Update the samples for 1.3.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@94 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-06-25 19:27:55 +00:00
parent 399aa099ba
commit e7b13df2ef
9 changed files with 128 additions and 29 deletions


@ -36,8 +36,18 @@
# #
# dhcp - interface is managed by DHCP or used by # dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall. # a DHCP server running on the firewall.
# noping - icmp echo-request (ping) packets should # noping - icmp echo-request (ping) packets
# addressed to the firewall should
# be ignored on this interface # be ignored on this interface
# filterping - icmp echo-request (ping) packets
# addressed to the firewall should
# be controlled by the rules file and
# applicable policy. If neither 'noping'
# nor 'filterping' are specified then
# the firewall will respond to 'ping'
# requests. 'filterping' takes
# precedence over 'noping' if both are
# given.
# routestopped - When the firewall is stopped, allow # routestopped - When the firewall is stopped, allow
# and route traffic to and from this # and route traffic to and from this
# interface. # interface.
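Review bot: The new `filterping` paragraph has a grammatical slip that will be shipped in every sample: `If neither 'noping' nor 'filterping' are specified` should read `If neither 'noping' nor 'filterping' is specified`. The same ten-line insertion is repeated verbatim in the two later interfaces-file sections on this commit (the other `@ -36,8 +36,18 @@` hunks), so the fix applies to all three. Since the text says ping handling under `filterping` is decided by the rules file and policy, a short pointer such as `# (see /etc/shorewall/rules for an example ACCEPT rule)` next to it would help a reader who only opens this file; I am inferring that such an example exists, so add it only if it does. The option list this hunk sits in begins before the hunk.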


@ -97,6 +97,14 @@
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
# "-" # "-"
# #
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, # CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma- # any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port # separated list of port names, port numbers or port
@ -106,6 +114,14 @@
# specify an ADDRESS in the next column, then place "-" # specify an ADDRESS in the next column, then place "-"
# in this column. # in this column.
# #
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP # REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address
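Review bot: The two new MULTIPORT paragraphs in this section say `15 or less ports listed`; the correct form is `15 or fewer ports listed`, and the lead-in `only a single Netfilter rule will be generated if in this list and the CLIENT PORT(S) list below:` reads more clearly as `only a single Netfilter rule will be generated if both this list and the CLIENT PORT(S) list below satisfy:`. The same wording is copied into the DEST PORT(S) and CLIENT PORT(S) hunks of the two later rules-file sections, so the change is needed in all six places. The 15-port / no-range conditions match the description of MULTIPORT added to shorewall.conf in this commit, which is good; it would be worth keeping the two descriptions in step if the limit ever changes. The column descriptions these hunks sit in start before the hunk.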


@ -1,4 +1,4 @@
############################################################################# ##############################################################################
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to # /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
# match your setup # match your setup
# #
@ -37,14 +37,14 @@ STATEDIR=/var/lib/shorewall
# explicit "related" rules in /etc/shorewall/rules. # explicit "related" rules in /etc/shorewall/rules.
# #
ALLOWRELATED="yes" ALLOWRELATED=yes
# #
# If your netfilter kernel modules are in a directory other than # If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules. # directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR="" MODULESDIR=
# #
# The next two variables can be used to control the amount of log output # The next two variables can be used to control the amount of log output
@ -57,8 +57,8 @@ MODULESDIR=""
# If BOTH variables are set empty then logging will not be rate-limited. # If BOTH variables are set empty then logging will not be rate-limited.
# #
LOGRATE="" LOGRATE=
LOGBURST="" LOGBURST=
# #
@ -80,7 +80,7 @@ LOGUNCLEAN=info
# #
# http://www.shorewall.net/FAQ.htm#faq6 # http://www.shorewall.net/FAQ.htm#faq6
LOGFILE="/var/log/messages" LOGFILE=/var/log/messages
# #
# Enable nat support. # Enable nat support.
@ -88,7 +88,7 @@ LOGFILE="/var/log/messages"
# You probally want yes here. Only gateways not doing NAT in any form, like # You probally want yes here. Only gateways not doing NAT in any form, like
# SNAT,DNAT masquerading, port forwading etc. should say "no" here. # SNAT,DNAT masquerading, port forwading etc. should say "no" here.
# #
NAT_ENABLED="Yes" NAT_ENABLED=Yes
# #
# Enable mangle support. # Enable mangle support.
@ -98,7 +98,7 @@ NAT_ENABLED="Yes"
# your firewall. You must enable mangling if you want Traffic Shaping # your firewall. You must enable mangling if you want Traffic Shaping
# (see TC_ENABLED below). # (see TC_ENABLED below).
# #
MANGLE_ENABLED="Yes" MANGLE_ENABLED=Yes
# #
# Enable IP Forwarding # Enable IP Forwarding
@ -112,7 +112,7 @@ MANGLE_ENABLED="Yes"
# If you set this variable to "Keep" or "keep", Shorewall will neither # If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding. # enable nor disable packet forwarding.
# #
IP_FORWARDING="Off" IP_FORWARDING=Off
# #
# Automatically add IP Aliases # Automatically add IP Aliases
# #
@ -120,7 +120,7 @@ IP_FORWARDING="Off"
# for each NAT external address that you give in /etc/shorewall/nat. If you say # for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself. # "No" or "no", you must add these aliases youself.
# #
ADD_IP_ALIASES="Yes" ADD_IP_ALIASES=Yes
# #
# Automatically add SNAT Aliases # Automatically add SNAT Aliases
@ -129,7 +129,7 @@ ADD_IP_ALIASES="Yes"
# for each SNAT external address that you give in /etc/shorewall/masq. If you say # for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself. # "No" or "no", you must add these aliases youself.
# #
ADD_SNAT_ALIASES="No" ADD_SNAT_ALIASES=No
# #
# Enable Traffic Shaping # Enable Traffic Shaping
@ -139,7 +139,7 @@ ADD_SNAT_ALIASES="No"
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and # shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above. # you must enable packet mangling above.
# #
TC_ENABLED="No" TC_ENABLED=No
# #
# Blacklisting # Blacklisting
@ -186,7 +186,7 @@ BLACKLIST_LOGLEVEL=
# #
# If left blank, or set to "No" or "no", the option is not enabled. # If left blank, or set to "No" or "no", the option is not enabled.
# #
CLAMPMSS="No" CLAMPMSS=No
# #
# Route Filtering # Route Filtering
@ -196,7 +196,7 @@ CLAMPMSS="No"
# #
# If this variable is not set or is set to the empty value, "No" is assumed. # If this variable is not set or is set to the empty value, "No" is assumed.
ROUTE_FILTER="No" ROUTE_FILTER=No
# #
# NAT before RULES # NAT before RULES
@ -206,6 +206,26 @@ ROUTE_FILTER="No"
# #
# If this variable is not set or is set to the empty value, "Yes" is assumed. # If this variable is not set or is set to the empty value, "Yes" is assumed.
NAT_BEFORE_RULES="Yes" NAT_BEFORE_RULES=Yes
# MULTIPORT
#
# If your kernel includes the multiport match option
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
# option is enabled by setting it's value to "Yes" or "yes":
#
# 1) If you list more that 15 ports in a comma-seperated list in
# /etc/shorewall/rules, Shorewall will not use the multiport option
# but will generate a separate rule for each element of each port
# list.
# 2) If you include a port range (<low port>:<high port>) in the
# rule, Shorewall will not use the multiport option but will generate
# a separate rule for each element of each port list.
#
# See the /etc/shorewall/rules file for additional information on this option.
#
# if this variable is not set or is set to the empty value, "No" is assumed.
MULTIPORT=No
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE
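Review bot: The new MULTIPORT comment block in the final hunk carries several wording errors that will be installed on every system: `more that 15 ports` should be `more than 15 ports`, `comma-seperated` should be `comma-separated`, `it's use` and `it's value` should be `its use` and `its value`, and the closing sentence `# if this variable is not set or is set to the empty value, "No" is assumed.` should begin with a capital `If` like the matching ROUTE_FILTER and NAT_BEFORE_RULES sentences above it. The earlier hunks in this section remove the double quotes from every value (`ALLOWRELATED=yes`, `MODULESDIR=`, `LOGFILE=/var/log/messages`, and so on); if this file is still evaluated by the shell, as the backtick `uname -r` in the MODULESDIR comment suggests, that is harmless for the shipped values, but a one-line note near the header such as `# Values containing spaces must be enclosed in double quotes.` would keep an administrator from breaking the file when setting MODULESDIR to a path with whitespace. The `#LAST LINE -- DO NOT REMOVE` sentinel is preserved after the new option, which is correct.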


@ -36,8 +36,18 @@
# #
# dhcp - interface is managed by DHCP or used by # dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall. # a DHCP server running on the firewall.
# noping - icmp echo-request (ping) packets should # noping - icmp echo-request (ping) packets
# addressed to the firewall should
# be ignored on this interface # be ignored on this interface
# filterping - icmp echo-request (ping) packets
# addressed to the firewall should
# be controlled by the rules file and
# applicable policy. If neither 'noping'
# nor 'filterping' are specified then
# the firewall will respond to 'ping'
# requests. 'filterping' takes
# precedence over 'noping' if both are
# given.
# routestopped - When the firewall is stopped, allow # routestopped - When the firewall is stopped, allow
# and route traffic to and from this # and route traffic to and from this
# interface. # interface.


@ -97,6 +97,14 @@
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
# "-" # "-"
# #
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, # CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma- # any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port # separated list of port names, port numbers or port
@ -106,6 +114,14 @@
# specify an ADDRESS in the next column, then place "-" # specify an ADDRESS in the next column, then place "-"
# in this column. # in this column.
# #
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP # REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address


@ -36,8 +36,18 @@
# #
# dhcp - interface is managed by DHCP or used by # dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall. # a DHCP server running on the firewall.
# noping - icmp echo-request (ping) packets should # noping - icmp echo-request (ping) packets
# addressed to the firewall should
# be ignored on this interface # be ignored on this interface
# filterping - icmp echo-request (ping) packets
# addressed to the firewall should
# be controlled by the rules file and
# applicable policy. If neither 'noping'
# nor 'filterping' are specified then
# the firewall will respond to 'ping'
# requests. 'filterping' takes
# precedence over 'noping' if both are
# given.
# routestopped - When the firewall is stopped, allow # routestopped - When the firewall is stopped, allow
# and route traffic to and from this # and route traffic to and from this
# interface. # interface.


@ -97,6 +97,14 @@
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
# "-" # "-"
# #
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, # CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma- # any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port # separated list of port names, port numbers or port
@ -106,6 +114,14 @@
# specify an ADDRESS in the next column, then place "-" # specify an ADDRESS in the next column, then place "-"
# in this column. # in this column.
# #
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or # ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP # REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address # address given in the SERVER column, this is an address
@ -151,6 +167,7 @@
############################################################################## ##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST # PORT PORT(S) DEST
#
# Accept DNS connections from the firewall to the network # Accept DNS connections from the firewall to the network
# #
ACCEPT fw net tcp 53 ACCEPT fw net tcp 53