Update for Shorewall 2.2.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1747 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/two-interfaces/interfaces

@@ -1,5 +1,5 @@
 #	
-#	Shorewall 2.0 -- Sample Interface File For Two Interfaces
+#	Shorewall 2.2 -- Sample Interface File For Two Interfaces
 #
 # 	/etc/shorewall/interfaces
 #
@@ -80,6 +80,14 @@
 #				Check packets arriving on this interface
 #				against the /etc/shorewall/blacklist
 #				file.
+#		logmartians
+#				Turn on kernel martian logging (logging
+#				of packets with impossible source
+#				addresses. It is suggested that if you
+#				set routefilter on an interface that
+#				you also set logmartians. This option
+#				may also be enabled globally in the
+#				/etc/shorewall/shorewall.conf file.
 #		maclist
 #				Connection requests from this interface
 #				are compared against the contents of
@@ -109,10 +117,19 @@
 #				which are not part of an established connection
 #				will be accepted from this interface, even if
 #				NEWNOTSYN=No has been specified in
-#				/etc/shorewall/shorewall.conf.
+#				/etc/shorewall/shorewall.conf. In other
+#				words, packets coming in on this interface
+#				are processed as if NEWNOTSYN=Yes had been
+#				specified in /etc/shorewall/shorewall.conf.
 #
 #				This option has no effect if NEWNOTSYN=Yes.
 #
+#				It is the opinion of the author that
+#				NEWNOTSYN=No creates more problems than
+#				it solves and I recommend against using
+#				that setting in shorewall.conf (hence
+#				making the use of the 'newnotsyn'
+#				interface option unnecessary).
 #		routeback
 #				If specified, indicates that Shorewall
 #				should include rules that allow filtering

Samples/two-interfaces/masq

@@ -1,5 +1,5 @@
 #	
-#	Shorewall 2.0 - Sample Masquerade file For Two Interfaces
+#	Shorewall 2.2 - Sample Masquerade file For Two Interfaces
 #
 #	etc/shorewall/masq
 #
@@ -21,6 +21,24 @@
 #			This may be qualified by adding the character
 #			":" followed by a destination host or subnet.
 #
+#			If you wish to inhibit the action of ADD_SNAT_ALIASES
+#			for this entry then include the ":" but omit the digit:
+#
+#                              eth0:
+#                              eth2::192.0.2.32/27
+#
+#			Normally Masq/SNAT rules are evaluated after those for
+#			one-to-one NAT (/etc/shorewall/nat file). If you want
+#			the rule to be applied before one-to-one NAT rules,
+#			prefix the interface name with "+":
+#
+#				+eth0
+#				+eth0:192.0.2.32/27
+#				+eth0:2
+#
+#			This feature should only be required if you need to
+#			insert rules in this file that preempt entries in
+#			/etc/shorewall/nat.
 #
 #	SUBNET
 #			Subnet that you wish to masquerade. You can specify this as
@@ -55,6 +73,57 @@
 #
 #			This column may not contain DNS names.
 #
+#	PROTO -- (Optional)
+#			If you wish to restrict this entry to a
+#			particular protocol then enter the protocol
+#			name (from /etc/protocols) or number here.
+#
+#	PORT(S) -- (Optional)
+#			If the PROTO column specifies TCP (protocol 6)
+#			or UDP (protocol 17) then you may list one
+#			or more port numbers (or names from
+#			/etc/services) separated by commas or you
+#			may list a single port range
+#			(<low port>:<high port>).
+#
+#			Where a comma-separated list is given, your
+#			kernel and iptables must have multiport match
+#			support and a maximum of 15 ports may be listed.
+#
+#	IPSEC -- (Optional)
+#			If you specify a value other than "-" in this
+#			column, you must be running kernel 2.6 and
+#			your kernel and iptables must include policy
+#                       match support.
+#
+#			Comma-separated list of options from the following.
+#                       Only packets that will be encrypted via an SA that
+#                       matches these options will have their source address
+#                       changed.
+#
+#                                      reqid=<number> where <number> is specified
+#                                      using setkey(8) using the 'unique:<number>
+#                                      option for the SPD level.
+#
+#                                      spi=<number> where <number> is the SPI of
+#                                      the SA.
+#
+#                                      proto=ah|esp|ipcomp
+#
+#                                      mode=transport|tunnel
+#
+#                                      tunnel-src=<address>[/<mask>] (only
+#                                      available with mode=tunnel)
+#
+#                                      tunnel-dst=<address>[/<mask>] (only
+#                                      available with mode=tunnel)
+#
+#                                      strict  Means that packets must match all
+#                                              rules.
+#
+#                                      next    Separates rules; can only be used
+#                                              with strict..
+#
 #		Example 1:
 #
 #			You have a simple masquerading setup where eth0 connects to
@@ -99,7 +168,21 @@
 #			#INTERFACE		SUBNET		ADDRESS
 #			eth0:0			192.168.1.0/24	206.124.146.176
 #
-##############################################################################
+#		Example 5:
-#INTERFACE		SUBNET		ADDRESS
+#
+#			You want all outgoing SMTP traffic entering the firewall
+#			on eth1 to be sent from eth0 with source IP address
+#			206.124.146.177. You want all other outgoing traffic
+#			from eth1 to be sent from eth0 with source IP address
+#			206.124.146.176.
+#
+#			INTERFACE  SUBNET  ADDRESS         PROTO    PORT(S)
+#			eth0       eth1    206.124.146.177 tcp      smtp
+#			eth0       eth1    206.124.146.176
+#
+#			THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
+#
+#############################################################################
+#INTERFACE		SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC
 eth0			eth1
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/two-interfaces/policy

@@ -1,5 +1,5 @@
 #	
-# 	Shorewall 2.0 -- Sample Policy File For Two Interfaces
+# 	Shorewall 2.2 -- Sample Policy File For Two Interfaces
 #
 # 	/etc/shorewall/policy
 #

Samples/two-interfaces/routestopped

@@ -1,6 +1,6 @@
 ##############################################################################
 #
-#	Shorewall 2.0	--	Sample Routestopped file for two interfaces.
+#	Shorewall 2.2	--	Sample Routestopped file for two interfaces.
 #
 #	/etc/shorewall/routestopped
 #
@@ -17,6 +17,9 @@
 #			addresses. If left empty or supplied as "-", 
 #			0.0.0.0/0 is assumed.
 #
+#			If your kernel and iptables include iprange match
+#			support, IP address ranges are also allowed.
+#
 #	Example:
 #
 #	INTERFACE	HOST(S)

Samples/two-interfaces/rules

@@ -1,5 +1,5 @@
 #	
-# 	Shorewall version 2.0 - Sample Rules File For Two Interfaces
+# 	Shorewall version 2.2 - Sample Rules File For Two Interfaces
 #
 # 	/etc/shorewall/rules
 #
@@ -27,6 +27,15 @@
 #
 #				ACCEPT
 #						Allow the connection request
+#				ACCEPT+
+#						Like ACCEPT but also excludes the
+#						connection from any subsequent
+#						DNAT[-] or REDIRECT[-] rules
+#				NONAT
+#						Excludes the connection from any
+#						subsequent DNAT[-] or REDIRECT[-]
+#						rules but doesn't generate a rule
+#						to accept the traffic.
 #				DROP
 #						Ignore the request
 #				REJECT
@@ -74,11 +83,34 @@
 #			log level (e.g, REJECT:info or DNAT:debug). This causes the
 #			packet to be logged at the specified level.
 #
+#			If the ACTION names an action defined in
+#			/etc/shorewall/actions or in
+#			/usr/share/shorewall/actions.std then:
+#
+#			- If the log level is followed by "!' then all rules
+#			  in the action are logged at the log level.
+#
+#			- If the log level is not followed by "!" then only
+#			  those rules in the action that do not specify
+#			  logging are logged at the specified level.
+#
+#			- The special log level 'none!' suppresses logging
+#			  by the action.
+#
 #			You may also specify ULOG (must be in upper case) as a 
 #			log level. This will log to the ULOG target for routing
 #			to a separate log through use of ulogd.
 #			(http://www.gnumonks.org/projects/ulogd).
 #
+#			Actions specifying logging may be followed by a
+#			log tag (a string of alphanumeric characters)
+#			are appended to the string generated by the
+#			LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+#			Example: ACCEPT:info:ftp would include 'ftp '
+#			at the end of the log prefix generated by the
+#			LOGPREFIX setting.
+#
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #			defined in /etc/shorewall/zones, $FW to indicate the
 #			firewall itself, or "all" If the ACTION is DNAT or
@@ -86,6 +118,10 @@
 #			excluded from the rule by following the zone name with
 #			"!' and a comma-separated list of sub-zone names.
 #
+#			When "all" is used either in the SOURCE or DEST column
+#			intra-zone traffic is not affected. You must add
+#			separate rules to handle that traffic.
+#
 #			Except when "all" is specified, clients may be further
 #			restricted to a list of subnets and/or hosts by
 #			appending ":" and a comma-separated list of subnets
@@ -93,6 +129,10 @@
 #			address; mac addresses must begin with "~" and must use
 #			"-" as a separator.
 #
+#			Hosts may be specified as an IP address range using the
+#			syntax <low address>-<high address>. This requires that
+#			your kernel and iptables contain iprange match support.
+#
 #		Some Examples:
 #
 #			net:155.186.235.1
@@ -110,6 +150,10 @@
 #						Host on the Local Network with
 #						MAC address 00:A0:C9:15:39:78.
 #
+#			net:192.0.2.11-192.0.2.17
+#						Hosts 192.0.2.11-192.0.2.17 in
+#						the net zone.
+#
 #			Alternatively, clients may be specified by interface
 #			by appending ":" to the zone name followed by the
 #			interface name. For example, net:eth0 specifies a
@@ -122,6 +166,10 @@
 #			/etc/shorewall/zones, $FW to indicate the firewall
 #			itself or "all"
 #
+#			When "all" is used either in the SOURCE or DEST column
+#			intra-zone traffic is not affected. You must add
+#			separate rules to handle that traffic.
+#
 #			Except when "all" is specified, the server may be
 #			further restricted to a particular subnet, host or
 #			interface by appending ":" and the subnet, host or
@@ -136,7 +184,7 @@
 #			3	You may not specify both an interface and 
 #				an address.
 #
-#			Unlike in the SOURCE column, you may specify a range of
+#			Like in the SOURCE column, you may specify a range of
 #			up to 256 IP addresses using the syntax
 #			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
 #			the connections will be assigned to the addresses in the
@@ -157,14 +205,20 @@
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number or
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-#			"all".
+#			a number, or "all". "ipp2p" requires ipp2p match
+#			support in your kernel and iptables.
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
+#			If the protocol is ipp2p, this column is interpreted
+#			as an ipp2p option without the leading "--" (example "bit"
+#			for bit-torrent). If no port is given, "ipp2p" is
+#			assumed.
+#
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
@@ -186,8 +240,8 @@
 #			ranges.
 #
 #			If you don't want to restrict client ports but need to
-#			specify an ADDRESS in the next column, then place "-"
+#			specify an ORIGINAL DEST in the next column, then place
-#			in this column.
+#			"-" in this column.
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
@@ -214,14 +268,6 @@
 #			destination address in the connection request does not
 #			match any of the addresses listed.
 #
-#			The address may optionally be followed by
-#			a colon (":") and a second IP address. This causes
-#			Shorewall to use the second IP address as the source
-#			address in forwarded packets. See the Shorewall
-#			documentation for restrictions concerning this feature.
-#			If no source IP address is given, the original source
-#			address is not altered.
-#
 #	RATE LIMIT	You may rate-limit the rule by placing a value in this column:
 #
 #				<rate>/<interval>[:<burst>]

Samples/two-interfaces/zones

@@ -1,5 +1,5 @@
 #
-# 	Shorewall 2.0 -- Sample Zone File For Two Interfaces
+# 	Shorewall 2.2 -- Sample Zone File For Two Interfaces
 # 	/etc/shorewall/zones
 #
 # This file determines your network zones. Columns are: