mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-05 04:58:49 +01:00
48719a6621
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@182 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
228 lines
17 KiB
HTML
228 lines
17 KiB
HTML
<html>
|
||
|
||
<head>
|
||
<meta http-equiv="Content-Language" content="en-us">
|
||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||
<title>Configuration File Basics</title>
|
||
<meta name="Microsoft Theme" content="radial 011, default">
|
||
</head>
|
||
|
||
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
||
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Configuration Files<!--mstheme--></font></h1>
|
||
<p><b><font color="#FF0000">Warning: </font>If you copy or edit your
|
||
configuration files on a system running Microsoft Windows, you <u>must</u>
|
||
run them through <a href="http://www.megaloman.com/~hany/software/hd2u/">
|
||
dos2unix</a> before you use them with Shorewall.</b></p>
|
||
|
||
|
||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Files<!--mstheme--></font></h2>
|
||
|
||
|
||
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
|
||
|
||
|
||
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/shorewall.conf - used to set several firewall
|
||
parameters.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/params - use this file to set shell variables that you will
|
||
expand in other files.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/zones - partition the firewall's view of the world
|
||
into <i>zones.</i><!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/policy - establishes firewall high-level policy.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/interfaces - describes the interfaces on the
|
||
firewall system.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/hosts - allows defining zones in terms of individual
|
||
hosts and subnetworks.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/masq - directs the firewall where to use many-to-one
|
||
(dynamic) Network Address Translation (a.k.a. Masquerading) and Source
|
||
Network Address Translation (SNAT).<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/modules - directs the firewall to load kernel modules.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/rules - defines rules that are exceptions to the
|
||
overall policies established in /etc/shorewall/policy.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/nat - defines static NAT rules.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/proxyarp - defines use of Proxy ARP.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
|
||
accessible when Shorewall is stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tcrules - defines marking of packets for later use by
|
||
traffic control/shaping or policy routing.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tos - defines rules for setting the TOS field in packet
|
||
headers.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on
|
||
the firewall system.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Comments<!--mstheme--></font></h2>
|
||
|
||
|
||
<p>You may place comments in configuration files by making the first non-whitespace
|
||
character a pound sign ("#"). You may also place comments at the end of any line, again by
|
||
delimiting the comment from the rest of the line with a pound sign.</p>
|
||
|
||
|
||
<p>Examples:</p>
|
||
|
||
|
||
<!--mstheme--></font><pre># This is a comment</pre><!--mstheme--><font face="arial, Arial, Helvetica"><!--mstheme--></font><pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Line Continuation<!--mstheme--></font></h2>
|
||
|
||
|
||
<p>You may continue lines in the configuration files using the usual backslash ("\") followed
|
||
immediately by a new line character.</p>
|
||
|
||
|
||
<p>Example:</p>
|
||
|
||
|
||
<!--mstheme--></font><pre>ACCEPT net fw tcp \
|
||
smtp,www,pop3,imap #Services running on the firewall</pre><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Complementing an Address or Subnet<!--mstheme--></font></h2>
|
||
|
||
<p>Where specifying an IP address, a subnet or an interface, you can
|
||
precede the item with "!" to specify the complement of the item. For
|
||
example, !192.168.1.4 means "any host but 192.168.1.4".</p>
|
||
|
||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Comma-separated Lists<!--mstheme--></font></h2>
|
||
|
||
<p>Comma-separated lists are allowed in a number of contexts within the
|
||
configuration files. A comma separated list:</p>
|
||
|
||
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Must not have any embedded white space.<br>
|
||
Valid: routestopped,dhcp,norfc1918<br>
|
||
Invalid: routestopped, dhcp,
|
||
norfc1818<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you use line continuation to break a comma-separated list, the
|
||
continuation line(s) must begin in column 1 (or there would be embedded
|
||
white space)<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Entries in a comma-separated list may appear in any order.<!--mstheme--></font><!--msthemelist--></td></tr>
|
||
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
|
||
|
||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Numbers/Service Names<!--mstheme--></font></h2>
|
||
|
||
<p>Unless otherwise specified, when giving a port number you can use
|
||
either an integer or a service name from /etc/services. </p>
|
||
|
||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Ranges<!--mstheme--></font></h2>
|
||
|
||
<p>If you need to specify a range of ports, the proper syntax is <<i>low
|
||
port number</i>>:<<i>high port number</i>>.</p>
|
||
|
||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Using Shell Variables<!--mstheme--></font></h2>
|
||
|
||
<p>You may use the file /etc/shorewall/params
|
||
file to set shell variables that you can then use in some of the other
|
||
configuration files.</p>
|
||
|
||
<p>It is suggested that variable names begin with an upper case letter<font size="1">
|
||
</font>to distinguish them from variables used internally within the
|
||
Shorewall programs</p>
|
||
|
||
<p>Example:</p>
|
||
|
||
<blockquote>
|
||
<p>NET_IF=eth0<br>
|
||
NET_BCAST=130.252.100.255<br>
|
||
NET_OPTIONS=noping,norfc1918</p>
|
||
</blockquote>
|
||
|
||
<p><br>
|
||
Example (/etc/shorewall/interfaces record):</p>
|
||
|
||
<font face="Century Gothic, Arial, Helvetica">
|
||
|
||
<blockquote>
|
||
<p><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></p>
|
||
</blockquote>
|
||
|
||
</font>
|
||
|
||
<p>The result will be the same as if the record had been written</p>
|
||
|
||
<font face="Century Gothic, Arial, Helvetica">
|
||
|
||
<blockquote>
|
||
<p>net eth0 130.252.100.255 noping,norfc1918</p>
|
||
</blockquote>
|
||
|
||
</font>
|
||
|
||
<p>Variables may be used anywhere in the
|
||
other configuration files.</p>
|
||
|
||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Using MAC Addresses<!--mstheme--></font></h2>
|
||
|
||
<p>Media Access Control (MAC)
|
||
addresses can be used to specify packet source in several of the
|
||
configuration files. To use this feature, your kernel must have MAC
|
||
Address Match support (CONFIG_IP_NF_MATCH_MAC) included.</p>
|
||
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
|
||
unique MAC address.<br>
|
||
<br>
|
||
In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers
|
||
separated by colons. Example:<br>
|
||
<br>
|
||
[root@gateway root]# ifconfig eth0<br>
|
||
eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
|
||
inet addr:206.124.146.176 Bcast:206.124.146.255
|
||
Mask:255.255.255.0<br>
|
||
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
|
||
RX packets:2398102 errors:0 dropped:0 overruns:0
|
||
frame:0<br>
|
||
TX packets:3044698 errors:0 dropped:0 overruns:0
|
||
carrier:0<br>
|
||
collisions:30394 txqueuelen:100<br>
|
||
RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
|
||
(1582.8 Mb)<br>
|
||
Interrupt:11 Base address:0x1800<br>
|
||
<br>
|
||
Because Shorewall uses colons as a separator for address fields, Shorewall requires
|
||
MAC addresses to be written in another way. In Shorewall, MAC addresses
|
||
begin with a tilde ("~") and consist of 6 hex numbers separated by
|
||
hyphens. In Shorewall, the MAC address in the example above would be
|
||
written "~02-00-08-E3-FA-55".</p>
|
||
|
||
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Configurations<!--mstheme--></font></h2>
|
||
<p>
|
||
Shorewall allows you to have configuration
|
||
directories other than /etc/shorewall. The <a href="#Starting">shorewall start
|
||
and restart</a>
|
||
commands allow you to specify an alternate configuration directory and
|
||
Shorewall will use the files in the alternate directory rather than the corresponding
|
||
files in /etc/shorewall. The alternate directory need not contain a complete
|
||
configuration; those files not in the alternate directory will be read from
|
||
/etc/shorewall.</p>
|
||
<p>
|
||
This facility permits you to easily create a test or temporary configuration
|
||
by:</p>
|
||
<ol>
|
||
<li>
|
||
copying the files that need modification from /etc/shorewall to a separate
|
||
directory;</li>
|
||
<li>
|
||
modify those files in the separate directory; and</li>
|
||
<li>
|
||
specifying the separate directory in a shorewall start or shorewall
|
||
restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
|
||
).</li>
|
||
</ol>
|
||
|
||
|
||
|
||
<p><font size="2">
|
||
Updated 8/6/2002 - <a href="support.htm">Tom
|
||
Eastep</a>
|
||
</font></p>
|
||
|
||
|
||
|
||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||
<20> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||
|
||
|
||
|
||
<!--mstheme--></font></body>
|
||
|
||
</html> |