diff --git a/Shorewall-docs/myfiles.htm b/Shorewall-docs/myfiles.htm
deleted file mode 100644
index f7eda70d1..000000000
--- a/Shorewall-docs/myfiles.htm
+++ /dev/null
@@ -1,253 +0,0 @@
-
-
-
-
- My Shorewall Configuration
-
-
-
-
-
-
-About My Network
-
-



-
-My Current Network
-
-
-
- Warning 1: I
-use a combination of One-to-one NAT and Proxy ARP, neither of which are
-relevant to a simple configuration with a single public IP address.
-If you have just a single public IP address, most of what you see here
-won't apply to your setup so beware of copying parts of this
-configuration and expecting them to work for you. What you copy may or
-may not work in your configuration.
-
- Warning 2: The
-configuration shown here corresponds to Shorewall version 1.4.9. It may
-use features not available in earlier Shorewall releases.
-
- I have DSL service and have 5 static IP addresses
-(206.124.146.176-180). My DSL "modem" (Fujitsu
-Speedport) is connected to eth0. I have a local network connected to
-eth2 (subnet 192.168.1.0/24), a DMZ connected to eth1 (192.168.2.0/24)
-and a Wireless network connected to eth3 (192.168.3.0/24).
- I use:
-
-
- - One-to-one NAT for Ursa (my XP System that dual-boots Mandrake
-9.2) - Internal address
-192.168.1.5 and external address 206.124.146.178.
- - One-to-one NAT for EastepLaptop (My work system). Internal
-address
-192.168.1.7 and external address 206.124.146.180.
-
- - SNAT through 206.124.146.179 for my Linux system
-(Wookie), my Wife's system (Tarry), and our
-laptop
-(Tipper) which connects through the Wireless Access Point (wap) via
-a Wireless Bridge (bridge).
-
-Note: While the distance between the WAP and where I usually use
-the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
-wireless card) has proved very unsatisfactory (lots of lost
-connections). By replacing the WAC11 with the WET11 wireless bridge, I
-have virtually eliminated these problems (Being an old radio tinkerer
-(K7JPV), I was also able to eliminate the disconnects by hanging a
-piece of aluminum foil on the family room wall. Needless to say, my
-wife Tarry rejected that as a permanent solution :-).
-
- The firewall runs on a 256MB PII/233 with RH9.0.
- Wookie and the Firewall both run Samba and the Firewall acts as a
-WINS
-server.
-
- Wookie is in its own 'whitelist' zone called 'me' which is
-embedded
-in the local zone.
- The wireless network connects to eth3 via a LinkSys WAP11.
-In additional to using the rather weak WEP 40-bit encryption (64-bit
-with the 24-bit preamble), I use MAC
-verification. This is still a weak combination and if I lived near
-a wireless "hot spot", I would probably add IPSEC or something similar
-to my WiFi->local connections.
-
- The single system in the DMZ (address 206.124.146.177) runs
-postfix, Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and
-an FTP server (Pure-ftpd). The system also runs fetchmail to fetch our
-email from our old and current ISPs. That server is managed through
-Proxy ARP.
- The firewall system itself runs a DHCP server that serves the
-local network.
- All administration and publishing is done using ssh/scp. I have X
-installed on the firewall but no X server or desktop is installed. X
-applications tunnel through SSH to XWin.exe running on Ursa. The server
-does have a
-desktop environment installed and that desktop environment is available
-via XDMCP from the local zone. For the most part though, X tunneled
-through
-SSH is used for server administration and the server runs at run level
-3
-(multi-user console mode on RedHat).
- I run an SNMP server on my firewall to serve MRTG
-running in the DMZ.
-
-
- The ethernet interface in the Server is configured with IP address
-206.124.146.177, netmask 255.255.255.0. The server's default gateway is
-206.124.146.254 (Router at my ISP. This is the same default gateway
-used by the firewall itself). On the firewall, my /sbin/ifup-local
-script (see below)
-adds a host route to 206.124.146.177 through eth1 when that interface
-is brought up.
- Ursa (192.168.1.5 A.K.A. 206.124.146.178) runs a PPTP server for
-Road
-Warrior access.
-
-
-
-Shorewall.conf
-
- LOGFILE=/var/log/messages
LOGRATE=
LOGBURST=
LOGUNCLEAN=$LOG
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/ash
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/state/shorewall
MODULESDIR=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
SHARED_DIR=/usr/share/shorewall
-
-Params File (Edited):
-
- MIRRORS=<list of shorewall mirror ip addresses>
NTPSERVERS=<list of the NTP servers I sync with>
-TEXAS=<ip address of gateway in Dallas>
LOG=info
-
-Zones File
-
- #ZONE DISPLAY COMMENTS
net Internet Internet
WiFi Wireless Wireless Network on eth3
me Wookie My Linux Workstation
dmz DMZ Demilitarized zone
loc Local Local networks
tx Texas Peer Network in Dallas
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
-Interfaces File:
-
- This is set up so that I can start the firewall before bringing
-up
-my Ethernet interfaces.
-
-
- #ZONE INERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc eth2 192.168.1.255 dhcp,newnotsyn
dmz eth1 192.168.2.255 newnotsyn
WiFi eth3 192.168.3.255 dhcp,maclist,newnotsyn
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
-Hosts File:
-
- #ZONE HOST(S) OPTIONS
me eth2:192.168.1.3
tx texas:192.168.8.0/22
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
-Routestopped File:
-
- #INTERFACQ HOST(S)
eth1 206.124.146.177
eth2 -
eth3 192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
-Blacklist File (Partial):
-#ADDRESS/SUBNET PROTOCOL PORT
0.0.0.0/0 udp 1434
0.0.0.0/0 tcp 1433
0.0.0.0/0 tcp 8081
0.0.0.0/0 tcp 57
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-Policy File:
-
- #SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
me loc NONE # 'me' and 'loc' are in the same network
me all ACCEPT # Allow my workstation unlimited access
tx me ACCEPT # Alow Texas access to my workstation
WiFi loc ACCEPT # Allow the wireless new access
all me CONTINUE # Use all->loc rules for my WS also
loc net ACCEPT # Allow all net traffic from local net
$FW loc ACCEPT # Allow local access from the firewall
$FW tx ACCEPT # Allow firewall access to texas
loc tx ACCEPT # Allow local net access to texas
loc fw REJECT $LOG # Reject loc->fw and log
WiFi net ACCEPT # Allow internet access from wirless
net all DROP $LOG 10/sec:40 # Rate limit and
# DROP net->dmz
all all REJECT $LOG # Reject and log the rest
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
-Masq File:
-
- Although most of our internal systems use one-to-one NAT, my
-wife's
-system (192.168.1.4) uses IP Masquerading (actually SNAT) as does my
-personal system (192.168.1.3), our laptop (192.168.3.8) and
-visitors with laptops.
-
-
-
- #INTERFACE SUBNET ADDRESS
eth0 eth2 206.124.146.179
eth0 eth3 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
-NAT File:
-
- #EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
206.124.146.178 eth0:0 192.168.1.5 No No
206.124.146.180 eth0:2 192.168.1.7 No No
#
# The following entry allows the server to be accessed through an address in
# the local network. This is convenient when I'm on the road and connected
# to the PPTP server. By doing this, I don't need to set my client's default
# gateway to route through the tunnel.
#
192.168.1.193 eth2:0 206.124.146.177 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE\
-
-Proxy ARP File:
-
- #ADDRESS INTERFACE EXTERNAL HAVEROUTE
206.124.146.177 eth1 eth0 Yes
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):
-
- #TYPE ZONE GATEWAY GATEWAY ZONE PORT
gre net $TEXAS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-
-Actions File
-#ACTION
Mirrors #Action that accepts traffic from our mirrors
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-/etc/shorewall/action.Mirrors
-
-#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-Rules File (The shell variables are set in /etc/shorewall/params):
-
- ################################################################################################################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL DEST:SNAT
################################################################################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:$LOG loc net tcp 6667
#
# Stop NETBIOS crap since our policy is ACCEPT
#
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
################################################################################################################################################################
# Local Network to Firewall
#
DROP loc:!192.168.1.0/24 fw
ACCEPT loc fw tcp ssh,time,10000,swat,137,139,445
ACCEPT loc fw udp snmp,ntp,445
ACCEPT loc fw udp 137:139
ACCEPT loc fw udp 1024: 137
################################################################################################################################################################
# Local Network to DMZ
#
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,pop3 -
################################################################################################################################################################
# Me to DMZ (This compensates for the broken RH kernel running in the DMZ -- that kernel's REJECT target is broken and Evolution requires a REJECT from smtps).
#
REJECT me dmz tcp 465
################################################################################################################################################################
# Internet to DMZ
#
ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https -
ACCEPT net dmz udp domain
Mirrors net dmz tcp rsync
################################################################################################################################################################
#
# Net to Local
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
ACCEPT net loc:192.168.1.5 tcp 1723
ACCEPT net loc:192.168.1.5 gre
#
# ICQ
#
ACCEPT net loc:192.168.1.5 tcp 4000:4100
#
# Real Audio
#
ACCEPT net loc:192.168.1.5 udp 6970:7170
DNAT net loc:192.168.1.3 udp 6970:7170 - 206.124.146.179
################################################################################################################################################################
# Net to me
#
ACCEPT net loc:192.168.1.3 tcp 4000:4100
################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh
ACCEPT dmz net udp domain
#ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:206.191.151.2 tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp snmp,ssh
ACCEPT dmz fw udp snmp
REJECT dmz fw tcp auth
################################################################################################################################################################
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
################################################################################################################################################################
#
# DMZ to Me -- NFS
#
ACCEPT dmz me tcp 111
ACCEPT dmz me udp 111
ACCEPT dmz me udp 2049
ACCEPT dmz me udp 32700:
################################################################################################################################################################
# Internet to Firewall
#
REJECT net fw tcp www
DROP net fw tcp 1433
################################################################################################################################################################
# WiFi to Firewall (SMB and NTP)
#
ACCEPT WiFi fw tcp ssh,137,139,445
ACCEPT WiFi fw udp 137:139,445
ACCEPT
###############################################################################################################################################################
# WIFI to loc
#
ACCEPT WiFi loc udp 137:139
ACCEPT WiFi loc tcp 22,80,137,139,445,3389
ACCEPT WiFi loc udp 1024: 137
ACCEPT WiFi loc udp 177
###############################################################################################################################################################
# loc to WiFi
#
ACCEPT loc WiFi udp 137:139
ACCEPT loc WiFi tcp 137,139,445
ACCEPT loc WiFi udp 1024: 137
ACCEPT loc WiFi tcp 6000:6010
WiFi fw udp 1024: 137
ACCEPT WiFi fw udp ntp ntp
################################################################################################################################################################
# Firewall to WiFi (SMB)
#
ACCEPT fw WiFi tcp 137,139,445
ACCEPT fw WiFi udp 137:139,445
ACCEPT fw WiFi udp 1024: 137
###############################################################################################################################################################
# WiFi to DMZ
#
DNAT- WiFi dmz:206.124.146.177 all - - 192.168.1.193
ACCEPT WiFi dmz tcp smtp,www,ftp,imaps,domain,https,ssh -
ACCEPT WiFi dmz udp domain
################################################################################################################################################################
# Firewall to Internet
#
ACCEPT fw net:$NTPSERVERS udp ntp ntp
ACCEPT fw net:$POPSERVERS tcp pop3
ACCEPT fw net udp domain
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT fw net udp 33435:33535
ACCEPT fw net icmp 8
################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT fw dmz tcp www,ftp,ssh,smtp
ACCEPT fw dmz udp domain
ACCEPT fw dmz icmp 8
REJECT fw dmz udp 137:139
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-The next three files deal with redirecting html requests to Squid on
-the DMZ server.
-
-Tcrules file:
-
-#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
#
# In the PREROUTING chain, mark all HTML connection requests to external
# servers with value 1
#
1:P eth2 !192.168.0.0/16 tcp 80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-Init file:
-
-#
# Add a second routing table with my server as the default gateway
# Use this routing table with all packets marked with value 1
#
if [ -z "`ip route list table 202 2> /dev/null`" ] ; then
run_ip rule add fwmark 1 table www.out
run_ip route add default via 206.124.146.177 dev eth1 table www.out
run_ip route flush cache
fi
-/etc/iproute2/rt_tables:
-#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local -- I added the entry below
#
202 www.out
-
-Tcstart file:
-
-
-
-My tcstart file is just the HTB version
-of WonderShaper.
-
-
-Newnotsyn file (/etc/shorewall/newnotsyn):
-I prefer to allow SYN, FIN and RST
-packets unconditionally rather than just on 'newnotsyn' interfaces as
-is the case with the standard Shorewall ruleset. This file deletes the
-Shorewall-generated rules for these packets and creates my own.
-
#!/bin/sh
for interface in `find_interfaces_by_option newnotsyn`; do
run_iptables -D newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -D newnotsyn -i $interface -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -D newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j ACCEPT
done
run_iptables -A newnotsyn -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A newnotsyn -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A newnotsyn -p tcp --tcp-flags FIN FIN -j ACCEPT
-
-/sbin/ifup-local
-This
-file is Redhat specific and adds a route to my DMZ server when eth1 is
-brought up.
-It allows me to enter "Yes" in the HAVEROUTE column of my Proxy ARP
-file.
-
-#!/bin/sh
case $1 in
eth1)
ip route add 206.124.146.177 dev eth1
;;
esac
-
-Last updated 12/06/2003 - Tom
-Eastep
-Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-
-
-
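Review bot: Removing Shorewall-docs/myfiles.htm outright leaves any page that still links to myfiles.htm dangling, and this diff does not show the index or navigation pages being updated to point at the new XML build output; please confirm those references in the same change. Also check that the replacement carries over every listing from this file, in particular the Tcrules entry (`#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)` / `1:P eth2 !192.168.0.0/16 tcp 80`) on which the Init file's `fwmark 1` routing rule depends, since that is the one listing most easily lost in a by-hand conversion. The stray trailing backslash on the NAT file's `#LAST LINE` comment and the `# DROP net->dmz` policy comment (the policy line is `net all DROP`) are pre-existing defects that should not be reproduced.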
diff --git a/Shorewall-docs/myfiles.xml b/Shorewall-docs/myfiles.xml
new file mode 100644
index 000000000..9d348a4de
--- /dev/null
+++ b/Shorewall-docs/myfiles.xml
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+ About My Network
+
+
+
+ Tom
+
+ Eastep
+
+
+
+ 2003-12-06
+
+
+ 2001-2003
+
+ Thomas M. Eastep
+
+
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU Free Documentation License, Version
+ 1.2 or any later version published by the Free Software Foundation; with
+ no Invariant Sections, with no Front-Cover, and with no Back-Cover
+ Texts. A copy of the license is included in the section entitled
+ GNU Free Documentation License
.
+
+
+
+
+ My Current Network
+
+
+ I use a combination of One-to-one NAT and Proxy ARP, neither of
+ which are relevant to a simple configuration with a single public IP
+ address. If you have just a single public IP address, most of what you
+ see here won't apply to your setup so beware of copying parts of
+ this configuration and expecting them to work for you. What you copy may
+ or may not work in your configuration.
+
+
+
+ The configuration shown here corresponds to Shorewall version
+ 1.4.9. It may use features not available in earlier Shorewall releases.
+
+
+ I have DSL service and have 5 static IP addresses
+ (206.124.146.176-180). My DSL "modem" (Fujitsu Speedport) is
+ connected to eth0. I have a local network connected to eth2 (subnet
+ 192.168.1.0/24), a DMZ connected to eth1 (192.168.2.0/24) and a Wireless
+ network connected to eth3 (192.168.3.0/24).
+
+ I use:
+
+
+
+ One-to-one NAT for Ursa (my XP System that dual-boots Mandrake
+ 9.2) - Internal address 192.168.1.5 and external address
+ 206.124.146.178.
+
+
+
+ One-to-one NAT for EastepLaptop (My work system). Internal
+ address 192.168.1.7 and external address 206.124.146.180.
+
+
+
+ SNAT through 206.124.146.179 for my Linux system
+ (Wookie), my Wife's system (Tarry), and our laptop
+ (Tipper) which connects through the Wireless Access Point (wap) via a
+ Wireless Bridge (bridge).While the distance between the
+ WAP and where I usually use the laptop isn't very far (25 feet or
+ so), using a WAC11 (CardBus wireless card) has proved very
+ unsatisfactory (lots of lost connections). By replacing the WAC11 with
+ the WET11 wireless bridge, I have virtually eliminated these problems
+ (Being an old radio tinkerer (K7JPV), I was also able to eliminate the
+ disconnects by hanging a piece of aluminum foil on the family room
+ wall. Needless to say, my wife Tarry rejected that as a permanent
+ solution :-).
+
+
+
+ The firewall runs on a 256MB PII/233 with RH9.0.
+
+ Wookie and the Firewall both run Samba and the Firewall acts as a
+ WINS server.
+
+ Wookie is in its own 'whitelist' zone called 'me'
+ which is embedded in the local zone.
+
+ The wireless network connects to eth3 via a LinkSys WAP11.
+ In additional to using the rather weak WEP 40-bit encryption (64-bit with
+ the 24-bit preamble), I use MAC
+ verification. This is still a weak combination and if I lived near
+ a wireless "hot spot", I would probably add IPSEC or something
+ similar to my WiFi->local connections.
+
+ The single system in the DMZ (address 206.124.146.177) runs postfix,
+ Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
+ server (Pure-ftpd). The system also runs fetchmail to fetch our email from
+ our old and current ISPs. That server is managed through Proxy ARP.
+
+ The firewall system itself runs a DHCP server that serves the local
+ network.
+
+ All administration and publishing is done using ssh/scp. I have X
+ installed on the firewall but no X server or desktop is installed. X
+ applications tunnel through SSH to XWin.exe running on Ursa. The server
+ does have a desktop environment installed and that desktop environment is
+ available via XDMCP from the local zone. For the most part though, X
+ tunneled through SSH is used for server administration and the server runs
+ at run level 3 (multi-user console mode on RedHat).
+
+ I run an SNMP server on my firewall to serve MRTG running
+ in the DMZ.
The
+ ethernet interface in the Server is configured with IP address
+ 206.124.146.177, netmask 255.255.255.0. The server's default gateway
+ is 206.124.146.254 (Router at my ISP. This is the same default gateway
+ used by the firewall itself). On the firewall, my /sbin/ifup-local script
+ (see below) adds a host route to 206.124.146.177 through eth1 when that
+ interface is brought up.
+
+ Ursa (192.168.1.5 A.K.A. 206.124.146.178) runs a PPTP server for
+ Road Warrior access.
+
+
+ Shorewall.conf
+
+
+ LOGFILE=/var/log/messages
+LOGRATE=
+LOGBURST=
+LOGUNCLEAN=$LOG
+BLACKLIST_LOGLEVEL=
+LOGNEWNOTSYN=
+MACLIST_LOG_LEVEL=$LOG
+TCP_FLAGS_LOG_LEVEL=$LOG
+RFC1918_LOG_LEVEL=$LOG
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+SHOREWALL_SHELL=/bin/ash
+SUBSYSLOCK=/var/lock/subsys/shorewall
+STATEDIR=/var/state/shorewall
+MODULESDIR=
+FW=fw
+IP_FORWARDING=On
+ADD_IP_ALIASES=Yes
+ADD_SNAT_ALIASES=Yes
+TC_ENABLED=Yes
+CLEAR_TC=No
+MARK_IN_FORWARD_CHAIN=No
+CLAMPMSS=Yes
+ROUTE_FILTER=No
+NAT_BEFORE_RULES=No
+DETECT_DNAT_IPADDRS=Yes
+MUTEX_TIMEOUT=60
+NEWNOTSYN=No
+BLACKLIST_DISPOSITION=DROP
+MACLIST_DISPOSITION=REJECT
+TCP_FLAGS_DISPOSITION=DROP
+SHARED_DIR=/usr/share/shorewall
+
+
+
+
+ Params File (Edited)
+
+
+ MIRRORS=<list of shorewall mirror ip addresses>
+ NTPSERVERS=<list of the NTP servers I sync with> TEXAS=<ip
+ address of gateway in Dallas> LOG=info
+
+
+
+
+ Zones File
+
+
+ #ZONE DISPLAY COMMENTS
+net Internet Internet
+WiFi Wireless Wireless Network on eth3
+me Wookie My Linux Workstation
+dmz DMZ Demilitarized zone
+loc Local Local networks
+tx Texas Peer Network in Dallas
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+
+
+
+
+ Interfaces File
+
+
+ This is set up so that I can start the firewall before bringing
+ up my Ethernet interfaces.
+
+ #ZONE INERFACE BROADCAST OPTIONS
+net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
+loc eth2 192.168.1.255 dhcp,newnotsyn
+dmz eth1 192.168.2.255 newnotsyn
+WiFi eth3 192.168.3.255 dhcp,maclist,newnotsyn
+- texas 192.168.9.255
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+
+
+
+
+ Hosts File
+
+
+ #ZONE HOST(S) OPTIONS
+me eth2:192.168.1.3
+tx texas:192.168.8.0/22
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+
+
+
+
+ Routestopped File
+
+
+ #INTERFACE HOST(S)
+eth1 206.124.146.177
+eth2 -
+eth3 192.168.3.0/24
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+
+
+
+
+ Blacklist File (Partial)
+
+
+ #ADDRESS/SUBNET PROTOCOL PORT
+0.0.0.0/0 udp 1434
+0.0.0.0/0 tcp 1433
+0.0.0.0/0 tcp 8081
+0.0.0.0/0 tcp 57
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+
+
+
+
+ Policy File
+
+
+ #SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
+me loc NONE # 'me' and 'loc' are in the same network
+me all ACCEPT # Allow my workstation unlimited access
+tx me ACCEPT # Alow Texas access to my workstation
+WiFi loc ACCEPT # Allow the wireless new access
+all me CONTINUE # Use all->loc rules for my WS also
+loc net ACCEPT # Allow all net traffic from local net
+$FW loc ACCEPT # Allow local access from the firewall
+$FW tx ACCEPT # Allow firewall access to texas
+loc tx ACCEPT # Allow local net access to texas
+loc fw REJECT $LOG # Reject loc->fw and log
+WiFi net ACCEPT # Allow internet access from wirless
+net all DROP $LOG 10/sec:40 # Rate limit and
+ # DROP net->all
+all all REJECT $LOG # Reject and log the rest
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+
+
+
+
+ Masq File
+
+
+ Although most of our internal systems use one-to-one NAT, my
+ wife's system (192.168.1.4) uses IP Masquerading (actually SNAT)
+ as does my personal system (192.168.1.3), our laptop (192.168.3.8) and
+ visitors with laptops.
+
+ #INTERFACE SUBNET ADDRESS
+eth0 eth2 206.124.146.179
+eth0 eth3 206.124.146.179
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+
+
+ NAT File
+
+
+ #EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
+206.124.146.178 eth0:0 192.168.1.5 No No
+206.124.146.180 eth0:2 192.168.1.7 No No
+#
+# The following entry allows the server to be accessed through an address in
+# the local network. This is convenient when I'm on the road and connected
+# to the PPTP server. By doing this, I don't need to set my client's default
+# gateway to route through the tunnel.
+#
+192.168.1.193 eth2:0 206.124.146.177 No No
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+
+
+ Proxy ARP File
+
+
+ #ADDRESS INTERFACE EXTERNAL HAVEROUTE
+206.124.146.177 eth1 eth0 Yes
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
+
+
+ Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)
+
+
+ #TYPE ZONE GATEWAY GATEWAY ZONE PORT
+gre net $TEXAS
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
+
+
+ Actions File
+
+
+ #ACTION
+Mirrors #Action that accepts traffic from our mirrors
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
+
+
+
+
+ action.Mirrors File
+
+
+ The $MIRRORS variable expands to a list of approximately 10 IP
+ addresses. So moving these checks into a separate chain reduces the
+ number of rules that most net->dmz traffic needs to traverse.
+
+ #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
+# PORT PORT(S) DEST LIMIT
+ACCEPT $MIRRORS
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
+
+
+ Rules File (The shell variables are set in /etc/shorewall/params)
+
+
+ ################################################################################################################################################################
+#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT ORIGINAL DEST:SNAT
+################################################################################################################################################################
+# Local Network to Internet - Reject attempts by Trojans to call home
+#
+REJECT:$LOG loc net tcp 6667
+#
+# Stop NETBIOS crap since our policy is ACCEPT
+#
+REJECT loc net tcp 137,445
+REJECT loc net udp 137:139
+################################################################################################################################################################
+# Local Network to Firewall
+#
+DROP loc:!192.168.1.0/24 fw
+ACCEPT loc fw tcp ssh,time,10000,swat,137,139,445
+ACCEPT loc fw udp snmp,ntp,445
+ACCEPT loc fw udp 137:139
+ACCEPT loc fw udp 1024: 137
+################################################################################################################################################################
+# Local Network to DMZ
+#
+ACCEPT loc dmz udp domain,xdmcp
+ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,pop3 -
+################################################################################################################################################################
+# Me to DMZ (This compensates for the broken RH kernel running in the DMZ -- that kernel's REJECT target is broken and Evolution requires a REJECT from smtps).
+#
+REJECT me dmz tcp 465
+################################################################################################################################################################
+# Internet to DMZ
+#
+ACCEPT net dmz tcp smtp,www,ftp,imaps,domain,cvspserver,https -
+ACCEPT net dmz udp domain
+Mirrors net dmz tcp rsync
+################################################################################################################################################################
+#
+# Net to Local
+#
+# When I'm "on the road", the following two rules allow me VPN access back home.
+#
+ACCEPT net loc:192.168.1.5 tcp 1723
+ACCEPT net loc:192.168.1.5 gre
+#
+# ICQ
+#
+ACCEPT net loc:192.168.1.5 tcp 4000:4100
+#
+# Real Audio
+#
+ACCEPT net loc:192.168.1.5 udp 6970:7170
+DNAT net loc:192.168.1.3 udp 6970:7170 - 206.124.146.179
+################################################################################################################################################################
+# Net to me
+#
+ACCEPT net loc:192.168.1.3 tcp 4000:4100
+################################################################################################################################################################
+# DMZ to Internet
+#
+ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh
+ACCEPT dmz net udp domain
+#ACCEPT dmz net:$POPSERVERS tcp pop3
+#ACCEPT dmz net:206.191.151.2 tcp pop3
+#ACCEPT dmz net:66.216.26.115 tcp pop3
+#
+# Something is wrong with the FTP connection tracking code or there is some client out there
+# that is sending a PORT command which that code doesn't understand. Either way,
+# the following works around the problem.
+#
+ACCEPT:$LOG dmz net tcp 1024: 20
+################################################################################################################################################################
+# DMZ to Firewall -- ntp & snmp, Silently reject Auth
+#
+ACCEPT dmz fw udp ntp ntp
+ACCEPT dmz fw tcp snmp,ssh
+ACCEPT dmz fw udp snmp
+REJECT dmz fw tcp auth
+################################################################################################################################################################
+#
+# DMZ to Local Network
+#
+ACCEPT dmz loc tcp smtp,6001:6010
+################################################################################################################################################################
+#
+# DMZ to Me -- NFS
+#
+ACCEPT dmz me tcp 111
+ACCEPT dmz me udp 111
+ACCEPT dmz me udp 2049
+ACCEPT dmz me udp 32700:
+################################################################################################################################################################
+# Internet to Firewall
+#
+REJECT net fw tcp www
+DROP net fw tcp 1433
+################################################################################################################################################################
+# WiFi to Firewall (SMB and NTP)
+#
+ACCEPT WiFi fw tcp ssh,137,139,445
+ACCEPT WiFi fw udp 137:139,445
+ACCEPT
+###############################################################################################################################################################
+# WIFI to loc
+#
+ACCEPT WiFi loc udp 137:139
+ACCEPT WiFi loc tcp 22,80,137,139,445,3389
+ACCEPT WiFi loc udp 1024: 137
+ACCEPT WiFi loc udp 177
+###############################################################################################################################################################
+# loc to WiFi
+#
+ACCEPT loc WiFi udp 137:139
+ACCEPT loc WiFi tcp 137,139,445
+ACCEPT loc WiFi udp 1024: 137
+ACCEPT loc WiFi tcp 6000:6010
+ WiFi fw udp 1024: 137
+ACCEPT WiFi fw udp ntp ntp
+################################################################################################################################################################
+# Firewall to WiFi (SMB)
+#
+ACCEPT fw WiFi tcp 137,139,445
+ACCEPT fw WiFi udp 137:139,445
+ACCEPT fw WiFi udp 1024: 137
+###############################################################################################################################################################
+# WiFi to DMZ
+#
+DNAT- WiFi dmz:206.124.146.177 all - - 192.168.1.193
+ACCEPT WiFi dmz tcp smtp,www,ftp,imaps,domain,https,ssh -
+ACCEPT WiFi dmz udp domain
+################################################################################################################################################################
+# Firewall to Internet
+#
+ACCEPT fw net:$NTPSERVERS udp ntp ntp
+ACCEPT fw net:$POPSERVERS tcp pop3
+ACCEPT fw net udp domain
+ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
+ACCEPT fw net udp 33435:33535
+ACCEPT fw net icmp 8
+################################################################################################################################################################
+# Firewall to DMZ
+#
+ACCEPT fw dmz tcp www,ftp,ssh,smtp
+ACCEPT fw dmz udp domain
+ACCEPT fw dmz icmp 8
+REJECT fw dmz udp 137:139
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
+
+
+ Tcrules File
+
+ This file deals with redirecting html requests to Squid on the DMZ
+ server.
+
+
+ #TYPE ZONE GATEWAY GATEWAY ZONE PORT
+gre net $TEXAS
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
+
+
+ Init File
+
+ This file deals with redirecting html requests to Squid on the DMZ
+ server.
+
+
+ #
+# Add a second routing table with my server as the default gateway
+# Use this routing table with all packets marked with value 1
+#
+if [ -z "`ip route list table 202 2> /dev/null`" ] ; then
+ run_ip rule add fwmark 1 table www.out
+ run_ip route add default via 206.124.146.177 dev eth1 table www.out
+ run_ip route flush cache
+fi
+
+
+
+
+ /etc/iproute2/rt_tables
+
+ This file deals with redirecting html requests to Squid on the DMZ
+ server.
+
+
+ #
+# reserved values
+#
+#255 local
+#254 main
+#253 default
+#0 unspec
+
+#
+# local -- I added the entry below
+#
+202 www.out
+
+
+
+
+ Tcrules File
+
+ This file deals with redirecting html requests to Squid on the DMZ
+ server.
+
+
+ #TYPE ZONE GATEWAY GATEWAY ZONE PORT
+gre net $TEXAS
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
+
+
+ Tcstart File
+
+ My tcstart file is just the HTB version of WonderShaper.
+
+
+
+ Newnotsyn file (/etc/shorewall/newnotsyn):
+
+
+ I prefer to allow SYN, FIN and RST packets unconditionally
+ rather than just on 'newnotsyn' interfaces as is the case with
+ the standard Shorewall ruleset. This file deletes the
+ Shorewall-generated rules for these packets and creates my own.
+
+ #!/bin/sh
+
+for interface in `find_interfaces_by_option newnotsyn`; do
+ run_iptables -D newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j ACCEPT
+ run_iptables -D newnotsyn -i $interface -p tcp --tcp-flags RST RST -j ACCEPT
+ run_iptables -D newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j ACCEPT
+done
+
+run_iptables -A newnotsyn -p tcp --tcp-flags ACK ACK -j ACCEPT
+run_iptables -A newnotsyn -p tcp --tcp-flags RST RST -j ACCEPT
+run_iptables -A newnotsyn -p tcp --tcp-flags FIN FIN -j ACCEPT
+
+
+
+
+ /sbin/ifup-local
+
+
+ This file is Redhat specific and adds a route to my DMZ server
+ when eth1 is brought up. It allows me to enter "Yes" in the
+ HAVEROUTE column of my Proxy ARP file.
+
+ #!/bin/sh
+
+case $1 in
+ eth1)
+ ip route add 206.124.146.177 dev eth1
+ ;;
+esac
+
+
+
+
\ No newline at end of file
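Review bot: Both "Tcrules File" sections (the first directly after the rules listing, the second after the rt_tables section) contain the Tunnels file listing (`#TYPE ZONE GATEWAY GATEWAY ZONE PORT` / `gre net $TEXAS`) rather than the tcrules entry the deleted HTML had (`1:P eth2 !192.168.0.0/16 tcp 80`); without that mark rule nothing ever carries fwmark 1, so the `run_ip rule add fwmark 1 table www.out` rule in the Init file matches no traffic and the Squid redirection each section intro describes cannot be reproduced from this document. Keep a single Tcrules section with the original listing and drop the duplicate. Smaller points in the same file: the rules listing still has a bare ACCEPT line with no client, server or protocol under "WiFi to Firewall (SMB and NTP)", and the action-less "WiFi fw udp 1024: 137" line under "loc to WiFi" (that line and the "ACCEPT WiFi fw udp ntp ntp" line below it are WiFi-to-firewall rules and belong in the WiFi to Firewall block); the Params listing runs the NTPSERVERS, TEXAS and LOG assignments onto one line, which a reader will copy as a single broken assignment; the interfaces header still reads INERFACE; and the "Newnotsyn file" title keeps a trailing colon unlike the other section titles.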