updated to 2.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2529 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/two-interfaces/interfaces

@@ -1,5 +1,5 @@
 #
-#	Shorewall 2.2 -- Sample Interface File For Two Interfaces
+# Shorewall version 2.6 - Interfaces File
 #
 # /etc/shorewall/interfaces
 #
@@ -8,29 +8,26 @@
 #
 # Columns are:
 #
-#	ZONE
+#	ZONE		Zone for this interface. Must match the short name
-#			Zone for this interface. Must match the short name
 #			of a zone defined in /etc/shorewall/zones.
 #
 #			If the interface serves multiple zones that will be
 #			defined in the /etc/shorewall/hosts file, you should
 #			place "-" in this column.
 #
-#	INTERFACE
+#	INTERFACE	Name of interface. Each interface may be listed only
-#			Name of interface. Each interface may be listed only
 #			once in this file. You may NOT specify the name of
 #			an alias (e.g., eth0:0) here; see
 #			http://www.shorewall.net/FAQ.htm#faq18
 #
 #			You may specify wildcards here. For example, if you
-#			want to make a entry that applies to all PPP
+#			want to make an entry that applies to all PPP
 #			interfaces, use 'ppp+'.
 #
-#			There is no need to defiane the loopback interface
+#			There is no need to define the loopback	interface (lo)
-#			(lo) in this file.
+#			in this file.
 #
-#	BROADCAST
+#	BROADCAST	The broadcast address for the subnetwork to which the
-#			The broadcast address for the subnetwork to which the
 #			interface belongs. For P-T-P interfaces, this
 #			column is left blank.If the interface has multiple
 #			addresses on multiple subnets then list the broadcast
@@ -40,66 +37,63 @@
 #			will detect the broadcast address for you. If you
 #			select this option, the interface must be up before
 #			the firewall is started, you must have iproute
-#			installed and the interface must only be associated
+#			installed.
-#			with a single subnet.
 #
 #			If you don't want to give a value for this column but
 #			you want to enter a value in the OPTIONS column, enter
 #			"-" in this column.
 #
-#	OPTIONS
+#	OPTIONS		A comma-separated list of options including the
-#			A comma-separated list of options including the
 #			following:
 #
-#		dhcp
+#			dhcp	     - Specify this option when any of
-#				Interface is managed by DHCP or used by
+#				       the following are true:
-#				a DHCP server running on the firewall or
+#				       1. the interface gets its IP address
-#				you have a static IP but are on a LAN
+#					  via DHCP
-#				segment with lots of Laptop DHCP clients.
+#				       2. the interface is used by
-#		norfc1918
+#					  a DHCP server running on the firewall
-#				This interface should not receive
+#				       3. you have a static IP but are on a LAN
+#					  segment with lots of Laptop DHCP
+#					  clients.
+#				       4. the interface is a bridge with
+#					  a DHCP server on one port and DHCP
+#					  clients on another port.
+#
+#			norfc1918    - This interface should not receive
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
 #				       (i.e., private or "non-routable"
-#				addresses. If packet mangling is
+#				       addresses. If packet mangling or
-#				enabled in shorewall.conf, packets
+#				       connection-tracking match is enabled in
-#				whose destination addresses are
+#				       your kernel, packets whose destination
-#				reserved by RFC 1918 are also rejected.
+#				       addresses are reserved by RFC 1918 are
-#		nobogons
+#				       also rejected.
-#				This interface should not receive
-#				any packets whose source is in one
-#				of the ranges reserved by IANA (this
-#				option does not cover those ranges
-#				reserved by RFC 1918 -- see above).
 #
-#				I PERSONALLY RECOMMEND AGAINST USING
+#			routefilter  - turn on kernel route filtering for this
-#				THE 'nobogons' OPTION.
-#		routefilter
-#				Turn on kernel route filtering for this
 #				       interface (anti-spoofing measure). This
 #				       option can also be enabled globally in
 #				       the /etc/shorewall/shorewall.conf file.
-#		blacklist
+#
-#				Check packets arriving on this interface
+#			logmartians  - turn on kernel martian logging (logging
-#				against the /etc/shorewall/blacklist
-#				file.
-#		logmartians
-#				Turn on kernel martian logging (logging
 #				       of packets with impossible source
 #				       addresses. It is suggested that if you
 #				       set routefilter on an interface that
 #				       you also set logmartians. This option
 #				       may also be enabled globally in the
 #				       /etc/shorewall/shorewall.conf file.
-#		maclist
+#
-#				Connection requests from this interface
+#			blacklist    - Check packets arriving on this interface
+#				       against the /etc/shorewall/blacklist
+#				       file.
