#	
# 	Shorewall version 1.4.8 - Sample Rules File For Two Interfaces
#
# 	/etc/shorewall/rules
#
#	Rules in this file govern connection establishment. Requests and
#	responses are automatically allowed using connection tracking.
#
#	In most places where an IP address or subnet is allowed, you
#	can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
#	indicate that the rule matches all addresses except the address/subnet
#	given. Notice that no white space is permitted between "!" and the
#	address/subnet.
#
# Columns are:
#
#
#	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
#				REDIRECT-, CONTINUE, LOG Or QUEUE.
#
#				ACCEPT
#						Allow the connection request
#				DROP
#						Ignore the request
#				REJECT
#						Disallow the request and return an
#						icmp-unreachable or an RST packet.
#				DNAT
#						Forward the request to another
#						system (and optionally another
#						port).
#				DNAT-
#						Advanced users only.
#						Like DNAT but only generates the
#						DNAT iptables rule and not
#						the companion ACCEPT rule.
#				REDIRECT
#						Redirect the request to a local
#					    	port on the firewall.
#				REDIRECT-
#						Advanced users only.
#						Like REDIRECT but only generates the
#						REDIRECT iptables rule and not the
#						companion ACCEPT rule.
#				CONTINUE
#						(For experts only). Do Not Process
#						any of the following rules for this
#						(source zone,destination zone). If
#						the source and/or destination IP
#						address falls into a zone defined
#						later in /etc/shorewall/zones, this
#						connection request will be passed
#						to the rules defined for that
#						(those) zones(s).
#				LOG		
#						Simply log the packet and continue.
#				QUEUE   
#						Queue the packet to a user-space
#						application such as p2pwall.
#
#			You may rate-limit the rule by optionally following 
#			ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
#				< <rate>/<interval>[:<burst>] >
#
#			Where <rate> is the number of connections per 
#			<interval> ("sec" or "min") and <burst> is the largest
#			burst permitted. If no <burst> is given, a value of 5 
#			is assumed. There may be no whitespace embedded in the
#			specification.
#
#		Example:
#				ACCEPT<10/sec:20>
#
#			The ACTION (and rate limit) may optionally be followed by ":"
#			and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
#			This causes the packet to be logged at the specified level.
#
#	NOTE: For those of you who prefer to place the rate limit in a separate column, 
#	see the RATE LIMIT column below. If you specify a value in that column you must include
#	a rate limit in the action column.
#
#			You may also specify ULOG (must be in upper case) as a 
#			log level. This will log to the ULOG target for routing
#			to a separate log through use of ulogd.
#			(http://www.gnumonks.org/projects/ulogd).
#
#	SOURCE		Source hosts to which the rule applies. May be a zone
#			defined in /etc/shorewall/zones, $FW to indicate the
#			firewall itself, or "all" If the ACTION is DNAT or
#			REDIRECT, sub-zones of the specified zone may be
#			excluded from the rule by following the zone name with
#			"!' and a comma-separated list of sub-zone names.
#
#			Except when "all" is specified, clients may be further
#			restricted to a list of subnets and/or hosts by
#			appending ":" and a comma-separated list of subnets
#			and/or hosts. Hosts may be specified by IP or MAC
#			address; mac addresses must begin with "~" and must use
#			"-" as a separator.
#
#		Some Examples:
#
#			net:155.186.235.1
#						Host 155.186.235.1 on the Internet
#
#			loc:192.168.1.0/24
#						Subnet 192.168.1.0/24 on the
#						Local Network
#
#			net:155.186.235.1,155.186.235.2
#						Hosts 155.186.235.1 and
#						155.186.235.2 on the Internet.
#
#			loc:~00-A0-C9-15-39-78
#						Host on the Local Network with
#						MAC address 00:A0:C9:15:39:78.
#
#			Alternatively, clients may be specified by interface
#			by appending ":" to the zone name followed by the
#			interface name. For example, net:eth0 specifies a
#			client that communicates with the firewall system
#			through eth0. This may be optionally followed by
#			another colon (":") and an IP/MAC/subnet address
#			as described above (e.g., net:eth0:192.168.1.5).
#
#	DEST		Location of Server. May be a zone defined in
#			/etc/shorewall/zones, $FW to indicate the firewall
#			itself or "all"
#
#			Except when "all" is specified, the server may be
#			further restricted to a particular subnet, host or
#			interface by appending ":" and the subnet, host or
#			interface. See above.
#
#		Restrictions:
#
#			1.	MAC addresses are not allowed.
#			2. 	In DNAT rules, only IP addresses are
#				allowed; no FQDNs or subnet addresses
#				are permitted.
#			3	You may not specify both an interface and 
#				an address.
#
#			Unlike in the SOURCE column, you may specify a range of
#			up to 256 IP addresses using the syntax
#			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
#			the connections will be assigned to the addresses in the
#			range in a round-robin fashion.
#
#			The port that the server is listening on may be
#			included and separated from the server's IP address by
#			":". If omitted, the firewall will not modifiy the
#			destination port. A destination port may only be
#			included if the ACTION is DNAT or REDIRECT.
#
#			Example: net:155.186.235.1:25 specifies a Internet
#			server at IP address 155.186.235.1 and listening on port
#			25. The port number MUST be specified as an integer
#			and not as a name from /etc/services.
#
#			If the ACTION is REDIRECT, this column needs only to
#			contain the port number on the firewall that the
#			request should be redirected to.
#
#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number or
#			"all".
#
#	DEST PORT(S)	Destination Ports. A comma-separated list of Port
#			names (from /etc/services), port numbers or port
#			ranges; if the protocol is "icmp", this column is
#			interpreted as the destination icmp-type(s).
#
#			A port range is expressed as <low port>:<high port>.
#
#			This column is ignored if PROTOCOL = all but must be
#			entered if any of the following fields are supplied.
#			In that case, it is suggested that this field contain
#			 "-"
#
#			If your kernel contains multi-port match support, then
#			only a single Netfilter rule will be generated if in
#			this list and the CLIENT PORT(S) list below:
#			1. There are 15 or less ports listed.
#			2. No port ranges are included.
#			Otherwise, a separate rule will be generated for each
#			port.
#
#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
#			any source port is acceptable. Specified as a comma-
#			separated list of port names, port numbers or port
#			ranges.
#
#			If you don't want to restrict client ports but need to
#			specify an ADDRESS in the next column, then place "-"
#			in this column.
#
#			If your kernel contains multi-port match support, then
#			only a single Netfilter rule will be generated if in
#			this list and the DEST PORT(S) list above:
#			1. There are 15 or less ports listed.
#			2. No port ranges are included.
#			Otherwise, a separate rule will be generated for each
#			port.
#
#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT[-] or 
#			REDIRECT[-]) If included and different from the IP
#			address given in the SERVER column, this is an address
#			on some interface on the firewall and connections to
#			that address will be forwarded to the IP and port
#			specified in the DEST column.
#
#			A comma-separated list of addresses may also be used.
#			This is usually most useful with the REDIRECT target
#			where you want to redirect traffic destined for
#			a particular set of hosts.
#
#			Finally, if the list of addresses begins with "!" then
#			the rule will be followed only if the original
#			destination address in the connection request does not
#			match any of the addresses listed.
#
#			The address may optionally be followed by
#			a colon (":") and a second IP address. This causes
#			Shorewall to use the second IP address as the source
#			address in forwarded packets. See the Shorewall
#			documentation for restrictions concerning this feature.
#			If no source IP address is given, the original source
#			address is not altered.
#
#	RATE LIMIT	You may rate-limit the rule by placing a value in this column:
#
#				<rate>/<interval>[:<burst>]
#
#			Where <rate> is the number of connections per <interval> ("sec"
#			or "min") and <burst> is the largest burst permitted. If no
#			<burst> is given, a value of 5 is assummed. There may be no
#			whitespace embedded in the specification.
#
#		Example:
#				10/sec:20
#
#			If you place a rate limit in this column, you may not place
#			a similiar limit in the ACTION column.
#
#	USER SET	This Column may only be non-empty if the SOURCE is the firewall
#			itself and the ACTION is ACCEPT, DROP or REJECT.
#
#			The column may contain a user set name defined in the 
#			/etc/shorewall/usersets file or it may contain:
#
#				[<user name or number>]:[<group name or number>]
#
#			When this column is non-empty, the rule applies only if the 
#			program generating the output is running under the effective
#			<user>(s) and/or <group>(s) specified. When a user set name is 
#			given, a log level may not be present in the ACTION column;
#			logging for such rules is controlled by user set's entry in
#			/etc/shorewall/usersets.
#
#	Also by default all outbound loc -> net communications are allowed.
#	You can change this behavior in the sample policy file.
#
#	Example:	Accept www requests to the firewall.
#
#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
#	#							PORT	PORT(S)	DEST		LIMIT	SET
#	ACCEPT		net		fw	tcp	http
#
#	Example:	Accept SMTP requests from the Local Network to the Internet
#
#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
#	#							PORT	PORT(S)	DEST		LIMIT	SET
#	ACCEPT		loc		net		tcp	smtp
#
#	Example:	Forward all ssh and http connection requests from the Internet
#			to local system 192.168.1.3
#
#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
#	#							PORT	PORT(S)	DEST		LIMIT	SET
#	DNAT		net		loc:192.168.1.3	tcp	ssh,http
#
#	Example:	Redirect all locally-originating www connection requests to
#			port 3128 on the firewall (Squid running on the firewall
#			system) except when the destination address is 192.168.2.2
#
#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER
#	#							PORT	PORT(S)	DEST		LIMIT	SET
#	REDIRECT	loc		3128		tcp	www	-	!192.168.2.2
#
#	Example:	All http requests from the Internet to address
#			130.252.100.69 are to be forwarded to 192.168.1.3
#
#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER	
#	#							PORT	PORT(S)	DEST		LIMIT	SET
#	DNAT		net		loc:192.168.1.3	tcp	80	-	130.252.100.69
##############################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL		RATE	USER
#							PORT	PORT(S)	DEST			LIMIT	SET
#
#	Accept DNS connections from the firewall to the network
#
ACCEPT		fw		net		tcp	53
ACCEPT		fw		net		udp	53
#
#	Accept SSH connections from the local network for administration
#
ACCEPT		loc		fw		tcp	22
#
#	Allow Ping To And From Firewall
#
ACCEPT		loc		fw		icmp	8
ACCEPT		net		fw		icmp	8
ACCEPT		fw		loc		icmp	
ACCEPT		fw		net		icmp	
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE