shorewall_code/Shorewall/documentation.txt
2006-11-05 23:07:20 +00:00

2550 lines
89 KiB
Plaintext

###############################################################################
# This documentation provides a quick reference to the configuration
# files. The documentation at
# http://www.shorewall.net/Documentation_Index.html should be
# considered to be the primary documentation.
###############################################################################
# /etc/shorewall/accounting
#
# Accounting rules exist simply to count packets and bytes in categories
# that you define in this file. You may display these rules and their
# packet and byte counters using the "shorewall show accounting" command.
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#
# Columns are:
#
# ACTION - What to do when a match is found.
#
# COUNT - Simply count the match and continue
# with the next rule
# DONE - Count the match and don't attempt
# to match any other accounting rules
# in the chain specified in the CHAIN
# column.
# <chain>[:COUNT]
# - Where <chain> is the name of
# a chain. Shorewall will create
# the chain automatically if it
# doesn't already exist. Causes
# a jump to that chain. If :COUNT
# is including, a counting rule
# matching this record will be
# added to <chain>
#
# CHAIN - The name of a chain. If specified as "-" the
# 'accounting' chain is assumed. This is the chain
# where the accounting rule is added. The chain will
# be created if it doesn't already exist.
#
# SOURCE - Packet Source
#
# The name of an interface, an address (host or net) or
# an interface name followed by ":"
# and a host or net address.
#
# DESTINATION - Packet Destination
#
# Format the same as the SOURCE column.
#
# PROTOCOL A protocol name (from /etc/protocols), a protocol
# number, "ipp2p", "ipp2p:udp" or "ipp2p:all"
#
# DEST PORT(S) Destination Port number. If the PROTOCOL is "ipp2p"
# then this column must contain an ipp2p option
# ("iptables -m ipp2p --help") without the leading
# "--". If no option is given in this column, "ipp2p"
# is assumed.
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# You may place a comma-separated list of port numbers in
# this column if your kernel and iptables include
# multiport match support.
#
# SOURCE PORT(S) Source Port number
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# You may place a comma-separated list of port numbers in
# this column if your kernel and iptables include
# multiport match support.
#
# USER/GROUP This column may only be non-empty if the CHAIN is
# OUTPUT.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd (This feature was
# #removed from Netfilter in kernel
# #version 2.6.14).
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards. Omitted trailing columns are
# also treated as wildcards.
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
###############################################################################
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or
# subnetworks.
#
# Columns are:
#
# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address
# range (if your kernel and iptables contain iprange
# match support) or ipset name prefaced by "+" (if
# your kernel supports ipset match).
#
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# A dash ("-") in this column means that any source
# address will match. This is useful if you want to
# blacklist a particular application.
#
# PROTOCOL - Optional. If specified, must be a protocol number
# or a protocol name from /etc/protocols.
#
# PORTS - Optional. May only be specified if the protocol
# is TCP (6) or UDP (17). A comma-separated list
# of destination port numbers or service names from
# /etc/services.
#
# When a packet arrives on an interface that has the 'blacklist' option
# specified in /etc/shorewall/interfaces, its source IP address is
# checked against this file and disposed of according to the
# BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
#
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
#
# Example:
#
# To block DNS queries from address 192.0.2.126:
#
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
#
# Example:
#
# To block DNS queries from addresses in the ipset 'dnsblack':
#
# ADDRESS/SUBNET PROTOCOL PORT
# +dnsblack udp 53
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
# /etc/shorewall/ecn
#
# Use this file to list the destinations for which you want to
# disable ECN.
#
# This feature requires kernel 2.4.20 or later. If you run 2.4.20,
# you also need the patch found at http://www.shorewall.net/ecn/patch.
# That patch is included in kernels 2.4.21 and later.
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed. If your kernel and iptables
# include iprange match support then IP address ranges
# are also permitted.
#
# For additional information, see http://shorewall.net/Documentation.htm#ECN
#
###############################################################################
# /etc/shorewall/hosts
#
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
#
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
#------------------------------------------------------------------------------
# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
# ZONE AND INTERFACE IN THIS FILE.
#------------------------------------------------------------------------------
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file.
#
# The order of entries in this file is not significant in
# determining zone composition. Rather, the order that the zones
# are defined in /etc/shorewall/zones determines the order in
# which the records in this file are interpreted.
#
# ZONE - The name of a zone defined in /etc/shorewall/zones. You may
# not list the firewall zone in this column.
#
# HOST(S) - The name of an interface defined in the
# /etc/shorewall/interfaces file followed by a colon (":") and
# a comma-separated list whose elements are either:
#
# a) The IP address of a host
# b) A subnetwork in the form
# <subnet-address>/<mask width>
# c) An IP address range of the form <low address>-<high
# address>. Your kernel and iptables must have iprange
# match support.
# d) A physical port name; only allowed when the
# interface names a bridge created by the
# brctl addbr command. This port must not
# be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a
# host or network IP or a range.
# See http://www.shorewall.net/bridge.html
# for details. Specifying a physical port
# name requires that you have BRIDGING=Yes in
# /etc/shorewall/shorewall.conf.
# e) The name of an ipset (preceded by "+").
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
# eth3:192.168.2.0/24,192.168.3.1
# br0:eth4
# br0:eth0:192.168.1.16/28
# eth4:192.168.1.44-192.168.1.49
# eth2:+Admin
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
#
# maclist - Connection requests from these hosts
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# routeback - Shorewall should set up the
# infrastructure to pass packets
# from this/these address(es) back
# to themselves. This is necessary if
# hosts in this group use the services
# of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
#
# norfc1918 - This option only makes sense for ports
# on a bridge.
#
# The port should not accept
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# blacklist - This option only makes sense for ports
# on a bridge.
#
# Check packets arriving on this port
# against the /etc/shorewall/blacklist
# file.
#
# tcpflags - Packets arriving from these hosts are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# nosmurfs - This option only makes sense for ports
# on a bridge.
#
# Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# ipsec - The zone is accessed via a
# kernel 2.6 ipsec SA. Note that if the
# zone named in the ZONE column is
# specified as an IPSEC zone in the
# /etc/shorewall/zones file then you
# do NOT need to specify the 'ipsec'
# option here.
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
###############################################################################
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Must match the name of a
# zone defined in /etc/shorewall/zones. You may not
# list the firewall zone in this column.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# If there are multiple interfaces to the same zone,
# you must list them in separate entries:
#
# Example:
#
# loc eth1 -
# loc eth2 -
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# You may specify wildcards here. For example, if you
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'.
#
# There is no need to define the loopback interface (lo)
# in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left blank.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", Shorewall
# will detect the broadcast address(es) for you. If you
# select this option, the interface must be up before
# the firewall is started.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - Specify this option when any of
# the following are true:
# 1. the interface gets its IP address
# via DHCP
# 2. the interface is used by
# a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP
# clients.
# 4. the interface is a bridge with
# a DHCP server on one port and DHCP
# clients on another port.
#
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses). If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
#
# logmartians - turn on kernel martian logging (logging
# of packets with impossible source
# addresses. It is suggested that if you
# set routefilter on an interface that
# you also set logmartians. This option
# may also be enabled globally in the
# /etc/shorewall/shorewall.conf file.
#
# blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow
# filtering traffic arriving on this
# interface back out that same interface.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# when Shorewall is started.
#
# arp_ignore[=<number>]
# - If specified, this interface will
# respond to arp requests based on the
# value of <number>.
#
# 1 - reply only if the target IP address
# is local address configured on the
# incoming interface
#
# 2 - reply only if the target IP address
# is local address configured on the
# incoming interface and both with the
# sender's IP address are part from same
# subnet on this interface
#
# 3 - do not reply for local addresses
# configured with scope host, only
# resolutions for global and link
# addresses are replied
#
# 4-7 - reserved
#
# 8 - do not reply for all local
# addresses
#
# If no <number> is given then the value
# 1 is assumed
#
# WARNING -- DO NOT SPECIFY arp_ignore
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
# nosmurfs - Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# sourceroute - If this option is not specified for an
# interface, then source-routed packets
# will not be accepted from that
# interface (sets /proc/sys/net/ipv4/
# conf/<interface>/
# accept_source_route to 1).
# Only set this option if you know what
# you are you doing. This might represent
# a security risk and is not usually
# needed.
#
# upnp - Incoming requests from this interface
# may be remapped via UPNP (upnpd).
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect dhcp
# loc eth1 detect
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections.
#
# net ppp0 -
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
# /etc/shorewall/maclist
#
# This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface.
# The feature is enabled by using the maclist option in the interfaces
# or hosts configuration file.
#
# Columns are:
#
# DISPOSITION ACCEPT or DROP (if MACLIST_TABLE=filter, then REJECT
# is also allowed)
#
# INTERFACE Network interface to a host. If the interface
# names a bridge, it may be optionally followed by
# a colon (":") and a physical port name (e.g.,
# br0:eth4).
#
# MAC MAC address of the host -- you do not need to use
# the Shorewall format for MAC addresses here. If IP
# ADDRESSES is supplied then MAC can be supplied as
# a dash ("-")
#
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
# must match. This column can contain a comma-separated
# list of host and/or subnet addresses. If your kernel
# and iptables have iprange match support then IP
# address ranges are also allowed.
#
# For additional information, see http://shorewall.net/MAC_Validation.html
#
###############################################################################
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define
# Source NAT (SNAT).
#
# WARNING: The entries in this file are order-sensitive. The first
# entry that matches a particular connection will be the one that
# is used.
#
# WARNING: If you have more than one ISP, adding entries to this
# file will *not* force connections to go out through a particular
# ISP. You must use PREROUTING entries in /etc/shorewall/tcrules
# to do that.
#
# Columns are:
#
# INTERFACE -- Outgoing interface. This is usually your internet
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
#
# If you wish to inhibit the action of ADD_SNAT_ALIASES
# for this entry then include the ":" but omit the digit:
#
# eth0:
# eth2::192.0.2.32/27
#
# Normally Masq/SNAT rules are evaluated after those for
# one-to-one NAT (/etc/shorewall/nat file). If you want
# the rule to be applied before one-to-one NAT rules,
# prefix the interface name with "+":
#
# +eth0
# +eth0:192.0.2.32/27
# +eth0:2
#
# This feature should only be required if you need to
# insert rules in this file that preempt entries in
# /etc/shorewall/nat.
#
# If you place COMMENT in this column, then the rest of the
# line will be attached as a comment to the Netfilter rule(s)
# generated by the following entry. The comment will appear
# delimited by "/* ... */" in the output of "shorewall show
# nat"
#
# SOURCE (formerly called SUBNET)
#
# Set of hosts that you wish to masquerade. You can specify this
# as an address (net or host) or as an interface. If you give
# the name of an interface, the interface must be up before you
# start the firewall (Shorewall will use your main routing table
# to determine the appropriate addresses to masquerade).
#
# In order to exclude a addrress of the specified SOURCE, you
# may append "!" and a comma-separated list of IP addresses
# (host or net) that you wish to exclude.
#
# Example: eth1!192.168.1.4,192.168.32.0/27
#
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin
# range by connection. The range is specified by
# <first ip in range>-<last ip in range>.
#
# Example: 206.124.146.177-206.124.146.180
#
# You may also use the special value "detect"
# which causes Shorewall to determine the
# IP addresses configured on the interface named
# in the INTERFACES column and substitute them
# in this column.
#
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names.
#
# Normally, Netfilter will attempt to retain
# the source port number. You may cause
# netfilter to remap the source port by following
# an address or range (if any) by ":" and
# a port range with the format <low port>-
# <high port>. If this is done, you must
# specify "tcp" or "udp" in the PROTO column.
#
# Examples:
#
# 192.0.2.4:5000-6000
# :4000-5000
#
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses
# or "detect" as described above.
#
# SAME works like SNAT with the exception that
# the same local IP address is assigned to each
# connection from a local address to a given
# remote address.
#
# If the 'nodst:' option is included, then the
# same source address is used for a given
# internal system regardless of which remote
# system is involved.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
#
# Where a comma-separated list is given, your
# kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# listed.
#
# IPSEC -- (Optional) If you specify a value other than "-" in this
# column, you must be running kernel 2.6 and
# your kernel and iptables must include policy
# match support.
#
# Comma-separated list of options from the
# following. Only packets that will be encrypted
# via an SA that matches these options will have
# their source address changed.
#
# Yes or yes -- must be the only option
# listed and matches all outbound
# traffic that will be encrypted.
#
# reqid=<number> where <number> is
# specified using setkey(8) using the
# 'unique:<number> option for the SPD
# level.
#
# spi=<number> where <number> is the
# SPI of the SA.
#
# proto=ah|esp|ipcomp
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match
# all rules.
#
# next Separates rules; can only be
# used with strict..
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# eth0 eth1
#
# or
#
# eth0 192.168.0.0/24
#
# Example 2:
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
#
# eth0 192.168.1.0/24
#
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# eth0:0 192.168.1.0/24 206.124.146.176
#
# Example 5:
#
# You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address
# 206.124.146.176.
#
# eth0 eth1 206.124.146.177 tcp smtp
# eth0 eth1 206.124.146.176
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
# /etc/shorewall/nat
#
# This file is used to define one-to-one Network Address Translation
# (NAT).
#
# WARNING: If all you want to do is simple port forwarding, do NOT use this
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# cases, Proxy ARP is a better solution that one-to-one NAT.
#
# Columns are:
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column and must not be a DNS Name.
#
# If you put COMMENT in this column, the rest of the
# line will be attached as a comment to the Netfilter
# rule(s) generated by the following entries in the
# file. The comment will appear delimited by "/* ... */"
# in the output of "shorewall show nat"
#
# To stop the comment from being attached to further
# rules, simply include COMMENT on a line by itself.
#
# INTERFACE Interface that has the EXTERNAL address.
# If ADD_IP_ALIASES=Yes in shorewall.conf, Shorewall
# will automatically add the EXTERNAL address to this
# interface. Also if ADD_IP_ALIASES=Yes, you may
# follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias
# with this name (e.g., "eth0:0"). That allows you to
# see the alias with ifconfig. THAT IS THE ONLY THING
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
#
# If you want to override ADD_IP_ALIASES=Yes for a
# particular entry, follow the interface name with
# ":" and no digit (e.g., "eth0:").
# INTERNAL Internal Address (must not be a DNS Name).
#
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE
# column
#
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
#
# For additional information, see http://shorewall.net/NAT.htm
#
###############################################################################
# /etc/shorewall/netmap
#
# This file is used to map addresses in one network to corresponding
# addresses in a second network.
#
# WARNING: To use this file, your kernel and iptables must have
# NETMAP support included.
#
# Columns are:
#
# TYPE Must be DNAT or SNAT.
#
# If DNAT, traffic entering INTERFACE and addressed to
# NET1 has it's destination address rewritten to the
# corresponding address in NET2.
#
# If SNAT, traffic leaving INTERFACE with a source
# address in NET1 has it's source address rewritten to
# the corresponding address in NET2.
#
# NET1 Network in CIDR format (e.g., 192.168.1.0/24)
#
# INTERFACE The name of a network interface. The interface must
# be defined in /etc/shorewall/interfaces.
#
# NET2 Network in CIDR format
#
# See http://shorewall.net/netmap.html for an example and usage
# information.
#
###############################################################################
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# INTRA-ZONE POLICIES ARE PRE-DEFINED
#
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
# the POLICY for connections from the zone to itself is ACCEPT (with no
# logging or TCP connection rate limiting but may be overridden by an
# entry in this file. The overriding entry must be explicit (cannot use
# "all" in the SOURCE or DEST).
#
# Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then
# the implicit policy to/from any sub-zone is CONTINUE. These implicit
# CONTINUE policies may also be overridden by an explicit entry in this
# file.
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other,
# send "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or
# destination zone in those rules is
# a superset of the SOURCE or DEST
# in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set
# up any infrastructure to handle such
# packets and you may not have any
# rules with this SOURCE and DEST in
# the /etc/shorewall/rules file. If
# such a packet _is_ received, the
# result is undefined. NONE may not be
# used if the SOURCE or DEST columns
# contain the firewall zone ($FW) or
# "all".
#
# If the policy is DROP or REJECT then the policy should
# be followed by ":" and one of the following:
#
# a) The word "None" or "none". This causes any default
# action defined in /etc/shorewall/shorewall.conf to
# be omitted for this policy.
# b) The name of an action (requires that USE_ACTIONS=Yes
# in shorewall.conf). That action will be invoked
# before the policy is enforced.
# c) The name of a macro. The rules in that macro will
# be applied before the policy is enforced. This
# does not require USE_ACTIONS=Yes.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "-" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# Example:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