+#
+#			maclist	     - Connection requests from this interface
 #				       are compared against the contents of
 #				       /etc/shorewall/maclist. If this option
 #				       is specified, the interface must be
 #				       an ethernet NIC and must be up before
 #				       Shorewall is started.
-#		tcpflags
+#
-#				Packets arriving on this interface are
+#			tcpflags     - Packets arriving on this interface are
 #				       checked for certain illegal combinations
 #				       of TCP flags. Packets found to have
 #				       such a combination of flags are handled
@@ -107,25 +101,30 @@
 #				       TCP_FLAGS_DISPOSITION after having been
 #				       logged according to the setting of
 #				       TCP_FLAGS_LOG_LEVEL.
-#		proxyarp
+#
-#				Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
+#			proxyarp     -
+#				Sets
+#				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
 #				Do NOT use this option if you are
 #				employing Proxy ARP through entries in
 #				/etc/shorewall/proxyarp. This option is
 #				intended soley for use with Proxy ARP
 #				sub-networking as described at:
 #				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
-#		newnotsyn
+#
-#				TCP packets that don't have the SYN flag set and
+#			newnotsyn    - TCP packets that don't have the SYN
-#				which are not part of an established connection
+#				       flag set and which are not part of an
-#				will be accepted from this interface, even if
+#				       established connection will be accepted
+#				       from this interface, even if
 #				       NEWNOTSYN=No has been specified in
 #				       /etc/shorewall/shorewall.conf. In other
-#				words, packets coming in on this interface
+#				       words, packets coming in on this
-#				are processed as if NEWNOTSYN=Yes had been
+#				       interface are processed as if
-#				specified in /etc/shorewall/shorewall.conf.
+#				       NEWNOTSYN=Yes had been specified in
+#					/etc/shorewall/shorewall.conf.
 #
-#				This option has no effect if NEWNOTSYN=Yes.
+#				       This option has no effect if
+#				       NEWNOTSYN=Yes.
 #
 #				       It is the opinion of the author that
 #				       NEWNOTSYN=No creates more problems than
@@ -133,60 +132,111 @@
 #				       that setting in shorewall.conf (hence
 #				       making the use of the 'newnotsyn'
 #				       interface option unnecessary).
-#		routeback
-#				If specified, indicates that Shorewall
-#				should include rules that allow filtering
-#				traffic arriving on this interface back
-#				out that same interface.
 #
-#		arp_filter
+#			routeback    - If specified, indicates that Shorewall
-#				If specified, this interface will only respond
+#				       should include rules that allow
-#				to ARP who-has requests for IP addresses
+#				       filtering traffic arriving on this
-#				configured on the interface. If not specified,
+#				       interface back out that same interface.
-#				the interface can respond to ARP who-has requests
+#
-#				for IP addresses on any of the firewall's interface.
+#			arp_filter   - If specified, this interface will only
-#				The interface must be up when shorewall is started.
+#				       respond to ARP who-has requests for IP
-#		nosmurfs
+#				       addresses configured on the interface.
-#				Filter packets for smurfs (Packets with a broadcast
+#				       If not specified, the interface can
+#				       respond to ARP who-has requests for
+#				       IP addresses on any of the firewall's
+#				       interface. The interface must be up
+#				       when Shorewall is started.
+#
+#			arp_ignore[=<number>]
+#				     - If specified, this interface will
+#				       respond to arp requests based on the
+#				       value of <number>.
+#
+#				       1 - reply only if the target IP address
+#				       is local address configured on the
+#				       incoming interface
+#
+#				       2 - reply only if the target IP address
+#				       is local address configured on the
+#				       incoming interface and both with the
+#				       sender's IP address are part from same
+#				       subnet on this interface
+#
+#				       3 - do not reply for local addresses
+#				       configured with scope host, only
+#				       resolutions for global and link
+#				       addresses are replied
+#
+#				       4-7 - reserved
+#
+#				       8 - do not reply for all local
+#				       addresses
+#
+#				       If no <number> is given then the value
+#				       1 is assumed
+#
+#				       WARNING -- DO NOT SPECIFY arp_ignore
+#				       FOR ANY INTERFACE INVOLVED IN PROXY ARP.
+#
+#			nosmurfs     - Filter packets for smurfs
+#				       (packets with a broadcast
 #				       address as the source).
 #
-#				Smurfs will be optionally logged based on the setting
+#				       Smurfs will be optionally logged based
-#				of SMURF_LOG_LEVEL in shorewall.conf. After logging
+#				       on the setting of SMURF_LOG_LEVEL in
-#				the packets are dropped.
+#				       shorewall.conf. After logging, the
+#				       packets are dropped.
 #
-#		detectnets
+#			detectnets   - Automatically taylors the zone named
-#				Automatically taylors the zone named in the ZONE column
+#				       in the ZONE column to include only those
-#				to include only those hosts routed through the interface.
+#				       hosts routed through the interface.
 #
-#	WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE!
+#			upnp	     - Incoming requests from this interface
+#				       may be remapped via UPNP (upnpd).
 #			
+#			WARNING: DO NOT SET THE detectnets OPTION ON YOUR
+#				 INTERNET INTERFACE.
 #
 #			The order in which you list the options is not
 #			significant but the list should have no embedded white
 #			space.
 #
-#	Example 1:
+#	GATEWAY		This column is only meaningful if the 'default' OPTION
-#			Suppose you have eth0 connected to a DSL modem and
+#			is given -- it is ignored otherwise. You may specify
+#			the default gateway IP address for this interface here
+#			and Shorewall will use that IP address rather than any
+#			that it finds in the main routing table.
+#
+#	Example 1:	Suppose you have eth0 connected to a DSL modem and
 #			eth1 connected to your local network and that your
-#			local subnet is 192.168.1.0/24. The eth0 interface gets
+#			local subnet is 192.168.1.0/24. The interface gets
-#			it's IP address via DHCP from subnet 206.191.149.192/27.
+#			it's IP address via DHCP from subnet
+#			206.191.149.192/27. You have a DMZ with subnet
+#			192.168.2.0/24 using eth2.
 #
 #			Your entries for this setup would look like:
 #
-#			#ZONE	INTERFACE	BROADCAST		OPTIONS
 #			net	eth0	206.191.149.223	dhcp
 #			local	eth1	192.168.1.255
+#			dmz	eth2	192.168.2.255
 #
-#	Example 2:
+#	Example 2:	The same configuration without specifying broadcast
-#			The same configuration without specifying broadcast
 #			addresses is:
 #
-#			#ZONE	INTERFACE	BROADCAST		OPTIONS
 #			net	eth0	detect		dhcp
 #			loc	eth1	detect
+#			dmz	eth2	detect
 #
-##############################################################################
+#	Example 3:	You have a simple dial-in system with no ethernet
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+#			connections.
+#
+#			net	ppp0	-
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
+###############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS			GATEWAY
 net     eth0            detect          dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
 loc     eth1            detect          tcpflags,detectnets
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/two-interfaces/masq

@@ -1,15 +1,14 @@
 #
-#	Shorewall 2.2 - Sample Masquerade file For Two Interfaces
+# Shorewall version 2.6 - Masq file
 #
-#	etc/shorewall/masq
+# /etc/shorewall/masq
 #
-#	Use this file to define dynamic NAT (Masquerading) and to define Source NAT
+#	Use this file to define dynamic NAT (Masquerading) and to define
-#	(SNAT).
+#	Source NAT (SNAT).
 #
 # Columns are:
 #
-#	INTERFACE
+#	INTERFACE -- Outgoing interface. This is usually your internet
-#			Outgoing interface. This is usually your internet
 #		     interface. If ADD_SNAT_ALIASES=Yes in
 #		     /etc/shorewall/shorewall.conf, you may add ":" and
 #		     a digit to indicate that you want the alias added with
@@ -40,8 +39,7 @@
 #		     insert rules in this file that preempt entries in
 #		     /etc/shorewall/nat.
 #
-#	SUBNET
+#	SUBNET -- Subnet that you wish to masquerade. You can specify this as
-#			Subnet that you wish to masquerade. You can specify this as
 #		  a subnet or as an interface. If you give the name of an
 #		  interface, you must have iproute installed and the interface
 #		  must be up before you start the firewall.
@@ -55,23 +53,25 @@
 #		  In that example traffic from eth1 would be masqueraded unless
 #		  it came from 192.168.1.4 or 196.168.32.0/27
 #
-#	ADDRESS (Optional)  	
+#	ADDRESS -- (Optional).	If you specify an address here, SNAT will be
-#			If you specify an address here, SNAT will be
 #				used and this will be the source address. If
 #				ADD_SNAT_ALIASES is set to Yes or yes in
 #				/etc/shorewall/shorewall.conf then Shorewall
 #				will automatically add this address to the
 #				INTERFACE named in the first column.
 #
-#			You may also specify a range of up to 256 IP
+#				You may also specify a range of up to 256
-#			addresses if you want the SNAT address to be
+#				IP addresses if you want the SNAT address to
-#			assigned from that range in a round robin range
+#				be assigned from that range in a round-robin
-#			by connection. The range is specified by
+#				range by connection. The range is specified by
 #				<first ip in range>-<last ip in range>.
 #
 #				Example: 206.124.146.177-206.124.146.180
 #
-#			This column may not contain DNS names.
+#				Finally, you may also specify a comma-separated
+#				list of ranges and/or addresses in this column.
+#
+#				This column may not contain DNS Names.
 #
 #				Normally, Netfilter will attempt to retain
 #				the source port number. You may cause
@@ -86,17 +86,32 @@
 #					192.0.2.4:5000-6000
 #					:4000-5000
 #
+#				You can invoke the SAME target using the
+#				following in this column:
+#
+#			SAME:[nodst:]<address-range>[,<address-range>...]
+#
+#				The <address-ranges> may be single addresses.
+#
+#				SAME works like SNAT with the exception that
+#				the same local IP address is assigned to each
+#				connection from a local address to a given
+#				remote address.
+#
+#				If the 'nodst:' option is included, then the
+#				same source address is used for a given
+#				internal system regardless of which remote
+#				system is involved.
+#
 #				If you want to leave this column empty
 #				but you need to specify the next column then
 #				place a hyphen ("-") here.
 #
-#	PROTO -- (Optional)
+#	PROTO -- (Optional)	If you wish to restrict this entry to a
-#			If you wish to restrict this entry to a
 #				particular protocol then enter the protocol
 #				name (from /etc/protocols) or number here.
 #
-#	PORT(S) -- (Optional)
+#	PORT(S) -- (Optional)	If the PROTO column specifies TCP (protocol 6)
-#			If the PROTO column specifies TCP (protocol 6)
 #				or UDP (protocol 17) then you may list one
 #				or more port numbers (or names from
 #				/etc/services) separated by commas or you
@@ -105,29 +120,30 @@
 #				
 #				Where a comma-separated list is given, your
 #				kernel and iptables must have multiport match
-#			support and a maximum of 15 ports may be listed.
+#				support and a maximum of 15 ports may be
+#				listed.
 #				
-#	IPSEC -- (Optional)
+#	IPSEC -- (Optional)	If you specify a value other than "-" in this
-#			If you specify a value other than "-" in this
 #				column, you must be running kernel 2.6 and
 #				your kernel and iptables must include policy
 #				match support.
 #
-#			Comma-separated list of options from the following.
+#				Comma-separated list of options from the
-#                       Only packets that will be encrypted via an SA that
+#				following. Only packets that will be encrypted
-#                       matches these options will have their source address
+#				via an SA that matches these options will have
-#                       changed.
+#				their source address changed.
 #
-#				       Yes or yes -- must be the only option listed
+#					Yes or yes -- must be the only option
-#				       and matches all outbound traffic that will be
+#					listed and matches all outbound
-#				       encrypted.
+#					traffic that will be encrypted.
 #
-#                                      reqid=<number> where <number> is specified
+#					reqid=<number> where <number> is
-#                                      using setkey(8) using the 'unique:<number>
+#					specified using setkey(8) using the
-#                                      option for the SPD level.
+#					'unique:<number> option for the SPD
+#					level.
 #
-#                                      spi=<number> where <number> is the SPI of
+#					spi=<number> where <number> is the
-#                                      the SA.
+#					SPI of the SA.
 #
 #					proto=ah|esp|ipcomp
 #
@@ -139,11 +155,11 @@
 #					tunnel-dst=<address>[/<mask>] (only
 #					available with mode=tunnel)
 #
-#                                      strict  Means that packets must match all
+#					strict	Means that packets must match
-#                                              rules.
+#						all rules.
 #
-#                                      next    Separates rules; can only be used
+#					next	Separates rules; can only be
-#                                              with strict..
+#						used with strict..
 #
 #	Example 1:
 #
@@ -153,12 +169,10 @@
 #
 #		  Your entry in the file can be either:
 #
-#			#INTERFACE		SUBNET		ADDRESS
 #			eth0	eth1
 #
 #		  or
 #
-#			#INTERFACE		SUBNET		ADDRESS
 #			eth0	192.168.0.0/24
 #
 #	Example 2:
@@ -167,7 +181,6 @@
 #		  192.168.1.0/24 which you also want to masquerade. You then
 #		  add a second entry for eth0 to this file:
 #
-#			#INTERFACE		SUBNET		ADDRESS
 #			eth0	192.168.1.0/24
 #
 #	Example 3:
@@ -176,7 +189,6 @@
 #		  masquerade packets coming from 192.168.1.0/24 but only if
 #		  these packets are destined for hosts in 10.1.1.0/24:
 #
-#			#INTERFACE		SUBNET		ADDRESS
 #			ipsec0:10.1.1.0/24	196.168.1.0/24
 #
 #	Example 4:
@@ -186,7 +198,6 @@
 #		  primary address of eth0. You want 206.124.146.176 added to
 #		  be added to eth0 with name eth0:0.
 #
-#			#INTERFACE		SUBNET		ADDRESS
 #			eth0:0	192.168.1.0/24	206.124.146.176
 #
 #	Example 5:
@@ -197,13 +208,14 @@
 #		 from eth1 to be sent from eth0 with source IP address
 #		 206.124.146.176.
 #
-#			INTERFACE  SUBNET  ADDRESS         PROTO    PORT(S)
 #			eth0	eth1	206.124.146.177	tcp	smtp
 #			eth0	eth1	206.124.146.176
 #
 #		THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
 #
-#############################################################################
+# For additional information, see http://shorewall.net/Documentation.htm#Masq
+#
+###############################################################################
 #INTERFACE		SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC
 eth0                    eth1
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/two-interfaces/rules

@@ -1,12 +1,12 @@
 #
-# 	Shorewall version 2.2 - Sample Rules File For Two Interfaces
+# Shorewall version 2.6 - Rules File
 #
 # /etc/shorewall/rules
 #
 #	Rules in this file govern connection establishment. Requests and
 #	responses are automatically allowed using connection tracking. For any
 #	particular (source,dest) pair of zones, the rules are evaluated in the
-#	order in which they appear in the file and the first match is the one
+#	order in which they appear in this file and the first match is the one
 #	that determines the disposition of the request.
 #
 #	In most places where an IP address or subnet is allowed, you
@@ -14,74 +14,73 @@
 #	indicate that the rule matches all addresses except the address/subnet
 #	given. Notice that no white space is permitted between "!" and the
 #	address/subnet.
-#
+#------------------------------------------------------------------------------
-#	WARNING: If you masquerade or use SNAT from a local system to the internet
+# WARNING: If you masquerade or use SNAT from a local system to the internet,
-#		you cannot use a ACCEPT rule to allow traffic from the internet to
+#	   you cannot use an ACCEPT rule to allow traffic from the internet to
-#		that system. You "must" use a DNAT rule instead.
