From 390ee5a4a0635881395114e140d5c2f807c4c111 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 29 May 2002 14:37:49 +0000
Subject: [PATCH] Initial revision

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@38 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Lrp/etc/shorewall/icmp.def | 22 ++++++++
 Lrp/etc/shorewall/interfaces | 104 +++++++++++++++++++++++++++++++++++
 2 files changed, 126 insertions(+)
 create mode 100644 Lrp/etc/shorewall/icmp.def
 create mode 100644 Lrp/etc/shorewall/interfaces

diff --git a/Lrp/etc/shorewall/icmp.def b/Lrp/etc/shorewall/icmp.def
new file mode 100644
index 000000000..629b724d9
--- /dev/null
+++ b/Lrp/etc/shorewall/icmp.def
@@ -0,0 +1,22 @@
+##############################################################################
+# Shorewall 1.3 /etc/shorewall/icmp.def
+#
+# This file defines the default rules for accepting ICMP packets.
+#
+# Do not modify this file -- if you wish to change these rules, create
+# /etc/shorewall/icmpdef to replace it. It is suggested that you include
+# the command "source /etc/shorewall/icmp.def" in your
+# /etc/shorewall/icmpdef file so that you will continue to get the
+# advantage of new releases of this file.
+#
+# For example, if you want to accept 'ping' everywhere then create
+# /etc/shorewall/icmpdef with the following two lines:
+#
+# source /etc/shorewall/icmp.def
+# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
+#
+run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
+run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
diff --git a/Lrp/etc/shorewall/interfaces b/Lrp/etc/shorewall/interfaces
new file mode 100644
index 000000000..555a8fd27
--- /dev/null
+++ b/Lrp/etc/shorewall/interfaces
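Review bot: The five `run_iptables -A icmpdef ... -j ACCEPT` lines at the end of the hunk accept each ICMP error type unconditionally, regardless of whether the message relates to a flow the firewall has already seen, and the header comment does not say so. Since the header invites users to `source` this file as the base of their own /etc/shorewall/icmpdef, a comment before the first rule should state the scope, e.g. `# The types below are accepted from any source; narrow with -m state --state RELATED if connection tracking is loaded.` Source-quench (type 4) was later deprecated by RFC 6633, so the header could also note that an icmpdef override may omit that rule without affecting path MTU discovery or error reporting.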
@@ -0,0 +1,104 @@
+#
+# Shorewall 1.3 -- Interfaces File
+#
+# /etc/shorewall/interfaces
+#
+# You must add an entry in this file for each network interface on your
+# firewall system.
+#
+# Columns are:
+#
+# ZONE Zone for this interface. Must match the short name
+# of a zone defined in /etc/shorewall/zones.
+#
+# If the interface serves multiple zones that will be
+# defined in the /etc/shorewall/hosts file, you may
+# place "-" in this column.
+#
+# INTERFACE Name of interface
+#
+# BROADCAST The broadcast address for the subnetwork to which the
+# interface belongs. For P-T-P interfaces, this
+# column is left black.
+#
+# If you use the special value "detect", the firewall
+# will detect the broadcast address for you. If you
+# select this option, the interface must be up before
+# the firewall is started and you must have iproute
+# installed.
+#
+# If you don't want to give a value for this column but
+# you want to enter a value in the OPTIONS column, enter
+# "-" in this column.
+#
+# OPTIONS A comma-separated list of options including the
+# following:
+#
+# dhcp - interface is managed by DHCP or used by
+# a DHCP server running on the firewall.
+# noping - icmp echo-request (ping) packets
+# addressed to the firewall should
+# be ignored on this interface
+# filterping - icmp echo-request (ping) packets
+# addressed to the firewall should
+# be controlled by the rules file and
+# applicable policy. If neither 'noping'
+# nor 'filterping' are specified then
+# the firewall will respond to 'ping'
+# requests. 'filterping' takes
+# precedence over 'noping' if both are
+# given.
+# routestopped - When the firewall is stopped, allow
+# and route traffic to and from this
+# interface.
+# norfc1918 - This interface should not receive
+# any packets whose source is in one
+# of the ranges reserved by RFC 1918
+# (i.e., private or "non-routable"
+# addresses. If packet mangling is
+# enabled in shorewall.conf, packets
+# whose destination addresses are
+# reserved by RFC 1918 are also rejected.
+# multi - This interface has multiple IP
+# addresses and you want to be able to
+# route between them.
+# routefilter - turn on kernel route filtering for this
+# interface (anti-spoofing measure).
+# dropunclean - Logs and drops mangled/invalid packets
+#
+# logunclean - Logs mangled/invalid packets but does
+# not drop them.
+# . . blacklist - Check packets arriving on this interface
+# against the /etc/shorewall/blacklist
+# file.
+#
+# Example 1: Suppose you have eth0 connected to a DSL modem and
+# eth1 connected to your local network and that your
+# local subnet is 192.168.1.0/24. The interface gets
+# it's IP address via DHCP from subnet
+# 206.191.149.192/27 and you want pings from the internet
+# to be ignored. You interface a DMZ with subnet
+# 192.168.2.0/24 using eth2. You want to be able to
+# access the firewall from the local network when the
+# firewall is stopped.
+#
+# Your entries for this setup would look like:
+#
+# net eth0 206.191.149.223 noping,dhcp
+# local eth1 192.168.1.255 routestopped
+# dmz eth2 192.168.2.255
+#
+# Example 2: The same configuration without specifying broadcast
+# addresses is:
+#
+# net eth0 detect noping,dhcp
+# loc eth1 detect routestopped
+# dmz eth2 detect
+#
+# Example 3: You have a simple dial-in system with no ethernet
+# connections and you want to ignore ping requests.
+#
+# net ppp0 - noping
+##############################################################################
+#ZONE INTERFACE BROADCAST OPTIONS
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
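Review bot: Example 1 names the inside zone `local` (`local eth1 192.168.1.255 routestopped`) while Example 2, described as "the same configuration", names it `loc` (`loc eth1 detect routestopped`); the ZONE column must match a short name from /etc/shorewall/zones, so one of the two examples will fail to load as written, and the zones file is not on this page to say which name is right. Pick one name and use it in both examples. Two wording fixes in the same header: `column is left black.` should read `column is left blank.`, and `it's IP address` should read `its IP address`. The entry `# . . blacklist - Check packets arriving on this interface` also breaks the layout of the other option entries and looks like a stray alignment artifact that should be cleaned up to match `dropunclean` and `logunclean` above it.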