#
# #SOURCE DEST POLICY LOG
# # LEVEL
# loc net ACCEPT
# net all DROP info
# #
# # THE FOLLOWING POLICY MUST BE LAST
# #
# all all REJECT info
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
# /etc/shorewall/providers
#
# This file is used to define additional routing tables. You will
# want to define an additional table if:
#
# - You have connections to more than one ISP or multiple connections
# to the same ISP
#
# - You run Squid as a transparent proxy on a host other than the
# firewall.
#
# To omit a column, enter "-".
#
# Columns are:
#
# NAME The provider name. Must be a valid shell variable name.
# The names 'local', 'main', 'default' and 'unspec' are
# reserved and may not be used as provider names.
#
# NUMBER The provider number -- a number between 1 and 15
#
# MARK A FWMARK value used in your /etc/shorewall/tcrules
# file to direct packets to this provider.
#
# If HIGH_ROUTE_MARKS=Yes in shorewall.conf, then the
# value must be a multiple of 256 between 256 and 65280
# or their hexadecimal equivalents (0x0100 and 0xff00
# with the low-order byte of the value being zero).
# Otherwise, the value must be between 1 and 255.
#
# DUPLICATE The name of an existing table to duplicate. May be
# 'main' or the name of a previous provider.
#
# INTERFACE The name of the network interface to the provider.
# Must be listed in /etc/shorewall/interfaces.
#
# GATEWAY The IP address of the provider's gateway router.
#
# You can enter "detect" here and Shorewall will
# attempt to detect the gateway automatically.
#
# [ EXPERIMENTAL ] For PPP devices, you may omit this
# column.
#
# OPTIONS A comma-separated list selected from the following:
#
# track If specified, inbound connections on this interface
# are to be tracked so that responses may be routed back
# out this same interface.
#
# You want to specify 'track' if internet hosts will be
# connecting to local servers through this provider.
#
# balance The providers that have 'balance' specified will
# get outbound traffic load-balanced among them. By
# default, all interfaces with 'balance' specified
# will have the same weight (1). You can change the
# weight of an interface by specifiying balance=<weight>
# where <weight> is the weight of the route out of
# this interface.
#
# loose Shorewall normally adds a routing rule for each
# IP address on an interface which forces traffic
# whose source is that IP address to be sent using
# the routing table for that interface. Setting
# 'loose' prevents creation of such rules on this
# interface.
#
# optional
# If the interface named in the INTERFACE column is not
# up and configured with an IPv4 address then ignore
# this provider.
#
# COPY A comma-separated lists of other interfaces on your
# firewall. Only makes sense when DUPLICATE is 'main'.
# Only copy routes through INTERFACE and through
# interfaces listed here. If you only wish to copy
# routes through INTERFACE, enter 'none' here.
#
# Example: You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
# interface is eth2
#
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
# Squid 1 1 - eth2 192.168.2.99 -
#
# Example:
#
# eth0 connects to ISP 1. The IP address of eth0 is 206.124.146.176 and
# the ISP's gateway router has IP address 206.124.146.254.
#
# eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the
# ISP's gateway router has IP address 130.252.99.254.
#
# eth2 connects to a local network.
#
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
# ISP1 1 1 main eth0 206.124.146.254 track,balance eth2
# ISP2 2 2 main eth1 130.252.99.254 track,balance eth2
#
# See http://www.shorewall.net/MultiISP.html for additional
# information.
#
###############################################################################
# /etc/shorewall/proxyarp
#
# This file is used to define Proxy ARP.
#
# Columns are:
#
# ADDRESS IP Address
#
# INTERFACE Local interface where system is connected.
#
# EXTERNAL External Interface to be used to access this system
#
# HAVEROUTE If there is already a route from the firewall to
# the host whose address is given, enter "Yes" or "yes"
# in this column. Otherwise, entry "no", "No" or leave
# the column empty and Shorewall will add the route for
# you. If Shorewall adds the route,the route will be
# persistent if the PERSISTENT column contains Yes;
# otherwise, "shorewall stop" or "shorewall clear" will
# delete the route.
#
# PERSISTENT If HAVEROUTE is No or "no", then the value of this
# column determines if the route added by Shorewall
# persists after a "shorewall stop" or a "shorewall
# clear". If this column contains "Yes" or "yes" then
# the route persists; If the column is empty or contains
# "No"or "no" then the route is deleted at "shorewall
# stop" or "shorewall clear".
#
# Example: Host with IP 155.186.235.6 is connected to
# interface eth1 and we want hosts attached via eth0
# to be able to access it using that address.
#
# #ADDRESS INTERFACE EXTERNAL
# 155.186.235.6 eth1 eth0
#
# See http://shorewall.net/ProxyARP.htm for additional information.
#
###############################################################################
# /etc/shorewall/rfc1918
#
# Lists the subnetworks that are blocked by the 'norfc1918' interface
# option.
#
# The default list includes those IP addresses listed in RFC 1918.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
# SUBNETS A comma-separated list of subnet addresses
# (host addresses also allowed as are IP
# address ranges provided that your kernel and iptables
# have iprange match support).
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
# logdrop - log then drop
#
# By default, the RETURN target causes 'norfc1918' processing to cease
# for a packet if the packet's source IP address matches the rule. Thus,
# if you have:
#
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
#
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though
# you also have:
#
# SUBNETS TARGET
# 10.0.0.0/8 logdrop
#
# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic
# to be logged and dropped since while the packet's source matches the
# RETURN rule, the packet's destination matches the 'logdrop' rule.
###############################################################################
# /etc/shorewall/route_rules
#
# Entries in this file cause traffic to be routed to one of the
# providers listed in /etc/shorewall/providers.
#
# Columns are:
#
# SOURCE(optional)
# An ip address (network or host) that
# matches the source IP address in a packet.
# May also be specified as an interface
# name optionally followed by ":" and an
# address. If the device 'lo' is specified,
# the packet must originate from the firewall
# itself.
#
# DEST(optional) An ip address (network or host) that
# matches the destination IP address in a packet.
#
# If you choose to omit either SOURCE or DEST,
# place "-" in that column. Note that you
# may not omit both SOURCE and DEST.
#
# PROVIDER The provider to route the traffic through.
# May be expressed either as the provider name
# or the provider number. May also be 'main'
# or 254 for the main routing table. This can
# be used in combination with VPN tunnels, see
# example 2 below.
#
# PRIORITY
# The rule's priority which determines the order
# in which the rules are processed.
#
# 1000-1999 Before Shorewall-generated
# 'MARK' rules
#
# 11000- 11999 After 'MARK' rules but before
# Shorewall-generated rules for
# ISP interfaces.
#
# 26000-26999 After ISP interface rules but
# before 'default' rule.
#
# Rules with equal priority are applied in
# the order in which they appear in the file.
#
# Example 1: You want all traffic coming in on eth1 to be routed to the ISP1
# provider:
#
# #SOURCE DEST PROVIDER PRIORITY
# eth1 - ISP1 1000
#
# Example 2: You use OpenVPN (routed setup /tunX) in combination with multiple
# providers. In this case you have to set up a rule to ensure that
# the OpenVPN traffic is routed back through the tunX interface(s)
# rather than through any of the providers. 10.8.0.0/24 is the
# subnet choosen in your OpenVPN configuration (server 10.8.0.0
# 255.255.255.0)
#
# #SOURCE DEST PROVIDER PRIORITY
# - 10.8.0.0/24 main 1000
#
# For additional information, see
# http://www.shorewall.net/MultiISP.html
#
###############################################################################
# /etc/shorewall/routestopped
#
# This file is used to define the hosts that are accessible when the
# firewall is stopped or when it is in the process of being
# [re]started.
#
# Columns are:
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If your kernel and iptables include
# iprange match support, IP address ranges are also
# allowed.
#
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
# these hosts back to themselves.
#
# source - Allow traffic from these hosts to ANY
# destination. Without this option or the 'dest'
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'source' is specified then 'routeback' is redundant.
#
# dest - Allow traffic to these hosts from ANY
# source. Without this option or the 'source'
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'dest' is specified then 'routeback' is redundant.
#
# critical - Allow traffic between the firewall and
# these hosts throughout '[re]start', 'stop' and
# 'clear'. Specifying 'critical' on one or more
# entries will cause your firewall to be "totally
# open" for a brief window during each of those
# operations.
#
# NOTE: The 'source' and 'dest' options work best when used
# in conjunction with ADMINISABSENTMINDED=Yes in
# /etc/shorewall/shorewall.conf.
#
# Example:
#
# INTERFACE HOST(S) OPTIONS
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
# eth3 - source
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
###############################################################################
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#------------------------------------------------------------------------------
#
# The rules file is divided into sections. Each section is introduced by
# a "Section Header" which is a line beginning with SECTION followed by the
# section name.
#
# Sections are as follows and must appear in the order listed:
#
# ESTABLISHED Packets in the ESTABLISHED state are processed
# by rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# RELATED Packets in the RELATED state are processed by
# rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# NEW Packets in the NEW and INVALID states are
# processed by rules in this section.
#
# Note: If you are not familiar with Netfilter to the point where you are
# comfortable with the differences between the various connection
# tracking states, then I suggest that you omit the ESTABLISHED and
# RELATED sections and place all of your rules in the NEW section
# (That's after the line that reads SECTION NEW').
#
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
# ESTABLISHED and RELATED sections must be empty.
#
# You may omit any section that you don't need. If no Section Headers appear
# in the file then all rules are assumed to be in the NEW section.
#
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG, QUEUE, COMMENT, a <macro>, or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
# -- Advanced users only.
# Like REDIRET but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
#
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as ftwall
# (http://p2pwall.sf.net).
# COMMENT -- the rest of the line will be attached
# as a comment to the Netfilter rule(s)
# generated by the following entres.
# The comment will appear delimited by
# "/* ... */" in the output of
# "shorewall show <chain>". To stop
# the comment from being attached to
# further rules, simply include
# COMMENT on a line by itself.
# <action> -- The name of an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
# <macro> -- The name of a macro defined in a
# file named macro.<macro-name>. If
# the macro accepts an action
# parameter (Look at the macro
# source to see if it has PARAM in
# the TARGET column) then the macro
# name is followed by "/" and the
# action (ACCEPT, DROP, REJECT, ...)
# to be substituted for the
# parameter. Example: FTP/ACCEPT.
#
# The ACTION may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT:debug). This causes the packet to be
# logged at the specified level.
#
# If the ACTION names an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std then:
#
# - If the log level is followed by "!' then all rules
# in the action are logged at the log level.
#
# - If the log level is not followed by "!" then only
# those rules in the action that do not specify
# logging are logged at the specified level.
#
# - The special log level 'none!' suppresses logging
# by the action.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all", "all+", "all-", "all+-" or
# "none".
#
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# "all" means "All Zones", including the firewall itself.
# "all-" means "All Zones, except the firewall itself".
# When "all[-]" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. When "all+[-]" is
# "used, intra-zone traffic is affected.
#
# Except when "all[+][-]" is specified, clients may be
# further restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of source bindings to be
# matched.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in
# the net zone.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself, "all". "all+" or "none".
#
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. When "all+" is
# used, intra-zone traffic is affected.
#
# Except when "all[+]" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# Like in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of destination bindings
# to be matched. Only one of the SOURCE and DEST columns
# may specify an ipset name.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
# "ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
# "ipp2p*" requires ipp2p match support in your kernel
# and iptables.
#
# "tcp:syn" implies "tcp" plus the SYN flag must be
# set and the RST,ACK and FIN flags must be reset.
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no port is given, "ipp2p" is
# assumed.
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ORIGINAL DEST in the next column, then
# place "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
# then if included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# For other actions, this column may be included and may
# contain one or more addresses (host or network)
# separated by commas. Address ranges are not allowed.
# When this column is supplied, rules are generated
# that require that the original destination address
# matches one of the listed addresses. This feature is
# most useful when you want to generate a filter rule
# that corresponds to a DNAT- or REDIRECT- rule. In this
# usage, the list of addresses should not begin with "!".
#
# See http://shorewall.net/PortKnocking.html for an
# example of using an entry in this column with a
# user-defined action rule.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd (This feature was
# #removed from Netfilter in kernel
# #version 2.6.14).
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the
# internet to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 $FW \
# tcp 22
#
# See http://www.shorewall.net/Documentation.htm#Rules for additional
# information.
#
###############################################################################
# Based on tc4shorewall version 0.5 by Arne Bernin
#
# /etc/shorewall/tcclasses
#
# Define the classes used for traffic shaping in this file.
#
# A note on the rate/bandwidth definitions used in this file:
#
# - don't use a space between the integer value and
# the unit: 30kbit is valid while 30 kbit is NOT.
#
# - you can use one of the following units:
#
# kbps Kilobytes per second
# mbps Megabytes per second
# kbit Kilobits per second
# mbit Megabits per second
# bps or a
# bare number Bytes per second
#
# - if you want the values to be calculated for you depending
# on the output bandwidth setting defined for an interface
# in tcdevices, you can use expressions like the following:
#
# full/3 causes the bandwidth to be calculated
# as 3 of the the full outgoing
# speed that is defined.
#
# full*9/10 will set this bandwidth to 9/10 of
# the full bandwidth
#
# DO NOT add a unit to the rate if it is calculated !
#
# Columns are:
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# You may NOT specify wildcards here, e.g. if you
# have multiple ppp interfaces, you need to put
# them all in here!
#
# Please note that you can only use interface names
# in here that have a bandwidth defined in the tcdevices
# file
#
# MARK The mark value which is an integer in the range 1-255.
# You define this marks in the tcrules file, marking
# the traffic you want to fit in the classes defined
# in here.
#
# You can use the same marks for different interfaces.
#
# RATE The minimum bandwidth this class should get,
# when the traffic load rises.
#
# CEIL The maximum bandwidth this class is allowed to use
# when the link is idle. Useful if you have traffic
# which can get full speed when more needed services
# (e.g. ssh) are not used.
#
# You can use the value "full" in here for setting
# the maximum bandwidth to the defined output bandwidth
# of that interface
#
# PRIORITY The priority in which classes will be serviced by
# the packet shaping scheduler and also the priority
# in which bandwidth in excess of the rate will be
# given to each class.
#
# Higher priority classes will experience less delay
# since they are serviced first. Priority values
# are serviced in ascending order (e.g. 0 is higher
# priority than 1).
#
# Classes may be set to the same priority, in which
# case they will be serviced as equals.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# default - this is the default class for that
# interface where all traffic should go,
# that is not classified otherwise.
#
# NOTE: defining default for exactly one
# class per interface is mandatory!
#
# tos=0x<value>[/0x<mask>] (mask defaults to 0xff)
# - this lets you define a classifier
# for the given <value>/<mask>
# combination of the IP packet's
# TOS/Precedence/DiffSrv octet (aka the
# TOS byte). Please note, classifiers
# override all mark settings, so if you
# define a classifer for a class, all
# traffic having that mark will go in it
# regardless of any mark set on the
# packet by a firewall/mangle filter.
#
# NOTE: multiple tos= statements may be
# applied per class and per interface,
# but a given value/mask pair is valid
# for only ONE class per interface.
#
# tos-<tosname> - aliases for the following TOS octet
# value and mask encodings. TOS
# encodings of the "TOS byte" have been
# deprecated in favor of diffserve
# classes, but programs like ssh,
# rlogin, and ftp still use them.
#
# tos-minimize-delay 0x10/0x10
# tos-maximize-throughput 0x08/0x08
# tos-maximize-reliability 0x04/0x04
# tos-minimize-cost 0x02/0x02
# tos-normal-service 0x00/0x1e
#
# NOTE: each of this options is only
# valid for ONE class per interface.
#
# tcp-ack - if defined causes an tc filter to
# be created that puts all tcp ack
# packets on that interface that have
# an size of <=64 Bytes to go in this
# class. This is useful for speeding up
# downloads. Please note that the size
# of the ack packets is limited to 64
# bytes as some applications (p2p for
# example) use to make every packet an
# ack packet which would cause them
# all into here. We want only packets
# WITHOUT payload to match, so the size
# limit.
#
# NOTE: This option is only valid for
# ONE class per interface.
#
#
#
# Example 1: Suppose you are using PPP over Ethernet (DSL)
# and ppp0 is the interface for this. You have 4 classes
# here, the first you can use for voice over IP
# traffic, the second interactive traffic (e.g.
# ssh/telnet but not scp), the third will be for all
# unclassified traffic, and the forth is for low
# priority traffic (e.g. peer-to-peer).
#
# The voice traffic in the first class will be
# guaranteed a minimum of 100kbps and always be
# serviced first (because of the low priority number,
# giving less delay) and will be granted excess
# bandwidth (up to 180kbps, the class ceiling) first,
# before any other traffic. A single VOIP stream,
# depending upon codecs, after encapsulation, can take
# up to 80kbps on a PPOE/DSL link, so we pad a little
# bit just in case. (TOS byte values 0xb8 and 0x68
# are DiffServ classes EF and AFF3-1 respectively and
# are often used by VOIP devices).
#
# Interactive traffic (tos-minimum-delay) and
# TCP acks (and ICMP echo traffic if you use the example
# in tcrules) and any packet with a mark of 2 will be
# guaranteed 1/4 of the link bandwidth, and may extend
# up to full speed of the link.
#
# Unclassified traffic and packets marked as 3 will be
# guaranteed 1/4th of the link bandwidth, and may extend
# to the full speed of the link.
#
# Packets marked with 4 will be treated as low priority
# packets. (The tcrules example marks p2p traffic as
# such.) If the link is congested, they're only
# guaranteed 1/8th of the speed, and even if the link is
# empty, can only expand to 80% of link bandwidth just
# as a precaution in case there are upstream queues we
# didn't account for. This is the last class to get
# additional bandwidth and the last to get serviced by
# the scheduler because of the low priority.
#
# ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc
# ppp0 2 full/4 full 2 tcp-ack,tos-minimize-delay
# ppp0 3 full/4 full 3 default
# ppp0 4 full/8 full*8/10 4
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
# Based on tc4shorewall version 0.5 by Arne Bernin
#
# /etc/shorewall/tcdevices
#
# Entries in this file define the bandwidth for interfaces
# on which you want traffic shaping to be enabled.
#
# If you do not plan to use traffic shaping for a device,
# don't put it in here as it limits the troughput of that
# device to the limits you set here.
#
# Columns are:
#
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# You man NOT specify wildcards here, e.g. if you
# have multiple ppp interfaces, you need to put
# them all in here!
#
# If the device doesn't exist, a warning message will
# be issued during "shorewall [re]start" and "shorewall
# refresh" and traffic shaping configuration will be
# skipped for that device.
#
# IN-BANDWIDTH The incoming Bandwidth of that interface. Please
# note that you are not able to do traffic shaping
# on incoming traffic, as the traffic is already
# received before you could do so. But this allows
# you to define the maximum traffic allowed for
# this interface in total, if the rate is exceeded,
# the packets are dropped.
# You want this mainly if you have a DSL or Cable
# connection to avoid queuing at your providers side.
#
# If you don't want any traffic to be dropped set this
# to a value faster than your interface.
#
# Use kbit or kbps(for Kilobytes per second) for
# speed, and make sure there is NO space between the
# number and the unit.
#
# OUT-BANDWIDTH The outgoing Bandwidth of that interface.
# This is the maximum speed you connection can handle.
# It is also the speed you can refer as "full" if
# you define the tc classes.
# Outgoing traffic above this rate will be dropped.
#
# Use kbit or kbps(for Kilobytes per second) for
# speed, and make sure there is NO space between the
# number and the unit.
#
# Example 1: Suppose you are using PPP over Ethernet (DSL)
# and ppp0 is the interface for this. The
# device has an outgoing bandwidth of 500kbit and an
# incoming bandwidth of 6000kbit
# ppp0 6000kbit 500kbit
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
# /etc/shorewall/tcrules
#
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing.
#
# I M P O R T A N T ! ! ! !
#
# Unlike rules in the /etc/shorewall/rules file, evaluation
# of rules in this file will continue after a match. So the
# final mark for each packet will be the one assigned by the
# LAST tcrule that matches.
#
# If you use multiple internet providers with the 'track' option,
# in /etc/shorewall/providers be sure to read the restrictions at
# http://shorewall.net/MultiISP.html.
#
# Columns are:
#
#
# MARK/ a) A mark value which is an integer in the range 1-255.
# CLASSIFY
# Normally will set the mark value. If preceded by
# a vertical bar ("|"), the mark value will be
# logically ORed with the current mark value to
# produce a new mark value. If preceded by an
# ampersand ("&"), will be logically ANDed with the
# current mark value to produce a new mark value.
#
# Both "|" and "&" require Extended MARK Target
# support in your kernel and iptables; neither may
# be used with connection marks (see below).
#
# If HIGH_ROUTE_MARKS=Yes in shorewall.conf then
# you may also specify a value in the range 0x0100-
# 0xFF00 with the low-order byte being zero. Such
# values may only be used in the PREROUTING chain
# (value followed by :F or you have set
# MARK_IN_FORWARD_CHAIN=Yes in shorewall conf and have
# not followed the value with :P) or the OUTPUT chain
# (SOURCE is $FW).
#
# May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking
# should occur in the FORWARD chain. If neither
# ":P" nor ":F" follow the mark value then the chain
# is determined by the setting of
# MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf.
#
# If your kernel and iptables include CONNMARK support
# then you can also mark the connection rather than
# the packet.
#
# The mark value may be optionally followed by "/"
# and a mask value (used to determine those bits of
# the connection mark to actually be set). The
# mark and optional mask are then followed by one of:
#
# C - Mark the connection in the chain determined
# by the setting of MARK_IN_FORWARD_CHAIN
#
# CF: Mark the connection in the FORWARD chain
#
# CP: Mark the connection in the PREROUTING
# chain.
#
# b) A classification (classid) of the form
# <major>:<minor> where <major> and <minor> are
# integers. Corresponds to the 'class' specification
# in these traffic shaping modules:
#
# - atm
# - cbq
# - dsmark
# - pfifo_fast
# - htb
# - prio
#
# Classification occurs in the POSTROUTING chain except
# when the SOURCE is $FW[:<address>] in which case
# marking occurs in the OUTPUT chain.
#
# c) RESTORE[/mask] -- restore the packet's mark from the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK
# support.
#
# As in a) above, may be followed by ":P" or ":F
#
# c) SAVE[/mask] -- save the packet's mark to the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK
# support.
#
# As in a) above, may be followed by ":P" or ":F
#
# d) CONTINUE -- don't process any more marking rules in
# the table.
#
# As in a) above, may be followed by ":P" or ":F".
#
# e) COMMENT -- the rest of the line will be attached as
# a comment to the Netfilter rule(s) generated by the
# following entries. The comment will appear delimited
# by "/* ... */" in the output of "shorewall show
# mangle"
#
# To stop the comment from being attached to further
# rules, simply include COMMENT on a line by itself.
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses and/or
# subnets for packets being routed through a common path.
# List elements may also consist of an interface name
# followed by ":" and an address
# (e.g., eth1:192.168.1.0/24). For example, all packets
# for connections masqueraded to eth0 from other
# interfaces can be matched in a single rule with
# several alternative SOURCE criteria. However, a
# connection whose packets gets to eth0 in a
# different way, e.g., direct from the firewall itself,
# needs a different rule.
#
# Accordingly, use $FW in its own separate rule for
# packets originating on the firewall. In such a rule,
# the MARK column may NOT specify either ":P" or ":F"
# because marking for firewall-originated packets
# always occurs in the OUTPUT chain.
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Destination of the packet. Comma separated list of
# IP addresses and/or subnets. If your kernel and
# iptables include iprange match support, IP address
# ranges are also allowed. List elements may also
# consist of an interface name followed by ":" and an
# address (e.g., eth1:192.168.1.0/24).
# If the MARK column specificies a classification of
# the form <major>:<minor> then this column may also
# contain an interface name.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# "ipp2p:udp", "ipp2p:all" a number, or "all".
# "ipp2p" requires ipp2p match support in your kernel
# and iptables.
#
# PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no PORT is given, "ipp2p" is
# assumed.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following field is supplied.
# In that case, it is suggested that this field contain
# "-"
#
# SOURCE PORT(S) (Optional) Source port(s). If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# USER This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective user and/or group.
#
# It may contain :
#
# [<user name or number>]:[<group name or number>][+<program name>]
#
# The colon is optionnal when specifying only a user
# or a program name.
# Examples : john: , john , :users , john:users ,
# +mozilla-bin (Support for program names
# was removed from Netfilter in Kernel
# version 2.6.14).
#
# TEST Defines a test on the existing packet or connection
# mark. The rule will match only if the test returns
# true. Tests have the format [!]<value>[/<mask>][:C]
#
# Where:
#
# ! Inverts the test (not equal)
# <value> Value of the packet or connection mark.
# <mask> A mask to be applied to the mark before
# testing
# :C Designates a connection mark. If
# omitted, the packet mark's value is
# tested.
#
# If you don't want to define a test but need to specify
# anything in the following columns, place a "-" in this
# field.
#
# LENGTH (Optional) Packet Length. This field, if present
# allow you to match the length of a packet against
# a specific value or range of values. You must have
# iptables length support for this to work.
# A range is specified in the form <min>:<max>
# where either <min> or <max> (but not both) may be
# omitted. If <min> is omitted, then 0 is assumed; if
# <max> is omitted, than any packet that is <min> or
# longer will match.
#
# Examples: 1024, 64:1500, :100 (packet of length
# 100 bytes or less)
#
# If you don't want to define a test but need to specify
# anything in the following columns, place a "-" in this
# field.
#
# TOS Type of service. Either a standard name, or a numeric
# value to match.
#
# Minimize-Delay (16)
# Maximize-Throughput (8)
# Maximize-Reliability (4)
# Minimize-Cost (2)
# Normal-Service (0)
#
# Example 1:
#
# Mark all ICMP echo traffic with packet mark 1.
# Mark all peer to peer traffic with packet mark 4.
#
# This is a little more complex than otherwise expected. Since
# the ipp2p module is unable to determine all packets in a
# connection are P2P packets, we mark the entire connection as
# P2P if any of the packets are determined to match.
#
# We assume packet/connection mark 0 to means unclassified.
#
# 1 0.0.0.0/0 0.0.0.0/0 icmp echo-request
# 1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
#
# RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
# CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
# 4 0.0.0.0/0 0.0.0.0/0 ipp2p:all
# SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0
#
# "If a packet hasn't been classifed (packet mark is 0), copy
# the connection mark to the packet mark. If the packet mark
# is set, we're done. If the packet is P2P, set the packet
# mark to 4. If the packet mark has been set, save it to the
# connection mark."
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
#
###############################################################################
# /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
# Columns are:
#
# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address, a MAC address, a subnet
# specification or the name of an interface.
#
# Example: loc:192.168.2.3
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address or a subnet specification
#
# Example: loc:192.168.2.3
#
# PROTOCOL Protocol.
#
# SOURCE PORTS Source port or port range. If all ports, use "-".
#
# DEST PORTS Destination port or port range. If all ports, use "-"
#
# TOS Type of service. Must be one of the following:
#
# Minimize-Delay (16)
# Maximize-Throughput (8)
# Maximize-Reliability (4)
# Minimize-Cost (2)
# Normal-Service (0)
#
# See http://shorewall.net/Documentation.htm#TOS for additional
# information.
#
###############################################################################
# /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
# IPIP, GRE and OPENVPN tunnels must be configured on the
# firewall/gateway itself. IPSEC endpoints may be defined
# on the firewall/gateway or on an internal system.
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat",
# "ipip", "gre", "6to4", "pptpclient", "pptpserver",
# "openvpn", "openvpnclient", "openvpnserver" or
# "generic"
#
# If the type is "ipsec" or "ipsecnat", it may be
# followed by ":noah" to indicate that the Authentication
# Header protocol (51) is not used by the tunnel.
#
# If type is "openvpn", "openvpnclient" or
# "openvpnserver" it may optionally be followed by ":"
# and "tcp" or "udp" to specify the protocol to be
# used. If not specified, "udp" is assumed.
#
# If type is "openvpn", "openvpnclient" or
# "openvpnserver" it may optionally be followed
# by ":" and the port number used by the tunnel. if no
# ":" and port number are included, then the default port
# of 1194 will be used. . Where both the protocol and port
# are specified, the protocol must be given first (e.g.,
# openvpn:tcp:4444).
#
# If type is "generic", it must be followed by ":" and
# a protocol name (from /etc/protocols) or a protocol
# number. If the protocol is "tcp" or "udp" (6 or 17),
# then it may optionally be followed by ":" and a
# port number.
#
# ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet
# zone.
#
# GATEWAY -- The IP address of the remote tunnel gateway. If the
# remote gateway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0. May be
# specified as a network address and if your kernel and
# iptables include iprange match support then IP address
# ranges are also allowed.
#
# GATEWAY
# ZONES -- Optional. If the gateway system specified in the third
# column is a standalone host then this column should
# contain a comma-separated list of the names of the
# zones that the host might be in. This column only
# applies to IPSEC tunnels where it enables ISAKMP
# traffic to flow through the tunnel to the remote
# gateway.
#
# Example 1:
#
# IPSec tunnel. The remote gateway is 4.33.99.124 and
# the remote subnet is 192.168.9.0/24. The tunnel does
# not use the AH protocol
#
# ipsec:noah net 4.33.99.124
#
# Example 2:
#
# Road Warrior (LapTop that may connect from anywhere)
# where the "gw" zone is used to represent the remote
# LapTop.
#
# ipsec net 0.0.0.0/0 gw
#
# Example 3:
#
# Host 4.33.99.124 is a standalone system connected
# via an ipsec tunnel to the firewall system. The host
# is in zone gw.
#
# ipsec net 4.33.99.124 gw
#
# Example 4:
#
# Road Warriors that may belong to zones vpn1, vpn2 or
# vpn3. The FreeS/Wan _updown script will add the
# host to the appropriate zone using the "shorewall add"
# command on connect and will remove the host from the
# zone at disconnect time.
#
# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
#
# Example 5:
#
# You run the Linux PPTP client on your firewall and
# connect to server 192.0.2.221.
#
# pptpclient net 192.0.2.221
#
# Example 6:
#
# You run a PPTP server on your firewall.
#
# pptpserver net
#
# Example 7:
#
# OPENVPN tunnel. The remote gateway is 4.33.99.124 and
# openvpn uses port 7777.
#
# openvpn:7777 net 4.33.99.124
#
# Example 8:
#
# You have a tunnel that is not one of the supported
# types. Your tunnel uses UDP port 4444. The other end
# of the tunnel is 4.3.99.124.
#
# generic:udp:4444 net 4.3.99.124
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional
# information.
#
###############################################################################
# /etc/shorewall/zones
#
# This file declares your network zones. You specify the hosts in
# each zone through entries in /etc/shorewall/interfaces or
# /etc/shorewall/hosts.
#
# WARNING: The format of this file changed in Shorewall 3.0.0. You can
# continue to use your old records provided that you set
# IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
# signal Shorewall that the IPSEC-related zone options are
# still specified in /etc/shorewall/ipsec rather than in this
# file.
#
# To use records in the format described below, you must have
# IPSECFILE=zones specified in /etc/shorewall/shorewall.conf
# AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!!
#
# Columns are:
#
# ZONE Short name of the zone. The names "all" and "none" are reserved
# and may not be used as zone names. The maximum length of a
# zone name is determined by the setting of the LOGFORMAT option
# in shorewall.conf. With the default LOGFORMAT, zone names can
# be at most 5 characters long.
#
# Where a zone is nested in one or more other zones,
# you may follow the (sub)zone name by ":" and a
# comma-separated list of the parent zones. The parent
# zones must have been defined in earlier records in this
# file.
#
# Example:
#
# #ZONE TYPE OPTIONS
# a ipv4
# b ipv4
# c:a,b ipv4
#
# Currently, Shorewall uses this information to reorder the
# zone list so that parent zones appear after their subzones in
# the list. The IMPLICIT_CONTINUE option in shorewall.conf can
# also create implicit CONTINUE policies to/from the subzone.
#
# In the future, Shorewall may make additional use
# of nesting information.
#
# TYPE ipv4 - This is the standard Shorewall zone type and is the
# default if you leave this column empty or if you enter
# "-" in the column. Communication with some zone hosts
# may be encrypted. Encrypted hosts are designated using
# the 'ipsec'option in /etc/shorewall/hosts.
# ipsec - Communication with all zone hosts is encrypted
# Your kernel and iptables must include policy
# match support.
# firewall
# - Designates the firewall itself. You must have
# exactly one 'firewall' zone. No options are
# permitted with a 'firewall' zone. The name that you
# enter in the ZONE column will be stored in the shell
# variable $FW which you may use in other configuration
# files to designate the firewall zone.
#
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA used to encrypt/decrypt packets.
#
# proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict
#
# Example:
# mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
#------------------------------------------------------------------------------
# Example zones:
#
# You have a three interface firewall with internet, local and DMZ
# interfaces.
#
# #ZONE TYPE OPTIONS IN OUT
# # OPTIONS OPTIONS
# fw firewall
# net ipv4
# loc ipv4
# dmz ipv4
#
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
#
###############################################################################