From e7b13df2ef10789bb6e142aa0efb3360d721fe66 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 25 Jun 2002 19:27:55 +0000
Subject: [PATCH] Update the samples for 1.3.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@94 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Samples/one-interface/interfaces | 14 ++++++--
 Samples/one-interface/rules | 18 +++++++++-
 Samples/one-interface/shorewall.conf | 50 +++++++++++++++++++---------
 Samples/three-interfaces/interfaces | 12 ++++++-
 Samples/three-interfaces/masq | 6 ++--
 Samples/three-interfaces/rules | 18 +++++++++-
 Samples/two-interfaces/interfaces | 14 ++++++--
 Samples/two-interfaces/masq | 6 ++--
 Samples/two-interfaces/rules | 19 ++++++++++-
 9 files changed, 128 insertions(+), 29 deletions(-)

diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces
index 99d326937..2db92d9b9 100755
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -36,8 +36,18 @@
 #
 # dhcp - interface is managed by DHCP or used by
 # a DHCP server running on the firewall.
-# noping - icmp echo-request (ping) packets should
+# noping - icmp echo-request (ping) packets
+# addressed to the firewall should
 # be ignored on this interface
+# filterping - icmp echo-request (ping) packets
+# addressed to the firewall should
+# be controlled by the rules file and
+# applicable policy. If neither 'noping'
+# nor 'filterping' are specified then
+# the firewall will respond to 'ping'
+# requests. 'filterping' takes
+# precedence over 'noping' if both are
+# given.
 # routestopped - When the firewall is stopped, allow
 # and route traffic to and from this
 # interface.
@@ -90,6 +100,6 @@
 #
 # net ppp0 - noping
 ##############################################################################
-#ZONE INTERFACE BROADCAST OPTIONS
+#ZONE INTERFACE BROADCAST OPTIONS
 net eth0 detect norfc1918,routefilter,dhcp
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
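Review bot: The new option text in the `@@ -36,8 +36,18 @@` hunk reads `If neither 'noping' nor 'filterping' are specified then the firewall will respond to 'ping' requests`; with neither…nor the verb is singular, so `If neither 'noping' nor 'filterping' is specified, the firewall will respond to 'ping' requests.` This sentence is also the only place that tells a reader that the sample `net eth0 detect norfc1918,routefilter,dhcp` entry further down the file answers echo-requests from the net zone, because that entry lists neither option; a one-line comment above the entry such as `# add filterping to OPTIONS to let the rules file and policy decide about ping` would make that default visible where the entry is edited. The same option text is added unchanged to Samples/three-interfaces/interfaces and Samples/two-interfaces/interfaces in this commit, so the wording fix applies there too.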
diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules
index e46c3b7af..274648997 100755
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -97,6 +97,14 @@
 # In that case, it is suggested that this field contain
 # "-"
 #
+# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# only a single Netfilter rule will be generated if in
+# this list and the CLIENT PORT(S) list below:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
 # CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
 # any source port is acceptable. Specified as a comma-
 # separated list of port names, port numbers or port
@@ -106,7 +114,15 @@
 # specify an ADDRESS in the next column, then place "-"
 # in this column.
 #
-# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
+# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# only a single Netfilter rule will be generated if in
+# this list and the DEST PORT(S) list above:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
+# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
 # REDIRECT) If included and different from the IP
 # address given in the SERVER column, this is an address
 # on some interface on the firewall and connections to
diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf
index 2a209bbf6..8b6ea7fe1 100644
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -1,4 +1,4 @@
-#############################################################################
+##############################################################################
 # /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
 # match your setup
 #
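Review bot: The condition `1. There are 15 or less ports listed.` in both MULTIPORT paragraphs leaves open whether the limit of 15 applies to DEST PORT(S) and CLIENT PORT(S) separately or to the two lists combined; the shorewall.conf text in this commit speaks of a single comma-separated list, so a wording like `1. Neither list contains more than 15 ports.` (or `each list`, whichever the implementation actually checks) would remove the ambiguity, and `fewer` is the right word rather than `less`. The re-added line `+# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or` in the second hunk still spells Optional with a digit zero; since the line is being rewritten anyway, `(Optional --` would fix it. Both hunks are repeated verbatim in Samples/three-interfaces/rules and Samples/two-interfaces/rules later in this patch.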
@@ -37,14 +37,14 @@ STATEDIR=/var/lib/shorewall # explicit "related" rules in /etc/shorewall/rules. # -ALLOWRELATED="yes" +ALLOWRELATED=yes # # If your netfilter kernel modules are in a directory other than # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that # directory in this variable. Example: MODULESDIR=/etc/modules. -MODULESDIR="" +MODULESDIR= # # The next two variables can be used to control the amount of log output @@ -57,8 +57,8 @@ MODULESDIR="" # If BOTH variables are set empty then logging will not be rate-limited. # -LOGRATE="" -LOGBURST="" +LOGRATE= +LOGBURST= # @@ -80,7 +80,7 @@ LOGUNCLEAN=info # # http://www.shorewall.net/FAQ.htm#faq6 -LOGFILE="/var/log/messages" +LOGFILE=/var/log/messages # # Enable nat support. @@ -88,7 +88,7 @@ LOGFILE="/var/log/messages" # You probally want yes here. Only gateways not doing NAT in any form, like # SNAT,DNAT masquerading, port forwading etc. should say "no" here. # -NAT_ENABLED="Yes" +NAT_ENABLED=Yes # # Enable mangle support. @@ -98,7 +98,7 @@ NAT_ENABLED="Yes" # your firewall. You must enable mangling if you want Traffic Shaping # (see TC_ENABLED below). # -MANGLE_ENABLED="Yes" +MANGLE_ENABLED=Yes # # Enable IP Forwarding @@ -112,7 +112,7 @@ MANGLE_ENABLED="Yes" # If you set this variable to "Keep" or "keep", Shorewall will neither # enable nor disable packet forwarding. # -IP_FORWARDING="Off" +IP_FORWARDING=Off # # Automatically add IP Aliases # @@ -120,7 +120,7 @@ IP_FORWARDING="Off" # for each NAT external address that you give in /etc/shorewall/nat. If you say # "No" or "no", you must add these aliases youself. # -ADD_IP_ALIASES="Yes" +ADD_IP_ALIASES=Yes # # Automatically add SNAT Aliases @@ -129,7 +129,7 @@ ADD_IP_ALIASES="Yes" # for each SNAT external address that you give in /etc/shorewall/masq. If you say # "No" or "no", you must add these aliases youself. # -ADD_SNAT_ALIASES="No" +ADD_SNAT_ALIASES=No # # Enable Traffic Shaping 
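Review bot: Dropping the quotes in `ALLOWRELATED=yes`, `MODULESDIR=`, `LOGFILE=/var/log/messages` and the other assignments in this file is only safe while no value contains whitespace or shell metacharacters, and the MODULESDIR comment (`Example: MODULESDIR=/etc/modules`) does not say so; a line such as `# Quote a value only if it contains spaces or shell metacharacters.` above the first assignment would keep the next editor from writing a path with a space unquoted, assuming this file is still read by a shell source rather than a dedicated parser. The boolean spelling is now mixed within the same file, `ALLOWRELATED=yes` in lowercase against `NAT_ENABLED=Yes`, `MANGLE_ENABLED=Yes` and `ADD_IP_ALIASES=Yes`, and although the comments state both forms are accepted, one spelling throughout would make the sample easier to grep and review. The same observation applies to the later hunks of this file (TC_ENABLED, CLAMPMSS, ROUTE_FILTER, NAT_BEFORE_RULES).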
@@ -139,7 +139,7 @@ ADD_SNAT_ALIASES="No" # shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and # you must enable packet mangling above. # -TC_ENABLED="No" +TC_ENABLED=No # # Blacklisting @@ -186,7 +186,7 @@ BLACKLIST_LOGLEVEL= # # If left blank, or set to "No" or "no", the option is not enabled. # -CLAMPMSS="No" +CLAMPMSS=No # # Route Filtering @@ -196,7 +196,7 @@ CLAMPMSS="No" # # If this variable is not set or is set to the empty value, "No" is assumed. -ROUTE_FILTER="No" +ROUTE_FILTER=No # # NAT before RULES @@ -206,6 +206,26 @@ ROUTE_FILTER="No" # # If this variable is not set or is set to the empty value, "Yes" is assumed. -NAT_BEFORE_RULES="Yes" +NAT_BEFORE_RULES=Yes + +# MULTIPORT +# +# If your kernel includes the multiport match option +# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this +# option is enabled by setting it's value to "Yes" or "yes": +# +# 1) If you list more that 15 ports in a comma-seperated list in +# /etc/shorewall/rules, Shorewall will not use the multiport option +# but will generate a separate rule for each element of each port +# list. +# 2) If you include a port range (:) in the +# rule, Shorewall will not use the multiport option but will generate +# a separate rule for each element of each port list. +# +# See the /etc/shorewall/rules file for additional information on this option. +# +# if this variable is not set or is set to the empty value, "No" is assumed. + +MULTIPORT=No #LAST LINE -- DO NOT REMOVE diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces index b09cac0a3..6f390cd33 100755 --- a/Samples/three-interfaces/interfaces +++ b/Samples/three-interfaces/interfaces 
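Review bot: The new MULTIPORT comment in the `@@ -206,6 +206,26 @@` hunk has several wording slips that will be copied into every user's /etc/shorewall/shorewall.conf: `more that 15 ports` should be `more than 15 ports`, `it's use` and `it's value` should be `its use` and `its value`, `comma-seperated` should be `comma-separated`, and the closing `if this variable is not set` should be capitalised like the parallel sentences for ROUTE_FILTER and NAT_BEFORE_RULES above it. Rule 2) mentions `a port range (:)` without showing the notation; an illustrative `(e.g. 1024:2048)` would make it unambiguous. `MULTIPORT=No` as the shipped default is the conservative choice given the CONFIG_IP_NF_MATCH_MULTIPORT dependency, but the comment does not say what happens when it is set to Yes on a kernel without that match, which is the question a reader turning it on will have.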
@@ -36,8 +36,18 @@
 #
 # dhcp - interface is managed by DHCP or used by
 # a DHCP server running on the firewall.
-# noping - icmp echo-request (ping) packets should
+# noping - icmp echo-request (ping) packets
+# addressed to the firewall should
 # be ignored on this interface
+# filterping - icmp echo-request (ping) packets
+# addressed to the firewall should
+# be controlled by the rules file and
+# applicable policy. If neither 'noping'
+# nor 'filterping' are specified then
+# the firewall will respond to 'ping'
+# requests. 'filterping' takes
+# precedence over 'noping' if both are
+# given.
 # routestopped - When the firewall is stopped, allow
 # and route traffic to and from this
 # interface.
diff --git a/Samples/three-interfaces/masq b/Samples/three-interfaces/masq
index 2cc0317b1..37e30cb15 100755
--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@@ -29,15 +29,15 @@
 #
 # ADDRESS -- (Optional). If you specify an address here, SNAT will be
 # used and this will be the source address. If
-# ADD_SNAT_ALIASES is set to Yes or yes in
+# ADD_SNAT_ALIASES is set to Yes or yes in
 # /etc/shorewall/shorewall.conf then Shorewall
 # will automatically add this address to the
-# INTERFACE named in the first column.
+# INTERFACE named in the first column.
 #
 # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
 # the address given in this column is the primary
 # IP address for the interface in the INTERFACE
-# column.
+# column.
 #
 # Example 1:
 #
diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules
index 78c7d49dd..dec4f7c20 100755
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -97,6 +97,14 @@
 # In that case, it is suggested that this field contain
 # "-"
 #
+# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# only a single Netfilter rule will be generated if in
+# this list and the CLIENT PORT(S) list below:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
 # CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
 # any source port is acceptable. Specified as a comma-
 # separated list of port names, port numbers or port
@@ -106,7 +114,15 @@
 # specify an ADDRESS in the next column, then place "-"
 # in this column.
 #
-# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
+# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# only a single Netfilter rule will be generated if in
+# this list and the DEST PORT(S) list above:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
+# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
 # REDIRECT) If included and different from the IP
 # address given in the SERVER column, this is an address
 # on some interface on the firewall and connections to
diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces
index 2272392ee..e1ffd9d88 100755
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@@ -26,7 +26,7 @@
 # select this option, the interface must be up before
 # the firewall is started and you must have iproute
 # installed.
-#
+#
 # If you don't want to give a value for this column but
 # you want to enter a value in the OPTIONS column, enter
 # "-" in this column.
@@ -36,8 +36,18 @@
 #
 # dhcp - interface is managed by DHCP or used by
 # a DHCP server running on the firewall.
-# noping - icmp echo-request (ping) packets should
+# noping - icmp echo-request (ping) packets
+# addressed to the firewall should
 # be ignored on this interface
+# filterping - icmp echo-request (ping) packets
+# addressed to the firewall should
+# be controlled by the rules file and
+# applicable policy. If neither 'noping'
+# nor 'filterping' are specified then
+# the firewall will respond to 'ping'
+# requests. 'filterping' takes
+# precedence over 'noping' if both are
+# given.
 # routestopped - When the firewall is stopped, allow
 # and route traffic to and from this
 # interface.
diff --git a/Samples/two-interfaces/masq b/Samples/two-interfaces/masq
index a1e7258d6..e5d43b687 100755
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@@ -29,15 +29,15 @@
 #
 # ADDRESS -- (Optional). If you specify an address here, SNAT will be
 # used and this will be the source address. If
-# ADD_SNAT_ALIASES is set to Yes or yes in
+# ADD_SNAT_ALIASES is set to Yes or yes in
 # /etc/shorewall/shorewall.conf then Shorewall
 # will automatically add this address to the
-# INTERFACE named in the first column.
+# INTERFACE named in the first column.
 #
 # WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
 # the address given in this column is the primary
 # IP address for the interface in the INTERFACE
-# column.
+# column.
 #
 # Example 1:
 #
diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules
index c376cb0a5..83b406df3 100755
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -97,6 +97,14 @@
 # In that case, it is suggested that this field contain
 # "-"
 #
+# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# only a single Netfilter rule will be generated if in
+# this list and the CLIENT PORT(S) list below:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
 # CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
 # any source port is acceptable. Specified as a comma-
 # separated list of port names, port numbers or port
@@ -106,7 +114,15 @@
 # specify an ADDRESS in the next column, then place "-"
 # in this column.
 #
-# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
+# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
+# only a single Netfilter rule will be generated if in
+# this list and the DEST PORT(S) list above:
+# 1. There are 15 or less ports listed.
+# 2. No port ranges are included.
+# Otherwise, a separate rule will be generated for each
+# port.
+#
+# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
 # REDIRECT) If included and different from the IP
 # address given in the SERVER column, this is an address
 # on some interface on the firewall and connections to
@@ -151,6 +167,7 @@
 ##############################################################################
 #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
 # PORT PORT(S) DEST
+#
 # Accept DNS connections from the firewall to the network
 #
 ACCEPT fw net tcp 53