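##############################################################################
# /etc/shorewall/shorewall.conf V1.2 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999, 2000, 2001 - Tom Eastep (teastep@evergo.net)
#
# NOTE: this file is sourced by the shorewall shell script, so every line
# must be a valid shell assignment (VAR=value) or a '#' comment. Do not put
# trailing comments after a value.
##############################################################################

# Set this to the name of the lock file expected by your init scripts. It must
# match the file your init script tests for: RedHat-style systems use
# /var/lock/subsys/<name>, Debian uses /var/state/shorewall. If your init
# scripts don't use lock files, set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall

# This is the directory where the firewall maintains state information while
# it is running. It should be writable by root only.
#
STATEDIR=/var/lib/firewall

#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED="yes"

#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
# Leave empty to use the kernel default location.
#
MODULESDIR=""

#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then the rate of logging will not be
# rate-limited. Unlimited logging lets a remote sender fill your logs
# (and possibly your disk) at will, so keep a limit unless you are debugging.
#
LOGRATE="10/hour"
LOGBURST=5

#
# Enable nat support.
#
# You probably want yes here. Only gateways not doing NAT in any form, like
# SNAT, DNAT, masquerading, port forwarding etc. should say "no" here.
#
NAT_ENABLED="No"

#
# Enable mangle support.
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
# your firewall.
#
MANGLE_ENABLED="Yes"

#
# Enable IP Forwarding
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding (whatever the kernel is already set
# to stays in effect, so check /proc/sys/net/ipv4/ip_forward yourself).
#
IP_FORWARDING="Off"

#
# Automatically add IP Aliases
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases yourself.
#
ADD_IP_ALIASES="Yes"

#
# Automatically add SNAT Aliases
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases yourself.
#
ADD_SNAT_ALIASES="No"

#
# Enable Traffic Shaping
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above (MANGLE_ENABLED).
#
TC_ENABLED="No"

#
# Blacklisting
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed. DROP discards silently; REJECT sends an error back to the
# sender and therefore confirms to a blacklisted host that the firewall is up.
#
BLACKLIST_DISPOSITION=DROP

#
# Blacklist Logging
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DOS attacks resulting from such logging: the traffic being logged
# is chosen by the blacklisted sender, so without rate limiting it can flood
# syslog). If not set, no logging of blacklist packets occurs.
#
BLACKLIST_LOGLEVEL=

#
# MSS Clamping
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# provide the netfilter TCPMSS target for this option to work.
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS="No"

#
# Route Filtering
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces. Route (reverse-path) filtering makes the kernel discard packets
# whose source address would not be routed back out the interface they arrived
# on, which defeats most source-address spoofing, but it breaks setups that
# rely on asymmetric routing. Review your routing before enabling it.
#
ROUTE_FILTER="No"

#LAST LINE -- DO NOT REMOVE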