mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-08 08:44:05 +01:00
b66929a65e
1) Elimination of the "shorewall monitor" command.
2) The /etc/shorewall/ipsec and /etc/shorewall/zones files are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files.
3) Support has been added for the arp_ignore interface option.
4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified.
5) The 'nobogons' option and BOGON_LOG_LEVEL are removed.
6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:).
7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target.
8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall ensures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewalls with NFS-mounted file systems, LDAP servers, Crossbow, etc.
9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch.
10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No.
11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
71 lines
2.1 KiB
Plaintext
#
# Shorewall 2.6 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#       ZONE            Short name of the zone (5 characters or less in length).
#                       The names "all" and "none" are reserved and may not be
#                       used as zone names.
#
#       IPSEC           Yes -- Communication with all zone hosts is encrypted.
#       ONLY                   Your kernel and iptables must include policy
#                              match support.
#                       No  -- Communication with some zone hosts may be encrypted.
#                              Encrypted hosts are designated using the 'ipsec'
#                              option in /etc/shorewall/hosts.
#
#       OPTIONS,        A comma-separated list of options as follows:
#       IN OPTIONS,
#       OUT OPTIONS     reqid=<number>          where <number> is specified
#                                               using setkey(8) using the 'unique:<number>'
#                                               option for the SPD level.
#
#                       spi=<number>            where <number> is the SPI of
#                                               the SA used to encrypt/decrypt packets.
#
#                       proto=ah|esp|ipcomp
#
#                       mss=<number>            (sets the MSS field in TCP packets)
#
#                       mode=transport|tunnel
#
#                       tunnel-src=<address>[/<mask>]   (only
#                                               available with mode=tunnel)
#
#                       tunnel-dst=<address>[/<mask>]   (only
#                                               available with mode=tunnel)
#
#                       strict                  Means that packets must match all rules.
#
#                       next                    Separates rules; can only be used with
#                                               strict.
#
#                       Example:
#                               mode=transport,reqid=44
#
#                       The options in the OPTIONS column are applied to both incoming
#                       and outgoing traffic. The IN OPTIONS are applied to incoming
#                       traffic (in addition to OPTIONS) and the OUT OPTIONS are
#                       applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#--------------------------------------------------------------------------------
# Example zones:
#
#   You have a three interface firewall with internet, local and DMZ interfaces.
#
#   #ZONE   IPSEC   OPTIONS         IN              OUT
#   net
#   loc
#   dmz
#
#ZONE   IPSEC   OPTIONS         IN              OUT
#       ONLY                    OPTIONS         OPTIONS
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
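As an added example (not Shorewall's own code), a small Python validator for the zones format documented in this file: it checks the constraints the comments state (zone names of 5 characters or fewer, "all" and "none" reserved, "-" as an empty column, the proto and mode value sets, tunnel-src/tunnel-dst only with mode=tunnel, next only together with strict) against a constructed sample file. The option names are taken from the comments above; the sample zones and the "next splits a strict list into separate rules" reading are assumptions.

```python
# Hypothetical validator for the zones format described above; not Shorewall's own code.
RESERVED = {"all", "none"}
VALUES = {"proto": {"ah", "esp", "ipcomp"}, "mode": {"transport", "tunnel"}}
NUMERIC = {"reqid", "spi", "mss"}
ADDR = {"tunnel-src", "tunnel-dst"}  # only valid together with mode=tunnel

def validate_options(field, col):  # error strings for one options column
    errors = []
    items = field.split(",") if field not in ("", "-") else []  # '-' = no options
    strict, rules = "strict" in items, [[]]  # 'next' splits a strict list into rules
    for item in items:
        if item == "next":
            if not strict:
                errors.append(f"{col}: 'next' requires 'strict'")
            rules.append([])
        elif item != "strict":
            rules[-1].append(item)
    for rule in rules:
        kv = dict(i.partition("=")[::2] for i in rule)  # key -> value ('' if no '=')
        for key, val in kv.items():
            if key in VALUES and val not in VALUES[key]:
                errors.append(f"{col}: {key}={val!r} not one of {sorted(VALUES[key])}")
            elif key in NUMERIC and not val.isdigit():
                errors.append(f"{col}: {key} must be a number")
            elif key in ADDR and kv.get("mode") != "tunnel":
                errors.append(f"{col}: {key} only valid with mode=tunnel")
            elif key not in VALUES.keys() | NUMERIC | ADDR:
                errors.append(f"{col}: unknown option {key!r}")
    return errors

def parse_zones(text):  # -> (zones, errors); columns: ZONE IPSEC OPTIONS IN OUT
    zones, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drops comments and the LAST LINE marker
        if not line:
            continue
        name, ipsec, opts, inopt, outopt = (line.split() + ["-"] * 5)[:5]  # missing = '-'
        if len(name) > 5 or name in RESERVED:
            errors.append(f"line {lineno}: bad zone name {name!r} (max 5 chars, not all/none)")
        for col, field in (("OPTIONS", opts), ("IN OPTIONS", inopt), ("OUT OPTIONS", outopt)):
            errors.extend(f"line {lineno}: {e}" for e in validate_options(field, col))
        zones.append({"zone": name, "ipsec_only": ipsec == "Yes", "options": opts,
                      "in": inopt, "out": outopt})
    return zones, errors

SAMPLE = """#ZONE   IPSEC   OPTIONS                 IN      OUT       (constructed sample)
net
vpn     Yes     mode=tunnel,reqid=44    -       -
bad1    Yes     strict,proto=esp,next,tunnel-src=10.0.0.1
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE"""
```

Running parse_zones(SAMPLE) accepts net and vpn and reports the bad1 line, whose second strict rule uses tunnel-src without mode=tunnel.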