############################################################################## # /etc/shorewall/shorewall.conf V1.3 - Change the following variables to # match your setup # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # This file should be placed in /etc/shorewall # # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) ############################################################################## # # PATH - Change this if you want to change the order in which Shorewall # searches directories for executable files. # PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin # # NAME OF THE FIREWALL ZONE # # Name of the firewall zone -- if not set or if set to an empty string, "fw" # is assumed. # FW=fw # # SUBSYSTEM LOCK FILE # # Set this to the name of the lock file expected by your init scripts. For # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it # should be /var/state/shorewall. If your init scripts don't use lock files, # set this to "". # SUBSYSLOCK=/var/run/shorewall # # SHOREWALL TEMPORARY STATE DIRECTORY # # This is the directory where the firewall maintains state information while # it is running # STATEDIR=/tmp/shorewall # # ALLOW RELATED CONNECTIONS # # Set this to "yes" or "Yes" if you want to accept all connection requests # that are related to already established connections. For example, you want # to accept FTP data connections. If you say "no" here, then to accept # these connections between particular zones or hosts, you must include # explicit "related" rules in /etc/shorewall/rules. # ALLOWRELATED=yes # # KERNEL MODULE DIRECTORY # # If your netfilter kernel modules are in a directory other than # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that # directory in this variable. Example: MODULESDIR=/etc/modules. MODULESDIR= # # LOG RATE LIMITING # # The next two variables can be used to control the amount of log output # generated. LOGRATE is expressed as a number followed by an optional # `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum # rate at which a particular message will occur. LOGBURST determines the # maximum initial burst size that will be logged. If set empty, the default # value of 5 will be used. # # Example: # # LOGRATE=10/minute # LOGBURST=5 # # If BOTH variables are set empty then logging will not be rate-limited. # LOGRATE= LOGBURST= # # LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS # # This variable determines the level at which Mangled/Invalid packets are logged # under the 'dropunclean' interface option. If you set this variable to an # empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped # silently. # # The value of this variable also determines the level at which Mangled/Invalid # packets are logged under the 'logunclean' interface option. If the variable # is empty, these packets will still be logged at the 'info' level. # LOGUNCLEAN=info # # LOG FILE LOCATION # # This variable tells the /sbin/shorewall program where to look for Shorewall # log messages. If not set or set to an empty string (e.g., LOGFILE="") then # /var/log/messages is assumed. # # WARNING: The LOGFILE variable simply tells the 'shorewall' program where to # look for Shorewall messages.It does NOT control the destination for # these messages. For information about how to do that, see # # http://www.shorewall.net/FAQ.htm#faq6 LOGFILE=/var/log/messages # # ENABLE NAT SUPPORT # # You probally want yes here. Only gateways not doing NAT in any form, like # SNAT,DNAT masquerading, port forwading etc. should say "no" here. # NAT_ENABLED=Yes # # ENABLE MANGLE SUPPORT # # If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file # and will not initialize the mangle table when starting or stopping # your firewall. You must enable mangling if you want Traffic Shaping # (see TC_ENABLED below). # MANGLE_ENABLED=Yes # # ENABLE IP FORWARDING # # If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you # say "Off" or "off", packet forwarding will be disabled. You would only want # to disable packet forwarding if you are installing Shorewall on a # standalone system or if you want all traffic through the Shorewall system # to be handled by proxies. # # If you set this variable to "Keep" or "keep", Shorewall will neither # enable nor disable packet forwarding. # IP_FORWARDING=On # # AUTOMATICALLY ADD NAT IP ADDRESSES # # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses # for each NAT external address that you give in /etc/shorewall/nat. If you say # "No" or "no", you must add these aliases youself. # ADD_IP_ALIASES=Yes # # AUTOMATICALLY ADD SNAT IP ADDRESSES # # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses # for each SNAT external address that you give in /etc/shorewall/masq. If you say # "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless # you are sure that you need it -- most people don't!!! # ADD_SNAT_ALIASES=No # # ENABLE TRAFFIC SHAPING # # If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If # you say "No" or "no" then traffic shaping is not enabled. If you enable traffic # shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and # you must enable packet mangling above. # TC_ENABLED=No # # BLACKLIST DISPOSITION # # Set this variable to the action that you want to perform on packets from # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty, # DROP is assumed. # BLACKLIST_DISPOSITION=DROP # # BLACKLIST LOG LEVEL # # Set this variable to the syslogd level that you want blacklist packets logged # (beward of DOS attacks resulting from such logging). If not set, no logging # of blacklist packets occurs. # BLACKLIST_LOGLEVEL= # # MSS CLAMPING # # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU" # option. This option is most commonly required when your internet # interface is some variant of PPP (PPTP or PPPoE). Your kernel must # have CONFIG_IP_NF_TARGET_TCPMSS set. # # [From the kernel help: # # This option adds a `TCPMSS' target, which allows you to alter the # MSS value of TCP SYN packets, to control the maximum size for that # connection (usually limiting it to your outgoing interface's MTU # minus 40). # # This is used to overcome criminally braindead ISPs or servers which # block ICMP Fragmentation Needed packets. The symptoms of this # problem are that everything works fine from your Linux # firewall/router, but machines behind it can never exchange large # packets: # 1) Web browsers connect, then hang with no data received. # 2) Small mail works fine, but large emails hang. # 3) ssh works fine, but scp hangs after initial handshaking. # ] # # If left blank, or set to "No" or "no", the option is not enabled. # CLAMPMSS=No # # ROUTE FILTERING # # Set this variable to "Yes" or "yes" if you want kernel route filtering on all # interfaces (anti-spoofing measure). # # If this variable is not set or is set to the empty value, "No" is assumed. # In that case, you can still enable route filtering on individual interfaces # in the /etc/shorewall/interfaces file. ROUTE_FILTER=No # # NAT BEFORE RULES # # Shorewall has traditionally processed static NAT rules before port forwarding # rules. If you would like to reverse the order, set this variable to "No". # # If this variable is not set or is set to the empty value, "Yes" is assumed. NAT_BEFORE_RULES=Yes # MULTIPORT support # # If your kernel includes the multiport match option # (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this # option is enabled by setting it's value to "Yes" or "yes": # # 1) If you list more that 15 ports in a comma-seperated list in # /etc/shorewall/rules, Shorewall will not use the multiport option # but will generate a separate rule for each element of each port # list. # 2) If you include a port range (:) in the # rule, Shorewall will not use the multiport option but will generate # a separate rule for each element of each port list. # # See the /etc/shorewall/rules file for additional information on this option. # # if this variable is not set or is set to the empty value, "No" is assumed. MULTIPORT=No # DNAT IP ADDRESS DETECTION # # Normally when Shorewall encounters the following rule: # # DNAT net loc:192.168.1.3 tcp 80 # # it will forward TCP port 80 connections from the net to 192.168.1.3 # REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is # convenient for two reasons: # # a) If the the network interface has a dynamic IP address, the # firewall configuration will work even when the address # changes. # # b) It saves having to configure the IP address in the rule # while still allowing the firewall to be started before the # internet interface is brought up. # # This default behavior can also have a negative effect. If the # internet interface has more than one IP address then the above # rule will forward connection requests on all of these addresses; # that may not be what is desired. # # By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply # only if the original destination address is the primary IP address of # one of the interfaces associated with the source zone. Note that this # requires all interfaces to the source zone to be up when the firewall # is [re]started. DETECT_DNAT_IPADDRS=No # # MERGE HOSTS FILE # # The traditional behavior of the /etc/shorewall/hosts file has been that # if that file has ANY entry for a zone then the zone must be defined # entirely in the hosts file. This is counter-intuitive and has caused # people some problems. # # By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file # is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file # are added to the contents described in the /etc/shorewall/interfaces file. # # Example: Suppose that we have the following interfaces and hosts files: # # Interfaces: # # net eth0 # loc eth1 # - ppp+ # # Hosts: # # loc ppp+:192.168.1.0/24 # wrk ppp+:!192.168.1.0/24 # # With MERGE_HOSTS=No, the contents of the 'loc' zone would be just # ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be # ppp+:192.168.1.0 and eth1:0.0.0.0/0 # # If this variable is not set or is set to the empty value, "No" is assumed. MERGE_HOSTS=Yes # # MUTEX TIMEOUT # # The value of this variable determines the number of seconds that programs # will wait for exclusive access to the Shorewall lock file. After the number # of seconds corresponding to the value of this variable, programs will assume # that the last program to hold the lock died without releasing the lock. # # If not set or set to the empty value, a value of 60 (60 seconds) is assumed. # # An appropriate value for this parameter would be twice the length of time # that it takes your firewall system to process a "shorewall restart" command. MUTEX_TIMEOUT=60 # # LOGGING 'New not SYN' rejects # # This variable only has an effect when NEWNOTSYN=No (see below). # # When a TCP packet that does not have the SYN flag set and the ACK and RST # flags clear then unless the packet is part of an established connection, # it will be rejected by the firewall. If you want these rejects logged, # then set LOGNEWNOTSYN to the syslog log level at which you want them logged. # # Example: LOGNEWNOTSYN=debug LOGNEWNOTSYN= # # Forward "Ping" # # If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are # forwarded by the firewall. FORWARDPING=Yes # # NEWNOTSYN # # If this variable is set to "No" or "no", then When a TCP packet that does # not have the SYN flag set and the ACK and RST flags clear then unless the # packet is part of an established connection, it will be dropped by the # firewall # # If this variable is set to "Yes" or "yes" then such packets will not be # dropped but will pass through the normal rule processing. # # Users with a High-availability setup with two firewall's and one acting # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may # also need to select NEWNOTSYN=Yes. NEWNOTSYN=No # # MAC List Disposition # # This variable determines the disposition of connection requests arriving # on interfaces that have the 'maclist' option and that are from a device # that is not listed for that interface in /etc/shorewall/maclist. Valid # values are ACCEPT, DROP and REJECT. If not specified or specified as # empty (MACLIST_DISPOSITION="") then REJECT is assumed MACLIST_DISPOSITION=REJECT # # MAC List Log Level # # Specifies the logging level for connection requests that fail MAC # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then # such connection requests will not be logged. # MACLIST_LOG_LEVEL=info #LAST LINE -- DO NOT REMOVE