Update the samples for 1.3.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@94 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/one-interface/interfaces

@@ -36,8 +36,18 @@
 #
 #			dhcp	     - interface is managed by DHCP or used by
 #                                      a DHCP server running on the firewall.
-#			noping	     - icmp echo-request (ping) packets should
+#			noping	     - icmp echo-request (ping) packets
+#				       addressed to the firewall should
 #				       be ignored on this interface
+#			filterping   - icmp echo-request (ping) packets 
+#				       addressed to the firewall should
+#				       be controlled by the rules file and
+#				       applicable policy. If neither 'noping'
+#				       nor 'filterping' are specified then
+#				       the firewall will respond to 'ping'
+#				       requests. 'filterping' takes 
+#				       precedence over 'noping' if both are
+#				       given.
 #			routestopped - When the firewall is stopped, allow
 #				       and route traffic to and from this
 #				       interface.
@@ -90,6 +100,6 @@
 #
 #			net	ppp0	-		noping
 ##############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+#ZONE	 INTERFACE	BROADCAST	OPTIONS
 net	eth0		detect		norfc1918,routefilter,dhcp
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/one-interface/rules

@@ -97,6 +97,14 @@
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
+#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the CLIENT PORT(S) list below:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
 #	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
 #			any source port is acceptable. Specified as a comma-
 #			separated list of port names, port numbers or port
@@ -106,7 +114,15 @@
 #			specify an ADDRESS in the next column, then place "-"
 #			in this column.
 #
-#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT or
+#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the DEST PORT(S) list above:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT or 
 #                       REDIRECT) If included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to

Samples/one-interface/shorewall.conf

@@ -1,4 +1,4 @@
-#############################################################################
+##############################################################################
 #  /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
 #  match your setup
 #
@@ -37,14 +37,14 @@ STATEDIR=/var/lib/shorewall
 # explicit "related" rules in /etc/shorewall/rules.
 #
 
-ALLOWRELATED="yes"
+ALLOWRELATED=yes
 
 #
 # If your netfilter kernel modules are in a directory other than
 # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
 # directory in this variable. Example: MODULESDIR=/etc/modules.
 
-MODULESDIR=""
+MODULESDIR=
 
 #
 # The next two variables can be used to control the amount of log output
@@ -57,8 +57,8 @@ MODULESDIR=""
 # If BOTH variables are set empty then logging will not be rate-limited.
 #
 
-LOGRATE=""
-LOGBURST=""
+LOGRATE=
+LOGBURST=
 
 
 #
@@ -80,7 +80,7 @@ LOGUNCLEAN=info
 #
 #              http://www.shorewall.net/FAQ.htm#faq6
 
-LOGFILE="/var/log/messages"
+LOGFILE=/var/log/messages
 
 #
 # Enable nat support.
@@ -88,7 +88,7 @@ LOGFILE="/var/log/messages"
 # You probally want yes here. Only gateways not doing NAT in any form, like
 # SNAT,DNAT masquerading, port forwading etc. should say "no" here.
 #
-NAT_ENABLED="Yes"
+NAT_ENABLED=Yes
 
 #
 # Enable mangle support.
@@ -98,7 +98,7 @@ NAT_ENABLED="Yes"
 # your firewall. You must enable mangling if you want Traffic Shaping
 # (see TC_ENABLED below).
 #
-MANGLE_ENABLED="Yes"
+MANGLE_ENABLED=Yes
 
 #
 # Enable IP Forwarding
@@ -112,7 +112,7 @@ MANGLE_ENABLED="Yes"
 # If you set this variable to "Keep" or "keep", Shorewall will neither
 # enable nor disable packet forwarding.
 #
-IP_FORWARDING="Off"
+IP_FORWARDING=Off
 #
 # Automatically add IP Aliases
 #
@@ -120,7 +120,7 @@ IP_FORWARDING="Off"
 # for each NAT external address that you give in /etc/shorewall/nat. If you say
 # "No" or "no", you must add these aliases youself.
 #
-ADD_IP_ALIASES="Yes"
+ADD_IP_ALIASES=Yes
 
 #
 # Automatically add SNAT Aliases
@@ -129,7 +129,7 @@ ADD_IP_ALIASES="Yes"
 # for each SNAT external address that you give in /etc/shorewall/masq. If you say
 # "No" or "no", you must add these aliases youself.
 #
-ADD_SNAT_ALIASES="No"
+ADD_SNAT_ALIASES=No
 
 #
 # Enable Traffic Shaping
@@ -139,7 +139,7 @@ ADD_SNAT_ALIASES="No"
 # shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
 # you must enable packet mangling above.
 #
-TC_ENABLED="No"
+TC_ENABLED=No
 
 #
 # Blacklisting
@@ -186,7 +186,7 @@ BLACKLIST_LOGLEVEL=
 #
 # If left blank, or set to "No" or "no", the option is not enabled.
 #
-CLAMPMSS="No"
+CLAMPMSS=No
 
 #
 # Route Filtering
@@ -196,7 +196,7 @@ CLAMPMSS="No"
 #
 # If this variable is not set or is set to the empty value, "No" is assumed.
 
-ROUTE_FILTER="No"
+ROUTE_FILTER=No
 
 #
 # NAT before RULES
@@ -206,6 +206,26 @@ ROUTE_FILTER="No"
 #
 # If this variable is not set or is set to the empty value, "Yes" is assumed.
 
-NAT_BEFORE_RULES="Yes"
+NAT_BEFORE_RULES=Yes
+
+# MULTIPORT
+#
+# If your kernel includes the multiport match option
+# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
+# option is enabled by setting it's value to "Yes" or "yes":
+#
+#	1) If you list more that 15 ports in a comma-seperated list in
+#	   /etc/shorewall/rules, Shorewall will not use the multiport option
+#	   but will generate a separate rule for each element of each port
+#	   list.
+#	2) If you include a port range (<low port>:<high port>) in the
+#	   rule, Shorewall will not use the multiport option but will generate
+#	   a separate rule for each element of each port list.
+#
+# See the /etc/shorewall/rules file for additional information on this option.
+#
+# if this variable is not set or is set to the empty value, "No" is assumed.
+
+MULTIPORT=No
 
 #LAST LINE -- DO NOT REMOVE

Samples/three-interfaces/interfaces

@@ -36,8 +36,18 @@
 #
 #			dhcp	     - interface is managed by DHCP or used by
 #                                      a DHCP server running on the firewall.
-#			noping	     - icmp echo-request (ping) packets should
+#			noping	     - icmp echo-request (ping) packets
+#				       addressed to the firewall should
 #				       be ignored on this interface
+#			filterping   - icmp echo-request (ping) packets 
+#				       addressed to the firewall should
+#				       be controlled by the rules file and
+#				       applicable policy. If neither 'noping'
+#				       nor 'filterping' are specified then
+#				       the firewall will respond to 'ping'
+#				       requests. 'filterping' takes 
+#				       precedence over 'noping' if both are
+#				       given.
 #			routestopped - When the firewall is stopped, allow
 #				       and route traffic to and from this
 #				       interface.

Samples/three-interfaces/masq

@@ -29,15 +29,15 @@
 #
 #	ADDRESS -- (Optional).  If you specify an address here, SNAT will be
 #				used and this will be the source address. If
-#				ADD_SNAT_ALIASES is set to Yes or yes in
+#				ADD_SNAT_ALIASES is set to Yes or yes in 
 #				/etc/shorewall/shorewall.conf then Shorewall
 #				will automatically add this address to the
-#				INTERFACE named in the first column.
+#				INTERFACE named in the first column. 
 #
 #				WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
 #				the address given in this column is the primary
 #				IP address for the interface in the INTERFACE
-#				column.
+#				column. 
 #
 #	Example 1:
 #

Samples/three-interfaces/rules

@@ -97,6 +97,14 @@
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
+#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the CLIENT PORT(S) list below:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
 #	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
 #			any source port is acceptable. Specified as a comma-
 #			separated list of port names, port numbers or port
@@ -106,7 +114,15 @@
 #			specify an ADDRESS in the next column, then place "-"
 #			in this column.
 #
-#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT or
+#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the DEST PORT(S) list above:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT or 
 #                       REDIRECT) If included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to

Samples/two-interfaces/interfaces

@@ -26,7 +26,7 @@
 #			select this option, the interface must be up before
 #			the firewall is started and you must have iproute
 #			installed.
-#
+#			
 #			If you don't want to give a value for this column but
 #			you want to enter a value in the OPTIONS column, enter
 #			"-" in this column.
@@ -36,8 +36,18 @@
 #
 #			dhcp	     - interface is managed by DHCP or used by
 #                                      a DHCP server running on the firewall.
-#			noping	     - icmp echo-request (ping) packets should
+#			noping	     - icmp echo-request (ping) packets
+#				       addressed to the firewall should
 #				       be ignored on this interface
+#			filterping   - icmp echo-request (ping) packets 
+#				       addressed to the firewall should
+#				       be controlled by the rules file and
+#				       applicable policy. If neither 'noping'
+#				       nor 'filterping' are specified then
+#				       the firewall will respond to 'ping'
+#				       requests. 'filterping' takes 
+#				       precedence over 'noping' if both are
+#				       given.
 #			routestopped - When the firewall is stopped, allow
 #				       and route traffic to and from this
 #				       interface.

Samples/two-interfaces/masq

@@ -29,15 +29,15 @@
 #
 #	ADDRESS -- (Optional).  If you specify an address here, SNAT will be
 #				used and this will be the source address. If
-#				ADD_SNAT_ALIASES is set to Yes or yes in
+#				ADD_SNAT_ALIASES is set to Yes or yes in 
 #				/etc/shorewall/shorewall.conf then Shorewall
 #				will automatically add this address to the
-#				INTERFACE named in the first column.
+#				INTERFACE named in the first column. 
 #
 #				WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
 #				the address given in this column is the primary
 #				IP address for the interface in the INTERFACE
-#				column.
+#				column. 
 #
 #	Example 1:
 #

Samples/two-interfaces/rules

@@ -97,6 +97,14 @@
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
+#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the CLIENT PORT(S) list below:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
 #	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
 #			any source port is acceptable. Specified as a comma-
 #			separated list of port names, port numbers or port
@@ -106,7 +114,15 @@
 #			specify an ADDRESS in the next column, then place "-"
 #			in this column.
 #
-#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT or
+#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the DEST PORT(S) list above:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT or 
 #                       REDIRECT) If included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to
@@ -151,6 +167,7 @@
 ##############################################################################
 #ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL
 #                       	        	PORT    PORT(S)    DEST
+#
 # Accept DNS connections from the firewall to the network
 #
 ACCEPT		fw	  net		tcp	53