extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-25 04:01:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

Modified Samples For 1.4 Usage And Readbility

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@499 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
frannie 2003-03-12 20:55:17 +00:00
parent 8556250875
commit d142c4ce9e
19 changed files with 784 additions and 695 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Samples/one-interface/common
View File

@ -7,4 +7,3 @@
# DNS replies # DNS replies
# #
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

150
Samples/one-interface/interfaces
View File

@ -1,7 +1,7 @@
#
# Shorewall 1.4 -- Sample Interface File For One Interface
# #
# Shorewall 1.3 -- Interfaces File # /etc/shorewall/interfaces
#
# /etc/shorewall/interfaces
# #
# You must add an entry in this file for each network interface on your # You must add an entry in this file for each network interface on your
# firewall system. # firewall system.
@ -24,7 +24,7 @@
# #
# BROADCAST The broadcast address for the subnetwork to which the # BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this # interface belongs. For P-T-P interfaces, this
# column is left black.If the interface has multiple # column is left blank.If the interface has multiple
# addresses on multiple subnets then list the broadcast # addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list. # addresses as a comma-separated list.
# #
@ -34,7 +34,7 @@
# the firewall is started, you must have iproute # the firewall is started, you must have iproute
# installed and the interface must only be associated # installed and the interface must only be associated
# with a single subnet. # with a single subnet.
# #
# If you don't want to give a value for this column but # If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter # you want to enter a value in the OPTIONS column, enter
# "-" in this column. # "-" in this column.
@ -42,92 +42,86 @@
# OPTIONS A comma-separated list of options including the # OPTIONS A comma-separated list of options including the
# following: # following:
# #
# dhcp - interface is managed by DHCP or used by # dhcp
# a DHCP server running on the firewall or # Interface is managed by DHCP or used by
# you have a static IP but are on a LAN # a DHCP server running on the firewall or
# segment with lots of Laptop DHCP clients. # you have a static IP but are on a LAN
# routestopped - (Deprecated -- use # segment with lots of Laptop DHCP clients.
# /etc/shorewall/routestopped) # norfc1918
# When the firewall is stopped, allow # This interface should not receive
# and route traffic to and from this # any packets whose source is in one
# interface. # of the ranges reserved by RFC 1918
# norfc1918 - This interface should not receive # (i.e., private or "non-routable"
# any packets whose source is in one # addresses. If packet mangling is
# of the ranges reserved by RFC 1918 # enabled in shorewall.conf, packets
# (i.e., private or "non-routable" # whose destination addresses are
# addresses. If packet mangling is # reserved by RFC 1918 are also rejected.
# enabled in shorewall.conf, packets # routefilter
# whose destination addresses are # Turn on kernel route filtering for this
# reserved by RFC 1918 are also rejected. # interface (anti-spoofing measure). This
# multi - This interface has multiple IP # option can also be enabled globally in
# addresses and you want to be able to # the /etc/shorewall/shorewall.conf file.
# route between them. # dropunclean
# routefilter - turn on kernel route filtering for this # Logs and drops mangled/invalid packets
# interface (anti-spoofing measure). This # logunclean
# option can also be enabled globally in # Logs mangled/invalid packets but does
# the /etc/shorewall/shorewall.conf file. # not drop them.
# dropunclean - Logs and drops mangled/invalid packets # blacklist
# Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
# maclist
# Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
# tcpflags
# Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
# proxyarp
# Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
# #
# logunclean - Logs mangled/invalid packets but does
# not drop them.
# blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# The order in which you list the options is not # The order in which you list the options is not
# significant but the list should have no embedded white # significant but the list should have no embedded white
# space. # space.
# #
# Example 1: Suppose you have eth0 connected to a DSL modem and # Example 1:
# eth1 connected to your local network and that your # Suppose you have eth0 connected to a DSL modem
# local subnet is 192.168.1.0/24. The interface gets # that gets it's IP address via DHCP from subnet
# it's IP address via DHCP from subnet # 206.191.149.192/27.
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2. You want to be able to
# access the firewall from the local network when the
# firewall is stopped.
# #
# Your entries for this setup would look like: # Your entries for this setup would look like:
# #
# net eth0 206.191.149.223 dhcp # #ZONE INTERFACE BROADCAST OPTIONS
# local eth1 192.168.1.255 routestopped # net eth0 206.191.149.223 dhcp
# dmz eth2 192.168.2.255
# #
# Example 2: The same configuration without specifying broadcast # Example 2:
# The same configuration without specifying broadcast
# addresses is: # addresses is:
# #
# net eth0 detect dhcp # #ZONE INTERFACE BROADCAST OPTIONS
# loc eth1 detect routestopped # net eth0 detect dhcp
# dmz eth2 detect
# #
# Example 3: You have a simple dial-in system with no ethernet # Example 3:
# You have a simple dial-in system with no ethernet
# connections. # connections.
# # #ZONE INTERFACE BROADCAST OPTIONS
# net ppp0 - # net ppp0 -
############################################################################## ##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918,routefilter,dhcp net eth0 detect norfc1918,routefilter,dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

25
Samples/one-interface/policy
View File

@ -1,7 +1,7 @@
#
# Shorewall 1.4 -- Sample Policy File For One Interface
# #
# Shorewall 1.3 -- Policy File # /etc/shorewall/policy
#
# /etc/shorewall/policy
# #
# This file determines what to do with a new connection request if we # This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the # don't get a match from the /etc/shorewall/rules file or from the
@ -17,9 +17,9 @@
# DEST Destination zone. Must be the name of a zone defined # DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all" # in /etc/shorewall/zones, $FW or "all"
# #
# WARNING: Firewall->Firewall policies are not allowed; if # WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW, # you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start! # Shorewall will not start!
# #
# POLICY Policy if no match from the rules file is found. Must # POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE" # be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
@ -32,8 +32,7 @@
# Beginning with Shorewall version 1.3.12, you may # Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will # also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log # log to the ULOG target and sent to a separate log
# through use of ulogd # through use of ulogd (http://www.gnumonks.org/projects/ulogd).
# (http://www.gnumonks.org/projects/ulogd).
# #
# If you don't want to log but need to specify the # If you don't want to log but need to specify the
# following column, place "_" here. # following column, place "_" here.
@ -44,11 +43,11 @@
# #
# As shipped, the default policies are: # As shipped, the default policies are:
# #
# a) All connections from the local network to the internet are allowed # a) All connections from the Firewall to the Internet are allowed
# b) All connections from the internet are ignored but logged at syslog # b) All connections from the Internet are ignored but logged at syslog
# level KERNEL.INFO. # level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level # d) All other connection requests are rejected and logged at level
# KERNEL.INFO. # KERNEL.INFO.
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT fw net ACCEPT

155
Samples/one-interface/rules
View File

@ -1,7 +1,7 @@
#
# Shorewall version 1.4 - Sample Rules File For One Interface
# #
# Shorewall version 1.3 - Rules File # /etc/shorewall/rules
#
# /etc/shorewall/rules
# #
# Rules in this file govern connection establishment. Requests and # Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. # responses are automatically allowed using connection tracking.
@ -15,35 +15,49 @@
# Columns are: # Columns are:
# #
# #
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT
# #
# ACCEPT -- allow the connection request # ACCEPT
# DROP -- ignore the request # Allow the connection request
# REJECT -- disallow the request and return an # DROP
# icmp-unreachable or an RST packet. # Ignore the request
# DNAT -- Forward the request to another # REJECT
# system (and optionally another # Disallow the request and return an
# port). # icmp-unreachable or an RST packet.
# DNAT- -- Advanced users only. # DNAT
# Like DNAT but only generates the # Forward the request to another
# DNAT iptables rule and not # system (and optionally another
# the companion ACCEPT rule. # port).
# REDIRECT -- Redirect the request to a local # DNAT-
# port on the firewall. # Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT
# Redirect the request to a local
# port on the firewall.
# CONTINUE
# (For experts only). Do Not Process
# any of the following rules for this
# (source zone,destination zone). If
# the source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zones(s).
# #
# May optionally be followed by ":" and a syslog log # May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be # level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# Beginning with Shorewall version 1.3.12, you may # You may also specify ULOG (must be in upper case) as a
# also specify ULOG (must be in upper case) as a log level.\ # log level. This will log to the ULOG target for routing
# This will log to the ULOG target and sent to a separate log # to a separate log through use of ulogd.
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd). # (http://www.gnumonks.org/projects/ulogd).
# #
#
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or # firewall itself, or "all" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be # REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with # excluded from the rule by following the zone name with
@ -56,24 +70,30 @@
# address; mac addresses must begin with "~" and must use # address; mac addresses must begin with "~" and must use
# "-" as a separator. # "-" as a separator.
# #
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # Some Examples:
# #
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the # net:155.186.235.1
# Host 155.186.235.1 on the Internet
#
# net:155.186.235.0/24
# Subnet 155.186.235.0/24 on the
# Internet # Internet
# #
# loc:192.168.1.1,192.168.1.2 # net:155.186.235.1,155.186.235.2
# Hosts 192.168.1.1 and # Hosts 155.186.235.1 and
# 192.168.1.2 in the local zone. # 155.186.235.2 on the Internet.
# loc:~00-A0-C9-15-39-78 Host in the local zone with #
# MAC address 00:A0:C9:15:39:78. # net:~00-A0-C9-15-39-78
# Host on the Internet with
# MAC address 00:A0:C9:15:39:78.
# #
# Alternatively, clients may be specified by interface # Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the # by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a # interface name. For example, net:eth0 specifies a
# client that communicates with the firewall system # client that communicates with the firewall system
# through eth1. This may be optionally followed by # through eth0. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address # another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5). # as described above (e.g., net:eth0:192.168.1.5).
# #
# DEST Location of Server. May be a zone defined in # DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall # /etc/shorewall/zones, $FW to indicate the firewall
@ -84,12 +104,12 @@
# interface by appending ":" and the subnet, host or # interface by appending ":" and the subnet, host or
# interface. See above. # interface. See above.
# #
# Restrictions: # Restrictions:
# #
# 1. MAC addresses are not allowed. # 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are # 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses # allowed; no FQDNs or subnet addresses
# are permitted. # are permitted.
# #
# The port that the server is listening on may be # The port that the server is listening on may be
# included and separated from the server's IP address by # included and separated from the server's IP address by
@ -97,27 +117,25 @@
# destination port. A destination port may only be # destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT. # included if the ACTION is DNAT or REDIRECT.
# #
# Example: loc:192.168.1.3:3128 specifies a local # Example: net:155.186.235.1:25 specifies a Internet
# server at IP address 192.168.1.3 and listening on port # server at IP address 155.186.235.1 and listening on port
# 3128. The port number MUST be specified as an integer # 25. The port number MUST be specified as an integer
# and not as a name from /etc/services. # and not as a name from /etc/services.
# #
# if the ACTION is REDIRECT, this column needs only to # If the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the # contain the port number on the firewall that the
# request should be redirected to. # request should be redirected to.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all" or "related". If "related", the remainder of the # "all".
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
# #
# DEST PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# A port range is expressed as <low port>:<high port>. # A port range is expressed as <low port>:<high port>.
# #
# This column is ignored if PROTOCOL = all but must be # This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied. # entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
@ -149,7 +167,7 @@
# port. # port.
# #
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP # REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address
# on some interface on the firewall and connections to # on some interface on the firewall and connections to
# that address will be forwarded to the IP and port # that address will be forwarded to the IP and port
@ -163,35 +181,24 @@
# If no source IP address is given, the original source # If no source IP address is given, the original source
# address is not altered. # address is not altered.
# #
# Example: Accept SMTP requests from the DMZ to the internet # Note: Most one interface rules are of the type ACCEPT, REDIRECT or REJECT.
# DNAT, DNAT-, CONTINUE rules are for multiple interface firewall.
# Also by default all outbound fw -> net communications are allowed.
# (One Interface Only) You can change this behavior in the sample policy file.
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # Example: Accept www requests to the one interface server.
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
# #
# Example: Forward all ssh and http connection requests from the internet # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# to local system 192.168.1.3 # # PORT PORT(S) DEST
# ACCEPT net fw tcp http
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # Example: Redirect port 88 Internet traffic to fw port 80
# # PORT PORT(S) DEST # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# DNAT net loc:192.168.1.3 tcp ssh,http # # PORT PORT(S) DEST
# REDIRECT net 80 tcp 88
# #
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
############################################################################## ##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST # PORT PORT(S) DEST
ACCEPT net fw icmp 8 ACCEPT net fw icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

5
Samples/one-interface/zones
View File

@ -1,7 +1,8 @@
# #
# Shorewall 1.3 /etc/shorewall/zones # Shorewall 1.4 -- Sample Zone File For One Interface
# /etc/shorewall/zones
# #
# This file determines your network zones. Columns are: # This file determines your network zones. Columns are:
# #
# ZONE Short name of the zone # ZONE Short name of the zone
# DISPLAY Display name of the zone # DISPLAY Display name of the zone

1
Samples/three-interfaces/common
View File

@ -7,4 +7,3 @@
# DNS replies # DNS replies
# #
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

167
Samples/three-interfaces/interfaces
View File

@ -1,33 +1,36 @@
#
# Shorewall 1.4 -- Sample Interface File For Three Interfaces
# #
# Shorewall 1.3 -- Interfaces File # /etc/shorewall/interfaces
#
# /etc/shorewall/interfaces
# #
# You must add an entry in this file for each network interface on your # You must add an entry in this file for each network interface on your
# firewall system. # firewall system.
# #
# Columns are: # Columns are:
# #
# ZONE Zone for this interface. Must match the short name # ZONE
# Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones. # of a zone defined in /etc/shorewall/zones.
# #
# If the interface serves multiple zones that will be # If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should # defined in the /etc/shorewall/hosts file, you should
# place "-" in this column. # place "-" in this column.
# #
# INTERFACE Name of interface. Each interface may be listed only # INTERFACE
# Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of # once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see # an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18 # http://www.shorewall.net/FAQ.htm#faq18
# #
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE. # DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
# #
# BROADCAST The broadcast address for the subnetwork to which the # BROADCAST
# The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this # interface belongs. For P-T-P interfaces, this
# column is left black.If the interface has multiple # column is left blank.If the interface has multiple
# addresses on multiple subnets then list the broadcast # addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list. # addresses as a comma-separated list.
# #
# If you use the special value "detect", the firewall # If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you # will detect the broadcast address for you. If you
# select this option, the interface must be up before # select this option, the interface must be up before
@ -39,97 +42,95 @@
# you want to enter a value in the OPTIONS column, enter # you want to enter a value in the OPTIONS column, enter
# "-" in this column. # "-" in this column.
# #
# OPTIONS A comma-separated list of options including the # OPTIONS
# A comma-separated list of options including the
# following: # following:
# #
# dhcp - interface is managed by DHCP or used by # dhcp
# a DHCP server running on the firewall or # Interface is managed by DHCP or used by
# you have a static IP but are on a LAN # a DHCP server running on the firewall or
# segment with lots of Laptop DHCP clients. # you have a static IP but are on a LAN
# routestopped - (Deprecated -- use # segment with lots of Laptop DHCP clients.
# /etc/shorewall/routestopped) # norfc1918
# When the firewall is stopped, allow # This interface should not receive
# and route traffic to and from this # any packets whose source is in one
# interface. # of the ranges reserved by RFC 1918
# norfc1918 - This interface should not receive # (i.e., private or "non-routable"
# any packets whose source is in one # addresses. If packet mangling is
# of the ranges reserved by RFC 1918 # enabled in shorewall.conf, packets
# (i.e., private or "non-routable" # whose destination addresses are
# addresses. If packet mangling is # reserved by RFC 1918 are also rejected.
# enabled in shorewall.conf, packets # routefilter
# whose destination addresses are # Turn on kernel route filtering for this
# reserved by RFC 1918 are also rejected. # interface (anti-spoofing measure). This
# multi - This interface has multiple IP # option can also be enabled globally in
# addresses and you want to be able to # the /etc/shorewall/shorewall.conf file.
# route between them. # dropunclean
# routefilter - turn on kernel route filtering for this # Logs and drops mangled/invalid packets
# interface (anti-spoofing measure). This # logunclean
# option can also be enabled globally in # Logs mangled/invalid packets but does
# the /etc/shorewall/shorewall.conf file. # not drop them.
# dropunclean - Logs and drops mangled/invalid packets # blacklist
# # Check packets arriving on this interface
# logunclean - Logs mangled/invalid packets but does # against the /etc/shorewall/blacklist
# not drop them. # file.
# blacklist - Check packets arriving on this interface # maclist
# against the /etc/shorewall/blacklist # Connection requests from this interface
# file. # are compared against the contents of
# maclist - Connection requests from this interface # /etc/shorewall/maclist. If this option
# are compared against the contents of # is specified, the interface must be
# /etc/shorewall/maclist. If this option # an ethernet NIC and must be up before
# is specified, the interface must be # Shorewall is started.
# an ethernet NIC and must be up before # tcpflags
# Shorewall is started. # Packets arriving on this interface are
# tcpflags - Packets arriving on this interface are # checked for certain illegal combinations
# checked for certain illegal combinations # of TCP flags. Packets found to have
# of TCP flags. Packets found to have # such a combination of flags are handled
# such a combination of flags are handled # according to the setting of
# according to the setting of # TCP_FLAGS_DISPOSITION after having been
# TCP_FLAGS_DISPOSITION after having been # logged according to the setting of
# logged according to the setting of # TCP_FLAGS_LOG_LEVEL.
# TCP_FLAGS_LOG_LEVEL. # proxyarp
# proxyarp - # Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are # Do NOT use this option if you are
# employing Proxy ARP through entries in # employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is # /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP # intended soley for use with Proxy ARP
# sub-networking as described at: # sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
# #
# Example 1: Suppose you have eth0 connected to a DSL modem and # The order in which you list the options is not
# eth1 connected to your local network and that your # significant but the list should have no embedded white
# local subnet is 192.168.1.0/24. The interface gets # space.
#
# Example 1:
# Suppose you have eth0 connected to a DSL modem,
# eth1 connected to your local network and eth2
# connected to your dmz. Assuming that your local
# subnet is 192.168.1.0/24 and your dmz subnet is
# 192.168.2.0/24 . The eth0 interface gets
# it's IP address via DHCP from subnet # it's IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet # 206.191.149.192/27.
# 192.168.2.0/24 using eth2. You want to be able to
# access the firewall from the local network when the
# firewall is stopped.
# #
# Your entries for this setup would look like: # Your entries for this setup would look like:
# #
# net eth0 206.191.149.223 dhcp # #ZONE INTERFACE BROADCAST OPTIONS
# local eth1 192.168.1.255 routestopped # net eth0 206.191.149.223 dhcp
# dmz eth2 192.168.2.255 # local eth1 192.168.1.255
# dmz eth2 192.168.2.255
# #
# Example 2: The same configuration without specifying broadcast # Example 2:
# The same configuration without specifying broadcast
# addresses is: # addresses is:
# #
# net eth0 detect dhcp # #ZONE INTERFACE BROADCAST OPTIONS
# loc eth1 detect routestopped # net eth0 detect dhcp
# dmz eth2 detect # loc eth1 detect
# dmz eth2 detect
# #
# Example 3: You have a simple dial-in system with no ethernet
# connections.
#
# net ppp0 -
############################################################################## ##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,norfc1918 net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect routestopped loc eth1 detect
dmz eth2 detect routestopped dmz eth2 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

134
Samples/three-interfaces/masq
View File

@ -1,95 +1,103 @@
#
# Shorewall 1.4 - Sample Masquerade file For Three Interfaces
# #
# Shorewall 1.3 - Masquerade file # etc/shorewall/masq
# #
# /etc/shorewall/masq # Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
# #
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT # Columns are:
# (SNAT).
# #
# Columns are: # INTERFACE
# Outgoing interface. This is usually your internet
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
# #
# INTERFACE -- Outgoing interface. This is usually your internet # This may be qualified by adding the character
# interface. If ADD_SNAT_ALIASES=Yes in # ":" followed by a destination host or subnet.
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
# #
# #
# SUBNET -- Subnet that you wish to masquerade. You can specify this as # SUBNET
# a subnet or as an interface. If you give the name of an # Subnet that you wish to masquerade. You can specify this as
# interface, you must have iproute installed and the interface # a subnet or as an interface. If you give the name of an
# must be up before you start the firewall. # interface, you must have iproute installed and the interface
# # must be up before you start the firewall.
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
# #
# Example: eth1!192.168.1.4,192.168.32.0/27 # In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
# #
# In that example traffic from eth1 would be masqueraded unless # Example: eth1!192.168.1.4,192.168.32.0/27
# it came from 192.168.1.4 or 196.168.32.0/27
# #
# ADDRESS -- (Optional). If you specify an address here, SNAT will be # In that example traffic from eth1 would be masqueraded unless
# used and this will be the source address. If # it came from 192.168.1.4 or 196.168.32.0/27
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
# #
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if # ADDRESS (Optional)
# the address given in this column is the primary # If you specify an address here, SNAT will be
# IP address for the interface in the INTERFACE # used and this will be the source address. If
# column. # ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
# #
# This column may not contain a DNS Name. # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary
# IP address for the interface in the INTERFACE
# column.
# #
# Example 1: # This column may not contain a DNS Name.
# #
# You have a simple masquerading setup where eth0 connects to # Example 1:
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
# #
# Your entry in the file can be either: # You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
# #
# eth0 eth1 # Your entry in the file can be either:
# #
# or # #INTERFACE SUBNET ADDRESS
# eth0 eth1
# #
# eth0 192.168.0.0/24 # or
# #
# Example 2: # #INTERFACE SUBNET ADDRESS
# eth0 192.168.0.0/24
# #
# You add a router to your local network to connect subnet # Example 2:
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
# #
# eth0 192.168.1.0/24 # You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
# #
# Example 3: # #INTERFACE SUBNET ADDRESS
# eth0 192.168.1.0/24
# #
# You have an IPSEC tunnel through ipsec0 and you want to # Example 3:
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
# #
# ipsec0:10.1.1.0/24 196.168.1.0/24 # You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
# #
# Example 4: # #INTERFACE SUBNET ADDRESS
# ipsec0:10.1.1.0/24 196.168.1.0/24
# #
# You want all outgoing traffic from 192.168.1.0/24 through # Example 4:
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
# #
# eth0:0 192.168.1.0/24 206.124.146.176 # You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# #INTERFACE SUBNET ADDRESS
# eth0:0 192.168.1.0/24 206.124.146.176
# #
############################################################################## ##############################################################################
#INTERFACE SUBNET ADDRESS #INTERFACE SUBNET ADDRESS
eth0 eth1 eth0 eth1
eth0 eth2 eth0 eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

35
Samples/three-interfaces/policy
View File

@ -1,7 +1,7 @@
#
# Shorewall 1.4 -- Sample Policy File For Three Interfaces
# #
# Shorewall 1.3 -- Policy File # /etc/shorewall/policy
#
# /etc/shorewall/policy
# #
# This file determines what to do with a new connection request if we # This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the # don't get a match from the /etc/shorewall/rules file or from the
@ -17,9 +17,9 @@
# DEST Destination zone. Must be the name of a zone defined # DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all" # in /etc/shorewall/zones, $FW or "all"
# #
# WARNING: Firewall->Firewall policies are not allowed; if # WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW, # you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start! # Shorewall will not start!
# #
# POLICY Policy if no match from the rules file is found. Must # POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE" # be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
@ -32,8 +32,7 @@
# Beginning with Shorewall version 1.3.12, you may # Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will # also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log # log to the ULOG target and sent to a separate log
# through use of ulogd # through use of ulogd (http://www.gnumonks.org/projects/ulogd).
# (http://www.gnumonks.org/projects/ulogd).
# #
# If you don't want to log but need to specify the # If you don't want to log but need to specify the
# following column, place "_" here. # following column, place "_" here.
@ -44,18 +43,20 @@
# #
# As shipped, the default policies are: # As shipped, the default policies are:
# #
# a) All connections from the local network to the internet are allowed # a) All connections from the local network to the Internet are allowed
# b) All connections from the internet are ignored but logged at syslog # b) All connections from the Internet are ignored but logged at syslog
# level KERNEL.INFO. # level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level # d) All other connection requests are rejected and logged at level
# KERNEL.INFO. # KERNEL.INFO.
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT loc net ACCEPT
# # If you want open access to the Internet from your Firewall
# If you want open access to the internet from your firewall, uncomment the # remove the comment from the following line.
# following line
#fw net ACCEPT #fw net ACCEPT
# Also If You Wish To Open Up DMZ Access To The Internet
# remove the comment from the following line.
#dmz net ACCEPT
net all DROP info net all DROP info
all all REJECT info all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

31
Samples/three-interfaces/routestopped
View File

@ -1,25 +1,30 @@
############################################################################## ##############################################################################
# #
# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped # Shorewall 1.4 -- Sample Routestopped File For Three Interfaces.
# #
# /etc/shorewall/routestopped # /etc/shorewall/routestopped
# #
# This file is used to define the hosts that are accessible when the # This file is used to define the hosts that are accessible when the
# firewall is stopped # firewall is stopped.
# #
# Columns must be separated by white space and are: # Columns must be separated by white space and are:
# #
# INTERFACE - Interface through which host(s) communicate with # INTERFACE
# the firewall # Interface through which host(s) communicate with
# HOST(S) - (Optional) Comma-separated list of IP/subnet # the firewall.
# addresses. If left empty or supplied as "-", # HOST(S)
# 0.0.0.0/0 is assumed. # (Optional) Comma-separated list of IP/subnet
# addresses. If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# #
# Example: # Examples:
# #
# INTERFACE HOST(S) # INTERFACE HOST(S)
# eth2 192.168.1.0/24 # eth1 -
# eth0 192.0.2.44 # Or
# eth1 192.168.1.0/24
# Or
# eth1 192.0.2.44
############################################################################## ##############################################################################
#INTERFACE HOST(S) #INTERFACE HOST(S)
eth1 - eth1 -

220
Samples/three-interfaces/rules
View File

@ -1,7 +1,7 @@
#
# Shorewall version 1.4 - Sample Rules File For Three Interfaces
# #
# Shorewall version 1.3 - Rules File # /etc/shorewall/rules
#
# /etc/shorewall/rules
# #
# Rules in this file govern connection establishment. Requests and # Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. # responses are automatically allowed using connection tracking.
@ -15,35 +15,49 @@
# Columns are: # Columns are:
# #
# #
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT
# #
# ACCEPT -- allow the connection request # ACCEPT
# DROP -- ignore the request # Allow the connection request
# REJECT -- disallow the request and return an # DROP
# icmp-unreachable or an RST packet. # Ignore the request
# DNAT -- Forward the request to another # REJECT
# system (and optionally another # Disallow the request and return an
# port). # icmp-unreachable or an RST packet.
# DNAT- -- Advanced users only. # DNAT
# Like DNAT but only generates the # Forward the request to another
# DNAT iptables rule and not # system (and optionally another
# the companion ACCEPT rule. # port).
# REDIRECT -- Redirect the request to a local # DNAT-
# port on the firewall. # Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT
# Redirect the request to a local
# port on the firewall.
# CONTINUE
# (For experts only). Do Not Process
# any of the following rules for this
# (source zone,destination zone). If
# the source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zones(s).
# #
# May optionally be followed by ":" and a syslog log # May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be # level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# Beginning with Shorewall version 1.3.12, you may # You may also specify ULOG (must be in upper case) as a
# also specify ULOG (must be in upper case) as a log level.\ # log level. This will log to the ULOG target for routing
# This will log to the ULOG target and sent to a separate log # to a separate log through use of ulogd.
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd). # (http://www.gnumonks.org/projects/ulogd).
# #
#
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or # firewall itself, or "all" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be # REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with # excluded from the rule by following the zone name with
@ -56,24 +70,30 @@
# address; mac addresses must begin with "~" and must use # address; mac addresses must begin with "~" and must use
# "-" as a separator. # "-" as a separator.
# #
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # Some Examples:
# #
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the # net:155.186.235.1
# Internet # Host 155.186.235.1 on the Internet
# #
# loc:192.168.1.1,192.168.1.2 # loc:192.168.1.0/24
# Hosts 192.168.1.1 and # Subnet 192.168.1.0/24 on the
# 192.168.1.2 in the local zone. # Local Network
# loc:~00-A0-C9-15-39-78 Host in the local zone with #
# MAC address 00:A0:C9:15:39:78. # net:155.186.235.1,155.186.235.2
# Hosts 155.186.235.1 and
# 155.186.235.2 on the Internet.
#
# loc:~00-A0-C9-15-39-78
# Host on the Local Network with
# MAC address 00:A0:C9:15:39:78.
# #
# Alternatively, clients may be specified by interface # Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the # by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a # interface name. For example, net:eth0 specifies a
# client that communicates with the firewall system # client that communicates with the firewall system
# through eth1. This may be optionally followed by # through eth0. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address # another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5). # as described above (e.g., net:eth0:192.168.1.5).
# #
# DEST Location of Server. May be a zone defined in # DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall # /etc/shorewall/zones, $FW to indicate the firewall
@ -84,12 +104,12 @@
# interface by appending ":" and the subnet, host or # interface by appending ":" and the subnet, host or
# interface. See above. # interface. See above.
# #
# Restrictions: # Restrictions:
# #
# 1. MAC addresses are not allowed. # 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are # 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses # allowed; no FQDNs or subnet addresses
# are permitted. # are permitted.
# #
# The port that the server is listening on may be # The port that the server is listening on may be
# included and separated from the server's IP address by # included and separated from the server's IP address by
@ -97,27 +117,25 @@
# destination port. A destination port may only be # destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT. # included if the ACTION is DNAT or REDIRECT.
# #
# Example: loc:192.168.1.3:3128 specifies a local # Example: net:155.186.235.1:25 specifies a Internet
# server at IP address 192.168.1.3 and listening on port # server at IP address 155.186.235.1 and listening on port
# 3128. The port number MUST be specified as an integer # 25. The port number MUST be specified as an integer
# and not as a name from /etc/services. # and not as a name from /etc/services.
# #
# if the ACTION is REDIRECT, this column needs only to # If the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the # contain the port number on the firewall that the
# request should be redirected to. # request should be redirected to.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all" or "related". If "related", the remainder of the # "all".
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
# #
# DEST PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# A port range is expressed as <low port>:<high port>. # A port range is expressed as <low port>:<high port>.
# #
# This column is ignored if PROTOCOL = all but must be # This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied. # entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
@ -149,7 +167,7 @@
# port. # port.
# #
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP # REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address
# on some interface on the firewall and connections to # on some interface on the firewall and connections to
# that address will be forwarded to the IP and port # that address will be forwarded to the IP and port
@ -163,61 +181,83 @@
# If no source IP address is given, the original source # If no source IP address is given, the original source
# address is not altered. # address is not altered.
# #
# Example: Accept SMTP requests from the DMZ to the internet # Also by default all outbound loc -> net communications are allowed.
# You can change this behavior in the sample policy file.
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # Example: Accept www requests to the firewall.
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
# #
# Example: Forward all ssh and http connection requests from the internet # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# to local system 192.168.1.3 # # PORT PORT(S) DEST
# ACCEPT net fw tcp http
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # Example: Accept SMTP requests from the Local Network to the Internet
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
# #
# Example: Redirect all locally-originating www connection requests to # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# port 3128 on the firewall (Squid running on the firewall # # PORT PORT(S) DEST
# system) except when the destination address is 192.168.2.2 # ACCEPT loc net tcp smtp
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # Example: Forward all ssh and http connection requests from the Internet
# # PORT PORT(S) DEST # to dmz system 192.168.2.3
# REDIRECT loc 3128 tcp www - !192.168.2.2
# #
# Example: All http requests from the internet to address # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# 130.252.100.69 are to be forwarded to 192.168.1.3 # # PORT PORT(S) DEST
# DNAT net dmz:192.168.2.3 tcp ssh,http
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # Example: Redirect all locally-originating www connection requests to
# # PORT PORT(S) DEST # port 3128 on the firewall (Squid running on the firewall
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 # system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the Internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
############################################################################## ##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST # PORT PORT(S) DEST
# #
# Accept outgoing DNS connections from the firewall # Accept DNS connections from the firewall to the network
# #
ACCEPT fw net tcp 53 ACCEPT fw net tcp 53
ACCEPT fw net udp 53 ACCEPT fw net udp 53
# #
# Accept SSH connections from the local network to the firewall and DMZ # Accept SSH connections from the local network for administration.
# #
ACCEPT loc fw tcp 22 ACCEPT loc fw tcp 22
ACCEPT loc dmz tcp 22
# #
# DMZ DNS access to the internet ##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
# #
ACCEPT dmz net tcp 53 # Accept outgoing DNS connections from the firewall
ACCEPT dmz net udp 53
# #
# Make ping work between the DMZ, net and local zone (assumes that the loc-> ACCEPT fw net tcp 53
# net policy is ACCEPT). ACCEPT fw net udp 53
# #
ACCEPT net fw icmp 8 # Accept SSH connections from the local network to the firewall and DMZ
ACCEPT loc fw icmp 8 #
ACCEPT dmz fw icmp 8 ACCEPT loc fw tcp 22
ACCEPT loc dmz icmp 8 ACCEPT loc dmz tcp 22
ACCEPT dmz loc icmp 8 #
ACCEPT dmz net icmp 8 # DMZ DNS access to the internet
ACCEPT net dmz icmp 8 # Only with Proxy ARP and #
ACCEPT net loc icmp 8 # static NAT ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
#
# Make ping work between the DMZ, net and local zone (assumes that the loc->
# net policy is ACCEPT).
#
ACCEPT net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT net dmz icmp 8 # Only with Proxy ARP and
ACCEPT net loc icmp 8 # static NAT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

5
Samples/three-interfaces/zones
View File

@ -1,5 +1,6 @@
# #
# Shorewall 1.3 /etc/shorewall/zones # Shorewall 1.4 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
# #
# This file determines your network zones. Columns are: # This file determines your network zones. Columns are:
# #
@ -9,6 +10,6 @@
# #
#ZONE DISPLAY COMMENTS #ZONE DISPLAY COMMENTS
net Net Internet net Net Internet
loc Local Local networks loc Local Local Networks
dmz DMZ Demilitarized Zone dmz DMZ Demilitarized Zone
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

1
Samples/two-interfaces/common
View File

@ -7,4 +7,3 @@
# DNS replies # DNS replies
# #
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

160
Samples/two-interfaces/interfaces
View File

@ -1,33 +1,36 @@
#
# Shorewall 1.4 -- Sample Interface File For Two Interfaces
# #
# Shorewall 1.3 -- Interfaces File # /etc/shorewall/interfaces
#
# /etc/shorewall/interfaces
# #
# You must add an entry in this file for each network interface on your # You must add an entry in this file for each network interface on your
# firewall system. # firewall system.
# #
# Columns are: # Columns are:
# #
# ZONE Zone for this interface. Must match the short name # ZONE
# Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones. # of a zone defined in /etc/shorewall/zones.
# #
# If the interface serves multiple zones that will be # If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should # defined in the /etc/shorewall/hosts file, you should
# place "-" in this column. # place "-" in this column.
# #
# INTERFACE Name of interface. Each interface may be listed only # INTERFACE
# Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of # once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see # an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18 # http://www.shorewall.net/FAQ.htm#faq18
# #
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE. # DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
# #
# BROADCAST The broadcast address for the subnetwork to which the # BROADCAST
# The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this # interface belongs. For P-T-P interfaces, this
# column is left black.If the interface has multiple # column is left blank.If the interface has multiple
# addresses on multiple subnets then list the broadcast # addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list. # addresses as a comma-separated list.
# #
# If you use the special value "detect", the firewall # If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you # will detect the broadcast address for you. If you
# select this option, the interface must be up before # select this option, the interface must be up before
@ -39,96 +42,89 @@
# you want to enter a value in the OPTIONS column, enter # you want to enter a value in the OPTIONS column, enter
# "-" in this column. # "-" in this column.
# #
# OPTIONS A comma-separated list of options including the # OPTIONS
# A comma-separated list of options including the
# following: # following:
# #
# dhcp - interface is managed by DHCP or used by # dhcp
# a DHCP server running on the firewall or # Interface is managed by DHCP or used by
# you have a static IP but are on a LAN # a DHCP server running on the firewall or
# segment with lots of Laptop DHCP clients. # you have a static IP but are on a LAN
# routestopped - (Deprecated -- use # segment with lots of Laptop DHCP clients.
# /etc/shorewall/routestopped) # norfc1918
# When the firewall is stopped, allow # This interface should not receive
# and route traffic to and from this # any packets whose source is in one
# interface. # of the ranges reserved by RFC 1918
# norfc1918 - This interface should not receive # (i.e., private or "non-routable"
# any packets whose source is in one # addresses. If packet mangling is
# of the ranges reserved by RFC 1918 # enabled in shorewall.conf, packets
# (i.e., private or "non-routable" # whose destination addresses are
# addresses. If packet mangling is # reserved by RFC 1918 are also rejected.
# enabled in shorewall.conf, packets # routefilter
# whose destination addresses are # Turn on kernel route filtering for this
# reserved by RFC 1918 are also rejected. # interface (anti-spoofing measure). This
# multi - This interface has multiple IP # option can also be enabled globally in
# addresses and you want to be able to # the /etc/shorewall/shorewall.conf file.
# route between them. # dropunclean
# routefilter - turn on kernel route filtering for this # Logs and drops mangled/invalid packets
# interface (anti-spoofing measure). This # logunclean
# option can also be enabled globally in # Logs mangled/invalid packets but does
# the /etc/shorewall/shorewall.conf file. # not drop them.
# dropunclean - Logs and drops mangled/invalid packets # blacklist
# # Check packets arriving on this interface
# logunclean - Logs mangled/invalid packets but does # against the /etc/shorewall/blacklist
# not drop them. # file.
# blacklist - Check packets arriving on this interface # maclist
# against the /etc/shorewall/blacklist # Connection requests from this interface
# file. # are compared against the contents of
# maclist - Connection requests from this interface # /etc/shorewall/maclist. If this option
# are compared against the contents of # is specified, the interface must be
# /etc/shorewall/maclist. If this option # an ethernet NIC and must be up before
# is specified, the interface must be # Shorewall is started.
# an ethernet NIC and must be up before # tcpflags
# Shorewall is started. # Packets arriving on this interface are
# tcpflags - Packets arriving on this interface are # checked for certain illegal combinations
# checked for certain illegal combinations # of TCP flags. Packets found to have
# of TCP flags. Packets found to have # such a combination of flags are handled
# such a combination of flags are handled # according to the setting of
# according to the setting of # TCP_FLAGS_DISPOSITION after having been
# TCP_FLAGS_DISPOSITION after having been # logged according to the setting of
# logged according to the setting of # TCP_FLAGS_LOG_LEVEL.
# TCP_FLAGS_LOG_LEVEL. # proxyarp
# proxyarp - # Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are # Do NOT use this option if you are
# employing Proxy ARP through entries in # employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is # /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP # intended soley for use with Proxy ARP
# sub-networking as described at: # sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
# #
# Example 1: Suppose you have eth0 connected to a DSL modem and # The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# Example 1:
# Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your # eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets # local subnet is 192.168.1.0/24. The eth0 interface gets
# it's IP address via DHCP from subnet # it's IP address via DHCP from subnet 206.191.149.192/27.
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2. You want to be able to
# access the firewall from the local network when the
# firewall is stopped.
# #
# Your entries for this setup would look like: # Your entries for this setup would look like:
# #
# net eth0 206.191.149.223 dhcp # #ZONE INTERFACE BROADCAST OPTIONS
# local eth1 192.168.1.255 routestopped # net eth0 206.191.149.223 dhcp
# dmz eth2 192.168.2.255 # local eth1 192.168.1.255
# #
# Example 2: The same configuration without specifying broadcast # Example 2:
# The same configuration without specifying broadcast
# addresses is: # addresses is:
# #
# net eth0 detect dhcp # #ZONE INTERFACE BROADCAST OPTIONS
# loc eth1 detect routestopped # net eth0 detect dhcp
# dmz eth2 detect # loc eth1 detect
# #
# Example 3: You have a simple dial-in system with no ethernet
# connections.
#
# net ppp0 -
############################################################################## ##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,norfc1918 net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect loc eth1 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

134
Samples/two-interfaces/masq
View File

@ -1,94 +1,102 @@
#
# Shorewall 1.4 - Sample Masquerade file For Two Interfaces
# #
# Shorewall 1.3 - Masquerade file # etc/shorewall/masq
# #
# /etc/shorewall/masq # Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
# #
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT # Columns are:
# (SNAT).
# #
# Columns are: # INTERFACE
# Outgoing interface. This is usually your internet
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
# #
# INTERFACE -- Outgoing interface. This is usually your internet # This may be qualified by adding the character
# interface. If ADD_SNAT_ALIASES=Yes in # ":" followed by a destination host or subnet.
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
# #
# #
# SUBNET -- Subnet that you wish to masquerade. You can specify this as # SUBNET
# a subnet or as an interface. If you give the name of an # Subnet that you wish to masquerade. You can specify this as
# interface, you must have iproute installed and the interface # a subnet or as an interface. If you give the name of an
# must be up before you start the firewall. # interface, you must have iproute installed and the interface
# # must be up before you start the firewall.
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
# #
# Example: eth1!192.168.1.4,192.168.32.0/27 # In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
# #
# In that example traffic from eth1 would be masqueraded unless # Example: eth1!192.168.1.4,192.168.32.0/27
# it came from 192.168.1.4 or 196.168.32.0/27
# #
# ADDRESS -- (Optional). If you specify an address here, SNAT will be # In that example traffic from eth1 would be masqueraded unless
# used and this will be the source address. If # it came from 192.168.1.4 or 196.168.32.0/27
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
# #
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if # ADDRESS (Optional)
# the address given in this column is the primary # If you specify an address here, SNAT will be
# IP address for the interface in the INTERFACE # used and this will be the source address. If
# column. # ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
# #
# This column may not contain a DNS Name. # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary
# IP address for the interface in the INTERFACE
# column.
# #
# Example 1: # This column may not contain a DNS Name.
# #
# You have a simple masquerading setup where eth0 connects to # Example 1:
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
# #
# Your entry in the file can be either: # You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
# #
# eth0 eth1 # Your entry in the file can be either:
# #
# or # #INTERFACE SUBNET ADDRESS
# eth0 eth1
# #
# eth0 192.168.0.0/24 # or
# #
# Example 2: # #INTERFACE SUBNET ADDRESS
# eth0 192.168.0.0/24
# #
# You add a router to your local network to connect subnet # Example 2:
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
# #
# eth0 192.168.1.0/24 # You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
# #
# Example 3: # #INTERFACE SUBNET ADDRESS
# eth0 192.168.1.0/24
# #
# You have an IPSEC tunnel through ipsec0 and you want to # Example 3:
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
# #
# ipsec0:10.1.1.0/24 196.168.1.0/24 # You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
# #
# Example 4: # #INTERFACE SUBNET ADDRESS
# ipsec0:10.1.1.0/24 196.168.1.0/24
# #
# You want all outgoing traffic from 192.168.1.0/24 through # Example 4:
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
# #
# eth0:0 192.168.1.0/24 206.124.146.176 # You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# #INTERFACE SUBNET ADDRESS
# eth0:0 192.168.1.0/24 206.124.146.176
# #
############################################################################## ##############################################################################
#INTERFACE SUBNET ADDRESS #INTERFACE SUBNET ADDRESS
eth0 eth1 eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

32
Samples/two-interfaces/policy
View File

@ -1,7 +1,7 @@
#
# Shorewall 1.4 -- Sample Policy File For Two Interfaces
# #
# Shorewall 1.3 -- Policy File # /etc/shorewall/policy
#
# /etc/shorewall/policy
# #
# This file determines what to do with a new connection request if we # This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the # don't get a match from the /etc/shorewall/rules file or from the
@ -17,9 +17,9 @@
# DEST Destination zone. Must be the name of a zone defined # DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all" # in /etc/shorewall/zones, $FW or "all"
# #
# WARNING: Firewall->Firewall policies are not allowed; if # WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW, # you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start! # Shorewall will not start!
# #
# POLICY Policy if no match from the rules file is found. Must # POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE" # be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
@ -32,8 +32,7 @@
# Beginning with Shorewall version 1.3.12, you may # Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will # also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log # log to the ULOG target and sent to a separate log
# through use of ulogd # through use of ulogd (http://www.gnumonks.org/projects/ulogd).
# (http://www.gnumonks.org/projects/ulogd).
# #
# If you don't want to log but need to specify the # If you don't want to log but need to specify the
# following column, place "_" here. # following column, place "_" here.
@ -44,18 +43,17 @@
# #
# As shipped, the default policies are: # As shipped, the default policies are:
# #
# a) All connections from the local network to the internet are allowed # a) All connections from the local network to the Internet are allowed
# b) All connections from the internet are ignored but logged at syslog # b) All connections from the Internet are ignored but logged at syslog
# level KERNEL.INFO. # level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level # d) All other connection requests are rejected and logged at level
# KERNEL.INFO. # KERNEL.INFO.
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT loc net ACCEPT
# # If you want open access to the Internet from your Firewall
# If you want open access to the internet from your firewall, uncomment the # remove the comment from the following line.
# following line
#fw net ACCEPT #fw net ACCEPT
net all DROP info net all DROP info
all all REJECT info all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

31
Samples/two-interfaces/routestopped
View File

@ -1,25 +1,30 @@
############################################################################## ##############################################################################
# #
# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped # Shorewall 1.4 -- Sample Routestopped file for two interfaces.
# #
# /etc/shorewall/routestopped # /etc/shorewall/routestopped
# #
# This file is used to define the hosts that are accessible when the # This file is used to define the hosts that are accessible when the
# firewall is stopped # firewall is stopped.
# #
# Columns must be separated by white space and are: # Columns must be separated by white space and are:
# #
# INTERFACE - Interface through which host(s) communicate with # INTERFACE
# the firewall # Interface through which host(s) communicate with
# HOST(S) - (Optional) Comma-separated list of IP/subnet # the firewall.
# addresses. If left empty or supplied as "-", # HOST(S)
# 0.0.0.0/0 is assumed. # (Optional) Comma-separated list of IP/subnet
# addresses. If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# #
# Example: # Examples:
# #
# INTERFACE HOST(S) # INTERFACE HOST(S)
# eth2 192.168.1.0/24 # eth1 -
# eth0 192.0.2.44 # Or
# eth1 192.168.1.0/24
# Or
# eth1 192.0.2.44
############################################################################## ##############################################################################
#INTERFACE HOST(S) #INTERFACE HOST(S)
eth1 - eth1 -

187
Samples/two-interfaces/rules
View File

@ -1,7 +1,7 @@
#
# Shorewall version 1.4 - Sample Rules File For Two Interfaces
# #
# Shorewall version 1.3 - Rules File # /etc/shorewall/rules
#
# /etc/shorewall/rules
# #
# Rules in this file govern connection establishment. Requests and # Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. # responses are automatically allowed using connection tracking.
@ -15,35 +15,49 @@
# Columns are: # Columns are:
# #
# #
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT
# #
# ACCEPT -- allow the connection request # ACCEPT
# DROP -- ignore the request # Allow the connection request
# REJECT -- disallow the request and return an # DROP
# icmp-unreachable or an RST packet. # Ignore the request
# DNAT -- Forward the request to another # REJECT
# system (and optionally another # Disallow the request and return an
# port). # icmp-unreachable or an RST packet.
# DNAT- -- Advanced users only. # DNAT
# Like DNAT but only generates the # Forward the request to another
# DNAT iptables rule and not # system (and optionally another
# the companion ACCEPT rule. # port).
# REDIRECT -- Redirect the request to a local # DNAT-
# port on the firewall. # Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT
# Redirect the request to a local
# port on the firewall.
# CONTINUE
# (For experts only). Do Not Process
# any of the following rules for this
# (source zone,destination zone). If
# the source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zones(s).
# #
# May optionally be followed by ":" and a syslog log # May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be # level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level. # logged at the specified level.
# #
# Beginning with Shorewall version 1.3.12, you may # You may also specify ULOG (must be in upper case) as a
# also specify ULOG (must be in upper case) as a log level.\ # log level. This will log to the ULOG target for routing
# This will log to the ULOG target and sent to a separate log # to a separate log through use of ulogd.
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd). # (http://www.gnumonks.org/projects/ulogd).
# #
#
# SOURCE Source hosts to which the rule applies. May be a zone # SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the # defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or # firewall itself, or "all" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be # REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with # excluded from the rule by following the zone name with
@ -56,24 +70,30 @@
# address; mac addresses must begin with "~" and must use # address; mac addresses must begin with "~" and must use
# "-" as a separator. # "-" as a separator.
# #
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # Some Examples:
# #
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the # net:155.186.235.1
# Internet # Host 155.186.235.1 on the Internet
# #
# loc:192.168.1.1,192.168.1.2 # loc:192.168.1.0/24
# Hosts 192.168.1.1 and # Subnet 192.168.1.0/24 on the
# 192.168.1.2 in the local zone. # Local Network
# loc:~00-A0-C9-15-39-78 Host in the local zone with #
# MAC address 00:A0:C9:15:39:78. # net:155.186.235.1,155.186.235.2
# Hosts 155.186.235.1 and
# 155.186.235.2 on the Internet.
#
# loc:~00-A0-C9-15-39-78
# Host on the Local Network with
# MAC address 00:A0:C9:15:39:78.
# #
# Alternatively, clients may be specified by interface # Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the # by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a # interface name. For example, net:eth0 specifies a
# client that communicates with the firewall system # client that communicates with the firewall system
# through eth1. This may be optionally followed by # through eth0. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address # another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5). # as described above (e.g., net:eth0:192.168.1.5).
# #
# DEST Location of Server. May be a zone defined in # DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall # /etc/shorewall/zones, $FW to indicate the firewall
@ -84,12 +104,12 @@
# interface by appending ":" and the subnet, host or # interface by appending ":" and the subnet, host or
# interface. See above. # interface. See above.
# #
# Restrictions: # Restrictions:
# #
# 1. MAC addresses are not allowed. # 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are # 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses # allowed; no FQDNs or subnet addresses
# are permitted. # are permitted.
# #
# The port that the server is listening on may be # The port that the server is listening on may be
# included and separated from the server's IP address by # included and separated from the server's IP address by
@ -97,27 +117,25 @@
# destination port. A destination port may only be # destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT. # included if the ACTION is DNAT or REDIRECT.
# #
# Example: loc:192.168.1.3:3128 specifies a local # Example: net:155.186.235.1:25 specifies a Internet
# server at IP address 192.168.1.3 and listening on port # server at IP address 155.186.235.1 and listening on port
# 3128. The port number MUST be specified as an integer # 25. The port number MUST be specified as an integer
# and not as a name from /etc/services. # and not as a name from /etc/services.
# #
# if the ACTION is REDIRECT, this column needs only to # If the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the # contain the port number on the firewall that the
# request should be redirected to. # request should be redirected to.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all" or "related". If "related", the remainder of the # "all".
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
# #
# DEST PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# A port range is expressed as <low port>:<high port>. # A port range is expressed as <low port>:<high port>.
# #
# This column is ignored if PROTOCOL = all but must be # This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied. # entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
@ -149,7 +167,7 @@
# port. # port.
# #
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP # REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address
# on some interface on the firewall and connections to # on some interface on the firewall and connections to
# that address will be forwarded to the IP and port # that address will be forwarded to the IP and port
@ -163,51 +181,60 @@
# If no source IP address is given, the original source # If no source IP address is given, the original source
# address is not altered. # address is not altered.
# #
# Example: Accept SMTP requests from the DMZ to the internet # Also by default all outbound loc -> net communications are allowed.
# You can change this behavior in the sample policy file.
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # Example: Accept www requests to the firewall.
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
# #
# Example: Forward all ssh and http connection requests from the internet # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# to local system 192.168.1.3 # # PORT PORT(S) DEST
# ACCEPT net fw tcp http
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # Example: Accept SMTP requests from the Local Network to the Internet
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
# #
# Example: Redirect all locally-originating www connection requests to # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# port 3128 on the firewall (Squid running on the firewall # # PORT PORT(S) DEST
# system) except when the destination address is 192.168.2.2 # ACCEPT loc net tcp smtp
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # Example: Forward all ssh and http connection requests from the Internet
# # PORT PORT(S) DEST # to local system 192.168.1.3
# REDIRECT loc 3128 tcp www - !192.168.2.2
# #
# Example: All http requests from the internet to address # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# 130.252.100.69 are to be forwarded to 192.168.1.3 # # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
# #
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # Example: Redirect all locally-originating www connection requests to
# # PORT PORT(S) DEST # port 3128 on the firewall (Squid running on the firewall
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 # system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the Internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
############################################################################## ##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST # PORT PORT(S) DEST
# #
# Accept DNS connections from the firewall to the network # Accept DNS connections from the firewall to the network
# #
ACCEPT fw net tcp 53 ACCEPT fw net tcp 53
ACCEPT fw net udp 53 ACCEPT fw net udp 53
# #
# Accept SSH connections from the local network for administration # Accept SSH connections from the local network for administration
# #
ACCEPT loc fw tcp 22 ACCEPT loc fw tcp 22
# #
# Accept Ping Ubiquitously # Accept Ping Ubiquitously
# #
ACCEPT loc fw icmp 8 ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8 ACCEPT net fw icmp 8
# #
# All ICMP are accepted fw->all # All ICMP are accepted fw->all
# #
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

5
Samples/two-interfaces/zones
View File

@ -1,5 +1,6 @@
# #
# Shorewall 1.3 /etc/shorewall/zones # Shorewall 1.4 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
# #
# This file determines your network zones. Columns are: # This file determines your network zones. Columns are:
# #
@ -9,5 +10,5 @@
# #
#ZONE DISPLAY COMMENTS #ZONE DISPLAY COMMENTS
net Net Internet net Net Internet
loc Local Local networks loc Local Local Networks
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE