shorewall_code/Shorewall/shorewall.conf

##############################################################################
#  /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
#  match your setup
#
#  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]         
#
#  This file should be placed in /etc/shorewall
#
#  (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw


# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#

SUBSYSLOCK=/var/lock/subsys/shorewall

# This is the directory where the firewall maintains state information while
# it is running
#

STATEDIR=/var/lib/shorewall

#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#

ALLOWRELATED=yes

#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.

MODULESDIR=

#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second',  `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then logging will not be rate-limited.
#

LOGRATE=
LOGBURST=


#
# This variable determines the level at which Mangled/Invalid packets are logged
# under the 'dropunclean' interface option. If you set this variable to an
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
# silently.
#

LOGUNCLEAN=info

# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
#          look for Shorewall messages.It does NOT control the destination for
#          these messages. For information about how to do that, see
#
#              http://www.shorewall.net/FAQ.htm#faq6

LOGFILE=/var/log/messages

#
# Enable nat support.
#
# You probally want yes here. Only gateways not doing NAT in any form, like
# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
#
NAT_ENABLED=Yes

#
# Enable mangle support.
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
# your firewall. You must enable mangling if you want Traffic Shaping
# (see TC_ENABLED below).
#
MANGLE_ENABLED=Yes

#
# Enable IP Forwarding
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding.
#
IP_FORWARDING=On
#
# Automatically add IP Aliases
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_IP_ALIASES=Yes

#
# Automatically add SNAT Aliases
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_SNAT_ALIASES=No

#
# Enable Traffic Shaping
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above.
#
TC_ENABLED=No

#
# Blacklisting
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP

#
# Blacklist Logging
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beward of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
BLACKLIST_LOGLEVEL=

#
# MSS Clamping
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
#    This option adds a `TCPMSS' target, which allows you to alter the
#    MSS value of TCP SYN packets, to control the maximum size for that
#    connection (usually limiting it to your outgoing interface's MTU
#    minus 40).
#
#    This is used to overcome criminally braindead ISPs or servers which
#    block ICMP Fragmentation Needed packets.  The symptoms of this
#    problem are that everything works fine from your Linux
#    firewall/router, but machines behind it can never exchange large
#    packets:
#        1) Web browsers connect, then hang with no data received.
#	 2) Small mail works fine, but large emails hang.
#	 3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS=No

#
# Route Filtering
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.

ROUTE_FILTER=No

#
# NAT before RULES
#
# Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to "No".
#
# If this variable is not set or is set to the empty value, "Yes" is assumed.

NAT_BEFORE_RULES=Yes

# MULTIPORT
#
# If your kernel includes the multiport match option
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
# option is enabled by setting it's value to "Yes" or "yes":
#
#	1) If you list more that 15 ports in a comma-seperated list in
#	   /etc/shorewall/rules, Shorewall will not use the multiport option
#	   but will generate a separate rule for each element of each port
#	   list.
#	2) If you include a port range (<low port>:<high port>) in the
#	   rule, Shorewall will not use the multiport option but will generate
#	   a separate rule for each element of each port list.
#
# See the /etc/shorewall/rules file for additional information on this option.
#
# if this variable is not set or is set to the empty value, "No" is assumed.

MULTIPORT=No

# DNAT IP Address Detection
#
# Normally when Shorewall encounters the following rule:
#
#	DNAT	net	loc:192.168.1.3	tcp	80
#
# it will forward TCP port 80 connections from the net to 192.168.1.3
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is 
# convenient for two reasons:
#
#	a) If the the network interface has a dynamic IP address, the
#	   firewall configuration will work even when the address
#	   changes.
#
#	b) It saves having to configure the IP address in the rule 
#	   while still allowing the firewall to be started before the
#	   internet interface is brought up.
#
# This default behavior can also have a negative effect. If the
# internet interface has more than one IP address then the above 
# rule will forward connection requests on all of these addresses; 
# that may not be what is desired.
#
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
# only if the original destination address is the primary IP address of
# one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall
# is [re]started. 

DETECT_DNAT_IPADDRS=No

# Merge Hosts File
#
# The traditional behavior of the /etc/shorewall/hosts file has been that
# if that file has ANY entry for a zone then the zone must be defined 
# entirely in the hosts file. This is counter-intuitive and has caused 
# people some problems.
#
# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
# are added to the contents described in the /etc/shorewall/interfaces file.
#
# Example: Suppose that we have the following interfaces and hosts files:
#
# Interfaces:
#
#	net	eth0
#	loc	eth1	
#	-	ppp+
#
# Hosts:
#
#	loc	ppp+:192.168.1.0/24
#	wrk	ppp+:!192.168.1.0/24
#
# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
# ppp+:192.168.1.0 and eth1:0.0.0.0/0
#
# If this variable is not set or is set to the empty value, "No" is assumed.

MERGE_HOSTS=Yes

#
# Mutex Timeout
#
# The value of this variable determines the number of seconds that programs
# will wait for exclusive access to the Shorewall lock file. After the number
# of seconds corresponding to the value of this variable, programs will assume
# that the last program to hold the lock died without releasing the lock.
#
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.

MUTEX_TIMEOUT=60

#LAST LINE -- DO NOT REMOVE