diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces
index 81da9d4c1..38f151fc0 100755
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.4 -- Sample Interface File For One Interface
+# Shorewall 1.4.7.7.7.7.7.7.7 -- Sample Interface File For One Interface
 #
 # /etc/shorewall/interfaces
 #
@@ -106,6 +106,13 @@
 # /etc/shorewall/shorewall.conf.
 #
 # This option has no effect if NEWNOTSYN=Yes
+# arp_filter
+# If specified, this interface will only respond
+# to ARP who-has requests for IP addresses
+# configured on the interface. If not specified,
+# the interface can respond to ARP who-has requests
+# for IP addresses on any of the firewall's interface.
+# The interface must be up when shorewall is started.
 #
 # The order in which you list the options is not
 # significant but the list should have no embedded white
diff --git a/Samples/one-interface/policy b/Samples/one-interface/policy
index 9c2e73f60..316d50488 100644
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.4 -- Sample Policy File For One Interface
+# Shorewall 1.4.7 -- Sample Policy File For One Interface
 #
 # /etc/shorewall/policy
 #
@@ -75,5 +75,6 @@
 #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
 fw net ACCEPT
 net all DROP info
+# The FOLLOWING POLICY MUST BE LAST
 all all REJECT info
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules
index c0c7fe6d3..0e2b0f15e 100755
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -1,5 +1,5 @@
 #
-# Shorewall version 1.4 - Sample Rules File For One Interface
+# Shorewall version 1.4.7 - Sample Rules File For One Interface
 #
 # /etc/shorewall/rules
 #
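Review bot: The new header line in Samples/one-interface/interfaces reads `# Shorewall 1.4.7.7.7.7.7.7.7 -- Sample Interface File For One Interface`, while every other sample file in this commit is bumped to `1.4.7`. That looks like the version substitution was applied to this line repeatedly; it should read `# Shorewall 1.4.7 -- Sample Interface File For One Interface`.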
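Review bot: The added arp_filter text in the `@@ -106,6 +106,13 @@` hunk has a grammatical slip, `# for IP addresses on any of the firewall's interface.`, which should be `# for IP addresses on any of the firewall's interfaces.`. The same wording is added to Samples/three-interfaces/interfaces and Samples/two-interfaces/interfaces in this commit, so fix it in all three.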
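Review bot: The marker added to Samples/one-interface/policy is `# The FOLLOWING POLICY MUST BE LAST`, whereas the identical marker added to the two- and three-interface policy files is `# THE FOLLOWING POLICY MUST BE LAST`; keep the wording identical across the three samples so they stay diffable against each other. It would also help the reader to say why the ordering matters, presumably because the `all all REJECT info` entry is the catch-all: `# THE FOLLOWING POLICY MUST BE LAST (catch-all: entries placed after it would never be reached)`.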
@@ -55,9 +55,27 @@
 # LOG
 # Simply log the packet and continue.
 #
-# May optionally be followed by ":" and a syslog log
-# level (e.g, REJECT:info). This causes the packet to be
-# logged at the specified level.
+# You may rate-limit the rule by optionally following
+# ACCEPT, DNAT[-], REDIRECT[-] or LOG with
+#
+# < /[:] >
+#
+# Where is the number of connections per
+# ("sec" or "min") and is the largest
+# burst permitted. If no is given, a value of 5
+# is assumed. There may be no whitespace embedded in the
+# specification.
+#
+# Example:
+# ACCEPT<10/sec:20>
+#
+# The ACTION (and rate limit) may optionally be followed by ":"
+# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
+# This causes the packet to be logged at the specified level.
+#
+# NOTE: For those of you who prefer to place the rate limit in a separate column,
+# see the RATE LIMIT column below. If you specify a value in that column you must include
+# a rate limit in the action column.
 #
 # You may also specify ULOG (must be in upper case) as a
 # log level. This will log to the ULOG target for routing
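Review bot: The added NOTE at the end of this hunk, `# see the RATE LIMIT column below. If you specify a value in that column you must include` / `# a rate limit in the action column.`, contradicts the RATE LIMIT column text added in the `@@ -207,6 +225,36 @@` hunk of the same file, which says `# If you place a rate limit in this column, you may not place` / `# a similiar limit in the ACTION column.`. Since the new column is presented as the alternative place for the limit, the NOTE has most likely lost a "not" and should read `# see the RATE LIMIT column below. If you specify a value in that column you must not include`. The same pair of statements is added to Samples/three-interfaces/rules and Samples/two-interfaces/rules in this commit, so correct all three copies; an administrator who follows the NOTE literally would write the limit twice and, if Shorewall rejects that, end up with a rule that does not load.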
@@ -207,6 +225,36 @@
 # If no source IP address is given, the original source
 # address is not altered.
 #
+# RATE LIMIT You may rate-limit the rule by placing a value in this column:
+#
+# /[:]
+#
+# Where is the number of connections per ("sec"
+# or "min") and is the largest burst permitted. If no
+# is given, a value of 5 is assummed. There may be no
+# whitespace embedded in the specification.
+#
+# Example:
+# 10/sec:20
+#
+# If you place a rate limit in this column, you may not place
+# a similiar limit in the ACTION column.
+#
+# USER SET This Column may only be non-empty if the SOURCE is the firewall
+# itself and the ACTION is ACCEPT, DROP or REJECT.
+#
+# The column may contain a user set name defined in the
+# /etc/shorewall/usersets file or it may contain:
+#
+# []:[]
+#
+# When this column is non-empty, the rule applies only if the
+# program generating the output is running under the effective
+# (s) and/or (s) specified. When a user set name is
+# given, a log level may not be present in the ACTION column;
+# logging for such rules is controlled by user set's entry in
+# /etc/shorewall/usersets.
+#
 # Note: Most one interface rules are of the type ACCEPT, REDIRECT or REJECT.
 # DNAT, DNAT-, CONTINUE rules are for multiple interface firewall.
 # Also by default all outbound fw -> net communications are allowed.
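Review bot: Two spelling errors in the added RATE LIMIT text: `# is given, a value of 5 is assummed. There may be no` should be `# is given, a value of 5 is assumed. There may be no`, and `# a similiar limit in the ACTION column.` should be `# a similar limit in the ACTION column.`. The same lines are added to Samples/three-interfaces/rules and Samples/two-interfaces/rules in this commit. The USER SET paragraph would also read better if it named the separator once, e.g. `# logging for such rules is controlled by the user set's entry in`.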
@@ -214,17 +262,17 @@
 #
 # Example: Accept www requests to the one interface server.
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# # PORT PORT(S) DEST LIMIT SET
 # ACCEPT net fw tcp http
 #
 # Example: Redirect port 88 Internet traffic to fw port 80
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# # PORT PORT(S) DEST LIMIT SET
 # REDIRECT net 80 tcp 88
 #
 ##############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# PORT PORT(S) DEST
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# PORT PORT(S) DEST LIMIT SET
 ACCEPT net fw icmp 8
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Samples/one-interface/zones b/Samples/one-interface/zones
index 7a1ca8461..5018e5a4b 100644
--- a/Samples/one-interface/zones
+++ b/Samples/one-interface/zones
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.4 -- Sample Zone File For One Interface
+# Shorewall 1.4.7 -- Sample Zone File For One Interface
 # /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
@@ -8,6 +8,13 @@
 # DISPLAY Display name of the zone
 # COMMENTS Comments about the zone
 #
+# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
+# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
+#
+# See http://www.shorewall.net/Documentation.html#Nested
+#
+# Of Course This Is A Single Zone .. So The Above Does Not Apply
+#
 #ZONE DISPLAY COMMENTS
 net Net Internet
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces
index 9f51c0e01..94515ee3c 100755
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.4 -- Sample Interface File For Three Interfaces
+# Shorewall 1.4.7 -- Sample Interface File For Three Interfaces
 #
 # /etc/shorewall/interfaces
 #
@@ -106,6 +106,13 @@
 # /etc/shorewall/shorewall.conf.
 #
 # This option has no effect if NEWNOTSYN=Yes.
+# arp_filter
+# If specified, this interface will only respond
+# to ARP who-has requests for IP addresses
+# configured on the interface. If not specified,
+# the interface can respond to ARP who-has requests
+# for IP addresses on any of the firewall's interface.
+# The interface must be up when shorewall is started.
 #
 # The order in which you list the options is not
 # significant but the list should have no embedded white
diff --git a/Samples/three-interfaces/masq b/Samples/three-interfaces/masq
index 688f32680..6c3f8df7d 100755
--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.4 - Sample Masquerade file For Three Interfaces
+# Shorewall 1.4.7 - Sample Masquerade file For Three Interfaces
 #
 # etc/shorewall/masq
 #
diff --git a/Samples/three-interfaces/policy b/Samples/three-interfaces/policy
index 3a5375d69..df2e79322 100644
--- a/Samples/three-interfaces/policy
+++ b/Samples/three-interfaces/policy
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.4 -- Sample Policy File For Three Interfaces
+# Shorewall 1.4.7 -- Sample Policy File For Three Interfaces
 #
 # /etc/shorewall/policy
 #
@@ -81,5 +81,6 @@ loc net ACCEPT
 # remove the comment from the following line.
 #dmz net ACCEPT
 net all DROP info
+# THE FOLLOWING POLICY MUST BE LAST
 all all REJECT info
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Samples/three-interfaces/routestopped b/Samples/three-interfaces/routestopped
index 619754abe..7fb7362ae 100644
--- a/Samples/three-interfaces/routestopped
+++ b/Samples/three-interfaces/routestopped
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 1.4 -- Sample Routestopped File For Three Interfaces.
+# Shorewall 1.4.7 -- Sample Routestopped File For Three Interfaces.
 #
 # /etc/shorewall/routestopped
 #
diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules
index 37371e9a6..9f28f5cd1 100755
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -1,5 +1,5 @@
 #
-# Shorewall version 1.4 - Sample Rules File For Three Interfaces
+# Shorewall version 1.4.7 - Sample Rules File For Three Interfaces
 #
 # /etc/shorewall/rules
 #
@@ -55,9 +55,27 @@
 # LOG
 # Simply log the packet and continue.
 #
-# May optionally be followed by ":" and a syslog log
-# level (e.g, REJECT:info). This causes the packet to be
-# logged at the specified level.
+# You may rate-limit the rule by optionally following
+# ACCEPT, DNAT[-], REDIRECT[-] or LOG with
+#
+# < /[:] >
+#
+# Where is the number of connections per
+# ("sec" or "min") and is the largest
+# burst permitted. If no is given, a value of 5
+# is assumed. There may be no whitespace embedded in the
+# specification.
+#
+# Example:
+# ACCEPT<10/sec:20>
+#
+# The ACTION (and rate limit) may optionally be followed by ":"
+# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
+# This causes the packet to be logged at the specified level.
+#
+# NOTE: For those of you who prefer to place the rate limit in a separate column,
+# see the RATE LIMIT column below. If you specify a value in that column you must include
+# a rate limit in the action column.
 #
 # You may also specify ULOG (must be in upper case) as a
 # log level. This will log to the ULOG target for routing
@@ -207,45 +225,75 @@
 # If no source IP address is given, the original source
 # address is not altered.
 #
+# RATE LIMIT You may rate-limit the rule by placing a value in this column:
+#
+# /[:]
+#
+# Where is the number of connections per ("sec"
+# or "min") and is the largest burst permitted. If no
+# is given, a value of 5 is assummed. There may be no
+# whitespace embedded in the specification.
+#
+# Example:
+# 10/sec:20
+#
+# If you place a rate limit in this column, you may not place
+# a similiar limit in the ACTION column.
+#
+# USER SET This Column may only be non-empty if the SOURCE is the firewall
+# itself and the ACTION is ACCEPT, DROP or REJECT.
+#
+# The column may contain a user set name defined in the
+# /etc/shorewall/usersets file or it may contain:
+#
+# []:[]
+#
+# When this column is non-empty, the rule applies only if the
+# program generating the output is running under the effective
+# (s) and/or (s) specified. When a user set name is
+# given, a log level may not be present in the ACTION column;
+# logging for such rules is controlled by user set's entry in
+# /etc/shorewall/usersets.
+#
 # Also by default all outbound loc -> net communications are allowed.
 # You can change this behavior in the sample policy file.
 #
 # Example: Accept www requests to the firewall.
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# ACCEPT net fw tcp http
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# # PORT PORT(S) DEST LIMIT SET
+# ACCEPT net fw tcp http
 #
 # Example: Accept SMTP requests from the Local Network to the Internet
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# # PORT PORT(S) DEST LIMIT SET
 # ACCEPT loc net tcp smtp
 #
 # Example: Forward all ssh and http connection requests from the Internet
 # to dmz system 192.168.2.3
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# # PORT PORT(S) DEST LIMIT SET
 # DNAT net dmz:192.168.2.3 tcp ssh,http
 #
 # Example: Redirect all locally-originating www connection requests to
 # port 3128 on the firewall (Squid running on the firewall
 # system) except when the destination address is 192.168.2.2
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# # PORT PORT(S) DEST LIMIT SET
 # REDIRECT loc 3128 tcp www - !192.168.2.2
 #
 # Example: All http requests from the Internet to address
 # 130.252.100.69 are to be forwarded to 192.168.1.3
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# # PORT PORT(S) DEST LIMIT SET
 # DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
 ##############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# PORT PORT(S) DEST
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# PORT PORT(S) DEST LIMIT SET
 #
 # Accept DNS connections from the firewall to the Internet
 #
diff --git a/Samples/three-interfaces/zones b/Samples/three-interfaces/zones
index 4cb4abd63..0bbbe7ad9 100644
--- a/Samples/three-interfaces/zones
+++ b/Samples/three-interfaces/zones
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.4 -- Sample Zone File For Two Interfaces
+# Shorewall 1.4.7 -- Sample Zone File For Two Interfaces
 # /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
@@ -8,6 +8,11 @@
 # DISPLAY Display name of the zone
 # COMMENTS Comments about the zone
 #
+# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
+# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
+#
+# See http://www.shorewall.net/Documentation.html#Nested
+#
 #ZONE DISPLAY COMMENTS
 net Net Internet
 loc Local Local Networks
diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces
index 1eba6e15b..b689a98b8 100755
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.4 -- Sample Interface File For Two Interfaces
+# Shorewall 1.4.7 -- Sample Interface File For Two Interfaces
 #
 # /etc/shorewall/interfaces
 #
@@ -110,6 +110,13 @@
 # /etc/shorewall/shorewall.conf.
 #
 # This option has no effect if NEWNOTSYN=Yes.
+# arp_filter
+# If specified, this interface will only respond
+# to ARP who-has requests for IP addresses
+# configured on the interface. If not specified,
+# the interface can respond to ARP who-has requests
+# for IP addresses on any of the firewall's interface.
+# The interface must be up when shorewall is started.
 #
 # The order in which you list the options is not
 # significant but the list should have no embedded white
diff --git a/Samples/two-interfaces/masq b/Samples/two-interfaces/masq
index 591db6d0c..1c240c026 100755
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.4 - Sample Masquerade file For Two Interfaces
+# Shorewall 1.4.7 - Sample Masquerade file For Two Interfaces
 #
 # etc/shorewall/masq
 #
diff --git a/Samples/two-interfaces/policy b/Samples/two-interfaces/policy
index 09f59f217..6e5df6b1c 100644
--- a/Samples/two-interfaces/policy
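Review bot: The header line rewritten in Samples/three-interfaces/zones, `# Shorewall 1.4.7 -- Sample Zone File For Two Interfaces`, still carries the title of the two-interface sample; since the commit already touches this exact line for the version bump, it is the natural place to fix the copy-paste, `# Shorewall 1.4.7 -- Sample Zone File For Three Interfaces`. The three-interface sample defines a `dmz` zone elsewhere in this commit (see the DNAT example in its rules file), so the wrong title is genuinely misleading to someone picking a sample to start from.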
+++ b/Samples/two-interfaces/policy
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.4 -- Sample Policy File For Two Interfaces
+# Shorewall 1.4.7 -- Sample Policy File For Two Interfaces
 #
 # /etc/shorewall/policy
 #
@@ -78,5 +78,6 @@ loc net ACCEPT
 # remove the comment from the following line.
 #fw net ACCEPT
 net all DROP info
+# THE FOLLOWING POLICY MUST BE LAST
 all all REJECT info
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Samples/two-interfaces/routestopped b/Samples/two-interfaces/routestopped
index 590452ba5..0ede19d9f 100644
--- a/Samples/two-interfaces/routestopped
+++ b/Samples/two-interfaces/routestopped
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 1.4 -- Sample Routestopped file for two interfaces.
+# Shorewall 1.4.7 -- Sample Routestopped file for two interfaces.
 #
 # /etc/shorewall/routestopped
 #
diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules
index 45a0719ee..d632e4e7b 100755
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -1,5 +1,5 @@
 #
-# Shorewall version 1.4 - Sample Rules File For Two Interfaces
+# Shorewall version 1.4.7 - Sample Rules File For Two Interfaces
 #
 # /etc/shorewall/rules
 #
@@ -55,9 +55,27 @@
 # LOG
 # Simply log the packet and continue.
 #
-# May optionally be followed by ":" and a syslog log
-# level (e.g, REJECT:info). This causes the packet to be
-# logged at the specified level.
+# You may rate-limit the rule by optionally following
+# ACCEPT, DNAT[-], REDIRECT[-] or LOG with
+#
+# < /[:] >
+#
+# Where is the number of connections per
+# ("sec" or "min") and is the largest
+# burst permitted. If no is given, a value of 5
+# is assumed. There may be no whitespace embedded in the
+# specification.
+#
+# Example:
+# ACCEPT<10/sec:20>
+#
+# The ACTION (and rate limit) may optionally be followed by ":"
+# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
+# This causes the packet to be logged at the specified level.
+#
+# NOTE: For those of you who prefer to place the rate limit in a separate column,
+# see the RATE LIMIT column below. If you specify a value in that column you must include
+# a rate limit in the action column.
 #
 # You may also specify ULOG (must be in upper case) as a
 # log level. This will log to the ULOG target for routing
@@ -207,45 +225,75 @@
 # If no source IP address is given, the original source
 # address is not altered.
 #
+# RATE LIMIT You may rate-limit the rule by placing a value in this column:
+#
+# /[:]
+#
+# Where is the number of connections per ("sec"
+# or "min") and is the largest burst permitted. If no
+# is given, a value of 5 is assummed. There may be no
+# whitespace embedded in the specification.
+#
+# Example:
+# 10/sec:20
+#
+# If you place a rate limit in this column, you may not place
+# a similiar limit in the ACTION column.
+#
+# USER SET This Column may only be non-empty if the SOURCE is the firewall
+# itself and the ACTION is ACCEPT, DROP or REJECT.
+#
+# The column may contain a user set name defined in the
+# /etc/shorewall/usersets file or it may contain:
+#
+# []:[]
+#
+# When this column is non-empty, the rule applies only if the
+# program generating the output is running under the effective
+# (s) and/or (s) specified. When a user set name is
+# given, a log level may not be present in the ACTION column;
+# logging for such rules is controlled by user set's entry in
+# /etc/shorewall/usersets.
+#
 # Also by default all outbound loc -> net communications are allowed.
 # You can change this behavior in the sample policy file.
 #
 # Example: Accept www requests to the firewall.
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
-# ACCEPT net fw tcp http
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# # PORT PORT(S) DEST LIMIT SET
+# ACCEPT net fw tcp http
 #
 # Example: Accept SMTP requests from the Local Network to the Internet
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# # PORT PORT(S) DEST LIMIT SET
 # ACCEPT loc net tcp smtp
 #
 # Example: Forward all ssh and http connection requests from the Internet
 # to local system 192.168.1.3
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# # PORT PORT(S) DEST LIMIT SET
 # DNAT net loc:192.168.1.3 tcp ssh,http
 #
 # Example: Redirect all locally-originating www connection requests to
 # port 3128 on the firewall (Squid running on the firewall
 # system) except when the destination address is 192.168.2.2
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# # PORT PORT(S) DEST LIMIT SET
 # REDIRECT loc 3128 tcp www - !192.168.2.2
 #
 # Example: All http requests from the Internet to address
 # 130.252.100.69 are to be forwarded to 192.168.1.3
 #
-# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# # PORT PORT(S) DEST
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# # PORT PORT(S) DEST LIMIT SET
 # DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
 ##############################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
-# PORT PORT(S) DEST
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
+# PORT PORT(S) DEST LIMIT SET
 #
 # Accept DNS connections from the firewall to the network
 #
diff --git a/Samples/two-interfaces/zones b/Samples/two-interfaces/zones
index 98c9cf1f3..5a9ce1462 100644
--- a/Samples/two-interfaces/zones
+++ b/Samples/two-interfaces/zones
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.4 -- Sample Zone File For Two Interfaces
+# Shorewall 1.4.7 -- Sample Zone File For Two Interfaces
 # /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
@@ -8,6 +8,11 @@
 # DISPLAY Display name of the zone
 # COMMENTS Comments about the zone
 #
+# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
+# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
+#
+# See http://www.shorewall.net/Documentation.html#Nested
+#
 #ZONE DISPLAY COMMENTS
 net Net Internet
 loc Local Local Networks