From ede4e38db2022455edbf6726af7faa802ff02473 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 6 Aug 2002 20:45:44 +0000 Subject: [PATCH] Changes for 1.3.6 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@180 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Samples/one-interface/interfaces | 8 ++- Samples/one-interface/policy | 2 +- Samples/one-interface/shorewall.conf | 83 +++++++++++++++++++++------- Samples/three-interfaces/interfaces | 8 ++- Samples/three-interfaces/masq | 5 +- Samples/three-interfaces/policy | 2 +- Samples/two-interfaces/interfaces | 9 ++- Samples/two-interfaces/masq | 5 +- Samples/two-interfaces/policy | 2 +- 9 files changed, 92 insertions(+), 32 deletions(-) diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces index 9c42048f8..95ef53911 100755 --- a/Samples/one-interface/interfaces +++ b/Samples/one-interface/interfaces @@ -35,7 +35,9 @@ # following: # # dhcp - interface is managed by DHCP or used by -# a DHCP server running on the firewall. +# a DHCP server running on the firewall or +# you have a static IP but are on a LAN +# segment with lots of Laptop DHCP clients. # noping - icmp echo-request (ping) packets # addressed to the firewall should # be ignored on this interface @@ -65,7 +67,9 @@ # addresses and you want to be able to # route between them. # routefilter - turn on kernel route filtering for this -# interface (anti-spoofing measure). +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. # dropunclean - Logs and drops mangled/invalid packets # # logunclean - Logs mangled/invalid packets but does diff --git a/Samples/one-interface/policy b/Samples/one-interface/policy index efe89bce1..6733dad95 100644 --- a/Samples/one-interface/policy +++ b/Samples/one-interface/policy 
@@ -35,7 +35,7 @@ # As shipped, the default policies are: # # a) All connections from the local network to the internet are allowed -# b) All connections from the network are ignored but logged at syslog +# b) All connections from the internet are ignored but logged at syslog # level KERNEL.INFO. # d) All other connection requests are rejected and logged at level # KERNEL.INFO. diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf index 7587c6e33..026b66e96 100644 --- a/Samples/one-interface/shorewall.conf +++ b/Samples/one-interface/shorewall.conf @@ -9,26 +9,35 @@ # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) ############################################################################## # +# NAME OF THE FIREWALL ZONE +# # Name of the firewall zone -- if not set or if set to an empty string, "fw" # is assumed. # FW=fw - +# +# SUBSYSTEM LOCK FILE +# # Set this to the name of the lock file expected by your init scripts. For # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it # should be /var/state/shorewall. If your init scripts don't use lock files, -# set -this to "". +# set this to "". # SUBSYSLOCK=/var/lock/subsys/shorewall +# +# SHOREWALL TEMPORARY STATE DIRECTORY +# # This is the directory where the firewall maintains state information while # it is running # STATEDIR=/var/lib/shorewall +# +# ALLOW RELATED CONNECTIONS # # Set this to "yes" or "Yes" if you want to accept all connection requests # that are related to already established connections. For example, you want @@ -39,6 +48,8 @@ STATEDIR=/var/lib/shorewall ALLOWRELATED=yes +# +# KERNEL MODULE DIRECTORY # # If your netfilter kernel modules are in a directory other than # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that 
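Review bot: The corrected b) line still sits in a list that runs a), b), d) with no c), so a reader of the new text will assume an item was dropped from the summary of default policies. Either renumber the following context line to `# c) All other connection requests are rejected and logged at level` or restore whatever c) was meant to say. The same a)/b)/d) enumeration is changed identically in Samples/three-interfaces/policy and Samples/two-interfaces/policy in this commit, so the fix applies to all three files.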
@@ -46,6 +57,8 @@ ALLOWRELATED=yes MODULESDIR= +# +# LOG RATE LIMITING # # The next two variables can be used to control the amount of log output # generated. LOGRATE is expressed as a number followed by an optional @@ -54,22 +67,35 @@ MODULESDIR= # maximum initial burst size that will be logged. If set empty, the default # value of 5 will be used. # +# Example: +# +# LOGRATE=10/minute +# LOGBURST=5 +# # If BOTH variables are set empty then logging will not be rate-limited. # LOGRATE= LOGBURST= - +# +# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS # # This variable determines the level at which Mangled/Invalid packets are logged # under the 'dropunclean' interface option. If you set this variable to an # empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped # silently. # +# The value of this variable also determines the level at which Mangled/Invalid +# packets are logged under the 'logunclean' interface option. If the variable +# is empty, these packets will still be logged at the 'info' level. +# LOGUNCLEAN=info +# +# LOG FILE LOCATION +# # This variable tells the /sbin/shorewall program where to look for Shorewall # log messages. If not set or set to an empty string (e.g., LOGFILE="") then # /var/log/messages is assumed. @@ -83,7 +109,7 @@ LOGUNCLEAN=info LOGFILE=/var/log/messages # -# Enable nat support. +# ENABLE NAT SUPPORT # # You probally want yes here. Only gateways not doing NAT in any form, like # SNAT,DNAT masquerading, port forwading etc. should say "no" here. @@ -91,7 +117,7 @@ LOGFILE=/var/log/messages NAT_ENABLED=Yes # -# Enable mangle support. +# ENABLE MANGLE SUPPORT # # If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file # and will not initialize the mangle table when starting or stopping 
@@ -101,7 +127,7 @@ NAT_ENABLED=Yes MANGLE_ENABLED=Yes # -# Enable IP Forwarding +# ENABLE IP FORWARDING # # If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you # say "Off" or "off", packet forwarding will be disabled. You would only want @@ -113,26 +139,27 @@ MANGLE_ENABLED=Yes # enable nor disable packet forwarding. # IP_FORWARDING=Off + # -# Automatically add IP Aliases +# AUTOMATICALLY ADD NAT IP ADDRESSES # -# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases +# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses # for each NAT external address that you give in /etc/shorewall/nat. If you say # "No" or "no", you must add these aliases youself. # ADD_IP_ALIASES=Yes # -# Automatically add SNAT Aliases +# AUTOMATICALLY ADD SNAT IP ADDRESSES # -# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases +# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses # for each SNAT external address that you give in /etc/shorewall/masq. If you say # "No" or "no", you must add these aliases youself. # ADD_SNAT_ALIASES=No # -# Enable Traffic Shaping +# ENABLE TRAFFIC SHAPING # # If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If # you say "No" or "no" then traffic shaping is not enabled. If you enable traffic @@ -142,7 +169,7 @@ ADD_SNAT_ALIASES=No TC_ENABLED=No # -# Blacklisting +# BLACKLIST DISPOSITION # # Set this variable to the action that you want to perform on packets from # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, @@ -151,7 +178,7 @@ TC_ENABLED=No BLACKLIST_DISPOSITION=DROP # -# Blacklist Logging +# BLACKLIST LOG LEVEL # # Set this variable to the syslogd level that you want blacklist packets logged # (beward of DOS attacks resulting from such logging). If not set, no logging 
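Review bot: In the ADD_IP_ALIASES and ADD_SNAT_ALIASES blocks the headings and first sentences are changed to say "IP addresses", but the next sentence in each block still reads `# "No" or "no", you must add these aliases youself.`, so each paragraph now uses two terms for the same thing and keeps the `youself` typo. Changing both context lines to `# "No" or "no", you must add these addresses yourself.` keeps the paragraphs consistent with the new headings. Since the variable names remain ADD_IP_ALIASES / ADD_SNAT_ALIASES, one line noting that "alias" in the name means the same as "address" in the text would spare readers the question.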
@@ -160,7 +187,7 @@ BLACKLIST_DISPOSITION=DROP BLACKLIST_LOGLEVEL= # -# MSS Clamping +# MSS CLAMPING # # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU" # option. This option is most commonly required when your internet @@ -189,17 +216,19 @@ BLACKLIST_LOGLEVEL= CLAMPMSS=No # -# Route Filtering +# ROUTE FILTERING # # Set this variable to "Yes" or "yes" if you want kernel route filtering on all # interfaces (anti-spoofing measure). # # If this variable is not set or is set to the empty value, "No" is assumed. +# In that case, you can still enable route filtering on individual interfaces +# in the /etc/shorewall/interfaces file. ROUTE_FILTER=No # -# NAT before RULES +# NAT BEFORE RULES # # Shorewall has traditionally processed static NAT rules before port forwarding # rules. If you would like to reverse the order, set this variable to "No". @@ -208,7 +237,7 @@ ROUTE_FILTER=No NAT_BEFORE_RULES=Yes -# MULTIPORT +# MULTIPORT support # # If your kernel includes the multiport match option # (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this @@ -228,7 +257,7 @@ NAT_BEFORE_RULES=Yes MULTIPORT=No -# DNAT IP Address Detection +# DNAT IP ADDRESS DETECTION # # Normally when Shorewall encounters the following rule: # @@ -259,7 +288,8 @@ MULTIPORT=No DETECT_DNAT_IPADDRS=No -# Merge Hosts File +# +# MERGE HOSTS FILE # # The traditional behavior of the /etc/shorewall/hosts file has been that # if that file has ANY entry for a zone then the zone must be defined @@ -292,7 +322,7 @@ DETECT_DNAT_IPADDRS=No MERGE_HOSTS=Yes # -# Mutex Timeout +# MUTEX TIMEOUT # # The value of this variable determines the number of seconds that programs # will wait for exclusive access to the Shorewall lock file. After the number 
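Review bot: The heading is changed to `# MULTIPORT support`, which leaves it as the one mixed-case title in a commit that upper-cases every other section heading in shorewall.conf; `# MULTIPORT SUPPORT` would match its neighbours. The new LOGNEWNOTSYN block at the end of the file has the same inconsistency with `# LOGGING 'New not SYN' rejects`. The commit also adds the leading `#` spacer line above `# MERGE HOSTS FILE` but not above `# MULTIPORT support` or `# DNAT IP ADDRESS DETECTION`, so those two headings still follow the previous variable assignment without the separator the other blocks have.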
@@ -306,4 +336,17 @@ MERGE_HOSTS=Yes MUTEX_TIMEOUT=60 +# +# LOGGING 'New not SYN' rejects +# +# When a TCP packet that does not have the SYN flag set and the ACK and RST +# flags clear then unless the packet is part of an established connection, +# it will be rejected by the firewall. If you want these rejects logged, +# then set LOGNEWNOTSYN to the syslog log level at which you want them logged. +# +# Example: LOGNEWNOTSYN=debug + + +LOGNEWNOTSYN= + #LAST LINE -- DO NOT REMOVE diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces index 7217b1ebb..48330b196 100755 --- a/Samples/three-interfaces/interfaces +++ b/Samples/three-interfaces/interfaces @@ -35,7 +35,9 @@ # following: # # dhcp - interface is managed by DHCP or used by -# a DHCP server running on the firewall. +# a DHCP server running on the firewall or +# you have a static IP but are on a LAN +# segment with lots of Laptop DHCP clients. # noping - icmp echo-request (ping) packets # addressed to the firewall should # be ignored on this interface @@ -65,7 +67,9 @@ # addresses and you want to be able to # route between them. # routefilter - turn on kernel route filtering for this -# interface (anti-spoofing measure). +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. # dropunclean - Logs and drops mangled/invalid packets # # logunclean - Logs mangled/invalid packets but does diff --git a/Samples/three-interfaces/masq b/Samples/three-interfaces/masq index 37e30cb15..a73d5835c 100755 --- a/Samples/three-interfaces/masq +++ b/Samples/three-interfaces/masq @@ -57,7 +57,7 @@ # # You add a router to your local network to connect subnet # 192.168.1.0/24 which you also want to masquerade. You then -# add the following entry to this file: +# add a second entry for eth0 to this file: # # eth0 192.168.1.0/24 # 
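Review bot: The first sentence of the new LOGNEWNOTSYN comment is ungrammatical (`When a TCP packet that does not have ... then unless the packet ... it will be rejected`) and it says nothing about how this logging interacts with LOGRATE/LOGBURST, even though the BLACKLIST_LOGLEVEL comment earlier in the same file warns that unconditional logging of packets any remote host can send invites log flooding; the same caveat belongs here. If I read the intent correctly, `# A TCP packet that is not a connection-opening packet (SYN set, ACK and RST clear)` / `# and that is not part of an established connection is rejected by the firewall.` says the same thing in plain form, followed by a line stating whether LOGRATE/LOGBURST apply to these log entries. Stylistically, the block also leaves two blank lines between the Example and `LOGNEWNOTSYN=` and adds another after it, where every other block in the file puts the assignment directly under its closing `#` line.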
@@ -76,6 +76,9 @@ # # eth0 192.168.1.0/24 206.124.146.176 # +# This would normally be done when you have a static external +# IP address since it makes the processing of outgoing +# packets somewhat faster. ############################################################################## #INTERFACE SUBNET ADDRESS eth0 eth1 diff --git a/Samples/three-interfaces/policy b/Samples/three-interfaces/policy index b121bdbfc..13e4dffcc 100644 --- a/Samples/three-interfaces/policy +++ b/Samples/three-interfaces/policy @@ -35,7 +35,7 @@ # As shipped, the default policies are: # # a) All connections from the local network to the internet are allowed -# b) All connections from the network are ignored but logged at syslog +# b) All connections from the internet are ignored but logged at syslog # level KERNEL.INFO. # d) All other connection requests are rejected and logged at level # KERNEL.INFO. diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces index 16ad36c80..587d32924 100755 --- a/Samples/two-interfaces/interfaces +++ b/Samples/two-interfaces/interfaces @@ -35,7 +35,9 @@ # following: # # dhcp - interface is managed by DHCP or used by -# a DHCP server running on the firewall. +# a DHCP server running on the firewall or +# you have a static IP but are on a LAN +# segment with lots of Laptop DHCP clients. # noping - icmp echo-request (ping) packets # addressed to the firewall should # be ignored on this interface @@ -65,7 +67,9 @@ # addresses and you want to be able to # route between them. # routefilter - turn on kernel route filtering for this -# interface (anti-spoofing measure). +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. # dropunclean - Logs and drops mangled/invalid packets # # logunclean - Logs mangled/invalid packets but does 
@@ -116,6 +120,5 @@ # net ppp0 - noping ############################################################################## #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect dhcp,routefilter,norfc1918 loc eth1 detect routestopped #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples/two-interfaces/masq b/Samples/two-interfaces/masq index e5d43b687..e30c88829 100755 --- a/Samples/two-interfaces/masq +++ b/Samples/two-interfaces/masq @@ -57,7 +57,7 @@ # # You add a router to your local network to connect subnet # 192.168.1.0/24 which you also want to masquerade. You then -# add the following entry to this file: +# add a second entry for eth0 to this file: # # eth0 192.168.1.0/24 # @@ -76,6 +76,9 @@ # # eth0 192.168.1.0/24 206.124.146.176 # +# This would normally be done when you have a static external +# IP address since it makes the processing of outgoing +# packets somewhat faster. ############################################################################## #INTERFACE SUBNET ADDRESS eth0 eth1 diff --git a/Samples/two-interfaces/policy b/Samples/two-interfaces/policy index b121bdbfc..13e4dffcc 100644 --- a/Samples/two-interfaces/policy +++ b/Samples/two-interfaces/policy @@ -35,7 +35,7 @@ # As shipped, the default policies are: # # a) All connections from the local network to the internet are allowed -# b) All connections from the network are ignored but logged at syslog +# b) All connections from the internet are ignored but logged at syslog # level KERNEL.INFO. # d) All other connection requests are rejected and logged at level # KERNEL.INFO.
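Review bot: The hunk deletes the sample's only entry for the net zone, `net eth0 detect dhcp,routefilter,norfc1918`, and adds nothing in its place, so the shipped two-interface sample no longer associates any interface with the net zone and eth0 loses the routefilter and norfc1918 anti-spoofing options it carried. Neither the commit title ("Changes for 1.3.6") nor the diff explains this; the other hunks in this file and the three-interfaces sample only touch comments, which makes the deletion look accidental. If it is unintentional the line should be restored; if it is intentional, a comment in the file or the commit message should say how the net zone is now meant to be defined in the sample.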