From ee429fcd39c486802efee153156b81295c89dd97 Mon Sep 17 00:00:00 2001
From: judas_iscariote
Date: Sun, 21 Aug 2005 21:28:29 +0000
Subject: [PATCH] updated to 2.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2529 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Samples/two-interfaces/interfaces | 314 +++++++++++++----------
 Samples/two-interfaces/masq | 316 ++++++++++++------------
 Samples/two-interfaces/rules | 397 ++++++++++++++++--------------
 Samples/two-interfaces/zones | 83 ++++++-
 4 files changed, 634 insertions(+), 476 deletions(-)

diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces
index 5f8d7552b..83e3a6779 100755
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@@ -1,36 +1,33 @@
-#
-# Shorewall 2.2 -- Sample Interface File For Two Interfaces
 #
-# /etc/shorewall/interfaces
+# Shorewall version 2.6 - Interfaces File
+#
+# /etc/shorewall/interfaces
 #
 # You must add an entry in this file for each network interface on your
 # firewall system.
 #
 # Columns are:
 #
-# ZONE
-# Zone for this interface. Must match the short name
+# ZONE Zone for this interface. Must match the short name
 # of a zone defined in /etc/shorewall/zones.
 #
 # If the interface serves multiple zones that will be
 # defined in the /etc/shorewall/hosts file, you should
 # place "-" in this column.
 #
-# INTERFACE
-# Name of interface. Each interface may be listed only
+# INTERFACE Name of interface. Each interface may be listed only
 # once in this file. You may NOT specify the name of
 # an alias (e.g., eth0:0) here; see
 # http://www.shorewall.net/FAQ.htm#faq18
 #
 # You may specify wildcards here. For example, if you
-# want to make a entry that applies to all PPP
+# want to make an entry that applies to all PPP
 # interfaces, use 'ppp+'.
 #
-# There is no need to defiane the loopback interface
-# (lo) in this file.
+# There is no need to define the loopback interface (lo)
+# in this file.
 #
-# BROADCAST
-# The broadcast address for the subnetwork to which the
+# BROADCAST The broadcast address for the subnetwork to which the
 # interface belongs. For P-T-P interfaces, this
 # column is left blank.If the interface has multiple
 # addresses on multiple subnets then list the broadcast
@@ -40,153 +37,206 @@ # will detect the broadcast address for you. If you # select this option, the interface must be up before # the firewall is started, you must have iproute -# installed and the interface must only be associated -# with a single subnet. -# +# installed. +# # If you don't want to give a value for this column but # you want to enter a value in the OPTIONS column, enter # "-" in this column. # -# OPTIONS -# A comma-separated list of options including the +# OPTIONS A comma-separated list of options including the # following: # -# dhcp -# Interface is managed by DHCP or used by -# a DHCP server running on the firewall or -# you have a static IP but are on a LAN -# segment with lots of Laptop DHCP clients. -# norfc1918 -# This interface should not receive -# any packets whose source is in one -# of the ranges reserved by RFC 1918 -# (i.e., private or "non-routable" -# addresses. If packet mangling is -# enabled in shorewall.conf, packets -# whose destination addresses are -# reserved by RFC 1918 are also rejected. -# nobogons -# This interface should not receive -# any packets whose source is in one -# of the ranges reserved by IANA (this -# option does not cover those ranges -# reserved by RFC 1918 -- see above). +# dhcp - Specify this option when any of +# the following are true: +# 1. the interface gets its IP address +# via DHCP +# 2. the interface is used by +# a DHCP server running on the firewall +# 3. you have a static IP but are on a LAN +# segment with lots of Laptop DHCP +# clients. +# 4. the interface is a bridge with +# a DHCP server on one port and DHCP +# clients on another port. # -# I PERSONALLY RECOMMEND AGAINST USING -# THE 'nobogons' OPTION. -# routefilter -# Turn on kernel route filtering for this -# interface (anti-spoofing measure). This -# option can also be enabled globally in -# the /etc/shorewall/shorewall.conf file. -# blacklist -# Check packets arriving on this interface -# against the /etc/shorewall/blacklist -# file. 
-# logmartians -# Turn on kernel martian logging (logging -# of packets with impossible source -# addresses. It is suggested that if you -# set routefilter on an interface that -# you also set logmartians. This option -# may also be enabled globally in the -# /etc/shorewall/shorewall.conf file. -# maclist -# Connection requests from this interface -# are compared against the contents of -# /etc/shorewall/maclist. If this option -# is specified, the interface must be -# an ethernet NIC and must be up before -# Shorewall is started. -# tcpflags -# Packets arriving on this interface are -# checked for certain illegal combinations -# of TCP flags. Packets found to have -# such a combination of flags are handled -# according to the setting of -# TCP_FLAGS_DISPOSITION after having been -# logged according to the setting of -# TCP_FLAGS_LOG_LEVEL. -# proxyarp -# Sets /proc/sys/net/ipv4/conf//proxy_arp. +# norfc1918 - This interface should not receive +# any packets whose source is in one +# of the ranges reserved by RFC 1918 +# (i.e., private or "non-routable" +# addresses. If packet mangling or +# connection-tracking match is enabled in +# your kernel, packets whose destination +# addresses are reserved by RFC 1918 are +# also rejected. +# +# routefilter - turn on kernel route filtering for this +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. +# +# logmartians - turn on kernel martian logging (logging +# of packets with impossible source +# addresses. It is suggested that if you +# set routefilter on an interface that +# you also set logmartians. This option +# may also be enabled globally in the +# /etc/shorewall/shorewall.conf file. +# +# blacklist - Check packets arriving on this interface +# against the /etc/shorewall/blacklist +# file. +# +# maclist - Connection requests from this interface +# are compared against the contents of +# /etc/shorewall/maclist. 
If this option +# is specified, the interface must be +# an ethernet NIC and must be up before +# Shorewall is started. +# +# tcpflags - Packets arriving on this interface are +# checked for certain illegal combinations +# of TCP flags. Packets found to have +# such a combination of flags are handled +# according to the setting of +# TCP_FLAGS_DISPOSITION after having been +# logged according to the setting of +# TCP_FLAGS_LOG_LEVEL. +# +# proxyarp - +# Sets +# /proc/sys/net/ipv4/conf//proxy_arp. # Do NOT use this option if you are # employing Proxy ARP through entries in # /etc/shorewall/proxyarp. This option is # intended soley for use with Proxy ARP # sub-networking as described at: # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet -# newnotsyn -# TCP packets that don't have the SYN flag set and -# which are not part of an established connection -# will be accepted from this interface, even if -# NEWNOTSYN=No has been specified in -# /etc/shorewall/shorewall.conf. In other -# words, packets coming in on this interface -# are processed as if NEWNOTSYN=Yes had been -# specified in /etc/shorewall/shorewall.conf. # -# This option has no effect if NEWNOTSYN=Yes. +# newnotsyn - TCP packets that don't have the SYN +# flag set and which are not part of an +# established connection will be accepted +# from this interface, even if +# NEWNOTSYN=No has been specified in +# /etc/shorewall/shorewall.conf. In other +# words, packets coming in on this +# interface are processed as if +# NEWNOTSYN=Yes had been specified in +# /etc/shorewall/shorewall.conf. # -# It is the opinion of the author that -# NEWNOTSYN=No creates more problems than -# it solves and I recommend against using -# that setting in shorewall.conf (hence -# making the use of the 'newnotsyn' -# interface option unnecessary). -# routeback -# If specified, indicates that Shorewall -# should include rules that allow filtering -# traffic arriving on this interface back -# out that same interface. 
+# This option has no effect if +# NEWNOTSYN=Yes. # -# arp_filter -# If specified, this interface will only respond -# to ARP who-has requests for IP addresses -# configured on the interface. If not specified, -# the interface can respond to ARP who-has requests -# for IP addresses on any of the firewall's interface. -# The interface must be up when shorewall is started. -# nosmurfs -# Filter packets for smurfs (Packets with a broadcast -# address as the source). +# It is the opinion of the author that +# NEWNOTSYN=No creates more problems than +# it solves and I recommend against using +# that setting in shorewall.conf (hence +# making the use of the 'newnotsyn' +# interface option unnecessary). # -# Smurfs will be optionally logged based on the setting -# of SMURF_LOG_LEVEL in shorewall.conf. After logging -# the packets are dropped. -# -# detectnets -# Automatically taylors the zone named in the ZONE column -# to include only those hosts routed through the interface. +# routeback - If specified, indicates that Shorewall +# should include rules that allow +# filtering traffic arriving on this +# interface back out that same interface. # -# WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE! +# arp_filter - If specified, this interface will only +# respond to ARP who-has requests for IP +# addresses configured on the interface. +# If not specified, the interface can +# respond to ARP who-has requests for +# IP addresses on any of the firewall's +# interface. The interface must be up +# when Shorewall is started. # +# arp_ignore[=] +# - If specified, this interface will +# respond to arp requests based on the +# value of . # -# The order in which you list the options is not -# significant but the list should have no embedded white -# space. 
+# 1 - reply only if the target IP address +# is local address configured on the +# incoming interface # -# Example 1: -# Suppose you have eth0 connected to a DSL modem and +# 2 - reply only if the target IP address +# is local address configured on the +# incoming interface and both with the +# sender's IP address are part from same +# subnet on this interface +# +# 3 - do not reply for local addresses +# configured with scope host, only +# resolutions for global and link +# addresses are replied +# +# 4-7 - reserved +# +# 8 - do not reply for all local +# addresses +# +# If no is given then the value +# 1 is assumed +# +# WARNING -- DO NOT SPECIFY arp_ignore +# FOR ANY INTERFACE INVOLVED IN PROXY ARP. +# +# nosmurfs - Filter packets for smurfs +# (packets with a broadcast +# address as the source). +# +# Smurfs will be optionally logged based +# on the setting of SMURF_LOG_LEVEL in +# shorewall.conf. After logging, the +# packets are dropped. +# +# detectnets - Automatically taylors the zone named +# in the ZONE column to include only those +# hosts routed through the interface. +# +# upnp - Incoming requests from this interface +# may be remapped via UPNP (upnpd). +# +# WARNING: DO NOT SET THE detectnets OPTION ON YOUR +# INTERNET INTERFACE. +# +# The order in which you list the options is not +# significant but the list should have no embedded white +# space. +# +# GATEWAY This column is only meaningful if the 'default' OPTION +# is given -- it is ignored otherwise. You may specify +# the default gateway IP address for this interface here +# and Shorewall will use that IP address rather than any +# that it finds in the main routing table. +# +# Example 1: Suppose you have eth0 connected to a DSL modem and # eth1 connected to your local network and that your -# local subnet is 192.168.1.0/24. The eth0 interface gets -# it's IP address via DHCP from subnet 206.191.149.192/27. +# local subnet is 192.168.1.0/24. 
The interface gets +# it's IP address via DHCP from subnet +# 206.191.149.192/27. You have a DMZ with subnet +# 192.168.2.0/24 using eth2. # # Your entries for this setup would look like: # -# #ZONE INTERFACE BROADCAST OPTIONS -# net eth0 206.191.149.223 dhcp -# local eth1 192.168.1.255 +# net eth0 206.191.149.223 dhcp +# local eth1 192.168.1.255 +# dmz eth2 192.168.2.255 # -# Example 2: -# The same configuration without specifying broadcast +# Example 2: The same configuration without specifying broadcast # addresses is: # -# #ZONE INTERFACE BROADCAST OPTIONS -# net eth0 detect dhcp -# loc eth1 detect +# net eth0 detect dhcp +# loc eth1 detect +# dmz eth2 detect # -############################################################################## -#ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians -loc eth1 detect tcpflags,detectnets +# Example 3: You have a simple dial-in system with no ethernet +# connections. +# +# net ppp0 - +# +# For additional information, see +# http://shorewall.net/Documentation.htm#Interfaces +# +############################################################################### +#ZONE INTERFACE BROADCAST OPTIONS GATEWAY +net eth0 detect dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians +loc eth1 detect tcpflags,detectnets #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples/two-interfaces/masq b/Samples/two-interfaces/masq index 1bc235ec3..b1995fbb9 100755 --- a/Samples/two-interfaces/masq +++ b/Samples/two-interfaces/masq 
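Review bot: The new GATEWAY column text, `+# GATEWAY This column is only meaningful if the 'default' OPTION`, refers to a 'default' option that the rewritten OPTIONS list in this hunk never documents (dhcp through upnp are described, 'default' is not), so a reader of the sample cannot tell what belongs in the fifth column of the `net eth0` line. Either add a `default` entry to the OPTIONS list in the same `name - description` style as the others or, if 2.6 no longer has that option, drop the GATEWAY paragraph; the hunk does not show which applies. The lines `+# WARNING: DO NOT SET THE detectnets OPTION ON YOUR` / `+# INTERNET INTERFACE.` now sit under the `upnp` entry instead of under `detectnets`; putting them back directly below the detectnets paragraph keeps the warning next to the option it guards, which matters here because the sample itself enables detectnets on `loc eth1`.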
@@ -1,209 +1,221 @@ -# -# Shorewall 2.2 - Sample Masquerade file For Two Interfaces # -# etc/shorewall/masq +# Shorewall version 2.6 - Masq file # -# Use this file to define dynamic NAT (Masquerading) and to define Source NAT -# (SNAT). +# /etc/shorewall/masq # -# Columns are: +# Use this file to define dynamic NAT (Masquerading) and to define +# Source NAT (SNAT). # -# INTERFACE -# Outgoing interface. This is usually your internet -# interface. If ADD_SNAT_ALIASES=Yes in -# /etc/shorewall/shorewall.conf, you may add ":" and -# a digit to indicate that you want the alias added with -# that name (e.g., eth0:0). This will allow the alias to -# be displayed with ifconfig. THAT IS THE ONLY USE FOR -# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER -# PLACE IN YOUR SHOREWALL CONFIGURATION. +# Columns are: # -# This may be qualified by adding the character -# ":" followed by a destination host or subnet. +# INTERFACE -- Outgoing interface. This is usually your internet +# interface. If ADD_SNAT_ALIASES=Yes in +# /etc/shorewall/shorewall.conf, you may add ":" and +# a digit to indicate that you want the alias added with +# that name (e.g., eth0:0). This will allow the alias to +# be displayed with ifconfig. THAT IS THE ONLY USE FOR +# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER +# PLACE IN YOUR SHOREWALL CONFIGURATION. # -# If you wish to inhibit the action of ADD_SNAT_ALIASES -# for this entry then include the ":" but omit the digit: +# This may be qualified by adding the character +# ":" followed by a destination host or subnet. # -# eth0: -# eth2::192.0.2.32/27 +# If you wish to inhibit the action of ADD_SNAT_ALIASES +# for this entry then include the ":" but omit the digit: # -# Normally Masq/SNAT rules are evaluated after those for -# one-to-one NAT (/etc/shorewall/nat file). 
If you want -# the rule to be applied before one-to-one NAT rules, -# prefix the interface name with "+": +# eth0: +# eth2::192.0.2.32/27 # -# +eth0 -# +eth0:192.0.2.32/27 -# +eth0:2 +# Normally Masq/SNAT rules are evaluated after those for +# one-to-one NAT (/etc/shorewall/nat file). If you want +# the rule to be applied before one-to-one NAT rules, +# prefix the interface name with "+": # -# This feature should only be required if you need to -# insert rules in this file that preempt entries in -# /etc/shorewall/nat. +# +eth0 +# +eth0:192.0.2.32/27 +# +eth0:2 # -# SUBNET -# Subnet that you wish to masquerade. You can specify this as -# a subnet or as an interface. If you give the name of an -# interface, you must have iproute installed and the interface -# must be up before you start the firewall. +# This feature should only be required if you need to +# insert rules in this file that preempt entries in +# /etc/shorewall/nat. # -# In order to exclude a subset of the specified SUBNET, you -# may append "!" and a comma-separated list of IP addresses -# and/or subnets that you wish to exclude. +# SUBNET -- Subnet that you wish to masquerade. You can specify this as +# a subnet or as an interface. If you give the name of an +# interface, you must have iproute installed and the interface +# must be up before you start the firewall. # -# Example: eth1!192.168.1.4,192.168.32.0/27 +# In order to exclude a subset of the specified SUBNET, you +# may append "!" and a comma-separated list of IP addresses +# and/or subnets that you wish to exclude. # -# In that example traffic from eth1 would be masqueraded unless -# it came from 192.168.1.4 or 196.168.32.0/27 +# Example: eth1!192.168.1.4,192.168.32.0/27 # -# ADDRESS (Optional) -# If you specify an address here, SNAT will be -# used and this will be the source address. 
If -# ADD_SNAT_ALIASES is set to Yes or yes in -# /etc/shorewall/shorewall.conf then Shorewall -# will automatically add this address to the -# INTERFACE named in the first column. -# -# You may also specify a range of up to 256 IP -# addresses if you want the SNAT address to be -# assigned from that range in a round robin range -# by connection. The range is specified by -# -. -# -# Example: 206.124.146.177-206.124.146.180 +# In that example traffic from eth1 would be masqueraded unless +# it came from 192.168.1.4 or 196.168.32.0/27 # -# This column may not contain DNS names. +# ADDRESS -- (Optional). If you specify an address here, SNAT will be +# used and this will be the source address. If +# ADD_SNAT_ALIASES is set to Yes or yes in +# /etc/shorewall/shorewall.conf then Shorewall +# will automatically add this address to the +# INTERFACE named in the first column. # -# Normally, Netfilter will attempt to retain -# the source port number. You may cause -# netfilter to remap the source port by following -# an address or range (if any) by ":" and -# a port range with the format - -# . If this is done, you must -# specify "tcp" or "udp" in the PROTO column. +# You may also specify a range of up to 256 +# IP addresses if you want the SNAT address to +# be assigned from that range in a round-robin +# range by connection. The range is specified by +# -. # -# Examples: +# Example: 206.124.146.177-206.124.146.180 # -# 192.0.2.4:5000-6000 -# :4000-5000 +# Finally, you may also specify a comma-separated +# list of ranges and/or addresses in this column. # -# If you want to leave this column empty -# but you need to specify the next column then -# place a hyphen ("-") here. +# This column may not contain DNS Names. # -# PROTO -- (Optional) -# If you wish to restrict this entry to a -# particular protocol then enter the protocol -# name (from /etc/protocols) or number here. +# Normally, Netfilter will attempt to retain +# the source port number. 
You may cause +# netfilter to remap the source port by following +# an address or range (if any) by ":" and +# a port range with the format - +# . If this is done, you must +# specify "tcp" or "udp" in the PROTO column. +# +# Examples: # -# PORT(S) -- (Optional) -# If the PROTO column specifies TCP (protocol 6) -# or UDP (protocol 17) then you may list one -# or more port numbers (or names from -# /etc/services) separated by commas or you -# may list a single port range -# (:). +# 192.0.2.4:5000-6000 +# :4000-5000 # -# Where a comma-separated list is given, your -# kernel and iptables must have multiport match -# support and a maximum of 15 ports may be listed. +# You can invoke the SAME target using the +# following in this column: # -# IPSEC -- (Optional) -# If you specify a value other than "-" in this -# column, you must be running kernel 2.6 and -# your kernel and iptables must include policy -# match support. +# SAME:[nodst:][,...] # -# Comma-separated list of options from the following. -# Only packets that will be encrypted via an SA that -# matches these options will have their source address -# changed. +# The may be single addresses. # -# Yes or yes -- must be the only option listed -# and matches all outbound traffic that will be -# encrypted. +# SAME works like SNAT with the exception that +# the same local IP address is assigned to each +# connection from a local address to a given +# remote address. # -# reqid= where is specified -# using setkey(8) using the 'unique: -# option for the SPD level. +# If the 'nodst:' option is included, then the +# same source address is used for a given +# internal system regardless of which remote +# system is involved. # -# spi= where is the SPI of -# the SA. +# If you want to leave this column empty +# but you need to specify the next column then +# place a hyphen ("-") here. 
# -# proto=ah|esp|ipcomp +# PROTO -- (Optional) If you wish to restrict this entry to a +# particular protocol then enter the protocol +# name (from /etc/protocols) or number here. # -# mode=transport|tunnel +# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6) +# or UDP (protocol 17) then you may list one +# or more port numbers (or names from +# /etc/services) separated by commas or you +# may list a single port range +# (:). +# +# Where a comma-separated list is given, your +# kernel and iptables must have multiport match +# support and a maximum of 15 ports may be +# listed. +# +# IPSEC -- (Optional) If you specify a value other than "-" in this +# column, you must be running kernel 2.6 and +# your kernel and iptables must include policy +# match support. # -# tunnel-src=
[/] (only -# available with mode=tunnel) +# Comma-separated list of options from the +# following. Only packets that will be encrypted +# via an SA that matches these options will have +# their source address changed. # -# tunnel-dst=
[/] (only -# available with mode=tunnel) +# Yes or yes -- must be the only option +# listed and matches all outbound +# traffic that will be encrypted. # -# strict Means that packets must match all -# rules. +# reqid= where is +# specified using setkey(8) using the +# 'unique: option for the SPD +# level. # -# next Separates rules; can only be used -# with strict.. +# spi= where is the +# SPI of the SA. # -# Example 1: +# proto=ah|esp|ipcomp # -# You have a simple masquerading setup where eth0 connects to -# a DSL or cable modem and eth1 connects to your local network -# with subnet 192.168.0.0/24. +# mode=transport|tunnel # -# Your entry in the file can be either: +# tunnel-src=
[/] (only +# available with mode=tunnel) # -# #INTERFACE SUBNET ADDRESS -# eth0 eth1 +# tunnel-dst=
[/] (only +# available with mode=tunnel) # -# or +# strict Means that packets must match +# all rules. # -# #INTERFACE SUBNET ADDRESS -# eth0 192.168.0.0/24 +# next Separates rules; can only be +# used with strict.. # -# Example 2: +# Example 1: # -# You add a router to your local network to connect subnet -# 192.168.1.0/24 which you also want to masquerade. You then -# add a second entry for eth0 to this file: +# You have a simple masquerading setup where eth0 connects to +# a DSL or cable modem and eth1 connects to your local network +# with subnet 192.168.0.0/24. # -# #INTERFACE SUBNET ADDRESS -# eth0 192.168.1.0/24 +# Your entry in the file can be either: # -# Example 3: +# eth0 eth1 # -# You have an IPSEC tunnel through ipsec0 and you want to -# masquerade packets coming from 192.168.1.0/24 but only if -# these packets are destined for hosts in 10.1.1.0/24: +# or +# +# eth0 192.168.0.0/24 +# +# Example 2: +# +# You add a router to your local network to connect subnet +# 192.168.1.0/24 which you also want to masquerade. You then +# add a second entry for eth0 to this file: +# +# eth0 192.168.1.0/24 +# +# Example 3: +# +# You have an IPSEC tunnel through ipsec0 and you want to +# masquerade packets coming from 192.168.1.0/24 but only if +# these packets are destined for hosts in 10.1.1.0/24: # -# #INTERFACE SUBNET ADDRESS # ipsec0:10.1.1.0/24 196.168.1.0/24 # -# Example 4: +# Example 4: # -# You want all outgoing traffic from 192.168.1.0/24 through -# eth0 to use source address 206.124.146.176 which is NOT the -# primary address of eth0. You want 206.124.146.176 added to -# be added to eth0 with name eth0:0. +# You want all outgoing traffic from 192.168.1.0/24 through +# eth0 to use source address 206.124.146.176 which is NOT the +# primary address of eth0. You want 206.124.146.176 added to +# be added to eth0 with name eth0:0. 
# -# #INTERFACE SUBNET ADDRESS -# eth0:0 192.168.1.0/24 206.124.146.176 +# eth0:0 192.168.1.0/24 206.124.146.176 # -# Example 5: +# Example 5: # -# You want all outgoing SMTP traffic entering the firewall -# on eth1 to be sent from eth0 with source IP address -# 206.124.146.177. You want all other outgoing traffic -# from eth1 to be sent from eth0 with source IP address -# 206.124.146.176. +# You want all outgoing SMTP traffic entering the firewall +# on eth1 to be sent from eth0 with source IP address +# 206.124.146.177. You want all other outgoing traffic +# from eth1 to be sent from eth0 with source IP address +# 206.124.146.176. # -# INTERFACE SUBNET ADDRESS PROTO PORT(S) -# eth0 eth1 206.124.146.177 tcp smtp -# eth0 eth1 206.124.146.176 +# eth0 eth1 206.124.146.177 tcp smtp +# eth0 eth1 206.124.146.176 # -# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! +# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! # -############################################################################# +# For additional information, see http://shorewall.net/Documentation.htm#Masq +# +############################################################################### #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC -eth0 eth1 +eth0 eth1 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules index 8afc35407..93a2fa4a0 100755 --- a/Samples/two-interfaces/rules +++ b/Samples/two-interfaces/rules 
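Review bot: The rewritten SUBNET exclusion text `+# it came from 192.168.1.4 or 196.168.32.0/27` does not match the example it explains, `eth1!192.168.1.4,192.168.32.0/27`; 196.168.32.0/27 is not the excluded range (and is public address space, not RFC 1918), so the line should read `it came from 192.168.1.4 or 192.168.32.0/27`. The same digit slip survives in the Example 3 context line `ipsec0:10.1.1.0/24 196.168.1.0/24`, whose newly rewritten description says the masqueraded source is 192.168.1.0/24; since these example lines are what gets pasted into a live masq file, correcting it to `ipsec0:10.1.1.0/24 192.168.1.0/24` belongs in the same change.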
@@ -1,12 +1,12 @@
-#
-# Shorewall version 2.2 - Sample Rules File For Two Interfaces
 #
-# /etc/shorewall/rules
+# Shorewall version 2.6 - Rules File
+#
+# /etc/shorewall/rules
 #
 # Rules in this file govern connection establishment. Requests and
 # responses are automatically allowed using connection tracking. For any
 # particular (source,dest) pair of zones, the rules are evaluated in the
-# order in which they appear in the file and the first match is the one
+# order in which they appear in this file and the first match is the one
 # that determines the disposition of the request.
 #
 # In most places where an IP address or subnet is allowed, you
@@ -14,74 +14,73 @@
 # indicate that the rule matches all addresses except the address/subnet
 # given. Notice that no white space is permitted between "!" and the
 # address/subnet.
-#
-# WARNING: If you masquerade or use SNAT from a local system to the internet
-# you cannot use a ACCEPT rule to allow traffic from the internet to
-# that system. You "must" use a DNAT rule instead.
-#
+#------------------------------------------------------------------------------
+# WARNING: If you masquerade or use SNAT from a local system to the internet,
+# you cannot use an ACCEPT rule to allow traffic from the internet to
+# that system. You *must* use a DNAT rule instead.
+#------------------------------------------------------------------------------
 # Columns are:
 #
+# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
+# LOG, QUEUE or an .
 #
-# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
-# REDIRECT-, CONTINUE, LOG, QUEUE or an .
-#
-# ACCEPT
-# Allow the connection request
-# ACCEPT+
-# Like ACCEPT but also excludes the
-# connection from any subsequent
-# DNAT[-] or REDIRECT[-] rules
-# NONAT
-# Excludes the connection from any
-# subsequent DNAT[-] or REDIRECT[-]
-# rules but doesn't generate a rule
-# to accept the traffic.
-# DROP
-# Ignore the request
-# REJECT
-# Disallow the request and return an
-# icmp-unreachable or an RST packet.
-# DNAT
-# Forward the request to another
-# system (and optionally another
-# port).
-# DNAT-
-# Advanced users only.
-# Like DNAT but only generates the
-# DNAT iptables rule and not
-# the companion ACCEPT rule.
-# REDIRECT
-# Redirect the request to a local
-# port on the firewall.
+# ACCEPT -- allow the connection request
+# ACCEPT+ -- like ACCEPT but also excludes the
+# connection from any subsequent
+# DNAT[-] or REDIRECT[-] rules
+# NONAT -- Excludes the connection from any
+# subsequent DNAT[-] or REDIRECT[-]
+# rules but doesn't generate a rule
+# to accept the traffic.
+# DROP -- ignore the request
+# REJECT -- disallow the request and return an
+# icmp-unreachable or an RST packet.
+# DNAT -- Forward the request to another
+# system (and optionally another
+# port).
+# DNAT- -- Advanced users only.
+# Like DNAT but only generates the
+# DNAT iptables rule and not
+# the companion ACCEPT rule.
+# SAME -- Similar to DNAT except that the
+# port may not be remapped and when
+# multiple server addresses are
+# listed, all requests from a given
+# remote system go to the same
+# server.
+# SAME- -- Advanced users only.
+# Like SAME but only generates the
+# NAT iptables rule and not
+# the companion ACCEPT rule.
+# REDIRECT -- Redirect the request to a local
+# port on the firewall.
 # REDIRECT-
-# Advanced users only.
-# Like REDIRECT but only generates the
-# REDIRECT iptables rule and not the
-# companion ACCEPT rule.
-# CONTINUE
-# (For experts only). Do Not Process
-# any of the following rules for this
-# (source zone,destination zone). If
-# the source and/or destination IP
-# address falls into a zone defined
-# later in /etc/shorewall/zones, this
-# connection request will be passed
-# to the rules defined for that
-# (those) zones(s).
-# LOG
-# Simply log the packet and continue.
-# QUEUE
-# Queue the packet to a user-space
-# application such as ftwall.
-# (http://p2pwall.sf.net).
-#
-# The name of an action defined in
-# /etc/shorewall/actions or in
-# /usr/share/shorewall/actions.std.
+# -- Advanced users only.
+# Like REDIRET but only generates the
+# REDIRECT iptables rule and not
+# the companion ACCEPT rule.
 #
-# The ACTION may optionally be followed by ":" and a syslog
-# log level (e.g, REJECT:info or DNAT:debug). This causes the
-# packet to be logged at the specified level.
+# CONTINUE -- (For experts only). Do not process
+# any of the following rules for this
+# (source zone,destination zone).
If
+# The source and/or destination IP
+# address falls into a zone defined
+# later in /etc/shorewall/zones, this
+# connection request will be passed
+# to the rules defined for that
+# (those) zone(s).
+# LOG -- Simply log the packet and continue.
+# QUEUE -- Queue the packet to a user-space
+# application such as ftwall
+# (http://p2pwall.sf.net).
+# -- The name of an action defined in
+# /etc/shorewall/actions or in
+# /usr/share/shorewall/actions.std.
+#
+# The ACTION may optionally be followed
+# by ":" and a syslog log level (e.g, REJECT:info or
+# DNAT:debug). This causes the packet to be
+# logged at the specified level.
 #
 # If the ACTION names an action defined in
 # /etc/shorewall/actions or in
@@ -97,9 +96,9 @@
 # - The special log level 'none!' suppresses logging
 # by the action.
 #
-# You may also specify ULOG (must be in upper case) as a
-# log level. This will log to the ULOG target for routing
-# to a separate log through use of ulogd.
+# You may also specify ULOG (must be in upper case) as a
+# log level.This will log to the ULOG target for routing
+# to a separate log through use of ulogd
 # (http://www.gnumonks.org/projects/ulogd).
 #
 # Actions specifying logging may be followed by a
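Review bot: The rewritten REDIRECT- entry carries a typo in its new text, `+# Like REDIRET but only generates the`, which should read `Like REDIRECT but only generates the`. The new one-line summary `+# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,` drops REDIRECT- (the old summary listed it) and still omits ACCEPT+, NONAT, SAME and SAME-, all of which the detailed list below it documents, so the summary and the list disagree about which keywords are valid; listing every documented keyword in the summary fixes that. In the second hunk on this line, `+# log level.This will log to the ULOG target for routing` lost the space after the period, and the re-wrapped `+# to a separate log through use of ulogd` dropped the sentence-ending period the old line had.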
@@ -113,17 +112,21 @@
 #
 # SOURCE Source hosts to which the rule applies. May be a zone
 # defined in /etc/shorewall/zones, $FW to indicate the
-# firewall itself, or "all" If the ACTION is DNAT or
-# REDIRECT, sub-zones of the specified zone may be
-# excluded from the rule by following the zone name with
-# "!' and a comma-separated list of sub-zone names.
+# firewall itself, "all", "all+" or "none" If the ACTION
+# is DNAT or REDIRECT, sub-zones of the specified zone
+# may be excluded from the rule by following the zone
+# name with "!' and a comma-separated list of sub-zone
+# names.
+#
+# When "none" is used either in the SOURCE or DEST
+# column, the rule is ignored.
 #
 # When "all" is used either in the SOURCE or DEST column
-# intra-zone traffic is not affected. You must add
-# separate rules to handle that traffic.
+# intra-zone traffic is not affected. When "all+" is
+# used, intra-zone traffic is affected.
 #
-# Except when "all" is specified, clients may be further
-# restricted to a list of subnets and/or hosts by
+# Except when "all[+]" is specified, clients may be
+# further restricted to a list of subnets and/or hosts by
 # appending ":" and a comma-separated list of subnets
 # and/or hosts. Hosts may be specified by IP or MAC
 # address; mac addresses must begin with "~" and must use
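Review bot: The new SOURCE text `+# firewall itself, "all", "all+" or "none" If the ACTION` runs two sentences together; it should read `firewall itself, "all", "all+" or "none". If the ACTION`. The rewritten DEST paragraph in the hunk that follows has the inverse slip, `itself, "all". "all+" or "none".`, where the first period should be a comma. The mismatched quoting `"!'` is carried into the new line `+# name with "!' and a comma-separated list of sub-zone`; since "all+" newly extends a rule to intra-zone traffic, this paragraph is the one a reader checks to tell "all" from "all+", so it is worth making the punctuation clean here.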
@@ -132,22 +135,22 @@ # Hosts may be specified as an IP address range using the # syntax -. This requires that # your kernel and iptables contain iprange match support. +# If you kernel and iptables have ipset match support +# then you may give the name of an ipset prefaced by "+". +# The ipset name may be optionally followed by a number +# from 1 to 6 enclosed in square brackets ([]) to +# indicate the number of levels of source bindings to be +# matched. # -# Some Examples: +# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ # -# net:155.186.235.1 -# Host 155.186.235.1 on the Internet +# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the +# Internet # -# loc:192.168.1.0/24 -# Subnet 192.168.1.0/24 on the -# Local Network -# -# net:155.186.235.1,155.186.235.2 -# Hosts 155.186.235.1 and -# 155.186.235.2 on the Internet. -# -# loc:~00-A0-C9-15-39-78 -# Host on the Local Network with +# loc:192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2 in the local zone. +# loc:~00-A0-C9-15-39-78 Host in the local zone with # MAC address 00:A0:C9:15:39:78. # # net:192.0.2.11-192.0.2.17 
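Review bot: `If you kernel and iptables have ipset match support` should read `If your kernel and iptables have ipset match support`; the same wording is reused for the DEST column later in this file. Since the rewritten examples now show a MAC-keyed client (`loc:~00-A0-C9-15-39-78`), a short caveat next to it would stop the sample from being read as an access-control recipe: `# Note: MAC addresses are trivially spoofed; do not rely on them as the sole basis for trust.`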
@@ -156,73 +159,78 @@ # # Alternatively, clients may be specified by interface # by appending ":" to the zone name followed by the -# interface name. For example, net:eth0 specifies a +# interface name. For example, loc:eth1 specifies a # client that communicates with the firewall system -# through eth0. This may be optionally followed by +# through eth1. This may be optionally followed by # another colon (":") and an IP/MAC/subnet address -# as described above (e.g., net:eth0:192.168.1.5). +# as described above (e.g., loc:eth1:192.168.1.5). # # DEST Location of Server. May be a zone defined in # /etc/shorewall/zones, $FW to indicate the firewall -# itself or "all" +# itself, "all". "all+" or "none". +# +# When "none" is used either in the SOURCE or DEST +# column, the rule is ignored. # # When "all" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. You must add -# separate rules to handle that traffic. +# intra-zone traffic is not affected. When "all+" is +# used, intra-zone traffic is affected. # -# Except when "all" is specified, the server may be +# Except when "all[+]" is specified, the server may be # further restricted to a particular subnet, host or # interface by appending ":" and the subnet, host or # interface. See above. # -# Restrictions: +# Restrictions: # -# 1. MAC addresses are not allowed. -# 2. In DNAT rules, only IP addresses are -# allowed; no FQDNs or subnet addresses -# are permitted. -# 3 You may not specify both an interface and -# an address. +# 1. MAC addresses are not allowed. +# 2. In DNAT rules, only IP addresses are +# allowed; no FQDNs or subnet addresses +# are permitted. +# 3. You may not specify both an interface and +# an address. # # Like in the SOURCE column, you may specify a range of # up to 256 IP addresses using the syntax # -. 
When the ACTION is DNAT or DNAT-, -# the connections will be assigned to the addresses in the +# the connections will be assigned to addresses in the # range in a round-robin fashion. # +# If you kernel and iptables have ipset match support +# then you may give the name of an ipset prefaced by "+". +# The ipset name may be optionally followed by a number +# from 1 to 6 enclosed in square brackets ([]) to +# indicate the number of levels of destination bindings +# to be matched. Only one of the SOURCE and DEST columns +# may specify an ipset name. +# # The port that the server is listening on may be # included and separated from the server's IP address by # ":". If omitted, the firewall will not modifiy the # destination port. A destination port may only be # included if the ACTION is DNAT or REDIRECT. # -# Example: net:155.186.235.1:25 specifies a Internet -# server at IP address 155.186.235.1 and listening on port -# 25. The port number MUST be specified as an integer +# Example: loc:192.168.1.3:3128 specifies a local +# server at IP address 192.168.1.3 and listening on port +# 3128. The port number MUST be specified as an integer # and not as a name from /etc/services. # -# If the ACTION is REDIRECT, this column needs only to +# if the ACTION is REDIRECT, this column needs only to # contain the port number on the firewall that the # request should be redirected to. # -# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", -# a number, or "all". "ipp2p" requires ipp2p match -# support in your kernel and iptables. +# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or +# "all". # # DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # -# If the protocol is ipp2p, this column is interpreted -# as an ipp2p option without the leading "--" (example "bit" -# for bit-torrent). 
If no port is given, "ipp2p" is -# assumed. -# # A port range is expressed as :. # # This column is ignored if PROTOCOL = all but must be -# entered if any of the following fields are supplied. +# entered if any of the following ields are supplied. # In that case, it is suggested that this field contain # "-" # @@ -240,8 +248,8 @@ # ranges. # # If you don't want to restrict client ports but need to -# specify an ORIGINAL DEST in the next column, then place -# "-" in this column. +# specify an ORIGINAL DEST in the next column, then +# place "-" in this column. # # If your kernel contains multi-port match support, then # only a single Netfilter rule will be generated if in @@ -251,8 +259,8 @@ # Otherwise, a separate rule will be generated for each # port. # -# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or -# REDIRECT[-]) If included and different from the IP +# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] +# then if included and different from the IP # address given in the SERVER column, this is an address # on some interface on the firewall and connections to # that address will be forwarded to the IP and port 
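Review bot: Three of the rewritten DEST/PROTO/DEST PORT lines carry typos that will be copied into every user's /etc/shorewall/rules: `If you kernel and iptables have ipset match support` (should be `If your kernel`), `if any of the following ields are supplied` (should be `fields`), and `if the ACTION is REDIRECT, this column needs only to`, which lost its capital `If` compared with the removed line. The new restriction `Only one of the SOURCE and DEST columns may specify an ipset name` is useful; it is stated only under DEST, and the SOURCE ipset paragraph (in an earlier hunk, outside this one) would benefit from the same sentence so a reader of either column sees it.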
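Review bot: The reworded ORIGINAL DEST text still says `the IP address given in the SERVER column`, but no column in this file is named SERVER; the column is headed `DEST` (described as `Location of Server`), so a reader cross-referencing the columns will not find it. Suggest `different from the IP address given in the DEST column`. `(0ptional)` is also spelled with a digit zero and should be `(Optional)`.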
@@ -261,102 +269,129 @@ # A comma-separated list of addresses may also be used. # This is usually most useful with the REDIRECT target # where you want to redirect traffic destined for -# a particular set of hosts. +# particular set of hosts. # # Finally, if the list of addresses begins with "!" then # the rule will be followed only if the original # destination address in the connection request does not # match any of the addresses listed. # -# RATE LIMIT You may rate-limit the rule by placing a value in this column: +# For other actions, this column may be included and may +# contain one or more addresses (host or network) +# separated by commas. Address ranges are not allowed. +# When this column is supplied, rules are generated +# that require that the original destination address +# matches one of the listed addresses. This feature is +# most useful when you want to generate a filter rule +# that corresponds to a DNAT- or REDIRECT- rule. In this +# usage, the list of addresses should not begin with "!". +# +# See http://shorewall.net/PortKnocking.html for an +# example of using an entry in this column with a +# user-defined action rule. +# +# RATE LIMIT You may rate-limit the rule by placing a value in +# this colume: # # /[:] # -# Where is the number of connections per ("sec" -# or "min") and is the largest burst permitted. If no -# is given, a value of 5 is assummed. There may be no -# whitespace embedded in the specification. +# where is the number of connections per +# ("sec" or "min") and is the +# largest burst permitted. If no is given, +# a value of 5 is assumed. There may be no +# no whitespace embedded in the specification. # -# Example: -# 10/sec:20 +# Example: 10/sec:20 # -# If you place a rate limit in this column, you may not place -# a similiar limit in the ACTION column. -# -# USER/GROUP This column may only be non-empty if the SOURCE is the firewall itself. 
-# +# USER/GROUP This column may only be non-empty if the SOURCE is +# the firewall itself. +# # The column may contain: # -# [!][][:] +# [!][][:][+] # -# When this column is non-empty, the rule applies only if the program -# generating the output is running under the effective and/or -# specified (or is NOT running under that id if "!" is given). +# When this column is non-empty, the rule applies only +# if the program generating the output is running under +# the effective and/or specified (or is +# NOT running under that id if "!" is given). # # Examples: -# joe # program must be run by joe -# :kids # program must be run by a member of the 'kids' group. -# !:kids # program must not be run by a member of the 'kids' group. # -# Also by default all outbound loc -> net communications are allowed. -# You can change this behavior in the sample policy file. +# joe #program must be run by joe +# :kids #program must be run by a member of +# #the 'kids' group +# !:kids #program must not be run by a member +# #of the 'kids' group +# +upnpd #program named 'upnpd' # -# Example: Accept www requests to the firewall. 
+# Example: Accept SMTP requests from the DMZ to the internet # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# # PORT PORT(S) DEST LIMIT GROUP -# ACCEPT net fw tcp http +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT dmz net tcp smtp # -# Example: Accept SMTP requests from the Local Network to the Internet +# Example: Forward all ssh and http connection requests from the +# internet to local system 192.168.1.3 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# # PORT PORT(S) DEST LIMIT GROUP -# ACCEPT loc net tcp smtp +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp ssh,http # -# Example: Forward all ssh and http connection requests from the Internet -# to local system 192.168.1.3 +# Example: Forward all http connection requests from the internet +# to local system 192.168.1.3 with a limit of 3 per second and +# a maximum burst of 10 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# # PORT PORT(S) DEST LIMIT GROUP -# DNAT net loc:192.168.1.3 tcp ssh,http +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE +# # PORT PORT(S) DEST LIMIT +# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10 # -# Example: Redirect all locally-originating www connection requests to -# port 3128 on the firewall (Squid running on the firewall -# system) except when the destination address is 192.168.2.2 +# Example: Redirect all locally-originating www connection requests to +# port 3128 on the firewall (Squid running on the firewall +# system) except when the destination address is 192.168.2.2 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# # PORT PORT(S) DEST LIMIT GROUP -# REDIRECT loc 3128 tcp www - !192.168.2.2 +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# REDIRECT loc 3128 tcp www - !192.168.2.2 # -# Example: All http requests from the Internet to address -# 130.252.100.69 are to be forwarded to 
192.168.1.3 +# Example: All http requests from the internet to address +# 130.252.100.69 are to be forwarded to 192.168.1.3 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# # PORT PORT(S) DEST LIMIT GROUP -# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 -############################################################################## -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ -# PORT PORT(S) DEST LIMIT GROUP +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 # -# Accept DNS connections from the firewall to the network +# Example: You want to accept SSH connections to your firewall only +# from internet IP addresses 130.252.100.69 and 130.252.100.70 # -DNS/ACCEPT fw net +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT net:130.252.100.69,130.252.100.70 fw \ +# tcp 22 +############################################################################################################# +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +# PORT PORT(S) DEST LIMIT GROUP # -# Accept SSH connections from the local network for administration +# Accept DNS connections from the firewall to the network # -SSH/ACCEPT loc net +DNS/ACCEPT fw net # -# Allow Ping from the local network +# Accept SSH connections from the local network for administration # -Ping/ACCEPT loc fw +SSH/ACCEPT loc net +# +# Allow Ping from the local network +# +Ping/ACCEPT loc fw # # Reject Ping from the "bad" net zone.. and prevent your log from being flooded.. # -Ping/REJECT:none! net fw +Ping/REJECT:none! net fw -ACCEPT fw loc icmp -ACCEPT fw net icmp +ACCEPT fw loc icmp +ACCEPT fw net icmp # + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples/two-interfaces/zones b/Samples/two-interfaces/zones index e5171fce3..5dcac588f 100644 --- a/Samples/two-interfaces/zones +++ b/Samples/two-interfaces/zones 
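Review bot: The comment `Accept SSH connections from the local network for administration` sits above `SSH/ACCEPT loc net`, which accepts SSH from the local zone to the Internet, not to the firewall; SSH for administering the firewall would be `SSH/ACCEPT loc fw`, matching the `Ping/ACCEPT loc fw` line just below it. The mismatch predates this commit but the lines are rewritten here and this sample is what users copy, so either the rule should become `SSH/ACCEPT loc fw` or the comment should say "from the local network to the internet". The new column header also repeats its sub-header line, `# PORT PORT(S) DEST LIMIT GROUP`, twice in a row. Minor typos in the new text: `this colume` (column) and `There may be no no whitespace` (doubled `no`). The commit also drops the sentence stating that a rate limit may not be given both in this column and in the ACTION column; if that restriction still holds in 2.6 it should be kept (I cannot tell from the hunk).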
@@ -1,19 +1,80 @@ # -# Shorewall 2.2 -- Sample Zone File For Two Interfaces -# /etc/shorewall/zones +# Shorewall version 2.6 - Zones File # -# This file determines your network zones. Columns are: +# /etc/shorewall/zones # -# ZONE Short name of the zone (5 Characters or less in length). -# DISPLAY Display name of the zone -# COMMENTS Comments about the zone +# This file determines your network zones. +# +# Columns are: +# +# ZONE Short name of the zone (5 Characters or less in length). +# The names "all" and "none" are reserved and may not be +# used as zone names. +# +# IPSEC Yes -- Communication with all zone hosts is encrypted +# ONLY Your kernel and iptables must include policy +# match support. +# No -- Communication with some zone hosts may be encrypted. +# Encrypted hosts are designated using the 'ipsec' +# option in /etc/shorewall/hosts. +# +# OPTIONS, A comma-separated list of options as follows: +# IN OPTIONS, +# OUT OPTIONS reqid= where is specified +# using setkey(8) using the 'unique: +# option for the SPD level. +# +# spi= where is the SPI of +# the SA used to encrypt/decrypt packets. +# +# proto=ah|esp|ipcomp +# +# mss= (sets the MSS field in TCP packets) +# +# mode=transport|tunnel +# +# tunnel-src=
[/] (only +# available with mode=tunnel) +# +# tunnel-dst=
[/] (only +# available with mode=tunnel) +# +# strict Means that packets must match all rules. +# +# next Separates rules; can only be used with +# strict.. +# +# Example: +# mode=transport,reqid=44 +# +# The options in the OPTIONS column are applied to both incoming +# and outgoing traffic. The IN OPTIONS are applied to incoming +# traffic (in addition to OPTIONS) and the OUT OPTIONS are +# applied to outgoing traffic. +# +# If you wish to leave a column empty but need to make an entry +# in a following column, use "-". # # THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts. # -# See http://www.shorewall.net/Documentation.html#Nested +# See http://www.shorewall.net/Documentation.htm#Nested +#------------------------------------------------------------------------------ +# Example zones: # -#ZONE DISPLAY COMMENTS -net Net Internet -loc Local Local Networks -#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +# You have a three interface firewall with internet, local and DMZ +# interfaces. +# +# #ZONE IPSEC OPTIONS IN OUT +# net +# loc +# dmz +# +############################################################################### +#ZONE IPSEC OPTIONS IN OUT +# ONLY OPTIONS OPTIONS + +net +loc + +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
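Review bot: The IPSEC column text says `Your kernel and iptables must include policy match support` for `Yes`, but not what happens when that support is absent; if the zone were still populated without the policy match, cleartext hosts could end up classified into a zone the administrator believes is IPsec-only, so the comment should state the failure mode (refuses to start versus degrades) once confirmed — I cannot tell from the hunk. `strict..` has a doubled period and `'unique:` appears to be missing its closing quote. The Nested link was changed from `Documentation.html#Nested` to `Documentation.htm#Nested` while the rules file in this same patch links `PortKnocking.html`; worth confirming the new URL resolves before release.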