More changes to my config docs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1843 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-12-20 19:52:11 +00:00
parent 64dba9e73f
commit f26d2243f6
3 changed files with 868 additions and 5870 deletions

Binary file not shown.

File diff suppressed because it is too large


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-12-18</pubdate>
<pubdate>2004-12-20</pubdate>
<copyright>
<year>2001-2004</year>
@ -29,8 +29,7 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -41,9 +40,9 @@
<para>I use a combination of One-to-one NAT and Proxy ARP, neither of
which are relevant to a simple configuration with a single public IP
address. If you have just a single public IP address, most of what you
see here won't apply to your setup so beware of copying parts of this
configuration and expecting them to work for you. What you copy may or
may not work for you.</para>
see here won&#39;t apply to your setup so beware of copying parts of
this configuration and expecting them to work for you. What you copy may
or may not work for you.</para>
</caution>
<caution>
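Review bot: style point on the caution text and on most of the later hunks in this file: the only substantive change in this hunk is that a literal apostrophe becomes `&#39;` (and, further down, double quotes become `&#34;`, `>` becomes `&#62;`). In XML text content only `<` and `&` must be escaped, so these entities are editor-generated churn that makes the real wording changes hard to spot in review. Consider turning that escaping off in the editor so future diffs only show intended edits.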
@ -58,9 +57,8 @@
(factory default). The modem is configured in <quote>bridge</quote> mode
so PPPoE is not involved. I have a local network connected to eth0 (subnet
192.168.1.0/24) and a DMZ connected to eth2 (206.124.146.176/32). Note
that I configure the same IP address on both <filename
class="devicefile">eth1</filename> and <filename
class="devicefile">eth2</filename>.</para>
that I configure the same IP address on both <filename class="devicefile">eth1</filename>
and <filename class="devicefile">eth2</filename>.</para>
<para>In this configuration:</para>
@ -78,20 +76,18 @@
</listitem>
<listitem>
<para>I use SNAT through 206.124.146.176 for&nbsp;my Wife's Windows XP
system <quote>Tarry</quote>, and our&nbsp; dual-booting (SuSE
9.2/Windows XP) laptop <quote>Tipper</quote> which connects through
the Wireless Access Point (wap) via a Wireless Bridge (wet).<note>
<para>While the distance between the WAP and where I usually use
the laptop isn't very far (50 feet or so), using a WAC11 (CardBus
wireless card) has proved very unsatisfactory (lots of lost
connections). By replacing the WAC11 with the WET11 wireless
bridge, I have virtually eliminated these problems (Being an old
radio tinkerer (K7JPV), I was also able to eliminate the
disconnects by hanging a piece of aluminum foil on the family room
wall. Needless to say, my wife Tarry rejected that as a permanent
solution :-).</para>
</note></para>
<para>I use SNAT through 206.124.146.176 for&#x00A0;my Wife&#39;s
Windows XP system <quote>Tarry</quote>, and our&#x00A0; dual-booting
(SuSE 9.2/Windows XP) laptop <quote>Tipper</quote> which connects
through the Wireless Access Point (wap) via a Wireless Bridge (wet).<note><para>While
the distance between the WAP and where I usually use the laptop
isn&#39;t very far (50 feet or so), using a WAC11 (CardBus wireless
card) has proved very unsatisfactory (lots of lost connections). By
replacing the WAC11 with the WET11 wireless bridge, I have virtually
eliminated these problems (Being an old radio tinkerer (K7JPV), I was
also able to eliminate the disconnects by hanging a piece of aluminum
foil on the family room wall. Needless to say, my wife Tarry rejected
that as a permanent solution :-).</para></note></para>
</listitem>
</itemizedlist>
@ -112,9 +108,9 @@
<para>Ursa runs Samba for file sharing with the Windows systems and is
configured as a Wins server.</para>
<para>The wireless network connects to Ursa's eth1 via a LinkSys
WAP11.&nbsp; In additional to using the rather weak WEP 40-bit encryption
(64-bit with the 24-bit preamble), I use <ulink
<para>The wireless network connects to Ursa&#39;s eth1 via a LinkSys
WAP11.&#x00A0; In additional to using the rather weak WEP 40-bit
encryption (64-bit with the 24-bit preamble), I use <ulink
url="MAC_Validation.html">MAC verification</ulink> and <ulink
url="IPSEC-2.6.html">Kernel 2.6 IPSEC</ulink>.</para>
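Review bot: the reflowed sentence keeps the grammatical error "In additional to using the rather weak WEP 40-bit encryption"; it should read "In addition to using ...". Since the line is being rewritten anyway, this is the place to fix it.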
@ -145,16 +141,16 @@
in the DMZ.</para>
<para>The ethernet interface in the Server is configured with IP address
206.124.146.177, netmask 255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same default gateway used
by the firewall itself). On the firewall, an entry in my
206.124.146.177, netmask 255.255.255.0. The server&#39;s default gateway
is 206.124.146.254 (Router at my ISP. This is the same default gateway
used by the firewall itself). On the firewall, an entry in my
/etc/network/interfaces file (see below) adds a host route to
206.124.146.177 through eth1 when that interface is brought up.</para>
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access from
my work laptop and the Firewall is configured with IPSEC for tunnel mode
access from our second home in <ulink
url="http://www.omakchamber.com/">Omak, Washington</ulink>.</para>
my work laptop and the Firewall is configured with OpenVPN for VPN access
from our second home in <ulink url="http://www.omakchamber.com/">Omak,
Washington</ulink> or when we are otherwise out of town.</para>
<para><graphic align="center" fileref="images/network.png" /></para>
</section>
@ -167,7 +163,7 @@
<blockquote>
<programlisting>LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s "
LOGFORMAT=&#34;Shorewall:%s:%s &#34;
LOGRATE=
LOGBURST=
LOGUNCLEAN=$LOG
@ -213,10 +209,9 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<title>Params File (Edited)</title>
<blockquote>
<para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
TEXAS=&lt;ip address of gateway in Plano&gt;
OMAK=64.139.97.48
<para><programlisting>MIRRORS=&#60;list of shorewall mirror ip addresses&#62;
NTPSERVERS=&#60;list of the NTP servers I sync with&#62;
TEXAS=&#60;ip address of gateway in Plano&#62;
LOG=info
EXT_IF=eth1
INT_IF=eth2
@ -232,7 +227,7 @@ DMZ_IF=eth0</programlisting></para>
net Internet Internet
dmz DMZ Demilitarized zone
loc Local Local networks
omak Omak Our Laptop in Omak
road Roadwarrior Our Laptop on the Road
tx Texas Peer Network in Dallas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
@ -247,10 +242,11 @@ tx Texas Peer Network in Dallas
up my Ethernet interfaces.</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF detect dhcp
dmz $DMZ_IF -
- texas -
net $EXT_IF 206.124.146.255 dhcp,norfc1918,routefilter,logmartians,blacklist,tcpflags,nosmurfs
loc $INT_IF detect dhcp
dmz $DMZ_IF -
- texas -
road tun+ -
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -261,23 +257,10 @@ dmz $DMZ_IF -
<blockquote>
<programlisting>#ZONE HOST(S) OPTIONS
tx texas:192.168.8.0/22
omak $EXT_IF:$OMAK
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>Ipsec File</title>
<blockquote>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
omak yes mode=tunnel
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>Routestopped File</title>
@ -285,7 +268,6 @@ omak yes mode=tunnel
<programlisting>#INTERFACE HOST(S)
$DMZ_IF 206.124.146.177
$INT_IF -
$EXT_IF $OMAK
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -330,16 +312,9 @@ $EXT_IF $OMAK
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
fw fw ACCEPT
loc net ACCEPT
omak fw ACCEPT
fw omak ACCEPT
omak loc ACCEPT
loc omak ACCEPT
omak net NONE
net omak NONE
omak dmz NONE
dmz omak NONE
omak tx NONE
tx omak NONE
fw road ACCEPT
road loc ACCEPT
loc road ACCEPT
$FW loc ACCEPT
$FW tx ACCEPT
loc tx ACCEPT
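Review bot: logic question on the replacement policies: the removed omak block had `omak fw ACCEPT`, but the new road block only has `fw road ACCEPT`, `road loc ACCEPT` and `loc road ACCEPT`. With the file ending in `all all REJECT $LOG`, traffic from the laptop to the firewall itself over the tunnel will be rejected and logged unless the rules file allows it explicitly. If that is intended, a comment saying so would help; if not, add `road fw ACCEPT`. Likewise the explicit `NONE` policies for omak<->net, omak<->dmz and omak<->tx were dropped without road equivalents, so those pairs now fall through to the logged REJECT instead of being silently skipped.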
@ -356,14 +331,15 @@ all all REJECT $LOG
<blockquote>
<para>Although most of our internal systems use one-to-one NAT, my
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as
does our laptop (192.168.1.8) and visitors with laptops.</para>
wife&#39;s system (192.168.1.4) uses IP Masquerading (actually SNAT)
as does our laptop (192.168.1.8) and visitors with laptops.</para>
<para>The first entry allows access to the DSL modem and uses features
introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
rule to be placed before rules generated by the /etc/shorewall/nat
file below. The double colons ("::") causes the entry to be exempt
from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
introduced in Shorewall 2.1.1. The leading plus sign (&#34;+_&#34;)
causes the rule to be placed before rules generated by the
/etc/shorewall/nat file below. The double colons (&#34;::&#34;) causes
the entry to be exempt from ADD_SNAT_ALIASES=Yes in my shorewall.conf
file above.</para>
<programlisting>#INTERFACE SUBNET ADDRESS
+$EXT_IF::192.168.1.1 0.0.0.0/0 192.168.1.254
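Review bot: documentation point: the text says "The leading plus sign ("+_")", but the listing that follows uses a bare `+` (`+$EXT_IF::192.168.1.1`). The underscore looks like a typo for `"+"` and should be removed so the description matches the example.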
@ -401,13 +377,12 @@ $EXT_IF:2 eth2 206.124.146.176
</section>
<section>
<title>Tunnels File (Shell variables TEXAS and OMAK set in
/etc/shorewall/params)</title>
<title>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)</title>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
gre net $TEXAS
ipsec:noah net $OMAK omak
openvpn:1194 net 0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -428,8 +403,7 @@ Mirrors #Accept traffic from the Shorewall Mirror sites
<blockquote>
<para>The $MIRRORS variable expands to a list of approximately 10 IP
addresses. So moving these checks into a separate chain reduces the
number of rules that most net-&gt;dmz traffic needs to
traverse.</para>
number of rules that most net-&#62;dmz traffic needs to traverse.</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
@ -456,7 +430,7 @@ RejectSMB
DropUPnP
dropNotSyn
DropDNSrep
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn&#39;t flood my log
#with NTP requests with a source address in 16.0.0.0/8 (address of
#its PPTP tunnel to HP).</programlisting>
</blockquote>
@ -486,7 +460,7 @@ spdadd 206.124.146.176/32 64.139.97.48/32 any -P out ipsec esp/tunnel/206.12
<blockquote>
<para>SA parameters for communication with our second home.</para>
<programlisting> path certificate "/etc/certs" ;
<programlisting> path certificate &#34;/etc/certs&#34; ;
listen
{
isakmp 206.124.146.176;
@ -495,7 +469,7 @@ spdadd 206.124.146.176/32 64.139.97.48/32 any -P out ipsec esp/tunnel/206.12
remote 64.139.97.48
{
exchange_mode main ;
certificate_type x509 "gateway.pem" "gateway_key.pem";
certificate_type x509 &#34;gateway.pem&#34; &#34;gateway_key.pem&#34;;
verify_cert on;
my_identifier asn1dn ;
peers_identifier asn1dn ;
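Review bot: this hunk (and the setkey.conf hunk just above it, whose context still shows `spdadd 206.124.146.176/32 64.139.97.48/32 ... esp/tunnel/...`) only changes quote escaping, so the main firewall's `/etc/racoon/racoon.conf` still carries `remote 64.139.97.48` described as "SA parameters for communication with our second home". Earlier in this same commit the omak zone, the `ipsec:noah net $OMAK omak` tunnel entry, the `OMAK` params variable and the omak policies were all removed in favour of OpenVPN. Either delete these two racoon/setkey sections as well, or add a sentence saying they are retained on purpose; as it stands the page describes an IPsec peer that no longer has a Shorewall zone.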
@ -531,8 +505,7 @@ sainfo address 206.124.146.176/32 any address 64.139.97.48/32 any
</section>
<section>
<title>Rules File (The shell variables are set in
/etc/shorewall/params)</title>
<title>Rules File (The shell variables are set in /etc/shorewall/params)</title>
<blockquote>
<programlisting>###############################################################################################################################################################################
@ -589,13 +562,13 @@ ACCEPT net dmz tcp
ACCEPT net dmz udp domain
ACCEPT net dmz udp 33434:33436
Mirrors net dmz tcp rsync
ACCEPT net:$OMAK dmz tcp 22 #SSH from Omak
ACCEPT net dmz tcp 22
AllowPing net dmz
###############################################################################################################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
# When I&#39;m &#34;on the road&#34;, the following two rules allow me VPN access back home.
#
DNAT net loc:192.168.1.4 tcp 1723 -
DNAT net:!$TEXAS loc:192.168.1.4 gre -
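Review bot: security-relevant widening worth stating in the commit message: `ACCEPT net:$OMAK dmz tcp 22 #SSH from Omak` becomes `ACCEPT net dmz tcp 22`, so SSH to the DMZ server is now accepted from the whole Internet rather than from one source address. If the intent is that the laptop now reaches the DMZ through the OpenVPN tunnel, a `road`-sourced rule (which would also need a road->dmz policy, absent in the policy hunk above) would preserve the previous exposure; if world-reachable SSH is intended, consider keeping a comment and a rate limit on the rule. Separately, the comment "the following two rules allow me VPN access back home" still refers only to the PPTP DNAT rules (1723 and gre) and does not mention the new OpenVPN path.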
@ -626,12 +599,12 @@ REJECT:$LOG dmz net udp
ACCEPT dmz net:$POPSERVERS tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# that is sending a PORT command which that code doesn&#39;t understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
###############################################################################################################################################################################
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
# DMZ to Firewall -- ntp &#38; snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp 161,ssh
@ -672,6 +645,40 @@ ACCEPT tx loc:192.168.1.5 all
</blockquote>
</section>
<section>
<title>/etc/openvpn/server.conf</title>
<para>This is my OpenVPN server configuration file:</para>
<blockquote>
<programlisting>dev tun
server 192.168.2.0 255.255.255.0
dh /etc/openvpn/dh1024.pem
ca /etc/certs/cacert.pem
cert /etc/certs/gateway.pem
key /etc/certs/gateway_key.pem
port 1194
comp-lzo
user nobody
group nogroup
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3</programlisting>
</blockquote>
</section>
<section>
<title>/etc/network/interfaces</title>
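Review bot: missing documentation for the new OpenVPN section: the paragraph only says "This is my OpenVPN server configuration file", while the listing introduces a new subnet (`server 192.168.2.0 255.255.255.0`) that is not mentioned anywhere else on the page, and reuses the racoon x509 material (`cert /etc/certs/gateway.pem`, `key /etc/certs/gateway_key.pem`). A sentence on how tunnel clients are addressed and that the certificates are shared with the IPsec setup would help readers. Two observations on the config itself: there is no `proto` line, so OpenVPN defaults to UDP, which matches the `openvpn:1194` tunnels entry; and there is no `tls-auth` line, so the 1194/udp listener accepted from `0.0.0.0/0` in the tunnels file will process TLS handshakes from any source before certificate checks reject them. Adding a `tls-auth` key is the usual way to limit that exposure.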
@ -684,7 +691,7 @@ ACCEPT tx loc:192.168.1.5 all
auto lo
iface lo inet loopback
# DMZ interface -- after the interface is up, add a host route to the server. This allows 'Yes' in the
# DMZ interface -- after the interface is up, add a host route to the server. This allows &#39;Yes&#39; in the
# HAVEROUTE column of the /etc/shorewall/proxyarp file. Note that the DMZ interface has
# the same IP address as the Internet interface but has no broadcast address or network.
@ -695,7 +702,7 @@ iface eth0 inet static
broadcast 0.0.0.0
up ip route add 206.124.146.177 dev eth0
# Internet interface -- after the interface is up, add a host route to the DSL 'Modem' (Westell 2200).
# Internet interface -- after the interface is up, add a host route to the DSL &#39;Modem&#39; (Westell 2200).
auto eth1
iface eth1 inet static
@ -704,7 +711,7 @@ iface eth1 inet static
gateway 206.124.146.254
up ip route add 192.168.1.1 dev eth1
# Local LAN interface -- after the interface is up, add a net route to the Wireless network through 'Ursa'.
# Local LAN interface -- after the interface is up, add a net route to the Wireless network through &#39;Ursa&#39;.
auto eth2
iface eth2 inet static
@ -720,20 +727,20 @@ iface eth2 inet static
<title>Wireless IPSEC Gateway (Ursa) Configuration</title>
<para>As mentioned above, Ursa acts as an IPSEC gateway for the wireless
network. It's view of the network is diagrammed in the following
network. It&#39;s view of the network is diagrammed in the following
figure.</para>
<graphic align="center" fileref="images/network1.png" valign="middle" />
<para>I've included the files that I used to configure that system.</para>
<para>I&#39;ve included the files that I used to configure that system.</para>
<section>
<title>zones</title>
<blockquote>
<para>Because <emphasis role="bold">loc</emphasis> is a sub-zone of
<emphasis role="bold">net</emphasis>, <emphasis
role="bold">loc</emphasis> must be defined first.</para>
<emphasis role="bold">net</emphasis>, <emphasis role="bold">loc</emphasis>
must be defined first.</para>
<programlisting>#ZONE DISPLAY COMMENTS
loc Local Local networks
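Review bot: the rewritten sentence keeps "It&#39;s view of the network" (originally "It's view"); the possessive should be "Its view". Since the line is touched in this hunk, fix it here.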
@ -789,17 +796,17 @@ WiFi eth1 192.168.3.255 nobogons,blacklist,maclist,routeback
<title>ipsec</title>
<blockquote>
<para>The mss=1400 in the OUT OPTIONS of the 'net' zone uses a feature
added in 2.1.12 and sets the MSS field in TCP SYN packets forwarded to
the 'net' zone to 1400. This works around a problem whereby ICMP
fragmentation-needed packets are being dropped somewhere between my
main firewall and the IMAP server at my work.</para>
<para>The mss=1400 in the OUT OPTIONS of the &#39;net&#39; zone uses a
feature added in 2.1.12 and sets the MSS field in TCP SYN packets
forwarded to the &#39;net&#39; zone to 1400. This works around a
problem whereby ICMP fragmentation-needed packets are being dropped
somewhere between my main firewall and the IMAP server at my work.</para>
<programlisting>#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
sec yes mode=tunnel
net no - - <emphasis
role="bold">mss=1400</emphasis>
role="bold">mss=1400</emphasis>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
</blockquote>
@ -853,8 +860,7 @@ eth1 00:0b:c1:53:cc:97 192.168.3.8 #TIPPER
<title>/etc/racoon/setkey.conf</title>
<blockquote>
<para>This defines encryption policies to/from the wireless
network.</para>
<para>This defines encryption policies to/from the wireless network.</para>
<programlisting>flush;
spdflush;
@ -871,7 +877,7 @@ spdadd 192.168.3.8/32 0.0.0.0/0 any -P in ipsec esp/tunnel/192.16
<para>SA parameters for communication with our wireless network
(Tipper is currently the only Wireless host).</para>
<programlisting>path certificate "/etc/certs";
<programlisting>path certificate &#34;/etc/certs&#34;;
listen
{
@ -881,7 +887,7 @@ listen
remote 192.168.3.8
{
exchange_mode main ;
certificate_type x509 "ursa.pem" "ursa_key.pem";
certificate_type x509 &#34;ursa.pem&#34; &#34;ursa_key.pem&#34;;
verify_cert on;
my_identifier asn1dn ;
peers_identifier asn1dn ;
@ -908,19 +914,18 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
</section>
<section>
<title>Tipper Configuration</title>
<title>Tipper Configuration while at Home</title>
<para>This laptop is either configured on our wireless network
(192.168.3.8) or as a standalone system in our second home (64.139.97.48).
The Shorewall and Racoon configurations are the same regardless of where
Tipper is connected -- only the IP configuration changes.</para>
(192.168.3.8) or as a standalone system on the road. While this system is
connected via our wireless network, it uses IPSEC tunnel mode for all
access.</para>
<para>Tipper's view of the work is shown in the following diagram:</para>
<para>Tipper&#39;s view of the world is shown in the following diagram:</para>
<graphic align="center" fileref="images/network2.png" valign="middle" />
<para>The key configuration files are shown in the following
sections.</para>
<para>The key configuration files are shown in the following sections.</para>
<section>
<title>zones</title>
@ -1002,14 +1007,7 @@ ACCEPT net fw tcp 4000:4100
<programlisting>flush;
spdflush;
# Policies for while we are in Omak
spdadd 64.139.97.48/32 206.124.146.176/32 any -P out ipsec esp/tunnel/64.139.97.48-206.124.146.176/require;
spdadd 206.124.146.176/32 64.139.97.48/32 any -P in ipsec esp/tunnel/206.124.146.176-64.139.97.48/require;
spdadd 192.168.1.0/24 64.139.97.48/32 any -P in ipsec esp/tunnel/206.124.146.176-64.139.97.48/require;
spdadd 64.139.97.48/32 192.168.1.0/24 any -P out ipsec esp/tunnel/64.139.97.48-206.124.146.176/require;
# Policies for while we're connected via Wireless at home
# Policies for while we&#39;re connected via Wireless at home
spdadd 192.168.3.8/32 192.168.3.8/32 any -P in none;
spdadd 192.168.3.8/32 192.168.3.8/32 any -P out none;
@ -1025,35 +1023,17 @@ spdadd 192.168.3.8/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168
<title>/etc/racoon/racoon.conf</title>
<blockquote>
<programlisting>path certificate "/etc/certs";
<programlisting>path certificate &#34;/etc/certs&#34;;
listen
{
isakmp 64.139.97.48;
isakmp 192.168.3.8;
}
remote 206.124.146.176
{
exchange_mode main ;
certificate_type x509 "tipper.pem" "tipper_key.pem";
verify_cert on;
my_identifier asn1dn ;
peers_identifier asn1dn ;
verify_identifier on ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
}
}
remote 192.168.3.254
{
exchange_mode main ;
certificate_type x509 "tipper.pem" "tipper_key.pem";
certificate_type x509 &#34;tipper.pem&#34; &#34;tipper_key.pem&#34;;
verify_cert on;
my_identifier asn1dn ;
peers_identifier asn1dn ;
@ -1067,24 +1047,6 @@ remote 192.168.3.254
}
}
sainfo address 64.139.97.48/32 any address 192.168.1.0/24 any
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
sainfo address 64.139.97.48/32 any address 206.124.146.176/32 any
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
{
pfs_group 2;
@ -1096,4 +1058,76 @@ sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
</blockquote>
</section>
</section>
</article>
<section>
<title>Tipper Configuration on the Road</title>
<para>When Tipper is on the road, it&#39;s world view is the same as in
the diagram above.</para>
<section>
<title>zones</title>
<blockquote>
<programlisting>#ZONE DISPLAY COMMENTS
home Home Shorewall Network
net Net Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
</blockquote>
</section>
<section>
<title>policy</title>
<blockquote>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw net ACCEPT
fw home ACCEPT
home fw ACCEPT
net home NONE
home net NONE
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>interfaces</title>
<blockquote>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags
home tun0 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>rules</title>
<blockquote>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net fw icmp 8
ACCEPT net fw tcp 22
ACCEPT net fw tcp 4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
<section>
<title>/etc/openvpn/home.conf</title>
<para></para>
<blockquote>
<para></para>
<programlisting></programlisting>
</blockquote>
</section>
</section>
</article>
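Review bot: two points on the new "Tipper Configuration on the Road" section. First, "it&#39;s world view is the same as in the diagram above" should be "its world view". Second, the `/etc/openvpn/home.conf` subsection is a placeholder: it contains two empty `<para></para>` elements and an empty `<programlisting></programlisting>`, which renders as an empty box on the published page. Either add the client configuration (the `home tun0 -` interfaces entry and the `home` zone already assume it) or leave the subsection out until it is ready. Minor: the zones listing uses "ADD YOUR ENTRIES ABOVE THIS LINE" while the interfaces and rules listings use "BEFORE THIS ONE"; the wording of the sentinel comment should be consistent across files.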