+#	   that system. You *must* use a DNAT rule instead.
-#
+#------------------------------------------------------------------------------
 # Columns are:
 #
+#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
+#			LOG, QUEUE or an <action>.
 #
-#	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
+#				ACCEPT	 -- allow the connection request
-#				REDIRECT-, CONTINUE, LOG, QUEUE or an <action>.
+#				ACCEPT+	 -- like ACCEPT but also excludes the
-#
-#				ACCEPT
-#						Allow the connection request
-#				ACCEPT+
-#						Like ACCEPT but also excludes the
 #					    connection from any subsequent
 #					    DNAT[-] or REDIRECT[-] rules
-#				NONAT
+#				NONAT	 -- Excludes the connection from any
-#						Excludes the connection from any
 #					    subsequent DNAT[-] or REDIRECT[-]
 #					    rules but doesn't generate a rule
 #					    to accept the traffic.
-#				DROP
+#				DROP	 -- ignore the request
-#						Ignore the request
+#				REJECT	 -- disallow the request and return an
-#				REJECT
-#						Disallow the request and return an
 #					    icmp-unreachable or an RST packet.
-#				DNAT
+#				DNAT	 -- Forward the request to another
-#						Forward the request to another
 #					    system (and optionally another
 #					    port).
-#				DNAT-
+#				DNAT-	 -- Advanced users only.
-#						Advanced users only.
 #					    Like DNAT but only generates the
 #					    DNAT iptables rule and not
 #					    the companion ACCEPT rule.
-#				REDIRECT
+#				SAME	 -- Similar to DNAT except that the
-#						Redirect the request to a local
+#					    port may not be remapped and when
+#					    multiple server addresses are
+#					    listed, all requests from a given
+#					    remote system go to the same
+#					    server.
+#				SAME-	 -- Advanced users only.
+#					    Like SAME but only generates the
+#					    NAT iptables rule and not
+#					    the companion ACCEPT rule.
+#				REDIRECT -- Redirect the request to a local
 #					    port on the firewall.
 #				REDIRECT-
-#						Advanced users only.
+#					 -- Advanced users only.
-#						Like REDIRECT but only generates the
+#					    Like REDIRET but only generates the
-#						REDIRECT iptables rule and not the
+#					    REDIRECT iptables rule and not
-#						companion ACCEPT rule.
+#					    the companion ACCEPT rule.
-#				CONTINUE
+#
-#						(For experts only). Do Not Process
+#				CONTINUE -- (For experts only). Do not process
 #					    any of the following rules for this
 #					    (source zone,destination zone). If
-#						the source and/or destination IP
+#					    The source and/or destination IP
 #					    address falls into a zone defined
 #					    later in /etc/shorewall/zones, this
 #					    connection request will be passed
 #					    to the rules defined for that
-#						(those) zones(s).
+#					    (those) zone(s).
-#				LOG		
+#				LOG	 -- Simply log the packet and continue.
-#						Simply log the packet and continue.
+#				QUEUE	 -- Queue the packet to a user-space
-#				QUEUE   
+#					    application such as ftwall
-#						Queue the packet to a user-space
-#						application such as ftwall.
 #					    (http://p2pwall.sf.net).
-#				<action>	
+#				<action> -- The name of an action defined in
-#						The name of an action defined in
 #					    /etc/shorewall/actions or in
 #					    /usr/share/shorewall/actions.std.
 #
-#			The ACTION may optionally be followed by ":" and a syslog
+#			The ACTION may optionally be followed
-#			log level (e.g, REJECT:info or DNAT:debug). This causes the
+#			by ":" and a syslog log level (e.g, REJECT:info or
-#			packet to be logged at the specified level.
+#			DNAT:debug). This causes the packet to be
+#			logged at the specified level.
 #
 #			If the ACTION names an action defined in
 #			/etc/shorewall/actions or in
@@ -99,7 +98,7 @@
 #
 #			You may also specify ULOG (must be in upper case) as a
 #			log level.This will log to the ULOG target for routing
-#			to a separate log through use of ulogd.
+#			to a separate log through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #			Actions specifying logging may be followed by a
@@ -113,17 +112,21 @@
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #			defined in /etc/shorewall/zones, $FW to indicate the
-#			firewall itself, or "all" If the ACTION is DNAT or
+#			firewall itself, "all", "all+" or "none" If the ACTION
-#			REDIRECT, sub-zones of the specified zone may be
+#			is DNAT	or REDIRECT, sub-zones of the specified zone
-#			excluded from the rule by following the zone name with
+#			may be excluded from the rule by following the zone
-#			"!' and a comma-separated list of sub-zone names.
