Mirror of https://gitlab.com/shorewall/code.git (synced 2024-12-25 07:38:57 +01:00), commit b66929a65e
1) Elimination of the "shorewall monitor" command.
2) The /etc/shorewall/ipsec and /etc/shorewall/zones files are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files.
3) Support has been added for the arp_ignore interface option.
4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified.
5) The 'nobogons' option and BOGON_LOG_LEVEL are removed.
6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:).
7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target.
8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewalls with NFS-mounted file systems, LDAP servers, Crossbow, etc.
9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch.
10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No.
11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted, then Shorewall is started using the config files rather than using the saved configuration.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
87 lines
3.2 KiB
Plaintext
Executable File
##############################################################################
#
# Shorewall 2.6 -- Internet Service Providers
#
# /etc/shorewall/providers
#
# This file is used to define additional routing tables. You will
# want to define an additional table if:
#
#   - You have connections to more than one ISP or multiple connections
#     to the same ISP
#
#   - You run Squid as a transparent proxy on a host other than the
#     firewall.
#
# To omit a column, enter "-".
#
# Columns must be separated by white space and are:
#
#   NAME        The provider name.
#
#   NUMBER      The provider number -- a number between 1 and 15
#
#   MARK        A FWMARK value used in your /etc/shorewall/tcrules
#               file to direct packets to this provider.
#
#   DUPLICATE   The name of an existing table to duplicate. May be
#               'main' or the name of a previous provider.
#
#   INTERFACE   The name of the network interface to the provider.
#               Must be listed in /etc/shorewall/interfaces.
#
#   GATEWAY     The IP address of the provider's gateway router.
#
#               You can enter "detect" here and Shorewall will
#               attempt to detect the gateway automatically.
#
#   OPTIONS     A comma-separated list selected from the following:
#
#               track      If specified, connections FROM this interface are
#                          to be tracked so that responses may be routed back
#                          out this same interface.
#
#                          You want to specify 'track' if internet hosts will be
#                          connecting to local servers through this provider.
#
#               balance    The providers that have 'default' specified will
#                          get outbound traffic load-balanced among them. By
#                          default, all interfaces with 'balance' specified
#                          will have the same weight (1). You can change the
#                          weight of an interface by specifying balance=<weight>
#                          where <weight> is the weight of the route out of
#                          this interface.
#
#               loose      Normally, Shorewall adds routing rules to prohibit
#                          firewall marks from working with traffic generated
#                          on the firewall itself. By setting the 'loose'
#                          option, generation of these rules is avoided.
#
#   COPY        A comma-separated list of other interfaces on your
#               firewall. Only makes sense when DUPLICATE is 'main'.
#               Only copy routes through INTERFACE and through
#               interfaces listed here.
#
# Example: You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
#          interface is eth2
#
#   #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS
#   Squid   1       1     -          eth2       192.168.2.99  -
#
# Example:
#
#   eth0 connects to ISP 1. The IP address of eth0 is 206.124.146.176 and
#   the ISP's gateway router has IP address 206.124.146.254.
#
#   eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the
#   ISP's gateway router has IP address 130.252.99.254.
#
#   #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY          OPTIONS        COPY
#   ISP1    1       1     main       eth0       206.124.146.254  track,balance
#   ISP2    2       2     main       eth1       130.252.99.254   track,balance
#
# For additional information, see http://shorewall.net/Shorewall_and_Routing.html
##############################################################################################
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS  COPY
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
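A small validator for the column rules the header above documents, added here as an example; it is not Shorewall's own parser. It assumes the header's conventions ('#' starts a comment, '-' omits a column, whitespace separates columns) and takes the set of interface names from /etc/shorewall/interfaces as an argument; the two-ISP sample input is constructed, with a balance weight added to exercise that syntax.

```python
"""Validator for the Shorewall 2.6 /etc/shorewall/providers format documented above.
Constructed example, not Shorewall's own parser; it checks only the rules the file
header states. Assumes '#' starts a comment and '-' omits a column."""
import ipaddress

COLUMNS = ["NAME", "NUMBER", "MARK", "DUPLICATE", "INTERFACE", "GATEWAY", "OPTIONS", "COPY"]
KNOWN_OPTIONS = {"track", "balance", "loose"}


def parse_options(field):
    """Split the OPTIONS column; 'balance=<weight>' stores the weight as an int."""
    opts = {}
    for item in [] if field == "-" else field.split(","):
        name, _, value = item.partition("=")
        if name not in KNOWN_OPTIONS or (value and name != "balance"):
            raise ValueError(f"bad option {item!r}")
        opts[name] = int(value) if value else (1 if name == "balance" else True)
    return opts


def parse_providers(text, interfaces):
    """Return a list of provider dicts; raise ValueError on the first bad line."""
    providers, names = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if not fields:
            continue
        if not 6 <= len(fields) <= len(COLUMNS):
            raise ValueError(f"line {lineno}: expected 6 to 8 columns")
        p = dict(zip(COLUMNS, fields + ["-"] * (len(COLUMNS) - len(fields))))
        p["NUMBER"] = int(p["NUMBER"])
        if not 1 <= p["NUMBER"] <= 15:
            raise ValueError(f"line {lineno}: NUMBER must be between 1 and 15")
        if p["DUPLICATE"] not in ("-", "main") and p["DUPLICATE"] not in names:
            raise ValueError(f"line {lineno}: DUPLICATE must be 'main' or a previous provider")
        if p["INTERFACE"] not in interfaces:
            raise ValueError(f"line {lineno}: {p['INTERFACE']} not in /etc/shorewall/interfaces")
        if p["GATEWAY"] != "detect":
            ipaddress.IPv4Address(p["GATEWAY"])  # raises ValueError if not an address
        p["OPTIONS"] = parse_options(p["OPTIONS"])
        p["COPY"] = [] if p["COPY"] == "-" else p["COPY"].split(",")
        if p["COPY"] and p["DUPLICATE"] != "main":
            raise ValueError(f"line {lineno}: COPY only makes sense when DUPLICATE is 'main'")
        names.add(p["NAME"])
        providers.append(p)
    return providers


# Constructed input based on the two-ISP example in the header (weight added to ISP2).
TWO_ISPS = """#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY          OPTIONS
ISP1   1       1     main       eth0       206.124.146.254  track,balance
ISP2   2       2     main       eth1       130.252.99.254   track,balance=2  # weight 2
"""
```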