is listening on may be # included and separated from the server's IP address by @@ -97,27 +117,25 @@ # destination port. A destination port may only be # included if the ACTION is DNAT or REDIRECT. # -# Example: loc:192.168.1.3:3128 specifies a local -# server at IP address 192.168.1.3 and listening on port -# 3128. The port number MUST be specified as an integer +# Example: net:155.186.235.1:25 specifies a Internet +# server at IP address 155.186.235.1 and listening on port +# 25. The port number MUST be specified as an integer # and not as a name from /etc/services. # -# if the ACTION is REDIRECT, this column needs only to +# If the ACTION is REDIRECT, this column needs only to # contain the port number on the firewall that the # request should be redirected to. # # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, -# "all" or "related". If "related", the remainder of the -# entry must be omitted and connection requests that are -# related to existing requests will be accepted. +# "all". # -# DEST PORT(S) Destination Ports. A comma-separated list of Port +# DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # # A port range is expressed as :. -# +# # This column is ignored if PROTOCOL = all but must be # entered if any of the following ields are supplied. # In that case, it is suggested that this field contain 
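Review bot: The rewritten PROTO description reads `Must be "tcp", "udp", "icmp", a number, "all".`, the conjunction having been lost when "related" was removed; suggest `a number or "all".`. The new DEST example has `specifies a Internet server`, which should be `an Internet server`.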
@@ -149,7 +167,7 @@
 # port.
 #
 # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
-# REDIRECT) If included and different from the IP
+# REDIRECT) If included and different from the IP
 # address given in the SERVER column, this is an address
 # on some interface on the firewall and connections to
 # that address will be forwarded to the IP and port
@@ -163,61 +181,83 @@ # If no source IP address is given, the original source # address is not altered. # -# Example: Accept SMTP requests from the DMZ to the internet +# Also by default all outbound loc -> net communications are allowed. +# You can change this behavior in the sample policy file. # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# ACCEPT dmz net tcp smtp +# Example: Accept www requests to the firewall. # -# Example: Forward all ssh and http connection requests from the internet -# to local system 192.168.1.3 +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT net fw tcp http # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT net loc:192.168.1.3 tcp ssh,http +# Example: Accept SMTP requests from the Local Network to the Internet # -# Example: Redirect all locally-originating www connection requests to -# port 3128 on the firewall (Squid running on the firewall -# system) except when the destination address is 192.168.2.2 +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT loc net tcp smtp # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# REDIRECT loc 3128 tcp www - !192.168.2.2 +# Example: Forward all ssh and http connection requests from the Internet +# to dmz system 192.168.2.3 # -# Example: All http requests from the internet to address -# 130.252.100.69 are to be forwarded to 192.168.1.3 +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net dmz:192.168.2.3 tcp ssh,http # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 +# Example: Redirect all locally-originating www connection requests to +# port 3128 on the firewall (Squid running on the firewall +# system) except when the destination address is 192.168.2.2 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# REDIRECT 
loc 3128 tcp www - !192.168.2.2 +# +# Example: All http requests from the Internet to address +# 130.252.100.69 are to be forwarded to 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 ############################################################################## -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# PORT PORT(S) DEST +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# PORT PORT(S) DEST # -# Accept outgoing DNS connections from the firewall +# Accept DNS connections from the firewall to the network # -ACCEPT fw net tcp 53 -ACCEPT fw net udp 53 +ACCEPT fw net tcp 53 +ACCEPT fw net udp 53 # -# Accept SSH connections from the local network to the firewall and DMZ +# Accept SSH connections from the local network for administration. # -ACCEPT loc fw tcp 22 -ACCEPT loc dmz tcp 22 +ACCEPT loc fw tcp 22 # -# DMZ DNS access to the internet +############################################################################## +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# PORT PORT(S) DEST # -ACCEPT dmz net tcp 53 -ACCEPT dmz net udp 53 +# Accept outgoing DNS connections from the firewall # -# Make ping work between the DMZ, net and local zone (assumes that the loc-> -# net policy is ACCEPT). +ACCEPT fw net tcp 53 +ACCEPT fw net udp 53 # -ACCEPT net fw icmp 8 -ACCEPT loc fw icmp 8 -ACCEPT dmz fw icmp 8 -ACCEPT loc dmz icmp 8 -ACCEPT dmz loc icmp 8 -ACCEPT dmz net icmp 8 -ACCEPT net dmz icmp 8 # Only with Proxy ARP and -ACCEPT net loc icmp 8 # static NAT +# Accept SSH connections from the local network to the firewall and DMZ +# +ACCEPT loc fw tcp 22 +ACCEPT loc dmz tcp 22 +# +# DMZ DNS access to the internet +# +ACCEPT dmz net tcp 53 +ACCEPT dmz net udp 53 +# +# Make ping work between the DMZ, net and local zone (assumes that the loc-> +# net policy is ACCEPT). 
+#
+ACCEPT net fw icmp 8
+ACCEPT loc fw icmp 8
+ACCEPT dmz fw icmp 8
+ACCEPT loc dmz icmp 8
+ACCEPT dmz loc icmp 8
+ACCEPT dmz net icmp 8
+ACCEPT net dmz icmp 8 # Only with Proxy ARP and
+ACCEPT net loc icmp 8 # static NAT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Samples/three-interfaces/zones b/Samples/three-interfaces/zones
index 93af385b0..2e4721606 100644
--- a/Samples/three-interfaces/zones
+++ b/Samples/three-interfaces/zones
@@ -1,5 +1,6 @@
 #
-# Shorewall 1.3 /etc/shorewall/zones
+# Shorewall 1.4 -- Sample Zone File For Two Interfaces
+# /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #
@@ -9,6 +10,6 @@
 #
 #ZONE DISPLAY COMMENTS
 net Net Internet
-loc Local Local networks
+loc Local Local Networks
 dmz DMZ Demilitarized Zone
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Samples/two-interfaces/common b/Samples/two-interfaces/common
index 9b03f7213..cfbadd903 100644
--- a/Samples/two-interfaces/common
+++ b/Samples/two-interfaces/common
@@ -7,4 +7,3 @@
 # DNS replies
 #
 run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
-
diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces
index 363b5b6b7..bc042c3c9 100755
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
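Review bot: The new rule list in Samples/three-interfaces/rules contains the same entries twice: `ACCEPT fw net tcp 53`, `ACCEPT fw net udp 53` and `ACCEPT loc fw tcp 22` appear once under `Accept DNS connections from the firewall to the network` / `Accept SSH connections from the local network for administration.`, and again after a second `#ACTION SOURCE DEST ...` column header placed in the middle of the active entries, which looks like two versions of the file merged rather than an intended layout. Keeping one copy of each rule and a single column header above the first entry would make the sample read correctly; the duplicates are harmless to iptables but leave a reader unsure which block is authoritative. The hunk's own header text (`Also by default all outbound loc -> net communications are allowed.`) is the right place to also say that the DMZ gets only what these rules grant, since that is what distinguishes this sample from the policy-level `#dmz net ACCEPT` option.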
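Review bot: The new header line in Samples/three-interfaces/zones reads `Sample Zone File For Two Interfaces` although this is the three-interfaces sample (the `dmz` zone is still listed below); suggest `# Shorewall 1.4 -- Sample Zone File For Three Interfaces`.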
@@ -1,33 +1,36 @@ +# +# Shorewall 1.4 -- Sample Interface File For Two Interfaces # -# Shorewall 1.3 -- Interfaces File -# -# /etc/shorewall/interfaces +# /etc/shorewall/interfaces # # You must add an entry in this file for each network interface on your # firewall system. # # Columns are: # -# ZONE Zone for this interface. Must match the short name +# ZONE +# Zone for this interface. Must match the short name # of a zone defined in /etc/shorewall/zones. # # If the interface serves multiple zones that will be # defined in the /etc/shorewall/hosts file, you should # place "-" in this column. -# -# INTERFACE Name of interface. Each interface may be listed only +# +# INTERFACE +# Name of interface. Each interface may be listed only # once in this file. You may NOT specify the name of # an alias (e.g., eth0:0) here; see # http://www.shorewall.net/FAQ.htm#faq18 # # DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE. # -# BROADCAST The broadcast address for the subnetwork to which the +# BROADCAST +# The broadcast address for the subnetwork to which the # interface belongs. For P-T-P interfaces, this -# column is left black.If the interface has multiple +# column is left blank.If the interface has multiple # addresses on multiple subnets then list the broadcast # addresses as a comma-separated list. -# +# # If you use the special value "detect", the firewall # will detect the broadcast address for you. If you # select this option, the interface must be up before 
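Review bot: The corrected line `+# column is left blank.If the interface has multiple` still runs the two sentences together; suggest `column is left blank. If the interface has multiple`. That is the only new wording in this hunk beyond moving the column headings onto their own lines.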
@@ -39,96 +42,89 @@ # you want to enter a value in the OPTIONS column, enter # "-" in this column. # -# OPTIONS A comma-separated list of options including the +# OPTIONS +# A comma-separated list of options including the # following: # -# dhcp - interface is managed by DHCP or used by -# a DHCP server running on the firewall or -# you have a static IP but are on a LAN -# segment with lots of Laptop DHCP clients. -# routestopped - (Deprecated -- use -# /etc/shorewall/routestopped) -# When the firewall is stopped, allow -# and route traffic to and from this -# interface. -# norfc1918 - This interface should not receive -# any packets whose source is in one -# of the ranges reserved by RFC 1918 -# (i.e., private or "non-routable" -# addresses. If packet mangling is -# enabled in shorewall.conf, packets -# whose destination addresses are -# reserved by RFC 1918 are also rejected. -# multi - This interface has multiple IP -# addresses and you want to be able to -# route between them. -# routefilter - turn on kernel route filtering for this -# interface (anti-spoofing measure). This -# option can also be enabled globally in -# the /etc/shorewall/shorewall.conf file. -# dropunclean - Logs and drops mangled/invalid packets -# -# logunclean - Logs mangled/invalid packets but does -# not drop them. -# blacklist - Check packets arriving on this interface -# against the /etc/shorewall/blacklist -# file. -# maclist - Connection requests from this interface -# are compared against the contents of -# /etc/shorewall/maclist. If this option -# is specified, the interface must be -# an ethernet NIC and must be up before -# Shorewall is started. -# tcpflags - Packets arriving on this interface are -# checked for certain illegal combinations -# of TCP flags. Packets found to have -# such a combination of flags are handled -# according to the setting of -# TCP_FLAGS_DISPOSITION after having been -# logged according to the setting of -# TCP_FLAGS_LOG_LEVEL. 
-# proxyarp - -# Sets -# /proc/sys/net/ipv4/conf//proxy_arp. +# dhcp +# Interface is managed by DHCP or used by +# a DHCP server running on the firewall or +# you have a static IP but are on a LAN +# segment with lots of Laptop DHCP clients. +# norfc1918 +# This interface should not receive +# any packets whose source is in one +# of the ranges reserved by RFC 1918 +# (i.e., private or "non-routable" +# addresses. If packet mangling is +# enabled in shorewall.conf, packets +# whose destination addresses are +# reserved by RFC 1918 are also rejected. +# routefilter +# Turn on kernel route filtering for this +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. +# dropunclean +# Logs and drops mangled/invalid packets +# logunclean +# Logs mangled/invalid packets but does +# not drop them. +# blacklist +# Check packets arriving on this interface +# against the /etc/shorewall/blacklist +# file. +# maclist +# Connection requests from this interface +# are compared against the contents of +# /etc/shorewall/maclist. If this option +# is specified, the interface must be +# an ethernet NIC and must be up before +# Shorewall is started. +# tcpflags +# Packets arriving on this interface are +# checked for certain illegal combinations +# of TCP flags. Packets found to have +# such a combination of flags are handled +# according to the setting of +# TCP_FLAGS_DISPOSITION after having been +# logged according to the setting of +# TCP_FLAGS_LOG_LEVEL. +# proxyarp +# Sets /proc/sys/net/ipv4/conf//proxy_arp. # Do NOT use this option if you are # employing Proxy ARP through entries in # /etc/shorewall/proxyarp. This option is # intended soley for use with Proxy ARP # sub-networking as described at: # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet -# -# The order in which you list the options is not -# significant but the list should have no embedded white -# space. 
# -# Example 1: Suppose you have eth0 connected to a DSL modem and +# The order in which you list the options is not +# significant but the list should have no embedded white +# space. +# +# Example 1: +# Suppose you have eth0 connected to a DSL modem and # eth1 connected to your local network and that your -# local subnet is 192.168.1.0/24. The interface gets -# it's IP address via DHCP from subnet -# 206.191.149.192/27. You have a DMZ with subnet -# 192.168.2.0/24 using eth2. You want to be able to -# access the firewall from the local network when the -# firewall is stopped. +# local subnet is 192.168.1.0/24. The eth0 interface gets +# it's IP address via DHCP from subnet 206.191.149.192/27. # # Your entries for this setup would look like: # -# net eth0 206.191.149.223 dhcp -# local eth1 192.168.1.255 routestopped -# dmz eth2 192.168.2.255 +# #ZONE INTERFACE BROADCAST OPTIONS +# net eth0 206.191.149.223 dhcp +# local eth1 192.168.1.255 # -# Example 2: The same configuration without specifying broadcast +# Example 2: +# The same configuration without specifying broadcast # addresses is: # -# net eth0 detect dhcp -# loc eth1 detect routestopped -# dmz eth2 detect +# #ZONE INTERFACE BROADCAST OPTIONS +# net eth0 detect dhcp +# loc eth1 detect # -# Example 3: You have a simple dial-in system with no ethernet -# connections. -# -# net ppp0 - ############################################################################## #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect dhcp,routefilter,norfc1918 -loc eth1 detect +net eth0 detect dhcp,routefilter,norfc1918 +loc eth1 detect #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples/two-interfaces/masq b/Samples/two-interfaces/masq index 9df194bc2..6710f94c4 100755 --- a/Samples/two-interfaces/masq +++ b/Samples/two-interfaces/masq 
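Review bot: Example 1 in the new text uses the zone name `local` (`# local eth1 192.168.1.255`) while Example 2 and the live entry below use `loc`, and the ZONE column is documented as having to match the short name defined in /etc/shorewall/zones; the three-interfaces zones sample visible in this commit defines `loc`, so the example should read `# loc eth1 192.168.1.255`. The new Example 1 text also keeps `it's IP address`, which should be `its IP address`. The examples show `net eth0 ... dhcp` without the `routefilter,norfc1918` options that the live `net eth0` line carries; a short comment noting that the live entry adds anti-spoofing options the minimal examples omit would stop readers from copying the example over the safer default.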
@@ -1,94 +1,102 @@ +# +# Shorewall 1.4 - Sample Masquerade file For Two Interfaces # -# Shorewall 1.3 - Masquerade file +# etc/shorewall/masq # -# /etc/shorewall/masq +# Use this file to define dynamic NAT (Masquerading) and to define Source NAT +# (SNAT). # -# Use this file to define dynamic NAT (Masquerading) and to define Source NAT -# (SNAT). +# Columns are: # -# Columns are: +# INTERFACE +# Outgoing interface. This is usually your internet +# interface. If ADD_SNAT_ALIASES=Yes in +# /etc/shorewall/shorewall.conf, you may add ":" and +# a digit to indicate that you want the alias added with +# that name (e.g., eth0:0). This will allow the alias to +# be displayed with ifconfig. THAT IS THE ONLY USE FOR +# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER +# PLACE IN YOUR SHOREWALL CONFIGURATION. # -# INTERFACE -- Outgoing interface. This is usually your internet -# interface. If ADD_SNAT_ALIASES=Yes in -# /etc/shorewall/shorewall.conf, you may add ":" and -# a digit to indicate that you want the alias added with -# that name (e.g., eth0:0). This will allow the alias to -# be displayed with ifconfig. THAT IS THE ONLY USE FOR -# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER -# PLACE IN YOUR SHOREWALL CONFIGURATION. -# -# This may be qualified by adding the character -# ":" followed by a destination host or subnet. +# This may be qualified by adding the character +# ":" followed by a destination host or subnet. # # -# SUBNET -- Subnet that you wish to masquerade. You can specify this as -# a subnet or as an interface. If you give the name of an -# interface, you must have iproute installed and the interface -# must be up before you start the firewall. -# -# In order to exclude a subset of the specified SUBNET, you -# may append "!" and a comma-separated list of IP addresses -# and/or subnets that you wish to exclude. +# SUBNET +# Subnet that you wish to masquerade. You can specify this as +# a subnet or as an interface. 
If you give the name of an +# interface, you must have iproute installed and the interface +# must be up before you start the firewall. # -# Example: eth1!192.168.1.4,192.168.32.0/27 +# In order to exclude a subset of the specified SUBNET, you +# may append "!" and a comma-separated list of IP addresses +# and/or subnets that you wish to exclude. # -# In that example traffic from eth1 would be masqueraded unless -# it came from 192.168.1.4 or 196.168.32.0/27 +# Example: eth1!192.168.1.4,192.168.32.0/27 # -# ADDRESS -- (Optional). If you specify an address here, SNAT will be -# used and this will be the source address. If -# ADD_SNAT_ALIASES is set to Yes or yes in -# /etc/shorewall/shorewall.conf then Shorewall -# will automatically add this address to the -# INTERFACE named in the first column. +# In that example traffic from eth1 would be masqueraded unless +# it came from 192.168.1.4 or 196.168.32.0/27 # -# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if -# the address given in this column is the primary -# IP address for the interface in the INTERFACE -# column. +# ADDRESS (Optional) +# If you specify an address here, SNAT will be +# used and this will be the source address. If +# ADD_SNAT_ALIASES is set to Yes or yes in +# /etc/shorewall/shorewall.conf then Shorewall +# will automatically add this address to the +# INTERFACE named in the first column. # -# This column may not contain a DNS Name. +# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if +# the address given in this column is the primary +# IP address for the interface in the INTERFACE +# column. # -# Example 1: +# This column may not contain a DNS Name. # -# You have a simple masquerading setup where eth0 connects to -# a DSL or cable modem and eth1 connects to your local network -# with subnet 192.168.0.0/24. 
+# Example 1: # -# Your entry in the file can be either: +# You have a simple masquerading setup where eth0 connects to +# a DSL or cable modem and eth1 connects to your local network +# with subnet 192.168.0.0/24. # -# eth0 eth1 +# Your entry in the file can be either: # -# or +# #INTERFACE SUBNET ADDRESS +# eth0 eth1 # -# eth0 192.168.0.0/24 +# or # -# Example 2: +# #INTERFACE SUBNET ADDRESS +# eth0 192.168.0.0/24 # -# You add a router to your local network to connect subnet -# 192.168.1.0/24 which you also want to masquerade. You then -# add a second entry for eth0 to this file: +# Example 2: # -# eth0 192.168.1.0/24 +# You add a router to your local network to connect subnet +# 192.168.1.0/24 which you also want to masquerade. You then +# add a second entry for eth0 to this file: # -# Example 3: +# #INTERFACE SUBNET ADDRESS +# eth0 192.168.1.0/24 # -# You have an IPSEC tunnel through ipsec0 and you want to -# masquerade packets coming from 192.168.1.0/24 but only if -# these packets are destined for hosts in 10.1.1.0/24: +# Example 3: # -# ipsec0:10.1.1.0/24 196.168.1.0/24 +# You have an IPSEC tunnel through ipsec0 and you want to +# masquerade packets coming from 192.168.1.0/24 but only if +# these packets are destined for hosts in 10.1.1.0/24: # -# Example 4: +# #INTERFACE SUBNET ADDRESS +# ipsec0:10.1.1.0/24 196.168.1.0/24 # -# You want all outgoing traffic from 192.168.1.0/24 through -# eth0 to use source address 206.124.146.176 which is NOT the -# primary address of eth0. You want 206.124.146.176 added to -# be added to eth0 with name eth0:0. +# Example 4: # -# eth0:0 192.168.1.0/24 206.124.146.176 +# You want all outgoing traffic from 192.168.1.0/24 through +# eth0 to use source address 206.124.146.176 which is NOT the +# primary address of eth0. You want 206.124.146.176 added to +# be added to eth0 with name eth0:0. 
+#
+# #INTERFACE SUBNET ADDRESS
+# eth0:0 192.168.1.0/24 206.124.146.176
 #
 ##############################################################################
-#INTERFACE SUBNET ADDRESS
+#INTERFACE SUBNET ADDRESS
 eth0 eth1
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Samples/two-interfaces/policy b/Samples/two-interfaces/policy
index 338e7cf68..7d297638e 100644
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
@@ -1,7 +1,7 @@
+#
+# Shorewall 1.4 -- Sample Policy File For Two Interfaces
 #
-# Shorewall 1.3 -- Policy File
-#
-# /etc/shorewall/policy
+# /etc/shorewall/policy
 #
 # This file determines what to do with a new connection request if we
 # don't get a match from the /etc/shorewall/rules file or from the
@@ -17,9 +17,9 @@
 # DEST Destination zone. Must be the name of a zone defined
 # in /etc/shorewall/zones, $FW or "all"
 #
-# WARNING: Firewall->Firewall policies are not allowed; if
-# you have a policy where both SOURCE and DEST are $FW,
-# Shorewall will not start!
+# WARNING: Firewall->Firewall policies are not allowed; if
+# you have a policy where both SOURCE and DEST are $FW,
+# Shorewall will not start!
 #
 # POLICY Policy if no match from the rules file is found. Must
 # be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
@@ -32,8 +32,7 @@
 # Beginning with Shorewall version 1.3.12, you may
 # also specify ULOG (must be in upper case). This will
 # log to the ULOG target and sent to a separate log
-# through use of ulogd
-# (http://www.gnumonks.org/projects/ulogd).
+# through use of ulogd (http://www.gnumonks.org/projects/ulogd).
 #
 # If you don't want to log but need to specify the
 # following column, place "_" here.
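Review bot: The new header line `+# etc/shorewall/masq` lost the leading slash that the removed `/etc/shorewall/masq` line had; every other sample in this commit keeps the absolute path. Example 3's entry `ipsec0:10.1.1.0/24 196.168.1.0/24` contradicts its own prose, which says the packets to masquerade come from `192.168.1.0/24`; 196.168.1.0/24 is a public range, so anyone copying the example would masquerade the wrong subnet, and the SUBNET exclusion example likewise says `196.168.32.0/27` where the entry above it has `192.168.32.0/27`. These example lines are moved rather than newly written, but since the commit rewrites them this is the moment to correct them; the three-interfaces masq file carries the same Example 3 text.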
@@ -44,18 +43,17 @@
 #
 # As shipped, the default policies are:
 #
-# a) All connections from the local network to the internet are allowed
-# b) All connections from the internet are ignored but logged at syslog
-# level KERNEL.INFO.
-# d) All other connection requests are rejected and logged at level
-# KERNEL.INFO.
+# a) All connections from the local network to the Internet are allowed
+# b) All connections from the Internet are ignored but logged at syslog
+# level KERNEL.INFO.
+# d) All other connection requests are rejected and logged at level
+# KERNEL.INFO.
 ###############################################################################
 #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
 loc net ACCEPT
-#
-# If you want open access to the internet from your firewall, uncomment the
-# following line
+# If you want open access to the Internet from your Firewall
+# remove the comment from the following line.
 #fw net ACCEPT
 net all DROP info
 all all REJECT info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Samples/two-interfaces/routestopped b/Samples/two-interfaces/routestopped
index cfb192afd..af3cd97ce 100644
--- a/Samples/two-interfaces/routestopped
+++ b/Samples/two-interfaces/routestopped
@@ -1,25 +1,30 @@
 ##############################################################################
 #
-# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped
+# Shorewall 1.4 -- Sample Routestopped file for two interfaces.
 #
-# /etc/shorewall/routestopped
+# /etc/shorewall/routestopped
 #
-# This file is used to define the hosts that are accessible when the
-# firewall is stopped
+# This file is used to define the hosts that are accessible when the
+# firewall is stopped.
 #
-# Columns must be separated by white space and are:
+# Columns must be separated by white space and are:
 #
-# INTERFACE - Interface through which host(s) communicate with
-# the firewall
-# HOST(S) - (Optional) Comma-separated list of IP/subnet
-# addresses. If left empty or supplied as "-",
-# 0.0.0.0/0 is assumed.
+# INTERFACE
+# Interface through which host(s) communicate with
+# the firewall.
+# HOST(S)
+# (Optional) Comma-separated list of IP/subnet
+# addresses. If left empty or supplied as "-",
+# 0.0.0.0/0 is assumed.
 #
-# Example:
+# Examples:
 #
 # INTERFACE HOST(S)
-# eth2 192.168.1.0/24
-# eth0 192.0.2.44
+# eth1 -
+# Or
+# eth1 192.168.1.0/24
+# Or
+# eth1 192.0.2.44
 ##############################################################################
 #INTERFACE HOST(S)
 eth1 -
diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules
index 1c3be1e36..640ac79d6 100755
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -1,7 +1,7 @@
+#
+# Shorewall version 1.4 - Sample Rules File For Two Interfaces
 #
-# Shorewall version 1.3 - Rules File
-#
-# /etc/shorewall/rules
+# /etc/shorewall/rules
 #
 # Rules in this file govern connection establishment. Requests and
 # responses are automatically allowed using connection tracking.
@@ -15,35 +15,49 @@
 # Columns are:
 #
 #
-# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
+# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT
 #
-# ACCEPT -- allow the connection request
-# DROP -- ignore the request
-# REJECT -- disallow the request and return an
-# icmp-unreachable or an RST packet.
-# DNAT -- Forward the request to another
-# system (and optionally another
-# port).
-# DNAT- -- Advanced users only.
-# Like DNAT but only generates the
-# DNAT iptables rule and not
-# the companion ACCEPT rule.
-# REDIRECT -- Redirect the request to a local
-# port on the firewall.
+# ACCEPT
+# Allow the connection request
+# DROP
+# Ignore the request
+# REJECT
+# Disallow the request and return an
+# icmp-unreachable or an RST packet.
+# DNAT
+# Forward the request to another
+# system (and optionally another
+# port).
+# DNAT-
+# Advanced users only.
+# Like DNAT but only generates the
+# DNAT iptables rule and not
+# the companion ACCEPT rule.
+# REDIRECT
+# Redirect the request to a local
+# port on the firewall.
+# CONTINUE
+# (For experts only). Do Not Process
+# any of the following rules for this
+# (source zone,destination zone). If
+# the source and/or destination IP
+# address falls into a zone defined
+# later in /etc/shorewall/zones, this
+# connection request will be passed
+# to the rules defined for that
+# (those) zones(s).
 #
 # May optionally be followed by ":" and a syslog log
 # level (e.g, REJECT:info). This causes the packet to be
 # logged at the specified level.
 #
-# Beginning with Shorewall version 1.3.12, you may
-# also specify ULOG (must be in upper case) as a log level.\
-# This will log to the ULOG target and sent to a separate log
-# through use of ulogd
+# You may also specify ULOG (must be in upper case) as a
+# log level. This will log to the ULOG target for routing
+# to a separate log through use of ulogd.
 # (http://www.gnumonks.org/projects/ulogd).
 #
-#
 # SOURCE Source hosts to which the rule applies. May be a zone
-# defined in /etc/shorewall/zones, $FW to indicate the
+# defined in /etc/shorewall/zones, $FW to indicate the
 # firewall itself, or "all" If the ACTION is DNAT or
 # REDIRECT, sub-zones of the specified zone may be
 # excluded from the rule by following the zone name with
@@ -56,24 +70,30 @@
 # address; mac addresses must begin with "~" and must use
 # "-" as a separator.
 #
-# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
+# Some Examples:
 #
-# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
-# Internet
+# net:155.186.235.1
+# Host 155.186.235.1 on the Internet
 #
-# loc:192.168.1.1,192.168.1.2
-# Hosts 192.168.1.1 and
-# 192.168.1.2 in the local zone.
-# loc:~00-A0-C9-15-39-78 Host in the local zone with
-# MAC address 00:A0:C9:15:39:78.
+# loc:192.168.1.0/24
+# Subnet 192.168.1.0/24 on the
+# Local Network
+#
+# net:155.186.235.1,155.186.235.2
+# Hosts 155.186.235.1 and
+# 155.186.235.2 on the Internet.
+#
+# loc:~00-A0-C9-15-39-78
+# Host on the Local Network with
+# MAC address 00:A0:C9:15:39:78.
 #
 # Alternatively, clients may be specified by interface
 # by appending ":" to the zone name followed by the
-# interface name. For example, loc:eth1 specifies a
+# interface name. For example, net:eth0 specifies a
 # client that communicates with the firewall system
-# through eth1. This may be optionally followed by
+# through eth0. This may be optionally followed by
 # another colon (":") and an IP/MAC/subnet address
-# as described above (e.g., loc:eth1:192.168.1.5).
+# as described above (e.g., net:eth0:192.168.1.5).
 #
 # DEST Location of Server. May be a zone defined in
 # /etc/shorewall/zones, $FW to indicate the firewall
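Review bot: The ACTION summary line `# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT` omits CONTINUE even though the block added just below documents it, so the summary and the detail disagree; change it to `# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT or CONTINUE`. In the CONTINUE text, `(those) zones(s).` should read `(those) zone(s).`, and since CONTINUE hands the request to rules for a zone defined later it is worth one more sentence saying that a later, broader zone can therefore accept what the earlier zone's rules would have dropped. The hunk also keeps `(e.g, REJECT:info)` where `(e.g., REJECT:info)` is meant.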
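Review bot: The interface example on the last changed line, `net:eth0:192.168.1.5`, pairs the net zone with an RFC 1918 address, whereas the previous `loc:eth1:192.168.1.5` was internally consistent and the other net examples in this hunk use 155.186.235.x. Either keep a loc example or match the rest, e.g. `# as described above (e.g., net:eth0:155.186.235.1).`. That eth0 is the Internet-facing interface here is inferred from the examples, not stated in the hunk.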
@@ -84,12 +104,12 @@
 # interface by appending ":" and the subnet, host or
 # interface. See above.
 #
-# Restrictions:
+# Restrictions:
 #
-# 1. MAC addresses are not allowed.
-# 2. In DNAT rules, only IP addresses are
-# allowed; no FQDNs or subnet addresses
-# are permitted.
+# 1. MAC addresses are not allowed.
+# 2. In DNAT rules, only IP addresses are
+# allowed; no FQDNs or subnet addresses
+# are permitted.
 #
 # The port that the server is listening on may be
 # included and separated from the server's IP address by
@@ -97,27 +117,25 @@
 # destination port. A destination port may only be
 # included if the ACTION is DNAT or REDIRECT.
 #
-# Example: loc:192.168.1.3:3128 specifies a local
-# server at IP address 192.168.1.3 and listening on port
-# 3128. The port number MUST be specified as an integer
+# Example: net:155.186.235.1:25 specifies a Internet
+# server at IP address 155.186.235.1 and listening on port
+# 25. The port number MUST be specified as an integer
 # and not as a name from /etc/services.
 #
-# if the ACTION is REDIRECT, this column needs only to
+# If the ACTION is REDIRECT, this column needs only to
 # contain the port number on the firewall that the
 # request should be redirected to.
 #
 # PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
-# "all" or "related". If "related", the remainder of the
-# entry must be omitted and connection requests that are
-# related to existing requests will be accepted.
+# "all".
 #
-# DEST PORT(S) Destination Ports. A comma-separated list of Port
+# DEST PORT(S) Destination Ports. A comma-separated list of Port
 # names (from /etc/services), port numbers or port
 # ranges; if the protocol is "icmp", this column is
 # interpreted as the destination icmp-type(s).
 #
 # A port range is expressed as :.
-#
+#
 # This column is ignored if PROTOCOL = all but must be
 # entered if any of the following ields are supplied.
 # In that case, it is suggested that this field contain
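Review bot: In the second hunk the replacement line `+# "all".` leaves the PROTO sentence without its conjunction ('…"icmp", a number, "all".'), and the new example line says `a Internet`; suggest `# or "all".` for the former and `# Example: net:155.186.235.1:25 specifies an Internet` for the latter. The removal of "related" is not explained anywhere in the header; one sentence saying related connections are now handled by connection tracking would stop readers hunting for the old keyword, assuming that is the reason, which the hunk does not state. The surviving context line `following ields are supplied` (`fields`) is pre-existing and could be fixed in the same pass.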
@@ -149,7 +167,7 @@
 # port.
 #
 # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
-# REDIRECT) If included and different from the IP
+# REDIRECT) If included and different from the IP
 # address given in the SERVER column, this is an address
 # on some interface on the firewall and connections to
 # that address will be forwarded to the IP and port
@@ -163,51 +181,60 @@
 # If no source IP address is given, the original source
 # address is not altered.
 #
-# Example: Accept SMTP requests from the DMZ to the internet
+# Also by default all outbound loc -> net communications are allowed.
+# You can change this behavior in the sample policy file.
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# ACCEPT dmz net tcp smtp
+# Example: Accept www requests to the firewall.
 #
-# Example: Forward all ssh and http connection requests from the internet
-# to local system 192.168.1.3
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# ACCEPT net fw tcp http
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT net loc:192.168.1.3 tcp ssh,http
+# Example: Accept SMTP requests from the Local Network to the Internet
 #
-# Example: Redirect all locally-originating www connection requests to
-# port 3128 on the firewall (Squid running on the firewall
-# system) except when the destination address is 192.168.2.2
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# ACCEPT loc net tcp smtp
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# REDIRECT loc 3128 tcp www - !192.168.2.2
+# Example: Forward all ssh and http connection requests from the Internet
+# to local system 192.168.1.3
 #
-# Example: All http requests from the internet to address
-# 130.252.100.69 are to be forwarded to 192.168.1.3
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# DNAT net loc:192.168.1.3 tcp ssh,http
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
+# Example: Redirect all locally-originating www connection requests to
+# port 3128 on the firewall (Squid running on the firewall
+# system) except when the destination address is 192.168.2.2
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# REDIRECT loc 3128 tcp www - !192.168.2.2
+#
+# Example: All http requests from the Internet to address
+# 130.252.100.69 are to be forwarded to 192.168.1.3
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
 ##############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# PORT PORT(S) DEST
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# PORT PORT(S) DEST
 #
-# Accept DNS connections from the firewall to the network
+# Accept DNS connections from the firewall to the network
 #
-ACCEPT fw net tcp 53
-ACCEPT fw net udp 53
+ACCEPT fw net tcp 53
+ACCEPT fw net udp 53
 #
-# Accept SSH connections from the local network for administration
+# Accept SSH connections from the local network for administration
 #
-ACCEPT loc fw tcp 22
+ACCEPT loc fw tcp 22
 #
-# Accept Ping Ubiquitously
+# Accept Ping Ubiquitously
 #
-ACCEPT loc fw icmp 8
-ACCEPT net fw icmp 8
+ACCEPT loc fw icmp 8
+ACCEPT net fw icmp 8
 #
-# All ICMP are accepted fw->all
+# All ICMP are accepted fw->all
 #
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Samples/two-interfaces/zones b/Samples/two-interfaces/zones
index d110bcb67..b223d412e 100644
--- a/Samples/two-interfaces/zones
+++ b/Samples/two-interfaces/zones
@@ -1,5 +1,6 @@
 #
-# Shorewall 1.3 /etc/shorewall/zones
+# Shorewall 1.4 -- Sample Zone File For Two Interfaces
+# /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #
@@ -9,5 +10,5 @@
 #
 #ZONE DISPLAY COMMENTS
 net Net Internet
-loc Local Local networks
+loc Local Local Networks
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
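Review bot: The rewritten comment `# All ICMP are accepted fw->all` is followed by no rule, and the policy hunk in this commit (`all all REJECT info`, with `fw net ACCEPT` left commented out) does not visibly supply that behaviour, so the claim should either be backed by a rule or name its source, e.g. `# All ICMP from the firewall is accepted by Shorewall's built-in handling (no rule needed here)` — only if that is actually how 1.4 behaves, which the hunk does not show. `ACCEPT net fw icmp 8` is the only Internet-originated ACCEPT in the sample and contradicts the header's "connections from the Internet are ignored" summary; a comment such as `# Deliberately answers echo requests from the Internet; remove if the firewall should not respond to ping` would make the exposure explicit to anyone copying the file. The zones hunks at the end are text-only and need nothing.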