+#			name with "!' and a comma-separated list of sub-zone
+#			names.
+#
+#			When "none" is used either in the SOURCE or DEST
+#			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
-#			intra-zone traffic is not affected. You must add
+#			intra-zone traffic is not affected. When "all+" is
-#			separate rules to handle that traffic.
+#			used, intra-zone traffic is affected.
 #
-#			Except when "all" is specified, clients may be further
+#			Except when "all[+]" is specified, clients may be
-#			restricted to a list of subnets and/or hosts by
+#			further restricted to a list of subnets and/or hosts by
 #			appending ":" and a comma-separated list of subnets
 #			and/or hosts. Hosts may be specified by IP or MAC
 #			address; mac addresses must begin with "~" and must use
@@ -132,22 +135,22 @@
 #			Hosts may be specified as an IP address range using the
 #			syntax <low address>-<high address>. This requires that
 #			your kernel and iptables contain iprange match support.
+#			If you kernel and iptables have ipset match support
+#			then you may give the name of an ipset prefaced by "+".
+#			The ipset name may be optionally followed by a number
+#			from 1 to 6 enclosed in square brackets ([]) to
+#			indicate the number of levels of source bindings to be
+#			matched.
 #
-#		Some Examples:
+#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
-#			net:155.186.235.1
+#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
-#						Host 155.186.235.1 on the Internet
+#						Internet
 #
-#			loc:192.168.1.0/24
+#			loc:192.168.1.1,192.168.1.2
-#						Subnet 192.168.1.0/24 on the
+#						Hosts 192.168.1.1 and
-#						Local Network
+#						192.168.1.2 in the local zone.
-#
+#			loc:~00-A0-C9-15-39-78	Host in the local zone with
-#			net:155.186.235.1,155.186.235.2
-#						Hosts 155.186.235.1 and
-#						155.186.235.2 on the Internet.
-#
-#			loc:~00-A0-C9-15-39-78
-#						Host on the Local Network with
 #						MAC address 00:A0:C9:15:39:78.
 #
 #			net:192.0.2.11-192.0.2.17
@@ -156,21 +159,24 @@
 #
 #			Alternatively, clients may be specified by interface
 #			by appending ":" to the zone name followed by the
-#			interface name. For example, net:eth0 specifies a
+#			interface name. For example, loc:eth1 specifies a
 #			client that communicates with the firewall system
-#			through eth0. This may be optionally followed by
+#			through eth1. This may be optionally followed by
 #			another colon (":") and an IP/MAC/subnet address
-#			as described above (e.g., net:eth0:192.168.1.5).
+#			as described above (e.g., loc:eth1:192.168.1.5).
 #
 #	DEST		Location of Server. May be a zone defined in
 #			/etc/shorewall/zones, $FW to indicate the firewall
-#			itself or "all"
+#			itself, "all". "all+" or "none".
+#
+#			When "none" is used either in the SOURCE or DEST
+#			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
-#			intra-zone traffic is not affected. You must add
+#			intra-zone traffic is not affected. When "all+" is
-#			separate rules to handle that traffic.
+#			used, intra-zone traffic is affected.
 #
-#			Except when "all" is specified, the server may be
+#			Except when "all[+]" is specified, the server may be
 #			further restricted to a particular subnet, host or
 #			interface by appending ":" and the subnet, host or
 #			interface. See above.
@@ -181,48 +187,50 @@
 #				2. In DNAT rules, only IP addresses are
 #				   allowed; no FQDNs or subnet addresses
 #				   are permitted.
-#			3	You may not specify both an interface and 
+#				3. You may not specify both an interface and
 #				   an address.
 #
 #			Like in the SOURCE column, you may specify a range of
 #			up to 256 IP addresses using the syntax
 #			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
-#			the connections will be assigned to the addresses in the
+#			the connections will be assigned to addresses in the
 #			range in a round-robin fashion.
 #
+#			If you kernel and iptables have ipset match support
+#			then you may give the name of an ipset prefaced by "+".
+#			The ipset name may be optionally followed by a number
+#			from 1 to 6 enclosed in square brackets ([]) to
+#			indicate the number of levels of destination bindings
+#			to be matched. Only one of the SOURCE and DEST columns
+#			may specify an ipset name.
+#
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the
 #			destination port. A destination port may only be
 #			included if the ACTION is DNAT or REDIRECT.
 #
-#			Example: net:155.186.235.1:25 specifies a Internet
+#			Example: loc:192.168.1.3:3128 specifies a local
-#			server at IP address 155.186.235.1 and listening on port
+#			server at IP address 192.168.1.3 and listening on port
-#			25. The port number MUST be specified as an integer
+#			3128. The port number MUST be specified as an integer
 #			and not as a name from /etc/services.
 #
-#			If the ACTION is REDIRECT, this column needs only to
+#			if the ACTION is REDIRECT, this column needs only to
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
-#			a number, or "all". "ipp2p" requires ipp2p match
+#			"all".
-#			support in your kernel and iptables.
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
-#			If the protocol is ipp2p, this column is interpreted
-#			as an ipp2p option without the leading "--" (example "bit"
-#			for bit-torrent). If no port is given, "ipp2p" is
-#			assumed.
-#
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
-#			entered if any of the following fields are supplied.
+#			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
@@ -240,8 +248,8 @@
 #			ranges.
 #
 #			If you don't want to restrict client ports but need to
-#			specify an ORIGINAL DEST in the next column, then place
+#			specify an ORIGINAL DEST in the next column, then
-#			"-" in this column.
+#			place "-" in this column.
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
@@ -251,8 +259,8 @@
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
-#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT[-] or 
+#	ORIGINAL DEST	(0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
-#			REDIRECT[-]) If included and different from the IP
+#			then if included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to
 #			that address will be forwarded to the IP and port
@@ -261,82 +269,108 @@
 #			A comma-separated list of addresses may also be used.
 #			This is usually most useful with the REDIRECT target
 #			where you want to redirect traffic destined for
-#			a particular set of hosts.
+#			particular set of hosts.
 #
 #			Finally, if the list of addresses begins with "!" then
 #			the rule will be followed only if the original
 #			destination address in the connection request does not
 #			match any of the addresses listed.
 #
-#	RATE LIMIT	You may rate-limit the rule by placing a value in this column:
+#			For other actions, this column may be included and may
+#			contain one or more addresses (host or network)
+#			separated by commas. Address ranges are not allowed.
+#			When this column is supplied, rules are generated
+#			that require that the original destination address
+#			matches one of the listed addresses. This feature is
+#			most useful when you want to generate a filter rule
+#			that corresponds to a DNAT- or REDIRECT- rule. In this
+#			usage, the list of addresses should not begin with "!".
+#
+#			See http://shorewall.net/PortKnocking.html for an
+#			example of using an entry in this column with a
+#			user-defined action rule.		
+#
+#	RATE LIMIT	You may rate-limit the rule by placing a value in
+#			this colume:
 #
 #				<rate>/<interval>[:<burst>]
 #
-#			Where <rate> is the number of connections per <interval> ("sec"
+#			where <rate> is the number of connections per
-#			or "min") and <burst> is the largest burst permitted. If no
+#			<interval> ("sec" or "min") and <burst> is the
-#			<burst> is given, a value of 5 is assummed. There may be no
+#			largest burst permitted. If no <burst> is given,
-#			whitespace embedded in the specification.
+#			a value of 5 is assumed. There may be no
+#			no whitespace embedded in the specification.
 #
-#		Example:
+#				Example: 10/sec:20
-#				10/sec:20
 #
-#			If you place a rate limit in this column, you may not place
+#	USER/GROUP	This column may only be non-empty if the SOURCE is
-#			a similiar limit in the ACTION column.
+#			the firewall itself.
-#
-#	USER/GROUP	This column may only be non-empty if the SOURCE is the firewall itself.
 #			
 #			The column may contain:
 #
-#			[!][<user name or number>][:<group name or number>]
+#	[!][<user name or number>][:<group name or number>][+<program name>]
 #
-#			When this column is non-empty, the rule applies only if the program
+#			When this column is non-empty, the rule applies only
-#			generating the output is running under the effective <user> and/or <group>
+#			if the program generating the output is running under
-#			specified (or is NOT running under that id if "!" is given).
+#			the effective <user> and/or <group> specified (or is
+#			NOT running under that id if "!" is given).
 #
 #			Examples:
+#
 #				joe	#program must be run by joe
-#				:kids	# program must be run by a member of the 'kids' group.
+#				:kids	#program must be run by a member of
-#				!:kids	# program must not be run by a member of the 'kids' group.
+#					#the 'kids' group
+#				!:kids	#program must not be run by a member
+#					#of the 'kids' group
+#				+upnpd	#program named 'upnpd'
 #
-#	Also by default all outbound loc -> net communications are allowed.
+#	Example: Accept SMTP requests from the DMZ to the internet
-#	You can change this behavior in the sample policy file.
 #
-#	Example:	Accept www requests to the firewall.
+#	#ACTION SOURCE	DEST PROTO	DEST	SOURCE	ORIGINAL
+#	#				PORT	PORT(S) DEST
+#	ACCEPT	dmz	net	  tcp	smtp
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	Example: Forward all ssh and http connection requests from the
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#		 internet to local system 192.168.1.3
-#	ACCEPT		net		fw	tcp	http
 #
-#	Example:	Accept SMTP requests from the Local Network to the Internet
+#	#ACTION SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
-#
+#	#					PORT	PORT(S) DEST
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
-#	ACCEPT		loc		net		tcp	smtp
-#
-#	Example:	Forward all ssh and http connection requests from the Internet
-#			to local system 192.168.1.3
-#
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
 #	DNAT	net	loc:192.168.1.3 tcp	ssh,http
 #
+#	Example: Forward all http connection requests from the internet
+#		 to local system 192.168.1.3 with a limit of 3 per second and
+#		 a maximum burst of 10
+#
+#	#ACTION SOURCE DEST	       PROTO  DEST  SOURCE  ORIGINAL RATE
+#	#				      PORT  PORT(S) DEST     LIMIT
+#	DNAT	net    loc:192.168.1.3 tcp    http  -	    -	     3/sec:10
+#
 #	Example: Redirect all locally-originating www connection requests to
 #		 port 3128 on the firewall (Squid running on the firewall
 #		 system) except when the destination address is 192.168.2.2
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	#ACTION	 SOURCE	DEST	  PROTO	DEST	SOURCE	ORIGINAL
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#	#				PORT	PORT(S) DEST
 #	REDIRECT loc	3128	  tcp	www	 -	!192.168.2.2
 #
-#	Example:	All http requests from the Internet to address
+#	Example: All http requests from the internet to address
 #		 130.252.100.69 are to be forwarded to 192.168.1.3
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/	
+#	#ACTION	 SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#	#					PORT	PORT(S) DEST
 #	DNAT	  net	loc:192.168.1.3 tcp	80	-	130.252.100.69
-##############################################################################
+#
+#	Example: You want to accept SSH connections to your firewall only
+#		 from internet IP addresses 130.252.100.69 and 130.252.100.70
+#
+#	#ACTION	 SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
+#	#					PORT	PORT(S) DEST
+#	ACCEPT	 net:130.252.100.69,130.252.100.70 fw \
+#					tcp	22
+#############################################################################################################
 #ACTION	SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
 #						PORT	PORT(S)		DEST		LIMIT		GROUP
+#                                                       PORT    PORT(S) DEST                    LIMIT   GROUP
 #
 #       Accept DNS connections from the firewall to the network
 #
@@ -359,4 +393,5 @@ Ping/REJECT:none!     net		fw
 ACCEPT          fw              loc             icmp
 ACCEPT          fw              net             icmp
 #
+
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/two-interfaces/zones

@@ -1,19 +1,80 @@
 #
-# 	Shorewall 2.2 -- Sample Zone File For Two Interfaces
+# Shorewall version 2.6 - Zones File
+#
 # /etc/shorewall/zones
 #
-# This file determines your network zones. Columns are:
+#	This file determines your network zones.
+#
+# Columns are:
 #
 #	ZONE	Short name of the zone (5 Characters or less in length).
-#	DISPLAY		Display name of the zone
+#		The names "all" and "none" are reserved and may not be
-#	COMMENTS	Comments about the zone
+#		used as zone names.
+#
+#	IPSEC	Yes --	Communication with all zone hosts is encrypted
+#	ONLY		Your kernel and iptables must include policy
+#			match support.
+#		No  --	Communication with some zone hosts may be encrypted.
+#			Encrypted hosts are designated using the 'ipsec'
+#			option in /etc/shorewall/hosts.
+#
+#	OPTIONS,	A comma-separated list of options as follows:
+#	IN OPTIONS,
+#	OUT OPTIONS	reqid=<number> where <number> is specified
+#			using setkey(8) using the 'unique:<number>
+#			option for the SPD level.
+#
+#			spi=<number> where <number> is the SPI of
+#			the SA used to encrypt/decrypt packets.
+#
+#			proto=ah|esp|ipcomp
+#
+#			mss=<number> (sets the MSS field in TCP packets)
+#
+#			mode=transport|tunnel
+#
+#			tunnel-src=<address>[/<mask>] (only
+#			available with mode=tunnel)
+#
+#			tunnel-dst=<address>[/<mask>] (only
+#			available with mode=tunnel)
+#
+#			strict	Means that packets must match all rules.
+#
+#			next	Separates rules; can only be used with
+#				strict..
+#
+#		Example:
+#			mode=transport,reqid=44
+#
+#	The options in the OPTIONS column are applied to both incoming
+#	and outgoing traffic. The IN OPTIONS are applied to incoming
+#	traffic (in addition to OPTIONS) and the OUT OPTIONS are
+#	applied to outgoing traffic.
+#
+#	If you wish to leave a column empty but need to make an entry
+#	in a following column, use "-".
 #
 # THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
-# See http://www.shorewall.net/Documentation.html#Nested
+# See http://www.shorewall.net/Documentation.htm#Nested
+#------------------------------------------------------------------------------
+# Example zones:
 #
-#ZONE	DISPLAY		COMMENTS
+#	You have a three interface firewall with internet, local and DMZ
-net	Net		Internet
+#	interfaces.
-loc	Local		Local Networks
+#
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+#	#ZONE	IPSEC	OPTIONS		IN			OUT	
+#	net	
+#	loc
+#	dmz
+#
+###############################################################################
+#ZONE	IPSEC	OPTIONS			IN			OUT
+#	ONLY				OPTIONS			OPTIONS
+
+net
+loc
+
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE