From f0887d47ac4ae2b5e30b7f9b7da095f7a11b8c01 Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 10 Nov 2004 21:11:00 +0000 Subject: [PATCH] Update for Shorewall 2.2.0 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1747 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Samples/two-interfaces/interfaces | 21 ++++++-
 Samples/two-interfaces/masq | 89 ++++++++++++++++++++++++++++-
 Samples/two-interfaces/policy | 2 +-
 Samples/two-interfaces/routestopped | 5 +-
 Samples/two-interfaces/rules | 74 +++++++++++++++++++-----
 Samples/two-interfaces/zones | 2 +-
 6 files changed, 171 insertions(+), 22 deletions(-)
diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces
index a0caefd12..924c5cc6f 100755
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- Sample Interface File For Two Interfaces
+# Shorewall 2.2 -- Sample Interface File For Two Interfaces
 #
 # /etc/shorewall/interfaces
 #
@@ -80,6 +80,14 @@
 # Check packets arriving on this interface
 # against the /etc/shorewall/blacklist
 # file.
+# logmartians
+# Turn on kernel martian logging (logging
+# of packets with impossible source
+# addresses. It is suggested that if you
+# set routefilter on an interface that
+# you also set logmartians. This option
+# may also be enabled globally in the
+# /etc/shorewall/shorewall.conf file.
 # maclist
 # Connection requests from this interface
 # are compared against the contents of
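Review bot: The new `logmartians` description opens a parenthesis at "(logging" that is never closed, and it never states that this option only logs — it discards nothing by itself. Because the same paragraph tells the reader to pair it with `routefilter`, the division of labour should be explicit so that nobody enables `logmartians` alone and believes the interface is now protected against spoofed sources. Suggested replacement for the second to fourth lines: `# Turn on kernel martian logging (logging of` / `# packets with impossible source addresses).` / `# This option only logs; rejecting them is the job of routefilter.` That routefilter is what rejects such packets is inferred from the pairing advice here, not shown in this hunk, so confirm it against the routefilter description earlier in the file.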
@@ -109,10 +117,19 @@
 # which are not part of an established connection
 # will be accepted from this interface, even if
 # NEWNOTSYN=No has been specified in
-# /etc/shorewall/shorewall.conf.
+# /etc/shorewall/shorewall.conf. In other
+# words, packets coming in on this interface
+# are processed as if NEWNOTSYN=Yes had been
+# specified in /etc/shorewall/shorewall.conf.
 #
 # This option has no effect if NEWNOTSYN=Yes.
 #
+# It is the opinion of the author that
+# NEWNOTSYN=No creates more problems than
+# it solves and I recommend against using
+# that setting in shorewall.conf (hence
+# making the use of the 'newnotsyn'
+# interface option unnecessary).
 # routeback
 # If specified, indicates that Shorewall
 # should include rules that allow filtering
diff --git a/Samples/two-interfaces/masq b/Samples/two-interfaces/masq
index 3f25845c3..922fd97df 100755
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 - Sample Masquerade file For Two Interfaces
+# Shorewall 2.2 - Sample Masquerade file For Two Interfaces
 #
 # etc/shorewall/masq
 #
@@ -21,6 +21,24 @@
 # This may be qualified by adding the character
 # ":" followed by a destination host or subnet.
 #
+# If you wish to inhibit the action of ADD_SNAT_ALIASES
+# for this entry then include the ":" but omit the digit:
+#
+# eth0:
+# eth2::192.0.2.32/27
+#
+# Normally Masq/SNAT rules are evaluated after those for
+# one-to-one NAT (/etc/shorewall/nat file). If you want
+# the rule to be applied before one-to-one NAT rules,
+# prefix the interface name with "+":
+#
+# +eth0
+# +eth0:192.0.2.32/27
+# +eth0:2
+#
+# This feature should only be required if you need to
+# insert rules in this file that preempt entries in
+# /etc/shorewall/nat.
 #
 # SUBNET
 # Subnet that you wish to masquerade. You can specify this as
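Review bot: The added recommendation against NEWNOTSYN=No records an opinion but neither what the setting protects against nor what the "problems" are, so an administrator reading this sample cannot weigh the trade-off. The surrounding context lines establish the mechanism: NEWNOTSYN=No is what stops TCP packets that are not SYN and match no established connection from being accepted, and with NEWNOTSYN=Yes (or this interface option) those packets are passed on to the rules. I would replace the opinion with the facts, e.g. `# NEWNOTSYN=No rejects non-SYN TCP packets that match no existing` / `# connection; NEWNOTSYN=Yes lets them reach the rules, which avoids` / `# breaking connections that predate a firewall restart but forgoes that check.` The restart case is the usual motivation and is inferred here, not shown in the hunk, so adjust it to whatever the real failure mode was.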
@@ -55,6 +73,57 @@
 #
 # This column may not contain DNS names.
 #
+# PROTO -- (Optional)
+# If you wish to restrict this entry to a
+# particular protocol then enter the protocol
+# name (from /etc/protocols) or number here.
+#
+# PORT(S) -- (Optional)
+# If the PROTO column specifies TCP (protocol 6)
+# or UDP (protocol 17) then you may list one
+# or more port numbers (or names from
+# /etc/services) separated by commas or you
+# may list a single port range
+# (:).
+#
+# Where a comma-separated list is given, your
+# kernel and iptables must have multiport match
+# support and a maximum of 15 ports may be listed.
+#
+# IPSEC -- (Optional)
+# If you specify a value other than "-" in this
+# column, you must be running kernel 2.6 and
+# your kernel and iptables must include policy
+# match support.
+#
+# Comma-separated list of options from the following.
+# Only packets that will be encrypted via an SA that
+# matches these options will have their source address
+# changed.
+#
+# reqid= where is specified
+# using setkey(8) using the 'unique:
+# option for the SPD level.
+#
+# spi= where is the SPI of
+# the SA.
+#
+# proto=ah|esp|ipcomp
+#
+# mode=transport|tunnel
+#
+# tunnel-src=
[/] (only
+# available with mode=tunnel)
+#
+# tunnel-dst=
[/] (only
+# available with mode=tunnel)
+#
+# strict Means that packets must match all
+# rules.
+#
+# next Separates rules; can only be used
+# with strict..
+#
 # Example 1:
 #
 # You have a simple masquerading setup where eth0 connects to
@@ -99,7 +168,21 @@
 # #INTERFACE SUBNET ADDRESS
 # eth0:0 192.168.1.0/24 206.124.146.176
 #
-##############################################################################
-#INTERFACE SUBNET ADDRESS
+# Example 5:
+#
+# You want all outgoing SMTP traffic entering the firewall
+# on eth1 to be sent from eth0 with source IP address
+# 206.124.146.177. You want all other outgoing traffic
+# from eth1 to be sent from eth0 with source IP address
+# 206.124.146.176.
+#
+# INTERFACE SUBNET ADDRESS PROTO PORT(S)
+# eth0 eth1 206.124.146.177 tcp smtp
+# eth0 eth1 206.124.146.176
+#
+# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
+#
+#############################################################################
+#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
 eth0 eth1
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Samples/two-interfaces/policy b/Samples/two-interfaces/policy
index 4146b6926..1a8e76656 100644
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- Sample Policy File For Two Interfaces
+# Shorewall 2.2 -- Sample Policy File For Two Interfaces
 #
 # /etc/shorewall/policy
 #
diff --git a/Samples/two-interfaces/routestopped b/Samples/two-interfaces/routestopped
index 1b401b759..0913d722d 100644
--- a/Samples/two-interfaces/routestopped
+++ b/Samples/two-interfaces/routestopped
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.0 -- Sample Routestopped file for two interfaces.
+# Shorewall 2.2 -- Sample Routestopped file for two interfaces.
 #
 # /etc/shorewall/routestopped
 #
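Review bot: The IPSEC column text describes only how to narrow an entry to packets that will be encrypted by a matching SA, and says nothing about the case a masquerading gateway that also terminates tunnels usually needs — keeping traffic that is about to enter an IPsec SA out of SNAT altogether. If that is achieved by another mechanism (the SUBNET exclusion syntax above this hunk, perhaps), a one-line pointer here would stop readers from reaching for the IPSEC column and getting the opposite effect; I am inferring the gap, the hunk does not contradict it. Separately, `with strict..` in the `next` description has a doubled full stop and should read `# with strict.`.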
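Review bot: `THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!` shouts without saying what the ordering rule is, and Example 5 only works if entries are tried in file order with the first match winning — otherwise the catch-all `eth0 eth1 206.124.146.176` entry would also capture SMTP. Replace the shouted line with the rule the example depends on, e.g. `# Entries are applied in the order listed and the first match wins,` / `# so the port-specific SMTP entry must precede the catch-all entry.` First-match behaviour is inferred from the example rather than stated anywhere in this hunk, so confirm it against the masq documentation before wording it that way. The live entry `eth0 eth1` is unchanged and still masquerades everything arriving on eth1 regardless of protocol, which is fine for the two-interface sample but worth a glance now that PROTO/PORT(S)/IPSEC columns exist.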
@@ -17,6 +17,9 @@
 # addresses. If left empty or supplied as "-",
 # 0.0.0.0/0 is assumed.
 #
+# If your kernel and iptables include iprange match
+# support, IP address ranges are also allowed.
+#
 # Example:
 #
 # INTERFACE HOST(S)
diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules
index 95315f9e6..c5f5cdafe 100755
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.0 - Sample Rules File For Two Interfaces
+# Shorewall version 2.2 - Sample Rules File For Two Interfaces
 #
 # /etc/shorewall/rules
 #
@@ -27,6 +27,15 @@
 #
 # ACCEPT
 # Allow the connection request
+# ACCEPT+
+# Like ACCEPT but also excludes the
+# connection from any subsequent
+# DNAT[-] or REDIRECT[-] rules
+# NONAT
+# Excludes the connection from any
+# subsequent DNAT[-] or REDIRECT[-]
+# rules but doesn't generate a rule
+# to accept the traffic.
 # DROP
 # Ignore the request
 # REJECT
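Review bot: The NONAT entry says it `doesn't generate a rule to accept the traffic` but leaves implicit what then happens to the connection, which is the part a reader is likely to get wrong: the connection is exempted from DNAT/REDIRECT and is then handled by whatever rule or policy applies next, so a lone NONAT line under a DROP or REJECT policy exempts the connection only to have it discarded. One sentence would close that gap, e.g. `# The connection is still subject to later rules and to the policy for the zone pair.` That fallback to the policy file is inferred from the sample's rules/policy split, not shown in this hunk, so verify the wording against the policy documentation.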
@@ -74,11 +83,34 @@
 # log level (e.g, REJECT:info or DNAT:debug). This causes the
 # packet to be logged at the specified level.
 #
+# If the ACTION names an action defined in
+# /etc/shorewall/actions or in
+# /usr/share/shorewall/actions.std then:
+#
+# - If the log level is followed by "!' then all rules
+# in the action are logged at the log level.
+#
+# - If the log level is not followed by "!" then only
+# those rules in the action that do not specify
+# logging are logged at the specified level.
+#
+# - The special log level 'none!' suppresses logging
+# by the action.
+#
 # You may also specify ULOG (must be in upper case) as a
 # log level. This will log to the ULOG target for routing
 # to a separate log through use of ulogd.
 # (http://www.gnumonks.org/projects/ulogd).
 #
+# Actions specifying logging may be followed by a
+# log tag (a string of alphanumeric characters)
+# are appended to the string generated by the
+# LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+# Example: ACCEPT:info:ftp would include 'ftp '
+# at the end of the log prefix generated by the
+# LOGPREFIX setting.
+#
 # SOURCE Source hosts to which the rule applies. May be a zone
 # defined in /etc/shorewall/zones, $FW to indicate the
 # firewall itself, or "all" If the ACTION is DNAT or
@@ -86,6 +118,10 @@
 # excluded from the rule by following the zone name with
 # "!' and a comma-separated list of sub-zone names.
 #
+# When "all" is used either in the SOURCE or DEST column
+# intra-zone traffic is not affected. You must add
+# separate rules to handle that traffic.
+#
 # Except when "all" is specified, clients may be further
 # restricted to a list of subnets and/or hosts by
 # appending ":" and a comma-separated list of subnets
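Review bot: Two wording defects in the new logging text. `followed by "!'` mixes a double and a single quote (the next bullet correctly writes `"!"`), and the log-tag paragraph has lost its verb — `may be followed by a log tag (...) are appended to the string` — so it never says what is appended to what. Suggested lines: `# - If the log level is followed by "!" then all rules` and `# log tag (a string of alphanumeric characters) which is` / `# appended to the string generated by the`. If the underlying log prefix has a fixed maximum length, the tag paragraph should also say what happens when LOGPREFIX plus the tag exceeds it; that limit is not shown here, so check before documenting it.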
@@ -93,6 +129,10 @@
 # address; mac addresses must begin with "~" and must use
 # "-" as a separator.
 #
+# Hosts may be specified as an IP address range using the
+# syntax -. This requires that
+# your kernel and iptables contain iprange match support.
+#
 # Some Examples:
 #
 # net:155.186.235.1
@@ -110,6 +150,10 @@
 # Host on the Local Network with
 # MAC address 00:A0:C9:15:39:78.
 #
+# net:192.0.2.11-192.0.2.17
+# Hosts 192.0.2.11-192.0.2.17 in
+# the net zone.
+#
 # Alternatively, clients may be specified by interface
 # by appending ":" to the zone name followed by the
 # interface name. For example, net:eth0 specifies a
@@ -122,6 +166,10 @@
 # /etc/shorewall/zones, $FW to indicate the firewall
 # itself or "all"
 #
+# When "all" is used either in the SOURCE or DEST column
+# intra-zone traffic is not affected. You must add
+# separate rules to handle that traffic.
+#
 # Except when "all" is specified, the server may be
 # further restricted to a particular subnet, host or
 # interface by appending ":" and the subnet, host or
@@ -136,7 +184,7 @@
 # 3 You may not specify both an interface and
 # an address.
 #
-# Unlike in the SOURCE column, you may specify a range of
+# Like in the SOURCE column, you may specify a range of
 # up to 256 IP addresses using the syntax
 # -. When the ACTION is DNAT or DNAT-,
 # the connections will be assigned to the addresses in the
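Review bot: Changing `Unlike` to `Like in the SOURCE column` leaves the two range descriptions disagreeing: the SOURCE text added earlier in this commit says only that a range needs iprange match support and gives no size limit, while the DEST text still says `a range of up to 256 IP addresses` and says nothing about iprange. Say which constraint applies where — presumably the 256 cap belongs to DNAT/DNAT- address distribution and not to range matching in general, but that is an inference from the sentence that follows, not something the hunk states. Something like `# Like in the SOURCE column, you may specify a range using the syntax` / `# <first>-<last> (requires iprange match support). When the ACTION is DNAT or DNAT-,` / `# the range is limited to 256 addresses and connections are distributed over them` would resolve it once the real rule is confirmed.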
@@ -157,14 +205,20 @@
 # contain the port number on the firewall that the
 # request should be redirected to.
 #
-# PROTO Protocol - Must be "tcp", "udp", "icmp", a number or
-# "all".
+# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
+# a number, or "all". "ipp2p" requires ipp2p match
+# support in your kernel and iptables.
 #
 # DEST PORT(S) Destination Ports. A comma-separated list of Port
 # names (from /etc/services), port numbers or port
 # ranges; if the protocol is "icmp", this column is
 # interpreted as the destination icmp-type(s).
 #
+# If the protocol is ipp2p, this column is interpreted
+# as an ipp2p option without the leading "--" (example "bit"
+# for bit-torrent). If no port is given, "ipp2p" is
+# assumed.
+#
 # A port range is expressed as :.
 #
 # This column is ignored if PROTOCOL = all but must be
@@ -186,8 +240,8 @@
 # ranges.
 #
 # If you don't want to restrict client ports but need to
-# specify an ADDRESS in the next column, then place "-"
-# in this column.
+# specify an ORIGINAL DEST in the next column, then place
+# "-" in this column.
 #
 # If your kernel contains multi-port match support, then
 # only a single Netfilter rule will be generated if in
@@ -214,14 +268,6 @@
 # destination address in the connection request does not
 # match any of the addresses listed.
 #
-# The address may optionally be followed by
-# a colon (":") and a second IP address. This causes
-# Shorewall to use the second IP address as the source
-# address in forwarded packets. See the Shorewall
-# documentation for restrictions concerning this feature.
-# If no source IP address is given, the original source
-# address is not altered.
-#
 # RATE LIMIT You may rate-limit the rule by placing a value in this column:
 #
 # /[:]
diff --git a/Samples/two-interfaces/zones b/Samples/two-interfaces/zones
index 0ace51540..e5171fce3 100644
--- a/Samples/two-interfaces/zones
+++ b/Samples/two-interfaces/zones
@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- Sample Zone File For Two Interfaces
+# Shorewall 2.2 -- Sample Zone File For Two Interfaces
 # /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are: