diff --git a/Shorewall/accounting b/Shorewall/accounting index bfeb1654f..9a7998b92 100644 --- a/Shorewall/accounting +++ b/Shorewall/accounting @@ -1,105 +1,6 @@ # # Shorewall version 3.3 - Accounting File # -# /etc/shorewall/accounting -# -# Accounting rules exist simply to count packets and bytes in categories -# that you define in this file. You may display these rules and their -# packet and byte counters using the "shorewall show accounting" command. -# -# Please see http://shorewall.net/Accounting.html for examples and -# additional information about how to use this file. -# -# -# Columns are: -# -# ACTION - What to do when a match is found. -# -# COUNT - Simply count the match and continue -# with the next rule -# DONE - Count the match and don't attempt -# to match any other accounting rules -# in the chain specified in the CHAIN -# column. -# [:COUNT] -# - Where is the name of -# a chain. Shorewall will create -# the chain automatically if it -# doesn't already exist. Causes -# a jump to that chain. If :COUNT -# is including, a counting rule -# matching this record will be -# added to -# -# CHAIN - The name of a chain. If specified as "-" the -# 'accounting' chain is assumed. This is the chain -# where the accounting rule is added. The chain will -# be created if it doesn't already exist. -# -# SOURCE - Packet Source -# -# The name of an interface, an address (host or net) or -# an interface name followed by ":" -# and a host or net address. -# -# DESTINATION - Packet Destination -# -# Format the same as the SOURCE column. -# -# PROTOCOL A protocol name (from /etc/protocols), a protocol -# number, "ipp2p", "ipp2p:udp" or "ipp2p:all" -# -# DEST PORT(S) Destination Port number. If the PROTOCOL is "ipp2p" -# then this column must contain an ipp2p option -# ("iptables -m ipp2p --help") without the leading -# "--". If no option is given in this column, "ipp2p" -# is assumed. -# -# Service name from /etc/services or port number. May -# only be specified if the protocol is TCP or UDP (6 -# or 17). -# -# You may place a comma-separated list of port numbers in -# this column if your kernel and iptables include -# multiport match support. -# -# SOURCE PORT(S) Source Port number -# -# Service name from /etc/services or port number. May -# only be specified if the protocol is TCP or UDP (6 -# or 17). -# -# You may place a comma-separated list of port numbers in -# this column if your kernel and iptables include -# multiport match support. -# -# USER/GROUP This column may only be non-empty if the CHAIN is -# OUTPUT. -# -# The column may contain: -# -# [!][][:][+] -# -# When this column is non-empty, the rule applies only -# if the program generating the output is running under -# the effective and/or specified (or is -# NOT running under that id if "!" is given). -# -# Examples: -# -# joe #program must be run by joe -# :kids #program must be run by a member of -# #the 'kids' group -# !:kids #program must not be run by a member -# #of the 'kids' group -# +upnpd #program named upnpd (This feature was -# #removed from Netfilter in kernel -# #version 2.6.14). -# -# In all of the above columns except ACTION and CHAIN, the values "-", -# "any" and "all" may be used as wildcards. Omitted trailing columns are -# also treated as wildcards. -# # Please see http://shorewall.net/Accounting.html for examples and # additional information about how to use this file. # diff --git a/Shorewall/blacklist b/Shorewall/blacklist index c55a8f7c4..6c81c8965 100755 --- a/Shorewall/blacklist +++ b/Shorewall/blacklist @@ -1,58 +1,6 @@ # # Shorewall version 3.3 - Blacklist File # -# /etc/shorewall/blacklist -# -# This file contains a list of IP addresses, MAC addresses and/or -# subnetworks. -# -# Columns are: -# -# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address -# range (if your kernel and iptables contain iprange -# match support) or ipset name prefaced by "+" (if -# your kernel supports ipset match). -# -# MAC addresses must be prefixed with "~" and use "-" -# as a separator. -# -# Example: ~00-A0-C9-15-39-78 -# -# A dash ("-") in this column means that any source -# address will match. This is useful if you want to -# blacklist a particular application. -# -# PROTOCOL - Optional. If specified, must be a protocol number -# or a protocol name from /etc/protocols. -# -# PORTS - Optional. May only be specified if the protocol -# is TCP (6) or UDP (17). A comma-separated list -# of destination port numbers or service names from -# /etc/services. -# -# When a packet arrives on an interface that has the 'blacklist' option -# specified in /etc/shorewall/interfaces, its source IP address is -# checked against this file and disposed of according to the -# BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in -# /etc/shorewall/shorewall.conf -# -# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching -# the protocol (and one of the ports if PORTS supplied) are blocked. -# -# Example: -# -# To block DNS queries from address 192.0.2.126: -# -# ADDRESS/SUBNET PROTOCOL PORT -# 192.0.2.126 udp 53 -# -# Example: -# -# To block DNS queries from addresses in the ipset 'dnsblack': -# -# ADDRESS/SUBNET PROTOCOL PORT -# +dnsblack udp 53 -# # Please see http://shorewall.net/blacklisting_support.htm for additional # information. # diff --git a/Shorewall/documentation.txt b/Shorewall/documentation.txt new file mode 100644 index 000000000..3bd08ec0d --- /dev/null +++ b/Shorewall/documentation.txt @@ -0,0 +1,2549 @@ +############################################################################### +# This documentation provides a quick reference to the configuration +# files. The documentation at +# http://www.shorewall.net/Documentation_Index.html should be +# considered to be the primary documentation. +############################################################################### +# /etc/shorewall/accounting +# +# Accounting rules exist simply to count packets and bytes in categories +# that you define in this file. You may display these rules and their +# packet and byte counters using the "shorewall show accounting" command. +# +# Please see http://shorewall.net/Accounting.html for examples and +# additional information about how to use this file. +# +# +# Columns are: +# +# ACTION - What to do when a match is found. +# +# COUNT - Simply count the match and continue +# with the next rule +# DONE - Count the match and don't attempt +# to match any other accounting rules +# in the chain specified in the CHAIN +# column. +# [:COUNT] +# - Where is the name of +# a chain. Shorewall will create +# the chain automatically if it +# doesn't already exist. Causes +# a jump to that chain. If :COUNT +# is including, a counting rule +# matching this record will be +# added to +# +# CHAIN - The name of a chain. If specified as "-" the +# 'accounting' chain is assumed. This is the chain +# where the accounting rule is added. The chain will +# be created if it doesn't already exist. +# +# SOURCE - Packet Source +# +# The name of an interface, an address (host or net) or +# an interface name followed by ":" +# and a host or net address. +# +# DESTINATION - Packet Destination +# +# Format the same as the SOURCE column. +# +# PROTOCOL A protocol name (from /etc/protocols), a protocol +# number, "ipp2p", "ipp2p:udp" or "ipp2p:all" +# +# DEST PORT(S) Destination Port number. If the PROTOCOL is "ipp2p" +# then this column must contain an ipp2p option +# ("iptables -m ipp2p --help") without the leading +# "--". If no option is given in this column, "ipp2p" +# is assumed. +# +# Service name from /etc/services or port number. May +# only be specified if the protocol is TCP or UDP (6 +# or 17). +# +# You may place a comma-separated list of port numbers in +# this column if your kernel and iptables include +# multiport match support. +# +# SOURCE PORT(S) Source Port number +# +# Service name from /etc/services or port number. May +# only be specified if the protocol is TCP or UDP (6 +# or 17). +# +# You may place a comma-separated list of port numbers in +# this column if your kernel and iptables include +# multiport match support. +# +# USER/GROUP This column may only be non-empty if the CHAIN is +# OUTPUT. +# +# The column may contain: +# +# [!][][:][+] +# +# When this column is non-empty, the rule applies only +# if the program generating the output is running under +# the effective and/or specified (or is +# NOT running under that id if "!" is given). +# +# Examples: +# +# joe #program must be run by joe +# :kids #program must be run by a member of +# #the 'kids' group +# !:kids #program must not be run by a member +# #of the 'kids' group +# +upnpd #program named upnpd (This feature was +# #removed from Netfilter in kernel +# #version 2.6.14). +# +# In all of the above columns except ACTION and CHAIN, the values "-", +# "any" and "all" may be used as wildcards. Omitted trailing columns are +# also treated as wildcards. +# +# Please see http://shorewall.net/Accounting.html for examples and +# additional information about how to use this file. +# +############################################################################### +# /etc/shorewall/blacklist +# +# This file contains a list of IP addresses, MAC addresses and/or +# subnetworks. +# +# Columns are: +# +# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address +# range (if your kernel and iptables contain iprange +# match support) or ipset name prefaced by "+" (if +# your kernel supports ipset match). +# +# MAC addresses must be prefixed with "~" and use "-" +# as a separator. +# +# Example: ~00-A0-C9-15-39-78 +# +# A dash ("-") in this column means that any source +# address will match. This is useful if you want to +# blacklist a particular application. +# +# PROTOCOL - Optional. If specified, must be a protocol number +# or a protocol name from /etc/protocols. +# +# PORTS - Optional. May only be specified if the protocol +# is TCP (6) or UDP (17). A comma-separated list +# of destination port numbers or service names from +# /etc/services. +# +# When a packet arrives on an interface that has the 'blacklist' option +# specified in /etc/shorewall/interfaces, its source IP address is +# checked against this file and disposed of according to the +# BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in +# /etc/shorewall/shorewall.conf +# +# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching +# the protocol (and one of the ports if PORTS supplied) are blocked. +# +# Example: +# +# To block DNS queries from address 192.0.2.126: +# +# ADDRESS/SUBNET PROTOCOL PORT +# 192.0.2.126 udp 53 +# +# Example: +# +# To block DNS queries from addresses in the ipset 'dnsblack': +# +# ADDRESS/SUBNET PROTOCOL PORT +# +dnsblack udp 53 +# +# Please see http://shorewall.net/blacklisting_support.htm for additional +# information. +# +############################################################################### +# /etc/shorewall/ecn +# +# Use this file to list the destinations for which you want to +# disable ECN. +# +# This feature requires kernel 2.4.20 or later. If you run 2.4.20, +# you also need the patch found at http://www.shorewall.net/ecn/patch. +# That patch is included in kernels 2.4.21 and later. +# +# INTERFACE - Interface through which host(s) communicate with +# the firewall +# HOST(S) - (Optional) Comma-separated list of IP/subnet +# If left empty or supplied as "-", +# 0.0.0.0/0 is assumed. If your kernel and iptables +# include iprange match support then IP address ranges +# are also permitted. +# +# For additional information, see http://shorewall.net/Documentation.htm#ECN +# +############################################################################### +# /etc/shorewall/hosts +# +# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN +# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE. +# +# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE. +#------------------------------------------------------------------------------ +# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN +# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT +# ZONE AND INTERFACE IN THIS FILE. +#------------------------------------------------------------------------------ +# This file is used to define zones in terms of subnets and/or +# individual IP addresses. Most simple setups don't need to +# (should not) place anything in this file. +# +# The order of entries in this file is not significant in +# determining zone composition. Rather, the order that the zones +# are defined in /etc/shorewall/zones determines the order in +# which the records in this file are interpreted. +# +# ZONE - The name of a zone defined in /etc/shorewall/zones. You may +# not list the firewall zone in this column. +# +# HOST(S) - The name of an interface defined in the +# /etc/shorewall/interfaces file followed by a colon (":") and +# a comma-separated list whose elements are either: +# +# a) The IP address of a host +# b) A subnetwork in the form +# / +# c) An IP address range of the form -. Your kernel and iptables must have iprange +# match support. +# d) A physical port name; only allowed when the +# interface names a bridge created by the +# brctl addbr command. This port must not +# be defined in /etc/shorewall/interfaces and may +# optionally followed by a colon (":") and a +# host or network IP or a range. +# See http://www.shorewall.net/bridge.html +# for details. Specifying a physical port +# name requires that you have BRIDGING=Yes in +# /etc/shorewall/shorewall.conf. +# e) The name of an ipset (preceded by "+"). +# +# Examples: +# +# eth1:192.168.1.3 +# eth2:192.168.2.0/24 +# eth3:192.168.2.0/24,192.168.3.1 +# br0:eth4 +# br0:eth0:192.168.1.16/28 +# eth4:192.168.1.44-192.168.1.49 +# eth2:+Admin +# +# OPTIONS - A comma-separated list of options. Currently-defined +# options are: +# +# maclist - Connection requests from these hosts +# are compared against the contents of +# /etc/shorewall/maclist. If this option +# is specified, the interface must be +# an ethernet NIC and must be up before +# Shorewall is started. +# +# routeback - Shorewall should set up the +# infrastructure to pass packets +# from this/these address(es) back +# to themselves. This is necessary if +# hosts in this group use the services +# of a transparent proxy that is +# a member of the group or if DNAT is used +# to send requests originating from this +# group to a server in the group. +# +# norfc1918 - This option only makes sense for ports +# on a bridge. +# +# The port should not accept +# any packets whose source is in one +# of the ranges reserved by RFC 1918 +# (i.e., private or "non-routable" +# addresses. If packet mangling or +# connection-tracking match is enabled in +# your kernel, packets whose destination +# addresses are reserved by RFC 1918 are +# also rejected. +# +# blacklist - This option only makes sense for ports +# on a bridge. +# +# Check packets arriving on this port +# against the /etc/shorewall/blacklist +# file. +# +# tcpflags - Packets arriving from these hosts are +# checked for certain illegal combinations +# of TCP flags. Packets found to have +# such a combination of flags are handled +# according to the setting of +# TCP_FLAGS_DISPOSITION after having been +# logged according to the setting of +# TCP_FLAGS_LOG_LEVEL. +# +# nosmurfs - This option only makes sense for ports +# on a bridge. +# +# Filter packets for smurfs +# (packets with a broadcast +# address as the source). +# +# Smurfs will be optionally logged based +# on the setting of SMURF_LOG_LEVEL in +# shorewall.conf. After logging, the +# packets are dropped. +# +# ipsec - The zone is accessed via a +# kernel 2.6 ipsec SA. Note that if the +# zone named in the ZONE column is +# specified as an IPSEC zone in the +# /etc/shorewall/zones file then you +# do NOT need to specify the 'ipsec' +# option here. +# +# For additional information, see http://shorewall.net/Documentation.htm#Hosts +# +############################################################################### +# /etc/shorewall/interfaces +# +# You must add an entry in this file for each network interface on your +# firewall system. +# +# Columns are: +# +# ZONE Zone for this interface. Must match the name of a +# zone defined in /etc/shorewall/zones. You may not +# list the firewall zone in this column. +# +# If the interface serves multiple zones that will be +# defined in the /etc/shorewall/hosts file, you should +# place "-" in this column. +# +# If there are multiple interfaces to the same zone, +# you must list them in separate entries: +# +# Example: +# +# loc eth1 - +# loc eth2 - +# +# INTERFACE Name of interface. Each interface may be listed only +# once in this file. You may NOT specify the name of +# an alias (e.g., eth0:0) here; see +# http://www.shorewall.net/FAQ.htm#faq18 +# +# You may specify wildcards here. For example, if you +# want to make an entry that applies to all PPP +# interfaces, use 'ppp+'. +# +# There is no need to define the loopback interface (lo) +# in this file. +# +# BROADCAST The broadcast address for the subnetwork to which the +# interface belongs. For P-T-P interfaces, this +# column is left blank.If the interface has multiple +# addresses on multiple subnets then list the broadcast +# addresses as a comma-separated list. +# +# If you use the special value "detect", Shorewall +# will detect the broadcast address(es) for you. If you +# select this option, the interface must be up before +# the firewall is started. +# +# If you don't want to give a value for this column but +# you want to enter a value in the OPTIONS column, enter +# "-" in this column. +# +# OPTIONS A comma-separated list of options including the +# following: +# +# dhcp - Specify this option when any of +# the following are true: +# 1. the interface gets its IP address +# via DHCP +# 2. the interface is used by +# a DHCP server running on the firewall +# 3. you have a static IP but are on a LAN +# segment with lots of Laptop DHCP +# clients. +# 4. the interface is a bridge with +# a DHCP server on one port and DHCP +# clients on another port. +# +# norfc1918 - This interface should not receive +# any packets whose source is in one +# of the ranges reserved by RFC 1918 +# (i.e., private or "non-routable" +# addresses). If packet mangling or +# connection-tracking match is enabled in +# your kernel, packets whose destination +# addresses are reserved by RFC 1918 are +# also rejected. +# +# routefilter - turn on kernel route filtering for this +# interface (anti-spoofing measure). This +# option can also be enabled globally in +# the /etc/shorewall/shorewall.conf file. +# +# logmartians - turn on kernel martian logging (logging +# of packets with impossible source +# addresses. It is suggested that if you +# set routefilter on an interface that +# you also set logmartians. This option +# may also be enabled globally in the +# /etc/shorewall/shorewall.conf file. +# +# blacklist - Check packets arriving on this interface +# against the /etc/shorewall/blacklist +# file. +# +# maclist - Connection requests from this interface +# are compared against the contents of +# /etc/shorewall/maclist. If this option +# is specified, the interface must be +# an ethernet NIC and must be up before +# Shorewall is started. +# +# tcpflags - Packets arriving on this interface are +# checked for certain illegal combinations +# of TCP flags. Packets found to have +# such a combination of flags are handled +# according to the setting of +# TCP_FLAGS_DISPOSITION after having been +# logged according to the setting of +# TCP_FLAGS_LOG_LEVEL. +# +# proxyarp - +# Sets +# /proc/sys/net/ipv4/conf//proxy_arp. +# Do NOT use this option if you are +# employing Proxy ARP through entries in +# /etc/shorewall/proxyarp. This option is +# intended soley for use with Proxy ARP +# sub-networking as described at: +# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet +# +# routeback - If specified, indicates that Shorewall +# should include rules that allow +# filtering traffic arriving on this +# interface back out that same interface. +# +# arp_filter - If specified, this interface will only +# respond to ARP who-has requests for IP +# addresses configured on the interface. +# If not specified, the interface can +# respond to ARP who-has requests for +# IP addresses on any of the firewall's +# interface. The interface must be up +# when Shorewall is started. +# +# arp_ignore[=] +# - If specified, this interface will +# respond to arp requests based on the +# value of . +# +# 1 - reply only if the target IP address +# is local address configured on the +# incoming interface +# +# 2 - reply only if the target IP address +# is local address configured on the +# incoming interface and both with the +# sender's IP address are part from same +# subnet on this interface +# +# 3 - do not reply for local addresses +# configured with scope host, only +# resolutions for global and link +# addresses are replied +# +# 4-7 - reserved +# +# 8 - do not reply for all local +# addresses +# +# If no is given then the value +# 1 is assumed +# +# WARNING -- DO NOT SPECIFY arp_ignore +# FOR ANY INTERFACE INVOLVED IN PROXY ARP. +# +# nosmurfs - Filter packets for smurfs +# (packets with a broadcast +# address as the source). +# +# Smurfs will be optionally logged based +# on the setting of SMURF_LOG_LEVEL in +# shorewall.conf. After logging, the +# packets are dropped. +# +# detectnets - Automatically taylors the zone named +# in the ZONE column to include only those +# hosts routed through the interface. +# +# sourceroute - If this option is not specified for an +# interface, then source-routed packets +# will not be accepted from that +# interface (sets /proc/sys/net/ipv4/ +# conf// +# accept_source_route to 1). +# Only set this option if you know what +# you are you doing. This might represent +# a security risk and is not usually +# needed. +# +# upnp - Incoming requests from this interface +# may be remapped via UPNP (upnpd). +# +# WARNING: DO NOT SET THE detectnets OPTION ON YOUR +# INTERNET INTERFACE. +# +# The order in which you list the options is not +# significant but the list should have no embedded white +# space. +# +# Example 1: Suppose you have eth0 connected to a DSL modem and +# eth1 connected to your local network and that your +# local subnet is 192.168.1.0/24. The interface gets +# it's IP address via DHCP from subnet +# 206.191.149.192/27. You have a DMZ with subnet +# 192.168.2.0/24 using eth2. +# +# Your entries for this setup would look like: +# +# net eth0 206.191.149.223 dhcp +# local eth1 192.168.1.255 +# dmz eth2 192.168.2.255 +# +# Example 2: The same configuration without specifying broadcast +# addresses is: +# +# net eth0 detect dhcp +# loc eth1 detect +# dmz eth2 detect +# +# Example 3: You have a simple dial-in system with no ethernet +# connections. +# +# net ppp0 - +# +# For additional information, see +# http://shorewall.net/Documentation.htm#Interfaces +# +############################################################################### +# /etc/shorewall/maclist +# +# This file is used to define the MAC addresses and optionally their +# associated IP addresses to be allowed to use the specified interface. +# The feature is enabled by using the maclist option in the interfaces +# or hosts configuration file. +# +# Columns are: +# +# DISPOSITION ACCEPT or DROP (if MACLIST_TABLE=filter, then REJECT +# is also allowed) +# +# INTERFACE Network interface to a host. If the interface +# names a bridge, it may be optionally followed by +# a colon (":") and a physical port name (e.g., +# br0:eth4). +# +# MAC MAC address of the host -- you do not need to use +# the Shorewall format for MAC addresses here. If IP +# ADDRESSES is supplied then MAC can be supplied as +# a dash ("-") +# +# IP ADDRESSES Optional -- if specified, both the MAC and IP address +# must match. This column can contain a comma-separated +# list of host and/or subnet addresses. If your kernel +# and iptables have iprange match support then IP +# address ranges are also allowed. +# +# For additional information, see http://shorewall.net/MAC_Validation.html +# +############################################################################### +# /etc/shorewall/masq +# +# Use this file to define dynamic NAT (Masquerading) and to define +# Source NAT (SNAT). +# +# WARNING: The entries in this file are order-sensitive. The first +# entry that matches a particular connection will be the one that +# is used. +# +# WARNING: If you have more than one ISP, adding entries to this +# file will *not* force connections to go out through a particular +# ISP. You must use PREROUTING entries in /etc/shorewall/tcrules +# to do that. +# +# Columns are: +# +# INTERFACE -- Outgoing interface. This is usually your internet +# interface. If ADD_SNAT_ALIASES=Yes in +# /etc/shorewall/shorewall.conf, you may add ":" and +# a digit to indicate that you want the alias added with +# that name (e.g., eth0:0). This will allow the alias to +# be displayed with ifconfig. THAT IS THE ONLY USE FOR +# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER +# PLACE IN YOUR SHOREWALL CONFIGURATION. +# +# This may be qualified by adding the character +# ":" followed by a destination host or subnet. +# +# If you wish to inhibit the action of ADD_SNAT_ALIASES +# for this entry then include the ":" but omit the digit: +# +# eth0: +# eth2::192.0.2.32/27 +# +# Normally Masq/SNAT rules are evaluated after those for +# one-to-one NAT (/etc/shorewall/nat file). If you want +# the rule to be applied before one-to-one NAT rules, +# prefix the interface name with "+": +# +# +eth0 +# +eth0:192.0.2.32/27 +# +eth0:2 +# +# This feature should only be required if you need to +# insert rules in this file that preempt entries in +# /etc/shorewall/nat. +# +# If you place COMMENT in this column, then the rest of the +# line will be attached as a comment to the Netfilter rule(s) +# generated by the following entry. The comment will appear +# delimited by "/* ... */" in the output of "shorewall show +# nat" +# +# SOURCE (formerly called SUBNET) +# +# Set of hosts that you wish to masquerade. You can specify this +# as an address (net or host) or as an interface. If you give +# the name of an interface, the interface must be up before you +# start the firewall (Shorewall will use your main routing table +# to determine the appropriate addresses to masquerade). +# +# In order to exclude a addrress of the specified SOURCE, you +# may append "!" and a comma-separated list of IP addresses +# (host or net) that you wish to exclude. +# +# Example: eth1!192.168.1.4,192.168.32.0/27 +# +# In that example traffic from eth1 would be masqueraded unless +# it came from 192.168.1.4 or 196.168.32.0/27 +# +# ADDRESS -- (Optional). If you specify an address here, SNAT will be +# used and this will be the source address. If +# ADD_SNAT_ALIASES is set to Yes or yes in +# /etc/shorewall/shorewall.conf then Shorewall +# will automatically add this address to the +# INTERFACE named in the first column. +# +# You may also specify a range of up to 256 +# IP addresses if you want the SNAT address to +# be assigned from that range in a round-robin +# range by connection. The range is specified by +# -. +# +# Example: 206.124.146.177-206.124.146.180 +# +# You may also use the special value "detect" +# which causes Shorewall to determine the +# IP addresses configured on the interface named +# in the INTERFACES column and substitute them +# in this column. +# +# Finally, you may also specify a comma-separated +# list of ranges and/or addresses in this column. +# +# This column may not contain DNS Names. +# +# Normally, Netfilter will attempt to retain +# the source port number. You may cause +# netfilter to remap the source port by following +# an address or range (if any) by ":" and +# a port range with the format - +# . If this is done, you must +# specify "tcp" or "udp" in the PROTO column. +# +# Examples: +# +# 192.0.2.4:5000-6000 +# :4000-5000 +# +# You can invoke the SAME target using the +# following in this column: +# +# SAME:[nodst:][,...] +# +# The may be single addresses +# or "detect" as described above. +# +# SAME works like SNAT with the exception that +# the same local IP address is assigned to each +# connection from a local address to a given +# remote address. +# +# If the 'nodst:' option is included, then the +# same source address is used for a given +# internal system regardless of which remote +# system is involved. +# +# If you want to leave this column empty +# but you need to specify the next column then +# place a hyphen ("-") here. +# +# PROTO -- (Optional) If you wish to restrict this entry to a +# particular protocol then enter the protocol +# name (from /etc/protocols) or number here. +# +# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6) +# or UDP (protocol 17) then you may list one +# or more port numbers (or names from +# /etc/services) separated by commas or you +# may list a single port range +# (:). +# +# Where a comma-separated list is given, your +# kernel and iptables must have multiport match +# support and a maximum of 15 ports may be +# listed. +# +# IPSEC -- (Optional) If you specify a value other than "-" in this +# column, you must be running kernel 2.6 and +# your kernel and iptables must include policy +# match support. +# +# Comma-separated list of options from the +# following. Only packets that will be encrypted +# via an SA that matches these options will have +# their source address changed. +# +# Yes or yes -- must be the only option +# listed and matches all outbound +# traffic that will be encrypted. +# +# reqid= where is +# specified using setkey(8) using the +# 'unique: option for the SPD +# level. +# +# spi= where is the +# SPI of the SA. +# +# proto=ah|esp|ipcomp +# +# mode=transport|tunnel +# +# tunnel-src=
[/] (only +# available with mode=tunnel) +# +# tunnel-dst=
[/] (only +# available with mode=tunnel) +# +# strict Means that packets must match +# all rules. +# +# next Separates rules; can only be +# used with strict.. +# +# Example 1: +# +# You have a simple masquerading setup where eth0 connects to +# a DSL or cable modem and eth1 connects to your local network +# with subnet 192.168.0.0/24. +# +# Your entry in the file can be either: +# +# eth0 eth1 +# +# or +# +# eth0 192.168.0.0/24 +# +# Example 2: +# +# You add a router to your local network to connect subnet +# 192.168.1.0/24 which you also want to masquerade. You then +# add a second entry for eth0 to this file: +# +# eth0 192.168.1.0/24 +# +# Example 3: +# +# You have an IPSEC tunnel through ipsec0 and you want to +# masquerade packets coming from 192.168.1.0/24 but only if +# these packets are destined for hosts in 10.1.1.0/24: +# +# ipsec0:10.1.1.0/24 196.168.1.0/24 +# +# Example 4: +# +# You want all outgoing traffic from 192.168.1.0/24 through +# eth0 to use source address 206.124.146.176 which is NOT the +# primary address of eth0. You want 206.124.146.176 added to +# be added to eth0 with name eth0:0. +# +# eth0:0 192.168.1.0/24 206.124.146.176 +# +# Example 5: +# +# You want all outgoing SMTP traffic entering the firewall +# on eth1 to be sent from eth0 with source IP address +# 206.124.146.177. You want all other outgoing traffic +# from eth1 to be sent from eth0 with source IP address +# 206.124.146.176. +# +# eth0 eth1 206.124.146.177 tcp smtp +# eth0 eth1 206.124.146.176 +# +# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! +# +# For additional information, see http://shorewall.net/Documentation.htm#Masq +# +############################################################################### +# /etc/shorewall/nat +# +# This file is used to define one-to-one Network Address Translation +# (NAT). +# +# WARNING: If all you want to do is simple port forwarding, do NOT use this +# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most +# cases, Proxy ARP is a better solution that one-to-one NAT. +# +# Columns are: +# +# EXTERNAL External IP Address - this should NOT be the primary +# IP address of the interface named in the next +# column and must not be a DNS Name. +# +# If you put COMMENT in this column, the rest of the +# line will be attached as a comment to the Netfilter +# rule(s) generated by the following entries in the +# file. The comment will appear delimited by "/* ... */" +# in the output of "shorewall show nat" +# +# To stop the comment from being attached to further +# rules, simply include COMMENT on a line by itself. +# +# INTERFACE Interface that has the EXTERNAL address. +# If ADD_IP_ALIASES=Yes in shorewall.conf, Shorewall +# will automatically add the EXTERNAL address to this +# interface. Also if ADD_IP_ALIASES=Yes, you may +# follow the interface name with ":" and a digit to +# indicate that you want Shorewall to add the alias +# with this name (e.g., "eth0:0"). That allows you to +# see the alias with ifconfig. THAT IS THE ONLY THING +# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT +# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION. +# +# If you want to override ADD_IP_ALIASES=Yes for a +# particular entry, follow the interface name with +# ":" and no digit (e.g., "eth0:"). +# INTERNAL Internal Address (must not be a DNS Name). +# +# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts. +# If No or no (or left empty) then NAT will be effective +# only through the interface named in the INTERFACE +# column +# +# LOCAL If Yes or yes, NAT will be effective from the firewall +# system +# +# For additional information, see http://shorewall.net/NAT.htm +# +############################################################################### +# /etc/shorewall/netmap +# +# This file is used to map addresses in one network to corresponding +# addresses in a second network. +# +# WARNING: To use this file, your kernel and iptables must have +# NETMAP support included. +# +# Columns are: +# +# TYPE Must be DNAT or SNAT. +# +# If DNAT, traffic entering INTERFACE and addressed to +# NET1 has it's destination address rewritten to the +# corresponding address in NET2. +# +# If SNAT, traffic leaving INTERFACE with a source +# address in NET1 has it's source address rewritten to +# the corresponding address in NET2. +# +# NET1 Network in CIDR format (e.g., 192.168.1.0/24) +# +# INTERFACE The name of a network interface. The interface must +# be defined in /etc/shorewall/interfaces. +# +# NET2 Network in CIDR format +# +# See http://shorewall.net/netmap.html for an example and usage +# information. +# +############################################################################### +# /etc/shorewall/policy +# +# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT +# +# This file determines what to do with a new connection request if we +# don't get a match from the /etc/shorewall/rules file . For each +# source/destination pair, the file is processed in order until a +# match is found ("all" will match any client or server). +# +# INTRA-ZONE POLICIES ARE PRE-DEFINED +# +# For $FW and for all of the zoned defined in /etc/shorewall/zones, +# the POLICY for connections from the zone to itself is ACCEPT (with no +# logging or TCP connection rate limiting but may be overridden by an +# entry in this file. The overriding entry must be explicit (cannot use +# "all" in the SOURCE or DEST). +# +# Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then +# the implicit policy to/from any sub-zone is CONTINUE. These implicit +# CONTINUE policies may also be overridden by an explicit entry in this +# file. +# +# Columns are: +# +# SOURCE Source zone. Must be the name of a zone defined +# in /etc/shorewall/zones, $FW or "all". +# +# DEST Destination zone. Must be the name of a zone defined +# in /etc/shorewall/zones, $FW or "all" +# +# POLICY Policy if no match from the rules file is found. Must +# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE". +# +# ACCEPT - Accept the connection +# DROP - Ignore the connection request +# REJECT - For TCP, send RST. For all other, +# send "port unreachable" ICMP. +# QUEUE - Send the request to a user-space +# application using the QUEUE target. +# CONTINUE - Pass the connection request past +# any other rules that it might also +# match (where the source or +# destination zone in those rules is +# a superset of the SOURCE or DEST +# in this policy). +# NONE - Assume that there will never be any +# packets from this SOURCE +# to this DEST. Shorewall will not set +# up any infrastructure to handle such +# packets and you may not have any +# rules with this SOURCE and DEST in +# the /etc/shorewall/rules file. If +# such a packet _is_ received, the +# result is undefined. NONE may not be +# used if the SOURCE or DEST columns +# contain the firewall zone ($FW) or +# "all". +# +# If the policy is DROP or REJECT then the policy should +# be followed by ":" and one of the following: +# +# a) The word "None" or "none". This causes any default +# action defined in /etc/shorewall/shorewall.conf to +# be omitted for this policy. +# b) The name of an action (requires that USE_ACTIONS=Yes +# in shorewall.conf). That action will be invoked +# before the policy is enforced. +# c) The name of a macro. The rules in that macro will +# be applied before the policy is enforced. This +# does not require USE_ACTIONS=Yes. +# +# LOG LEVEL If supplied, each connection handled under the default +# POLICY is logged at that level. If not supplied, no +# log message is generated. See syslog.conf(5) for a +# description of log levels. +# +# Beginning with Shorewall version 1.3.12, you may +# also specify ULOG (must be in upper case). This will +# log to the ULOG target and sent to a separate log +# through use of ulogd +# (http://www.gnumonks.org/projects/ulogd). +# +# If you don't want to log but need to specify the +# following column, place "-" here. +# +# LIMIT:BURST If passed, specifies the maximum TCP connection rate +# and the size of an acceptable burst. If not specified, +# TCP connections are not limited. +# +# Example: +# +# a) All connections from the local network to the internet are allowed +# b) All connections from the internet are ignored but logged at syslog +# level KERNEL.INFO. +# d) All other connection requests are rejected and logged at level +# KERNEL.INFO. +# +# #SOURCE DEST POLICY LOG +# # LEVEL +# loc net ACCEPT +# net all DROP info +# # +# # THE FOLLOWING POLICY MUST BE LAST +# # +# all all REJECT info +# +# See http://shorewall.net/Documentation.htm#Policy for additional information. +# +############################################################################### +# /etc/shorewall/providers +# +# This file is used to define additional routing tables. You will +# want to define an additional table if: +# +# - You have connections to more than one ISP or multiple connections +# to the same ISP +# +# - You run Squid as a transparent proxy on a host other than the +# firewall. +# +# To omit a column, enter "-". +# +# Columns are: +# +# NAME The provider name. Must be a valid shell variable name. +# The names 'local', 'main', 'default' and 'unspec' are +# reserved and may not be used as provider names. +# +# NUMBER The provider number -- a number between 1 and 15 +# +# MARK A FWMARK value used in your /etc/shorewall/tcrules +# file to direct packets to this provider. +# +# If HIGH_ROUTE_MARKS=Yes in shorewall.conf, then the +# value must be a multiple of 256 between 256 and 65280 +# or their hexadecimal equivalents (0x0100 and 0xff00 +# with the low-order byte of the value being zero). +# Otherwise, the value must be between 1 and 255. +# +# DUPLICATE The name of an existing table to duplicate. May be +# 'main' or the name of a previous provider. +# +# INTERFACE The name of the network interface to the provider. +# Must be listed in /etc/shorewall/interfaces. +# +# GATEWAY The IP address of the provider's gateway router. +# +# You can enter "detect" here and Shorewall will +# attempt to detect the gateway automatically. +# +# [ EXPERIMENTAL ] For PPP devices, you may omit this +# column. +# +# OPTIONS A comma-separated list selected from the following: +# +# track If specified, inbound connections on this interface +# are to be tracked so that responses may be routed back +# out this same interface. +# +# You want to specify 'track' if internet hosts will be +# connecting to local servers through this provider. +# +# balance The providers that have 'balance' specified will +# get outbound traffic load-balanced among them. By +# default, all interfaces with 'balance' specified +# will have the same weight (1). You can change the +# weight of an interface by specifiying balance= +# where is the weight of the route out of +# this interface. +# +# loose Shorewall normally adds a routing rule for each +# IP address on an interface which forces traffic +# whose source is that IP address to be sent using +# the routing table for that interface. Setting +# 'loose' prevents creation of such rules on this +# interface. +# +# optional +# If the interface named in the INTERFACE column is not +# up and configured with an IPv4 address then ignore +# this provider. +# +# COPY A comma-separated lists of other interfaces on your +# firewall. Only makes sense when DUPLICATE is 'main'. +# Only copy routes through INTERFACE and through +# interfaces listed here. If you only wish to copy +# routes through INTERFACE, enter 'none' here. +# +# Example: You run squid in your DMZ on IP address 192.168.2.99. Your DMZ +# interface is eth2 +# +# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS +# Squid 1 1 - eth2 192.168.2.99 - +# +# Example: +# +# eth0 connects to ISP 1. The IP address of eth0 is 206.124.146.176 and +# the ISP's gateway router has IP address 206.124.146.254. +# +# eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the +# ISP's gateway router has IP address 130.252.99.254. +# +# eth2 connects to a local network. +# +# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY +# ISP1 1 1 main eth0 206.124.146.254 track,balance eth2 +# ISP2 2 2 main eth1 130.252.99.254 track,balance eth2 +# +# See http://www.shorewall.net/MultiISP.html for additional +# information. +# +############################################################################### +# /etc/shorewall/proxyarp +# +# This file is used to define Proxy ARP. +# +# Columns are: +# +# ADDRESS IP Address +# +# INTERFACE Local interface where system is connected. +# +# EXTERNAL External Interface to be used to access this system +# +# HAVEROUTE If there is already a route from the firewall to +# the host whose address is given, enter "Yes" or "yes" +# in this column. Otherwise, entry "no", "No" or leave +# the column empty and Shorewall will add the route for +# you. If Shorewall adds the route,the route will be +# persistent if the PERSISTENT column contains Yes; +# otherwise, "shorewall stop" or "shorewall clear" will +# delete the route. +# +# PERSISTENT If HAVEROUTE is No or "no", then the value of this +# column determines if the route added by Shorewall +# persists after a "shorewall stop" or a "shorewall +# clear". If this column contains "Yes" or "yes" then +# the route persists; If the column is empty or contains +# "No"or "no" then the route is deleted at "shorewall +# stop" or "shorewall clear". +# +# Example: Host with IP 155.186.235.6 is connected to +# interface eth1 and we want hosts attached via eth0 +# to be able to access it using that address. +# +# #ADDRESS INTERFACE EXTERNAL +# 155.186.235.6 eth1 eth0 +# +# See http://shorewall.net/ProxyARP.htm for additional information. +# +############################################################################### +# /etc/shorewall/rfc1918 +# +# Lists the subnetworks that are blocked by the 'norfc1918' interface +# option. +# +# The default list includes those IP addresses listed in RFC 1918. +# +# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE +# TO /etc/shorewall AND MODIFY THE COPY. +# +# Columns are: +# +# SUBNETS A comma-separated list of subnet addresses +# (host addresses also allowed as are IP +# address ranges provided that your kernel and iptables +# have iprange match support). +# TARGET Where to send packets to/from this subnet +# RETURN - let the packet be processed normally +# DROP - silently drop the packet +# logdrop - log then drop +# +# By default, the RETURN target causes 'norfc1918' processing to cease +# for a packet if the packet's source IP address matches the rule. Thus, +# if you have: +# +# SUBNETS TARGET +# 192.168.1.0/24 RETURN +# +# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though +# you also have: +# +# SUBNETS TARGET +# 10.0.0.0/8 logdrop +# +# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic +# to be logged and dropped since while the packet's source matches the +# RETURN rule, the packet's destination matches the 'logdrop' rule. +############################################################################### +# /etc/shorewall/route_rules +# +# Entries in this file cause traffic to be routed to one of the +# providers listed in /etc/shorewall/providers. +# +# Columns are: +# +# SOURCE(optional) +# An ip address (network or host) that +# matches the source IP address in a packet. +# May also be specified as an interface +# name optionally followed by ":" and an +# address. If the device 'lo' is specified, +# the packet must originate from the firewall +# itself. +# +# DEST(optional) An ip address (network or host) that +# matches the destination IP address in a packet. +# +# If you choose to omit either SOURCE or DEST, +# place "-" in that column. Note that you +# may not omit both SOURCE and DEST. +# +# PROVIDER The provider to route the traffic through. +# May be expressed either as the provider name +# or the provider number. May also be 'main' +# or 254 for the main routing table. This can +# be used in combination with VPN tunnels, see +# example 2 below. +# +# PRIORITY +# The rule's priority which determines the order +# in which the rules are processed. +# +# 1000-1999 Before Shorewall-generated +# 'MARK' rules +# +# 11000- 11999 After 'MARK' rules but before +# Shorewall-generated rules for +# ISP interfaces. +# +# 26000-26999 After ISP interface rules but +# before 'default' rule. +# +# Rules with equal priority are applied in +# the order in which they appear in the file. +# +# Example 1: You want all traffic coming in on eth1 to be routed to the ISP1 +# provider: +# +# #SOURCE DEST PROVIDER PRIORITY +# eth1 - ISP1 1000 +# +# Example 2: You use OpenVPN (routed setup /tunX) in combination with multiple +# providers. In this case you have to set up a rule to ensure that +# the OpenVPN traffic is routed back through the tunX interface(s) +# rather than through any of the providers. 10.8.0.0/24 is the +# subnet choosen in your OpenVPN configuration (server 10.8.0.0 +# 255.255.255.0) +# +# #SOURCE DEST PROVIDER PRIORITY +# - 10.8.0.0/24 main 1000 +# +# For additional information, see +# http://www.shorewall.net/MultiISP.html +# +############################################################################### +# /etc/shorewall/routestopped +# +# This file is used to define the hosts that are accessible when the +# firewall is stopped or when it is in the process of being +# [re]started. +# +# Columns are: +# +# INTERFACE - Interface through which host(s) communicate with +# the firewall +# HOST(S) - (Optional) Comma-separated list of IP/subnet +# addresses. If your kernel and iptables include +# iprange match support, IP address ranges are also +# allowed. +# +# If left empty or supplied as "-", +# 0.0.0.0/0 is assumed. +# OPTIONS - (Optional) A comma-separated list of +# options. The currently-supported options are: +# +# routeback - Set up a rule to ACCEPT traffic from +# these hosts back to themselves. +# +# source - Allow traffic from these hosts to ANY +# destination. Without this option or the 'dest' +# option, only traffic from this host to other +# listed hosts (and the firewall) is allowed. If +# 'source' is specified then 'routeback' is redundant. +# +# dest - Allow traffic to these hosts from ANY +# source. Without this option or the 'source' +# option, only traffic from this host to other +# listed hosts (and the firewall) is allowed. If +# 'dest' is specified then 'routeback' is redundant. +# +# critical - Allow traffic between the firewall and +# these hosts throughout '[re]start', 'stop' and +# 'clear'. Specifying 'critical' on one or more +# entries will cause your firewall to be "totally +# open" for a brief window during each of those +# operations. +# +# NOTE: The 'source' and 'dest' options work best when used +# in conjunction with ADMINISABSENTMINDED=Yes in +# /etc/shorewall/shorewall.conf. +# +# Example: +# +# INTERFACE HOST(S) OPTIONS +# eth2 192.168.1.0/24 +# eth0 192.0.2.44 +# br0 - routeback +# eth3 - source +# +# See http://shorewall.net/Documentation.htm#Routestopped and +# http://shorewall.net/starting_and_stopping_shorewall.htm for additional +# information. +# +############################################################################### +# /etc/shorewall/rules +# +# Rules in this file govern connection establishment. Requests and +# responses are automatically allowed using connection tracking. For any +# particular (source,dest) pair of zones, the rules are evaluated in the +# order in which they appear in this file and the first match is the one +# that determines the disposition of the request. +# +# In most places where an IP address or subnet is allowed, you +# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to +# indicate that the rule matches all addresses except the address/subnet +# given. Notice that no white space is permitted between "!" and the +# address/subnet. +#------------------------------------------------------------------------------ +# WARNING: If you masquerade or use SNAT from a local system to the internet, +# you cannot use an ACCEPT rule to allow traffic from the internet to +# that system. You *must* use a DNAT rule instead. +#------------------------------------------------------------------------------ +# +# The rules file is divided into sections. Each section is introduced by +# a "Section Header" which is a line beginning with SECTION followed by the +# section name. +# +# Sections are as follows and must appear in the order listed: +# +# ESTABLISHED Packets in the ESTABLISHED state are processed +# by rules in this section. +# +# The only ACTIONs allowed in this section are +# ACCEPT, DROP, REJECT, LOG and QUEUE +# +# There is an implicit ACCEPT rule inserted +# at the end of this section. +# +# RELATED Packets in the RELATED state are processed by +# rules in this section. +# +# The only ACTIONs allowed in this section are +# ACCEPT, DROP, REJECT, LOG and QUEUE +# +# There is an implicit ACCEPT rule inserted +# at the end of this section. +# +# NEW Packets in the NEW and INVALID states are +# processed by rules in this section. +# +# Note: If you are not familiar with Netfilter to the point where you are +# comfortable with the differences between the various connection +# tracking states, then I suggest that you omit the ESTABLISHED and +# RELATED sections and place all of your rules in the NEW section +# (That's after the line that reads SECTION NEW'). +# +# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the +# ESTABLISHED and RELATED sections must be empty. +# +# You may omit any section that you don't need. If no Section Headers appear +# in the file then all rules are assumed to be in the NEW section. +# +# Columns are: +# +# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, +# LOG, QUEUE, COMMENT, a , or an . +# +# ACCEPT -- allow the connection request +# ACCEPT+ -- like ACCEPT but also excludes the +# connection from any subsequent +# DNAT[-] or REDIRECT[-] rules +# NONAT -- Excludes the connection from any +# subsequent DNAT[-] or REDIRECT[-] +# rules but doesn't generate a rule +# to accept the traffic. +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# DNAT -- Forward the request to another +# system (and optionally another +# port). +# DNAT- -- Advanced users only. +# Like DNAT but only generates the +# DNAT iptables rule and not +# the companion ACCEPT rule. +# SAME -- Similar to DNAT except that the +# port may not be remapped and when +# multiple server addresses are +# listed, all requests from a given +# remote system go to the same +# server. +# SAME- -- Advanced users only. +# Like SAME but only generates the +# NAT iptables rule and not +# the companion ACCEPT rule. +# REDIRECT -- Redirect the request to a local +# port on the firewall. +# REDIRECT- +# -- Advanced users only. +# Like REDIRET but only generates the +# REDIRECT iptables rule and not +# the companion ACCEPT rule. +# +# CONTINUE -- (For experts only). Do not process +# any of the following rules for this +# (source zone,destination zone). If +# The source and/or destination IP +# address falls into a zone defined +# later in /etc/shorewall/zones, this +# connection request will be passed +# to the rules defined for that +# (those) zone(s). +# LOG -- Simply log the packet and continue. +# QUEUE -- Queue the packet to a user-space +# application such as ftwall +# (http://p2pwall.sf.net). +# COMMENT -- the rest of the line will be attached +# as a comment to the Netfilter rule(s) +# generated by the following entres. +# The comment will appear delimited by +# "/* ... */" in the output of +# "shorewall show ". To stop +# the comment from being attached to +# further rules, simply include +# COMMENT on a line by itself. +# -- The name of an action defined in +# /etc/shorewall/actions or in +# /usr/share/shorewall/actions.std. +# -- The name of a macro defined in a +# file named macro.. If +# the macro accepts an action +# parameter (Look at the macro +# source to see if it has PARAM in +# the TARGET column) then the macro +# name is followed by "/" and the +# action (ACCEPT, DROP, REJECT, ...) +# to be substituted for the +# parameter. Example: FTP/ACCEPT. +# +# The ACTION may optionally be followed +# by ":" and a syslog log level (e.g, REJECT:info or +# DNAT:debug). This causes the packet to be +# logged at the specified level. +# +# If the ACTION names an action defined in +# /etc/shorewall/actions or in +# /usr/share/shorewall/actions.std then: +# +# - If the log level is followed by "!' then all rules +# in the action are logged at the log level. +# +# - If the log level is not followed by "!" then only +# those rules in the action that do not specify +# logging are logged at the specified level. +# +# - The special log level 'none!' suppresses logging +# by the action. +# +# You may also specify ULOG (must be in upper case) as a +# log level.This will log to the ULOG target for routing +# to a separate log through use of ulogd +# (http://www.gnumonks.org/projects/ulogd). +# +# Actions specifying logging may be followed by a +# log tag (a string of alphanumeric characters) +# are appended to the string generated by the +# LOGPREFIX (in /etc/shorewall/shorewall.conf). +# +# Example: ACCEPT:info:ftp would include 'ftp ' +# at the end of the log prefix generated by the +# LOGPREFIX setting. +# +# SOURCE Source hosts to which the rule applies. May be a zone +# defined in /etc/shorewall/zones, $FW to indicate the +# firewall itself, "all", "all+", "all-", "all+-" or +# "none". +# +# When "none" is used either in the SOURCE or DEST +# column, the rule is ignored. +# +# "all" means "All Zones", including the firewall itself. +# "all-" means "All Zones, except the firewall itself". +# When "all[-]" is used either in the SOURCE or DEST column +# intra-zone traffic is not affected. When "all+[-]" is +# "used, intra-zone traffic is affected. +# +# Except when "all[+][-]" is specified, clients may be +# further restricted to a list of subnets and/or hosts by +# appending ":" and a comma-separated list of subnets +# and/or hosts. Hosts may be specified by IP or MAC +# address; mac addresses must begin with "~" and must use +# "-" as a separator. +# +# Hosts may be specified as an IP address range using the +# syntax -. This requires that +# your kernel and iptables contain iprange match support. +# If you kernel and iptables have ipset match support +# then you may give the name of an ipset prefaced by "+". +# The ipset name may be optionally followed by a number +# from 1 to 6 enclosed in square brackets ([]) to +# indicate the number of levels of source bindings to be +# matched. +# +# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ +# +# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the +# Internet +# +# loc:192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2 in the local zone. +# loc:~00-A0-C9-15-39-78 Host in the local zone with +# MAC address 00:A0:C9:15:39:78. +# +# net:192.0.2.11-192.0.2.17 +# Hosts 192.0.2.11-192.0.2.17 in +# the net zone. +# +# Alternatively, clients may be specified by interface +# by appending ":" to the zone name followed by the +# interface name. For example, loc:eth1 specifies a +# client that communicates with the firewall system +# through eth1. This may be optionally followed by +# another colon (":") and an IP/MAC/subnet address +# as described above (e.g., loc:eth1:192.168.1.5). +# +# DEST Location of Server. May be a zone defined in +# /etc/shorewall/zones, $FW to indicate the firewall +# itself, "all". "all+" or "none". +# +# When "none" is used either in the SOURCE or DEST +# column, the rule is ignored. +# +# When "all" is used either in the SOURCE or DEST column +# intra-zone traffic is not affected. When "all+" is +# used, intra-zone traffic is affected. +# +# Except when "all[+]" is specified, the server may be +# further restricted to a particular subnet, host or +# interface by appending ":" and the subnet, host or +# interface. See above. +# +# Restrictions: +# +# 1. MAC addresses are not allowed. +# 2. In DNAT rules, only IP addresses are +# allowed; no FQDNs or subnet addresses +# are permitted. +# 3. You may not specify both an interface and +# an address. +# +# Like in the SOURCE column, you may specify a range of +# up to 256 IP addresses using the syntax +# -. When the ACTION is DNAT or DNAT-, +# the connections will be assigned to addresses in the +# range in a round-robin fashion. +# +# If you kernel and iptables have ipset match support +# then you may give the name of an ipset prefaced by "+". +# The ipset name may be optionally followed by a number +# from 1 to 6 enclosed in square brackets ([]) to +# indicate the number of levels of destination bindings +# to be matched. Only one of the SOURCE and DEST columns +# may specify an ipset name. +# +# The port that the server is listening on may be +# included and separated from the server's IP address by +# ":". If omitted, the firewall will not modifiy the +# destination port. A destination port may only be +# included if the ACTION is DNAT or REDIRECT. +# +# Example: loc:192.168.1.3:3128 specifies a local +# server at IP address 192.168.1.3 and listening on port +# 3128. The port number MUST be specified as an integer +# and not as a name from /etc/services. +# +# if the ACTION is REDIRECT, this column needs only to +# contain the port number on the firewall that the +# request should be redirected to. +# +# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp", +# "ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all". +# "ipp2p*" requires ipp2p match support in your kernel +# and iptables. +# +# "tcp:syn" implies "tcp" plus the SYN flag must be +# set and the RST,ACK and FIN flags must be reset. +# +# DEST PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). +# +# If the protocol is ipp2p, this column is interpreted +# as an ipp2p option without the leading "--" (example +# "bit" for bit-torrent). If no port is given, "ipp2p" is +# assumed. +# +# A port range is expressed as :. +# +# This column is ignored if PROTOCOL = all but must be +# entered if any of the following ields are supplied. +# In that case, it is suggested that this field contain +# "-" +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the CLIENT PORT(S) list below: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted, +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. +# +# If you don't want to restrict client ports but need to +# specify an ORIGINAL DEST in the next column, then +# place "-" in this column. +# +# If your kernel contains multi-port match support, then +# only a single Netfilter rule will be generated if in +# this list and the DEST PORT(S) list above: +# 1. There are 15 or less ports listed. +# 2. No port ranges are included. +# Otherwise, a separate rule will be generated for each +# port. +# +# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] +# then if included and different from the IP +# address given in the SERVER column, this is an address +# on some interface on the firewall and connections to +# that address will be forwarded to the IP and port +# specified in the DEST column. +# +# A comma-separated list of addresses may also be used. +# This is usually most useful with the REDIRECT target +# where you want to redirect traffic destined for +# particular set of hosts. +# +# Finally, if the list of addresses begins with "!" then +# the rule will be followed only if the original +# destination address in the connection request does not +# match any of the addresses listed. +# +# For other actions, this column may be included and may +# contain one or more addresses (host or network) +# separated by commas. Address ranges are not allowed. +# When this column is supplied, rules are generated +# that require that the original destination address +# matches one of the listed addresses. This feature is +# most useful when you want to generate a filter rule +# that corresponds to a DNAT- or REDIRECT- rule. In this +# usage, the list of addresses should not begin with "!". +# +# See http://shorewall.net/PortKnocking.html for an +# example of using an entry in this column with a +# user-defined action rule. +# +# RATE LIMIT You may rate-limit the rule by placing a value in +# this colume: +# +# /[:] +# +# where is the number of connections per +# ("sec" or "min") and is the +# largest burst permitted. If no is given, +# a value of 5 is assumed. There may be no +# no whitespace embedded in the specification. +# +# Example: 10/sec:20 +# +# USER/GROUP This column may only be non-empty if the SOURCE is +# the firewall itself. +# +# The column may contain: +# +# [!][][:][+] +# +# When this column is non-empty, the rule applies only +# if the program generating the output is running under +# the effective and/or specified (or is +# NOT running under that id if "!" is given). +# +# Examples: +# +# joe #program must be run by joe +# :kids #program must be run by a member of +# #the 'kids' group +# !:kids #program must not be run by a member +# #of the 'kids' group +# +upnpd #program named upnpd (This feature was +# #removed from Netfilter in kernel +# #version 2.6.14). +# +# Example: Accept SMTP requests from the DMZ to the internet +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT dmz net tcp smtp +# +# Example: Forward all ssh and http connection requests from the +# internet to local system 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp ssh,http +# +# Example: Forward all http connection requests from the internet +# to local system 192.168.1.3 with a limit of 3 per second and +# a maximum burst of 10 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE +# # PORT PORT(S) DEST LIMIT +# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10 +# +# Example: Redirect all locally-originating www connection requests to +# port 3128 on the firewall (Squid running on the firewall +# system) except when the destination address is 192.168.2.2 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# REDIRECT loc 3128 tcp www - !192.168.2.2 +# +# Example: All http requests from the internet to address +# 130.252.100.69 are to be forwarded to 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 +# +# Example: You want to accept SSH connections to your firewall only +# from internet IP addresses 130.252.100.69 and 130.252.100.70 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT net:130.252.100.69,130.252.100.70 $FW \ +# tcp 22 +# +# See http://www.shorewall.net/Documentation.htm#Rules for additional +# information. +# +############################################################################### +# Based on tc4shorewall version 0.5 by Arne Bernin +# +# /etc/shorewall/tcclasses +# +# Define the classes used for traffic shaping in this file. +# +# A note on the rate/bandwidth definitions used in this file: +# +# - don't use a space between the integer value and +# the unit: 30kbit is valid while 30 kbit is NOT. +# +# - you can use one of the following units: +# +# kbps Kilobytes per second +# mbps Megabytes per second +# kbit Kilobits per second +# mbit Megabits per second +# bps or a +# bare number Bytes per second +# +# - if you want the values to be calculated for you depending +# on the output bandwidth setting defined for an interface +# in tcdevices, you can use expressions like the following: +# +# full/3 causes the bandwidth to be calculated +# as 3 of the the full outgoing +# speed that is defined. +# +# full*9/10 will set this bandwidth to 9/10 of +# the full bandwidth +# +# DO NOT add a unit to the rate if it is calculated ! +# +# Columns are: +# +# INTERFACE Name of interface. Each interface may be listed only +# once in this file. You may NOT specify the name of +# an alias (e.g., eth0:0) here; see +# http://www.shorewall.net/FAQ.htm#faq18 +# +# You may NOT specify wildcards here, e.g. if you +# have multiple ppp interfaces, you need to put +# them all in here! +# +# Please note that you can only use interface names +# in here that have a bandwidth defined in the tcdevices +# file +# +# MARK The mark value which is an integer in the range 1-255. +# You define this marks in the tcrules file, marking +# the traffic you want to fit in the classes defined +# in here. +# +# You can use the same marks for different interfaces. +# +# RATE The minimum bandwidth this class should get, +# when the traffic load rises. +# +# CEIL The maximum bandwidth this class is allowed to use +# when the link is idle. Useful if you have traffic +# which can get full speed when more needed services +# (e.g. ssh) are not used. +# +# You can use the value "full" in here for setting +# the maximum bandwidth to the defined output bandwidth +# of that interface +# +# PRIORITY The priority in which classes will be serviced by +# the packet shaping scheduler and also the priority +# in which bandwidth in excess of the rate will be +# given to each class. +# +# Higher priority classes will experience less delay +# since they are serviced first. Priority values +# are serviced in ascending order (e.g. 0 is higher +# priority than 1). +# +# Classes may be set to the same priority, in which +# case they will be serviced as equals. +# +# OPTIONS A comma-separated list of options including the +# following: +# +# default - this is the default class for that +# interface where all traffic should go, +# that is not classified otherwise. +# +# NOTE: defining default for exactly one +# class per interface is mandatory! +# +# tos=0x[/0x] (mask defaults to 0xff) +# - this lets you define a classifier +# for the given / +# combination of the IP packet's +# TOS/Precedence/DiffSrv octet (aka the +# TOS byte). Please note, classifiers +# override all mark settings, so if you +# define a classifer for a class, all +# traffic having that mark will go in it +# regardless of any mark set on the +# packet by a firewall/mangle filter. +# +# NOTE: multiple tos= statements may be +# applied per class and per interface, +# but a given value/mask pair is valid +# for only ONE class per interface. +# +# tos- - aliases for the following TOS octet +# value and mask encodings. TOS +# encodings of the "TOS byte" have been +# deprecated in favor of diffserve +# classes, but programs like ssh, +# rlogin, and ftp still use them. +# +# tos-minimize-delay 0x10/0x10 +# tos-maximize-throughput 0x08/0x08 +# tos-maximize-reliability 0x04/0x04 +# tos-minimize-cost 0x02/0x02 +# tos-normal-service 0x00/0x1e +# +# NOTE: each of this options is only +# valid for ONE class per interface. +# +# tcp-ack - if defined causes an tc filter to +# be created that puts all tcp ack +# packets on that interface that have +# an size of <=64 Bytes to go in this +# class. This is useful for speeding up +# downloads. Please note that the size +# of the ack packets is limited to 64 +# bytes as some applications (p2p for +# example) use to make every packet an +# ack packet which would cause them +# all into here. We want only packets +# WITHOUT payload to match, so the size +# limit. +# +# NOTE: This option is only valid for +# ONE class per interface. +# +# +# +# Example 1: Suppose you are using PPP over Ethernet (DSL) +# and ppp0 is the interface for this. You have 4 classes +# here, the first you can use for voice over IP +# traffic, the second interactive traffic (e.g. +# ssh/telnet but not scp), the third will be for all +# unclassified traffic, and the forth is for low +# priority traffic (e.g. peer-to-peer). +# +# The voice traffic in the first class will be +# guaranteed a minimum of 100kbps and always be +# serviced first (because of the low priority number, +# giving less delay) and will be granted excess +# bandwidth (up to 180kbps, the class ceiling) first, +# before any other traffic. A single VOIP stream, +# depending upon codecs, after encapsulation, can take +# up to 80kbps on a PPOE/DSL link, so we pad a little +# bit just in case. (TOS byte values 0xb8 and 0x68 +# are DiffServ classes EF and AFF3-1 respectively and +# are often used by VOIP devices). +# +# Interactive traffic (tos-minimum-delay) and +# TCP acks (and ICMP echo traffic if you use the example +# in tcrules) and any packet with a mark of 2 will be +# guaranteed 1/4 of the link bandwidth, and may extend +# up to full speed of the link. +# +# Unclassified traffic and packets marked as 3 will be +# guaranteed 1/4th of the link bandwidth, and may extend +# to the full speed of the link. +# +# Packets marked with 4 will be treated as low priority +# packets. (The tcrules example marks p2p traffic as +# such.) If the link is congested, they're only +# guaranteed 1/8th of the speed, and even if the link is +# empty, can only expand to 80% of link bandwidth just +# as a precaution in case there are upstream queues we +# didn't account for. This is the last class to get +# additional bandwidth and the last to get serviced by +# the scheduler because of the low priority. +# +# ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc +# ppp0 2 full/4 full 2 tcp-ack,tos-minimize-delay +# ppp0 3 full/4 full 3 default +# ppp0 4 full/8 full*8/10 4 +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# +############################################################################### +# Based on tc4shorewall version 0.5 by Arne Bernin +# +# /etc/shorewall/tcdevices +# +# Entries in this file define the bandwidth for interfaces +# on which you want traffic shaping to be enabled. +# +# If you do not plan to use traffic shaping for a device, +# don't put it in here as it limits the troughput of that +# device to the limits you set here. +# +# Columns are: +# +# +# INTERFACE Name of interface. Each interface may be listed only +# once in this file. You may NOT specify the name of +# an alias (e.g., eth0:0) here; see +# http://www.shorewall.net/FAQ.htm#faq18 +# +# You man NOT specify wildcards here, e.g. if you +# have multiple ppp interfaces, you need to put +# them all in here! +# +# If the device doesn't exist, a warning message will +# be issued during "shorewall [re]start" and "shorewall +# refresh" and traffic shaping configuration will be +# skipped for that device. +# +# IN-BANDWIDTH The incoming Bandwidth of that interface. Please +# note that you are not able to do traffic shaping +# on incoming traffic, as the traffic is already +# received before you could do so. But this allows +# you to define the maximum traffic allowed for +# this interface in total, if the rate is exceeded, +# the packets are dropped. +# You want this mainly if you have a DSL or Cable +# connection to avoid queuing at your providers side. +# +# If you don't want any traffic to be dropped set this +# to a value faster than your interface. +# +# Use kbit or kbps(for Kilobytes per second) for +# speed, and make sure there is NO space between the +# number and the unit. +# +# OUT-BANDWIDTH The outgoing Bandwidth of that interface. +# This is the maximum speed you connection can handle. +# It is also the speed you can refer as "full" if +# you define the tc classes. +# Outgoing traffic above this rate will be dropped. +# +# Use kbit or kbps(for Kilobytes per second) for +# speed, and make sure there is NO space between the +# number and the unit. +# +# Example 1: Suppose you are using PPP over Ethernet (DSL) +# and ppp0 is the interface for this. The +# device has an outgoing bandwidth of 500kbit and an +# incoming bandwidth of 6000kbit +# ppp0 6000kbit 500kbit +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# +############################################################################### +# /etc/shorewall/tcrules +# +# Entries in this file cause packets to be marked as a means of +# classifying them for traffic control or policy routing. +# +# I M P O R T A N T ! ! ! ! +# +# Unlike rules in the /etc/shorewall/rules file, evaluation +# of rules in this file will continue after a match. So the +# final mark for each packet will be the one assigned by the +# LAST tcrule that matches. +# +# If you use multiple internet providers with the 'track' option, +# in /etc/shorewall/providers be sure to read the restrictions at +# http://shorewall.net/MultiISP.html. +# +# Columns are: +# +# +# MARK/ a) A mark value which is an integer in the range 1-255. +# CLASSIFY +# Normally will set the mark value. If preceded by +# a vertical bar ("|"), the mark value will be +# logically ORed with the current mark value to +# produce a new mark value. If preceded by an +# ampersand ("&"), will be logically ANDed with the +# current mark value to produce a new mark value. +# +# Both "|" and "&" require Extended MARK Target +# support in your kernel and iptables; neither may +# be used with connection marks (see below). +# +# If HIGH_ROUTE_MARKS=Yes in shorewall.conf then +# you may also specify a value in the range 0x0100- +# 0xFF00 with the low-order byte being zero. Such +# values may only be used in the PREROUTING chain +# (value followed by :F or you have set +# MARK_IN_FORWARD_CHAIN=Yes in shorewall conf and have +# not followed the value with :P) or the OUTPUT chain +# (SOURCE is $FW). +# +# May optionally be followed by ":P" or ":F" +# where ":P" indicates that marking should occur in +# the PREROUTING chain and ":F" indicates that marking +# should occur in the FORWARD chain. If neither +# ":P" nor ":F" follow the mark value then the chain +# is determined by the setting of +# MARK_IN_FORWARD_CHAIN in +# /etc/shorewall/shorewall.conf. +# +# If your kernel and iptables include CONNMARK support +# then you can also mark the connection rather than +# the packet. +# +# The mark value may be optionally followed by "/" +# and a mask value (used to determine those bits of +# the connection mark to actually be set). The +# mark and optional mask are then followed by one of: +# +# C - Mark the connection in the chain determined +# by the setting of MARK_IN_FORWARD_CHAIN +# +# CF: Mark the connection in the FORWARD chain +# +# CP: Mark the connection in the PREROUTING +# chain. +# +# b) A classification (classid) of the form +# : where and are +# integers. Corresponds to the 'class' specification +# in these traffic shaping modules: +# +# - atm +# - cbq +# - dsmark +# - pfifo_fast +# - htb +# - prio +# +# Classification occurs in the POSTROUTING chain except +# when the SOURCE is $FW[:
] in which case +# marking occurs in the OUTPUT chain. +# +# c) RESTORE[/mask] -- restore the packet's mark from the +# connection's mark using the supplied mask if any. +# Your kernel and iptables must include CONNMARK +# support. +# +# As in a) above, may be followed by ":P" or ":F +# +# c) SAVE[/mask] -- save the packet's mark to the +# connection's mark using the supplied mask if any. +# Your kernel and iptables must include CONNMARK +# support. +# +# As in a) above, may be followed by ":P" or ":F +# +# d) CONTINUE -- don't process any more marking rules in +# the table. +# +# As in a) above, may be followed by ":P" or ":F". +# +# e) COMMENT -- the rest of the line will be attached as +# a comment to the Netfilter rule(s) generated by the +# following entries. The comment will appear delimited +# by "/* ... */" in the output of "shorewall show +# mangle" +# +# To stop the comment from being attached to further +# rules, simply include COMMENT on a line by itself. +# +# SOURCE Source of the packet. A comma-separated list of +# interface names, IP addresses, MAC addresses and/or +# subnets for packets being routed through a common path. +# List elements may also consist of an interface name +# followed by ":" and an address +# (e.g., eth1:192.168.1.0/24). For example, all packets +# for connections masqueraded to eth0 from other +# interfaces can be matched in a single rule with +# several alternative SOURCE criteria. However, a +# connection whose packets gets to eth0 in a +# different way, e.g., direct from the firewall itself, +# needs a different rule. +# +# Accordingly, use $FW in its own separate rule for +# packets originating on the firewall. In such a rule, +# the MARK column may NOT specify either ":P" or ":F" +# because marking for firewall-originated packets +# always occurs in the OUTPUT chain. +# +# MAC addresses must be prefixed with "~" and use +# "-" as a separator. +# +# Example: ~00-A0-C9-15-39-78 +# +# DEST Destination of the packet. Comma separated list of +# IP addresses and/or subnets. If your kernel and +# iptables include iprange match support, IP address +# ranges are also allowed. List elements may also +# consist of an interface name followed by ":" and an +# address (e.g., eth1:192.168.1.0/24). +# If the MARK column specificies a classification of +# the form : then this column may also +# contain an interface name. +# +# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", +# "ipp2p:udp", "ipp2p:all" a number, or "all". +# "ipp2p" requires ipp2p match support in your kernel +# and iptables. +# +# PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). +# +# If the protocol is ipp2p, this column is interpreted +# as an ipp2p option without the leading "--" (example +# "bit" for bit-torrent). If no PORT is given, "ipp2p" is +# assumed. +# +# This column is ignored if PROTOCOL = all but must be +# entered if any of the following field is supplied. +# In that case, it is suggested that this field contain +# "-" +# +# SOURCE PORT(S) (Optional) Source port(s). If omitted, +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. +# +# USER This column may only be non-empty if the SOURCE is +# the firewall itself. +# +# When this column is non-empty, the rule applies only +# if the program generating the output is running under +# the effective user and/or group. +# +# It may contain : +# +# []:[][+] +# +# The colon is optionnal when specifying only a user +# or a program name. +# Examples : john: , john , :users , john:users , +# +mozilla-bin (Support for program names +# was removed from Netfilter in Kernel +# version 2.6.14). +# +# TEST Defines a test on the existing packet or connection +# mark. The rule will match only if the test returns +# true. Tests have the format [!][/][:C] +# +# Where: +# +# ! Inverts the test (not equal) +# Value of the packet or connection mark. +# A mask to be applied to the mark before +# testing +# :C Designates a connection mark. If +# omitted, the packet mark's value is +# tested. +# +# If you don't want to define a test but need to specify +# anything in the following columns, place a "-" in this +# field. +# +# LENGTH (Optional) Packet Length. This field, if present +# allow you to match the length of a packet against +# a specific value or range of values. You must have +# iptables length support for this to work. +# A range is specified in the form : +# where either or (but not both) may be +# omitted. If is omitted, then 0 is assumed; if +# is omitted, than any packet that is or +# longer will match. +# +# Examples: 1024, 64:1500, :100 (packet of length +# 100 bytes or less) +# +# If you don't want to define a test but need to specify +# anything in the following columns, place a "-" in this +# field. +# +# TOS Type of service. Either a standard name, or a numeric +# value to match. +# +# Minimize-Delay (16) +# Maximize-Throughput (8) +# Maximize-Reliability (4) +# Minimize-Cost (2) +# Normal-Service (0) +# +# Example 1: +# +# Mark all ICMP echo traffic with packet mark 1. +# Mark all peer to peer traffic with packet mark 4. +# +# This is a little more complex than otherwise expected. Since +# the ipp2p module is unable to determine all packets in a +# connection are P2P packets, we mark the entire connection as +# P2P if any of the packets are determined to match. +# +# We assume packet/connection mark 0 to means unclassified. +# +# 1 0.0.0.0/0 0.0.0.0/0 icmp echo-request +# 1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply +# +# RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 +# CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 +# 4 0.0.0.0/0 0.0.0.0/0 ipp2p:all +# SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 +# +# "If a packet hasn't been classifed (packet mark is 0), copy +# the connection mark to the packet mark. If the packet mark +# is set, we're done. If the packet is P2P, set the packet +# mark to 4. If the packet mark has been set, save it to the +# connection mark." +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# For usage in selecting among multiple ISPs, see +# http://shorewall.net/MultiISP.html +# +############################################################################### +# /etc/shorewall/tos +# +# This file defines rules for setting Type Of Service (TOS) +# +# Columns are: +# +# SOURCE Name of a zone declared in /etc/shorewall/zones, "all" +# or $FW. +# +# If not "all" or $FW, may optionally be followed by +# ":" and an IP address, a MAC address, a subnet +# specification or the name of an interface. +# +# Example: loc:192.168.2.3 +# +# MAC addresses must be prefixed with "~" and use +# "-" as a separator. +# +# Example: ~00-A0-C9-15-39-78 +# +# DEST Name of a zone declared in /etc/shorewall/zones, "all" +# or $FW. +# +# If not "all" or $FW, may optionally be followed by +# ":" and an IP address or a subnet specification +# +# Example: loc:192.168.2.3 +# +# PROTOCOL Protocol. +# +# SOURCE PORTS Source port or port range. If all ports, use "-". +# +# DEST PORTS Destination port or port range. If all ports, use "-" +# +# TOS Type of service. Must be one of the following: +# +# Minimize-Delay (16) +# Maximize-Throughput (8) +# Maximize-Reliability (4) +# Minimize-Cost (2) +# Normal-Service (0) +# +# See http://shorewall.net/Documentation.htm#TOS for additional +# information. +# +############################################################################### +# /etc/shorewall/tunnels +# +# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels. +# +# IPIP, GRE and OPENVPN tunnels must be configured on the +# firewall/gateway itself. IPSEC endpoints may be defined +# on the firewall/gateway or on an internal system. +# +# The columns are: +# +# TYPE -- must start in column 1 and be "ipsec", "ipsecnat", +# "ipip", "gre", "6to4", "pptpclient", "pptpserver", +# "openvpn", "openvpnclient", "openvpnserver" or +# "generic" +# +# If the type is "ipsec" or "ipsecnat", it may be +# followed by ":noah" to indicate that the Authentication +# Header protocol (51) is not used by the tunnel. +# +# If type is "openvpn", "openvpnclient" or +# "openvpnserver" it may optionally be followed by ":" +# and "tcp" or "udp" to specify the protocol to be +# used. If not specified, "udp" is assumed. +# +# If type is "openvpn", "openvpnclient" or +# "openvpnserver" it may optionally be followed +# by ":" and the port number used by the tunnel. if no +# ":" and port number are included, then the default port +# of 1194 will be used. . Where both the protocol and port +# are specified, the protocol must be given first (e.g., +# openvpn:tcp:4444). +# +# If type is "generic", it must be followed by ":" and +# a protocol name (from /etc/protocols) or a protocol +# number. If the protocol is "tcp" or "udp" (6 or 17), +# then it may optionally be followed by ":" and a +# port number. +# +# ZONE -- The zone of the physical interface through which +# tunnel traffic passes. This is normally your internet +# zone. +# +# GATEWAY -- The IP address of the remote tunnel gateway. If the +# remote gateway has no fixed address (Road Warrior) +# then specify the gateway as 0.0.0.0/0. May be +# specified as a network address and if your kernel and +# iptables include iprange match support then IP address +# ranges are also allowed. +# +# GATEWAY +# ZONES -- Optional. If the gateway system specified in the third +# column is a standalone host then this column should +# contain a comma-separated list of the names of the +# zones that the host might be in. This column only +# applies to IPSEC tunnels where it enables ISAKMP +# traffic to flow through the tunnel to the remote +# gateway. +# +# Example 1: +# +# IPSec tunnel. The remote gateway is 4.33.99.124 and +# the remote subnet is 192.168.9.0/24. The tunnel does +# not use the AH protocol +# +# ipsec:noah net 4.33.99.124 +# +# Example 2: +# +# Road Warrior (LapTop that may connect from anywhere) +# where the "gw" zone is used to represent the remote +# LapTop. +# +# ipsec net 0.0.0.0/0 gw +# +# Example 3: +# +# Host 4.33.99.124 is a standalone system connected +# via an ipsec tunnel to the firewall system. The host +# is in zone gw. +# +# ipsec net 4.33.99.124 gw +# +# Example 4: +# +# Road Warriors that may belong to zones vpn1, vpn2 or +# vpn3. The FreeS/Wan _updown script will add the +# host to the appropriate zone using the "shorewall add" +# command on connect and will remove the host from the +# zone at disconnect time. +# +# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3 +# +# Example 5: +# +# You run the Linux PPTP client on your firewall and +# connect to server 192.0.2.221. +# +# pptpclient net 192.0.2.221 +# +# Example 6: +# +# You run a PPTP server on your firewall. +# +# pptpserver net +# +# Example 7: +# +# OPENVPN tunnel. The remote gateway is 4.33.99.124 and +# openvpn uses port 7777. +# +# openvpn:7777 net 4.33.99.124 +# +# Example 8: +# +# You have a tunnel that is not one of the supported +# types. Your tunnel uses UDP port 4444. The other end +# of the tunnel is 4.3.99.124. +# +# generic:udp:4444 net 4.3.99.124 +# +# See http://shorewall.net/Documentation.htm#Tunnels for additional +# information. +# +############################################################################### +# /etc/shorewall/zones +# +# This file declares your network zones. You specify the hosts in +# each zone through entries in /etc/shorewall/interfaces or +# /etc/shorewall/hosts. +# +# WARNING: The format of this file changed in Shorewall 3.0.0. You can +# continue to use your old records provided that you set +# IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will +# signal Shorewall that the IPSEC-related zone options are +# still specified in /etc/shorewall/ipsec rather than in this +# file. +# +# To use records in the format described below, you must have +# IPSECFILE=zones specified in /etc/shorewall/shorewall.conf +# AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!! +# +# Columns are: +# +# ZONE Short name of the zone. The names "all" and "none" are reserved +# and may not be used as zone names. The maximum length of a +# zone name is determined by the setting of the LOGFORMAT option +# in shorewall.conf. With the default LOGFORMAT, zone names can +# be at most 5 characters long. +# +# Where a zone is nested in one or more other zones, +# you may follow the (sub)zone name by ":" and a +# comma-separated list of the parent zones. The parent +# zones must have been defined in earlier records in this +# file. +# +# Example: +# +# #ZONE TYPE OPTIONS +# a ipv4 +# b ipv4 +# c:a,b ipv4 +# +# Currently, Shorewall uses this information to reorder the +# zone list so that parent zones appear after their subzones in +# the list. The IMPLICIT_CONTINUE option in shorewall.conf can +# also create implicit CONTINUE policies to/from the subzone. +# +# In the future, Shorewall may make additional use +# of nesting information. +# +# TYPE ipv4 - This is the standard Shorewall zone type and is the +# default if you leave this column empty or if you enter +# "-" in the column. Communication with some zone hosts +# may be encrypted. Encrypted hosts are designated using +# the 'ipsec'option in /etc/shorewall/hosts. +# ipsec - Communication with all zone hosts is encrypted +# Your kernel and iptables must include policy +# match support. +# firewall +# - Designates the firewall itself. You must have +# exactly one 'firewall' zone. No options are +# permitted with a 'firewall' zone. The name that you +# enter in the ZONE column will be stored in the shell +# variable $FW which you may use in other configuration +# files to designate the firewall zone. +# +# OPTIONS, A comma-separated list of options as follows: +# IN OPTIONS, +# OUT OPTIONS reqid= where is specified +# using setkey(8) using the 'unique: +# option for the SPD level. +# +# spi= where is the SPI of +# the SA used to encrypt/decrypt packets. +# +# proto=ah|esp|ipcomp +# +# mss= (sets the MSS field in TCP packets) +# +# mode=transport|tunnel +# +# tunnel-src=
[/] (only +# available with mode=tunnel) +# +# tunnel-dst=
[/] (only +# available with mode=tunnel) +# +# strict Means that packets must match all rules. +# +# next Separates rules; can only be used with +# strict +# +# Example: +# mode=transport,reqid=44 +# +# The options in the OPTIONS column are applied to both incoming +# and outgoing traffic. The IN OPTIONS are applied to incoming +# traffic (in addition to OPTIONS) and the OUT OPTIONS are +# applied to outgoing traffic. +# +# If you wish to leave a column empty but need to make an entry +# in a following column, use "-". +#------------------------------------------------------------------------------ +# Example zones: +# +# You have a three interface firewall with internet, local and DMZ +# interfaces. +# +# #ZONE TYPE OPTIONS IN OUT +# # OPTIONS OPTIONS +# fw firewall +# net ipv4 +# loc ipv4 +# dmz ipv4 +# +# For more information, see http://www.shorewall.net/Documentation.htm#Zones +# +############################################################################### diff --git a/Shorewall/ecn b/Shorewall/ecn index 835964ad5..40c11ca54 100644 --- a/Shorewall/ecn +++ b/Shorewall/ecn @@ -1,23 +1,6 @@ # # Shorewall version 3.3 - Ecn File # -# /etc/shorewall/ecn -# -# Use this file to list the destinations for which you want to -# disable ECN. -# -# This feature requires kernel 2.4.20 or later. If you run 2.4.20, -# you also need the patch found at http://www.shorewall.net/ecn/patch. -# That patch is included in kernels 2.4.21 and later. -# -# INTERFACE - Interface through which host(s) communicate with -# the firewall -# HOST(S) - (Optional) Comma-separated list of IP/subnet -# If left empty or supplied as "-", -# 0.0.0.0/0 is assumed. If your kernel and iptables -# include iprange match support then IP address ranges -# are also permitted. -# # For additional information, see http://shorewall.net/Documentation.htm#ECN # ############################################################################### diff --git a/Shorewall/hosts b/Shorewall/hosts index e5d55e383..5b1a3ac56 100644 --- a/Shorewall/hosts +++ b/Shorewall/hosts @@ -1,130 +1,6 @@ # # Shorewall version 3.3 - Hosts file # -# /etc/shorewall/hosts -# -# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN -# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE. -# -# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE. -#------------------------------------------------------------------------------ -# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN -# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT -# ZONE AND INTERFACE IN THIS FILE. -#------------------------------------------------------------------------------ -# This file is used to define zones in terms of subnets and/or -# individual IP addresses. Most simple setups don't need to -# (should not) place anything in this file. -# -# The order of entries in this file is not significant in -# determining zone composition. Rather, the order that the zones -# are defined in /etc/shorewall/zones determines the order in -# which the records in this file are interpreted. -# -# ZONE - The name of a zone defined in /etc/shorewall/zones. You may -# not list the firewall zone in this column. -# -# HOST(S) - The name of an interface defined in the -# /etc/shorewall/interfaces file followed by a colon (":") and -# a comma-separated list whose elements are either: -# -# a) The IP address of a host -# b) A subnetwork in the form -# / -# c) An IP address range of the form -. Your kernel and iptables must have iprange -# match support. -# d) A physical port name; only allowed when the -# interface names a bridge created by the -# brctl addbr command. This port must not -# be defined in /etc/shorewall/interfaces and may -# optionally followed by a colon (":") and a -# host or network IP or a range. -# See http://www.shorewall.net/bridge.html -# for details. Specifying a physical port -# name requires that you have BRIDGING=Yes in -# /etc/shorewall/shorewall.conf. -# e) The name of an ipset (preceded by "+"). -# -# Examples: -# -# eth1:192.168.1.3 -# eth2:192.168.2.0/24 -# eth3:192.168.2.0/24,192.168.3.1 -# br0:eth4 -# br0:eth0:192.168.1.16/28 -# eth4:192.168.1.44-192.168.1.49 -# eth2:+Admin -# -# OPTIONS - A comma-separated list of options. Currently-defined -# options are: -# -# maclist - Connection requests from these hosts -# are compared against the contents of -# /etc/shorewall/maclist. If this option -# is specified, the interface must be -# an ethernet NIC and must be up before -# Shorewall is started. -# -# routeback - Shorewall should set up the -# infrastructure to pass packets -# from this/these address(es) back -# to themselves. This is necessary if -# hosts in this group use the services -# of a transparent proxy that is -# a member of the group or if DNAT is used -# to send requests originating from this -# group to a server in the group. -# -# norfc1918 - This option only makes sense for ports -# on a bridge. -# -# The port should not accept -# any packets whose source is in one -# of the ranges reserved by RFC 1918 -# (i.e., private or "non-routable" -# addresses. If packet mangling or -# connection-tracking match is enabled in -# your kernel, packets whose destination -# addresses are reserved by RFC 1918 are -# also rejected. -# -# blacklist - This option only makes sense for ports -# on a bridge. -# -# Check packets arriving on this port -# against the /etc/shorewall/blacklist -# file. -# -# tcpflags - Packets arriving from these hosts are -# checked for certain illegal combinations -# of TCP flags. Packets found to have -# such a combination of flags are handled -# according to the setting of -# TCP_FLAGS_DISPOSITION after having been -# logged according to the setting of -# TCP_FLAGS_LOG_LEVEL. -# -# nosmurfs - This option only makes sense for ports -# on a bridge. -# -# Filter packets for smurfs -# (packets with a broadcast -# address as the source). -# -# Smurfs will be optionally logged based -# on the setting of SMURF_LOG_LEVEL in -# shorewall.conf. After logging, the -# packets are dropped. -# -# ipsec - The zone is accessed via a -# kernel 2.6 ipsec SA. Note that if the -# zone named in the ZONE column is -# specified as an IPSEC zone in the -# /etc/shorewall/zones file then you -# do NOT need to specify the 'ipsec' -# option here. -# # For additional information, see http://shorewall.net/Documentation.htm#Hosts # ############################################################################### diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 3c00d3877..371ce55b2 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -261,6 +261,7 @@ chmod 755 ${PREFIX}/etc/shorewall chmod 755 ${PREFIX}/usr/share/shorewall chmod 755 ${PREFIX}/usr/share/shorewall/configfiles +run_install $OWNERSHIP -m 0644 documentation.txt ${PREFIX}/usr/share/shorewall/configfiles/Documentation.txt # # Install the config file # diff --git a/Shorewall/interfaces b/Shorewall/interfaces index 30b0d9afa..c7584bc33 100644 --- a/Shorewall/interfaces +++ b/Shorewall/interfaces @@ -1,229 +1,6 @@ # # Shorewall version 3.3 - Interfaces File # -# /etc/shorewall/interfaces -# -# You must add an entry in this file for each network interface on your -# firewall system. -# -# Columns are: -# -# ZONE Zone for this interface. Must match the name of a -# zone defined in /etc/shorewall/zones. You may not -# list the firewall zone in this column. -# -# If the interface serves multiple zones that will be -# defined in the /etc/shorewall/hosts file, you should -# place "-" in this column. -# -# If there are multiple interfaces to the same zone, -# you must list them in separate entries: -# -# Example: -# -# loc eth1 - -# loc eth2 - -# -# INTERFACE Name of interface. Each interface may be listed only -# once in this file. You may NOT specify the name of -# an alias (e.g., eth0:0) here; see -# http://www.shorewall.net/FAQ.htm#faq18 -# -# You may specify wildcards here. For example, if you -# want to make an entry that applies to all PPP -# interfaces, use 'ppp+'. -# -# There is no need to define the loopback interface (lo) -# in this file. -# -# BROADCAST The broadcast address for the subnetwork to which the -# interface belongs. For P-T-P interfaces, this -# column is left blank.If the interface has multiple -# addresses on multiple subnets then list the broadcast -# addresses as a comma-separated list. -# -# If you use the special value "detect", Shorewall -# will detect the broadcast address(es) for you. If you -# select this option, the interface must be up before -# the firewall is started. -# -# If you don't want to give a value for this column but -# you want to enter a value in the OPTIONS column, enter -# "-" in this column. -# -# OPTIONS A comma-separated list of options including the -# following: -# -# dhcp - Specify this option when any of -# the following are true: -# 1. the interface gets its IP address -# via DHCP -# 2. the interface is used by -# a DHCP server running on the firewall -# 3. you have a static IP but are on a LAN -# segment with lots of Laptop DHCP -# clients. -# 4. the interface is a bridge with -# a DHCP server on one port and DHCP -# clients on another port. -# -# norfc1918 - This interface should not receive -# any packets whose source is in one -# of the ranges reserved by RFC 1918 -# (i.e., private or "non-routable" -# addresses). If packet mangling or -# connection-tracking match is enabled in -# your kernel, packets whose destination -# addresses are reserved by RFC 1918 are -# also rejected. -# -# routefilter - turn on kernel route filtering for this -# interface (anti-spoofing measure). This -# option can also be enabled globally in -# the /etc/shorewall/shorewall.conf file. -# -# logmartians - turn on kernel martian logging (logging -# of packets with impossible source -# addresses. It is suggested that if you -# set routefilter on an interface that -# you also set logmartians. This option -# may also be enabled globally in the -# /etc/shorewall/shorewall.conf file. -# -# blacklist - Check packets arriving on this interface -# against the /etc/shorewall/blacklist -# file. -# -# maclist - Connection requests from this interface -# are compared against the contents of -# /etc/shorewall/maclist. If this option -# is specified, the interface must be -# an ethernet NIC and must be up before -# Shorewall is started. -# -# tcpflags - Packets arriving on this interface are -# checked for certain illegal combinations -# of TCP flags. Packets found to have -# such a combination of flags are handled -# according to the setting of -# TCP_FLAGS_DISPOSITION after having been -# logged according to the setting of -# TCP_FLAGS_LOG_LEVEL. -# -# proxyarp - -# Sets -# /proc/sys/net/ipv4/conf//proxy_arp. -# Do NOT use this option if you are -# employing Proxy ARP through entries in -# /etc/shorewall/proxyarp. This option is -# intended soley for use with Proxy ARP -# sub-networking as described at: -# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet -# -# routeback - If specified, indicates that Shorewall -# should include rules that allow -# filtering traffic arriving on this -# interface back out that same interface. -# -# arp_filter - If specified, this interface will only -# respond to ARP who-has requests for IP -# addresses configured on the interface. -# If not specified, the interface can -# respond to ARP who-has requests for -# IP addresses on any of the firewall's -# interface. The interface must be up -# when Shorewall is started. -# -# arp_ignore[=] -# - If specified, this interface will -# respond to arp requests based on the -# value of . -# -# 1 - reply only if the target IP address -# is local address configured on the -# incoming interface -# -# 2 - reply only if the target IP address -# is local address configured on the -# incoming interface and both with the -# sender's IP address are part from same -# subnet on this interface -# -# 3 - do not reply for local addresses -# configured with scope host, only -# resolutions for global and link -# addresses are replied -# -# 4-7 - reserved -# -# 8 - do not reply for all local -# addresses -# -# If no is given then the value -# 1 is assumed -# -# WARNING -- DO NOT SPECIFY arp_ignore -# FOR ANY INTERFACE INVOLVED IN PROXY ARP. -# -# nosmurfs - Filter packets for smurfs -# (packets with a broadcast -# address as the source). -# -# Smurfs will be optionally logged based -# on the setting of SMURF_LOG_LEVEL in -# shorewall.conf. After logging, the -# packets are dropped. -# -# detectnets - Automatically taylors the zone named -# in the ZONE column to include only those -# hosts routed through the interface. -# -# sourceroute - If this option is not specified for an -# interface, then source-routed packets -# will not be accepted from that -# interface (sets /proc/sys/net/ipv4/ -# conf// -# accept_source_route to 1). -# Only set this option if you know what -# you are you doing. This might represent -# a security risk and is not usually -# needed. -# -# upnp - Incoming requests from this interface -# may be remapped via UPNP (upnpd). -# -# WARNING: DO NOT SET THE detectnets OPTION ON YOUR -# INTERNET INTERFACE. -# -# The order in which you list the options is not -# significant but the list should have no embedded white -# space. -# -# Example 1: Suppose you have eth0 connected to a DSL modem and -# eth1 connected to your local network and that your -# local subnet is 192.168.1.0/24. The interface gets -# it's IP address via DHCP from subnet -# 206.191.149.192/27. You have a DMZ with subnet -# 192.168.2.0/24 using eth2. -# -# Your entries for this setup would look like: -# -# net eth0 206.191.149.223 dhcp -# local eth1 192.168.1.255 -# dmz eth2 192.168.2.255 -# -# Example 2: The same configuration without specifying broadcast -# addresses is: -# -# net eth0 detect dhcp -# loc eth1 detect -# dmz eth2 detect -# -# Example 3: You have a simple dial-in system with no ethernet -# connections. -# -# net ppp0 - -# # For additional information, see # http://shorewall.net/Documentation.htm#Interfaces # diff --git a/Shorewall/maclist b/Shorewall/maclist index 55c7f70ac..daf132de3 100644 --- a/Shorewall/maclist +++ b/Shorewall/maclist @@ -1,34 +1,6 @@ # # Shorewall version 3.3 - Maclist file # -# /etc/shorewall/maclist -# -# This file is used to define the MAC addresses and optionally their -# associated IP addresses to be allowed to use the specified interface. -# The feature is enabled by using the maclist option in the interfaces -# or hosts configuration file. -# -# Columns are: -# -# DISPOSITION ACCEPT or DROP (if MACLIST_TABLE=filter, then REJECT -# is also allowed) -# -# INTERFACE Network interface to a host. If the interface -# names a bridge, it may be optionally followed by -# a colon (":") and a physical port name (e.g., -# br0:eth4). -# -# MAC MAC address of the host -- you do not need to use -# the Shorewall format for MAC addresses here. If IP -# ADDRESSES is supplied then MAC can be supplied as -# a dash ("-") -# -# IP ADDRESSES Optional -- if specified, both the MAC and IP address -# must match. This column can contain a comma-separated -# list of host and/or subnet addresses. If your kernel -# and iptables have iprange match support then IP -# address ranges are also allowed. -# # For additional information, see http://shorewall.net/MAC_Validation.html # ############################################################################### diff --git a/Shorewall/masq b/Shorewall/masq index 2da200141..03957779f 100644 --- a/Shorewall/masq +++ b/Shorewall/masq @@ -1,243 +1,6 @@ # # Shorewall version 3.3 - Masq file # -# /etc/shorewall/masq -# -# Use this file to define dynamic NAT (Masquerading) and to define -# Source NAT (SNAT). -# -# WARNING: The entries in this file are order-sensitive. The first -# entry that matches a particular connection will be the one that -# is used. -# -# WARNING: If you have more than one ISP, adding entries to this -# file will *not* force connections to go out through a particular -# ISP. You must use PREROUTING entries in /etc/shorewall/tcrules -# to do that. -# -# Columns are: -# -# INTERFACE -- Outgoing interface. This is usually your internet -# interface. If ADD_SNAT_ALIASES=Yes in -# /etc/shorewall/shorewall.conf, you may add ":" and -# a digit to indicate that you want the alias added with -# that name (e.g., eth0:0). This will allow the alias to -# be displayed with ifconfig. THAT IS THE ONLY USE FOR -# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER -# PLACE IN YOUR SHOREWALL CONFIGURATION. -# -# This may be qualified by adding the character -# ":" followed by a destination host or subnet. -# -# If you wish to inhibit the action of ADD_SNAT_ALIASES -# for this entry then include the ":" but omit the digit: -# -# eth0: -# eth2::192.0.2.32/27 -# -# Normally Masq/SNAT rules are evaluated after those for -# one-to-one NAT (/etc/shorewall/nat file). If you want -# the rule to be applied before one-to-one NAT rules, -# prefix the interface name with "+": -# -# +eth0 -# +eth0:192.0.2.32/27 -# +eth0:2 -# -# This feature should only be required if you need to -# insert rules in this file that preempt entries in -# /etc/shorewall/nat. -# -# If you place COMMENT in this column, then the rest of the -# line will be attached as a comment to the Netfilter rule(s) -# generated by the following entry. The comment will appear -# delimited by "/* ... */" in the output of "shorewall show -# nat" -# -# SOURCE (formerly called SUBNET) -# -# Set of hosts that you wish to masquerade. You can specify this -# as an address (net or host) or as an interface. If you give -# the name of an interface, the interface must be up before you -# start the firewall (Shorewall will use your main routing table -# to determine the appropriate addresses to masquerade). -# -# In order to exclude a addrress of the specified SOURCE, you -# may append "!" and a comma-separated list of IP addresses -# (host or net) that you wish to exclude. -# -# Example: eth1!192.168.1.4,192.168.32.0/27 -# -# In that example traffic from eth1 would be masqueraded unless -# it came from 192.168.1.4 or 196.168.32.0/27 -# -# ADDRESS -- (Optional). If you specify an address here, SNAT will be -# used and this will be the source address. If -# ADD_SNAT_ALIASES is set to Yes or yes in -# /etc/shorewall/shorewall.conf then Shorewall -# will automatically add this address to the -# INTERFACE named in the first column. -# -# You may also specify a range of up to 256 -# IP addresses if you want the SNAT address to -# be assigned from that range in a round-robin -# range by connection. The range is specified by -# -. -# -# Example: 206.124.146.177-206.124.146.180 -# -# You may also use the special value "detect" -# which causes Shorewall to determine the -# IP addresses configured on the interface named -# in the INTERFACES column and substitute them -# in this column. -# -# Finally, you may also specify a comma-separated -# list of ranges and/or addresses in this column. -# -# This column may not contain DNS Names. -# -# Normally, Netfilter will attempt to retain -# the source port number. You may cause -# netfilter to remap the source port by following -# an address or range (if any) by ":" and -# a port range with the format - -# . If this is done, you must -# specify "tcp" or "udp" in the PROTO column. -# -# Examples: -# -# 192.0.2.4:5000-6000 -# :4000-5000 -# -# You can invoke the SAME target using the -# following in this column: -# -# SAME:[nodst:][,...] -# -# The may be single addresses -# or "detect" as described above. -# -# SAME works like SNAT with the exception that -# the same local IP address is assigned to each -# connection from a local address to a given -# remote address. -# -# If the 'nodst:' option is included, then the -# same source address is used for a given -# internal system regardless of which remote -# system is involved. -# -# If you want to leave this column empty -# but you need to specify the next column then -# place a hyphen ("-") here. -# -# PROTO -- (Optional) If you wish to restrict this entry to a -# particular protocol then enter the protocol -# name (from /etc/protocols) or number here. -# -# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6) -# or UDP (protocol 17) then you may list one -# or more port numbers (or names from -# /etc/services) separated by commas or you -# may list a single port range -# (:). -# -# Where a comma-separated list is given, your -# kernel and iptables must have multiport match -# support and a maximum of 15 ports may be -# listed. -# -# IPSEC -- (Optional) If you specify a value other than "-" in this -# column, you must be running kernel 2.6 and -# your kernel and iptables must include policy -# match support. -# -# Comma-separated list of options from the -# following. Only packets that will be encrypted -# via an SA that matches these options will have -# their source address changed. -# -# Yes or yes -- must be the only option -# listed and matches all outbound -# traffic that will be encrypted. -# -# reqid= where is -# specified using setkey(8) using the -# 'unique: option for the SPD -# level. -# -# spi= where is the -# SPI of the SA. -# -# proto=ah|esp|ipcomp -# -# mode=transport|tunnel -# -# tunnel-src=
[/] (only -# available with mode=tunnel) -# -# tunnel-dst=
[/] (only -# available with mode=tunnel) -# -# strict Means that packets must match -# all rules. -# -# next Separates rules; can only be -# used with strict.. -# -# Example 1: -# -# You have a simple masquerading setup where eth0 connects to -# a DSL or cable modem and eth1 connects to your local network -# with subnet 192.168.0.0/24. -# -# Your entry in the file can be either: -# -# eth0 eth1 -# -# or -# -# eth0 192.168.0.0/24 -# -# Example 2: -# -# You add a router to your local network to connect subnet -# 192.168.1.0/24 which you also want to masquerade. You then -# add a second entry for eth0 to this file: -# -# eth0 192.168.1.0/24 -# -# Example 3: -# -# You have an IPSEC tunnel through ipsec0 and you want to -# masquerade packets coming from 192.168.1.0/24 but only if -# these packets are destined for hosts in 10.1.1.0/24: -# -# ipsec0:10.1.1.0/24 196.168.1.0/24 -# -# Example 4: -# -# You want all outgoing traffic from 192.168.1.0/24 through -# eth0 to use source address 206.124.146.176 which is NOT the -# primary address of eth0. You want 206.124.146.176 added to -# be added to eth0 with name eth0:0. -# -# eth0:0 192.168.1.0/24 206.124.146.176 -# -# Example 5: -# -# You want all outgoing SMTP traffic entering the firewall -# on eth1 to be sent from eth0 with source IP address -# 206.124.146.177. You want all other outgoing traffic -# from eth1 to be sent from eth0 with source IP address -# 206.124.146.176. -# -# eth0 eth1 206.124.146.177 tcp smtp -# eth0 eth1 206.124.146.176 -# -# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! -# # For additional information, see http://shorewall.net/Documentation.htm#Masq # ############################################################################### diff --git a/Shorewall/nat b/Shorewall/nat index 6a28e83c3..74e3d870d 100644 --- a/Shorewall/nat +++ b/Shorewall/nat @@ -1,54 +1,6 @@ # # Shorewall version 3.3 - Nat File # -# /etc/shorewall/nat -# -# This file is used to define one-to-one Network Address Translation -# (NAT). -# -# WARNING: If all you want to do is simple port forwarding, do NOT use this -# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most -# cases, Proxy ARP is a better solution that one-to-one NAT. -# -# Columns are: -# -# EXTERNAL External IP Address - this should NOT be the primary -# IP address of the interface named in the next -# column and must not be a DNS Name. -# -# If you put COMMENT in this column, the rest of the -# line will be attached as a comment to the Netfilter -# rule(s) generated by the following entries in the -# file. The comment will appear delimited by "/* ... */" -# in the output of "shorewall show nat" -# -# To stop the comment from being attached to further -# rules, simply include COMMENT on a line by itself. -# -# INTERFACE Interface that has the EXTERNAL address. -# If ADD_IP_ALIASES=Yes in shorewall.conf, Shorewall -# will automatically add the EXTERNAL address to this -# interface. Also if ADD_IP_ALIASES=Yes, you may -# follow the interface name with ":" and a digit to -# indicate that you want Shorewall to add the alias -# with this name (e.g., "eth0:0"). That allows you to -# see the alias with ifconfig. THAT IS THE ONLY THING -# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT -# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION. -# -# If you want to override ADD_IP_ALIASES=Yes for a -# particular entry, follow the interface name with -# ":" and no digit (e.g., "eth0:"). -# INTERNAL Internal Address (must not be a DNS Name). -# -# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts. -# If No or no (or left empty) then NAT will be effective -# only through the interface named in the INTERFACE -# column -# -# LOCAL If Yes or yes, NAT will be effective from the firewall -# system -# # For additional information, see http://shorewall.net/NAT.htm # ############################################################################### diff --git a/Shorewall/netmap b/Shorewall/netmap index e0ad9d76b..ba1c127a2 100644 --- a/Shorewall/netmap +++ b/Shorewall/netmap @@ -1,33 +1,6 @@ # # Shorewall version 3.3 - Netmap File # -# /etc/shorewall/netmap -# -# This file is used to map addresses in one network to corresponding -# addresses in a second network. -# -# WARNING: To use this file, your kernel and iptables must have -# NETMAP support included. -# -# Columns are: -# -# TYPE Must be DNAT or SNAT. -# -# If DNAT, traffic entering INTERFACE and addressed to -# NET1 has it's destination address rewritten to the -# corresponding address in NET2. -# -# If SNAT, traffic leaving INTERFACE with a source -# address in NET1 has it's source address rewritten to -# the corresponding address in NET2. -# -# NET1 Network in CIDR format (e.g., 192.168.1.0/24) -# -# INTERFACE The name of a network interface. The interface must -# be defined in /etc/shorewall/interfaces. -# -# NET2 Network in CIDR format -# # See http://shorewall.net/netmap.html for an example and usage # information. # diff --git a/Shorewall/policy b/Shorewall/policy index c53618d8f..dfd608a48 100644 --- a/Shorewall/policy +++ b/Shorewall/policy @@ -1,112 +1,6 @@ # # Shorewall version 3.3 - Policy File # -# /etc/shorewall/policy -# -# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT -# -# This file determines what to do with a new connection request if we -# don't get a match from the /etc/shorewall/rules file . For each -# source/destination pair, the file is processed in order until a -# match is found ("all" will match any client or server). -# -# INTRA-ZONE POLICIES ARE PRE-DEFINED -# -# For $FW and for all of the zoned defined in /etc/shorewall/zones, -# the POLICY for connections from the zone to itself is ACCEPT (with no -# logging or TCP connection rate limiting but may be overridden by an -# entry in this file. The overriding entry must be explicit (cannot use -# "all" in the SOURCE or DEST). -# -# Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf, then -# the implicit policy to/from any sub-zone is CONTINUE. These implicit -# CONTINUE policies may also be overridden by an explicit entry in this -# file. -# -# Columns are: -# -# SOURCE Source zone. Must be the name of a zone defined -# in /etc/shorewall/zones, $FW or "all". -# -# DEST Destination zone. Must be the name of a zone defined -# in /etc/shorewall/zones, $FW or "all" -# -# POLICY Policy if no match from the rules file is found. Must -# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE". -# -# ACCEPT - Accept the connection -# DROP - Ignore the connection request -# REJECT - For TCP, send RST. For all other, -# send "port unreachable" ICMP. -# QUEUE - Send the request to a user-space -# application using the QUEUE target. -# CONTINUE - Pass the connection request past -# any other rules that it might also -# match (where the source or -# destination zone in those rules is -# a superset of the SOURCE or DEST -# in this policy). -# NONE - Assume that there will never be any -# packets from this SOURCE -# to this DEST. Shorewall will not set -# up any infrastructure to handle such -# packets and you may not have any -# rules with this SOURCE and DEST in -# the /etc/shorewall/rules file. If -# such a packet _is_ received, the -# result is undefined. NONE may not be -# used if the SOURCE or DEST columns -# contain the firewall zone ($FW) or -# "all". -# -# If the policy is DROP or REJECT then the policy should -# be followed by ":" and one of the following: -# -# a) The word "None" or "none". This causes any default -# action defined in /etc/shorewall/shorewall.conf to -# be omitted for this policy. -# b) The name of an action (requires that USE_ACTIONS=Yes -# in shorewall.conf). That action will be invoked -# before the policy is enforced. -# c) The name of a macro. The rules in that macro will -# be applied before the policy is enforced. This -# does not require USE_ACTIONS=Yes. -# -# LOG LEVEL If supplied, each connection handled under the default -# POLICY is logged at that level. If not supplied, no -# log message is generated. See syslog.conf(5) for a -# description of log levels. -# -# Beginning with Shorewall version 1.3.12, you may -# also specify ULOG (must be in upper case). This will -# log to the ULOG target and sent to a separate log -# through use of ulogd -# (http://www.gnumonks.org/projects/ulogd). -# -# If you don't want to log but need to specify the -# following column, place "-" here. -# -# LIMIT:BURST If passed, specifies the maximum TCP connection rate -# and the size of an acceptable burst. If not specified, -# TCP connections are not limited. -# -# Example: -# -# a) All connections from the local network to the internet are allowed -# b) All connections from the internet are ignored but logged at syslog -# level KERNEL.INFO. -# d) All other connection requests are rejected and logged at level -# KERNEL.INFO. -# -# #SOURCE DEST POLICY LOG -# # LEVEL -# loc net ACCEPT -# net all DROP info -# # -# # THE FOLLOWING POLICY MUST BE LAST -# # -# all all REJECT info -# # See http://shorewall.net/Documentation.htm#Policy for additional information. # ############################################################################### diff --git a/Shorewall/providers b/Shorewall/providers index a3560a079..86dd9c03a 100644 --- a/Shorewall/providers +++ b/Shorewall/providers @@ -1,105 +1,6 @@ # # Shorewall version 3.3 - Providers File # -# /etc/shorewall/providers -# -# This file is used to define additional routing tables. You will -# want to define an additional table if: -# -# - You have connections to more than one ISP or multiple connections -# to the same ISP -# -# - You run Squid as a transparent proxy on a host other than the -# firewall. -# -# To omit a column, enter "-". -# -# Columns are: -# -# NAME The provider name. Must be a valid shell variable name. -# The names 'local', 'main', 'default' and 'unspec' are -# reserved and may not be used as provider names. -# -# NUMBER The provider number -- a number between 1 and 15 -# -# MARK A FWMARK value used in your /etc/shorewall/tcrules -# file to direct packets to this provider. -# -# If HIGH_ROUTE_MARKS=Yes in shorewall.conf, then the -# value must be a multiple of 256 between 256 and 65280 -# or their hexadecimal equivalents (0x0100 and 0xff00 -# with the low-order byte of the value being zero). -# Otherwise, the value must be between 1 and 255. -# -# DUPLICATE The name of an existing table to duplicate. May be -# 'main' or the name of a previous provider. -# -# INTERFACE The name of the network interface to the provider. -# Must be listed in /etc/shorewall/interfaces. -# -# GATEWAY The IP address of the provider's gateway router. -# -# You can enter "detect" here and Shorewall will -# attempt to detect the gateway automatically. -# -# [ EXPERIMENTAL ] For PPP devices, you may omit this -# column. -# -# OPTIONS A comma-separated list selected from the following: -# -# track If specified, inbound connections on this interface -# are to be tracked so that responses may be routed back -# out this same interface. -# -# You want to specify 'track' if internet hosts will be -# connecting to local servers through this provider. -# -# balance The providers that have 'balance' specified will -# get outbound traffic load-balanced among them. By -# default, all interfaces with 'balance' specified -# will have the same weight (1). You can change the -# weight of an interface by specifiying balance= -# where is the weight of the route out of -# this interface. -# -# loose Shorewall normally adds a routing rule for each -# IP address on an interface which forces traffic -# whose source is that IP address to be sent using -# the routing table for that interface. Setting -# 'loose' prevents creation of such rules on this -# interface. -# -# optional -# If the interface named in the INTERFACE column is not -# up and configured with an IPv4 address then ignore -# this provider. -# -# COPY A comma-separated lists of other interfaces on your -# firewall. Only makes sense when DUPLICATE is 'main'. -# Only copy routes through INTERFACE and through -# interfaces listed here. If you only wish to copy -# routes through INTERFACE, enter 'none' here. -# -# Example: You run squid in your DMZ on IP address 192.168.2.99. Your DMZ -# interface is eth2 -# -# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS -# Squid 1 1 - eth2 192.168.2.99 - -# -# Example: -# -# eth0 connects to ISP 1. The IP address of eth0 is 206.124.146.176 and -# the ISP's gateway router has IP address 206.124.146.254. -# -# eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the -# ISP's gateway router has IP address 130.252.99.254. -# -# eth2 connects to a local network. -# -# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY -# ISP1 1 1 main eth0 206.124.146.254 track,balance eth2 -# ISP2 2 2 main eth1 130.252.99.254 track,balance eth2 -# # For additional information, see http://shorewall.net/MultiISP.html # ############################################################################################ diff --git a/Shorewall/proxyarp b/Shorewall/proxyarp index 9b8755201..2547cf6be 100644 --- a/Shorewall/proxyarp +++ b/Shorewall/proxyarp @@ -1,42 +1,6 @@ # # Shorewall version 3.3 - Proxyarp File # -# /etc/shorewall/proxyarp -# -# This file is used to define Proxy ARP. -# -# Columns are: -# -# ADDRESS IP Address -# -# INTERFACE Local interface where system is connected. -# -# EXTERNAL External Interface to be used to access this system -# -# HAVEROUTE If there is already a route from the firewall to -# the host whose address is given, enter "Yes" or "yes" -# in this column. Otherwise, entry "no", "No" or leave -# the column empty and Shorewall will add the route for -# you. If Shorewall adds the route,the route will be -# persistent if the PERSISTENT column contains Yes; -# otherwise, "shorewall stop" or "shorewall clear" will -# delete the route. -# -# PERSISTENT If HAVEROUTE is No or "no", then the value of this -# column determines if the route added by Shorewall -# persists after a "shorewall stop" or a "shorewall -# clear". If this column contains "Yes" or "yes" then -# the route persists; If the column is empty or contains -# "No"or "no" then the route is deleted at "shorewall -# stop" or "shorewall clear". -# -# Example: Host with IP 155.186.235.6 is connected to -# interface eth1 and we want hosts attached via eth0 -# to be able to access it using that address. -# -# #ADDRESS INTERFACE EXTERNAL -# 155.186.235.6 eth1 eth0 -# # See http://shorewall.net/ProxyARP.htm for additional information. # ############################################################################### diff --git a/Shorewall/rfc1918 b/Shorewall/rfc1918 index e9a55d945..e63c9e4eb 100644 --- a/Shorewall/rfc1918 +++ b/Shorewall/rfc1918 @@ -1,44 +1,6 @@ # # Shorewall version 3.3 - Rfc1918 File # -# /etc/shorewall/rfc1918 -# -# Lists the subnetworks that are blocked by the 'norfc1918' interface -# option. -# -# The default list includes those IP addresses listed in RFC 1918. -# -# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE -# TO /etc/shorewall AND MODIFY THE COPY. -# -# Columns are: -# -# SUBNETS A comma-separated list of subnet addresses -# (host addresses also allowed as are IP -# address ranges provided that your kernel and iptables -# have iprange match support). -# TARGET Where to send packets to/from this subnet -# RETURN - let the packet be processed normally -# DROP - silently drop the packet -# logdrop - log then drop -# -# By default, the RETURN target causes 'norfc1918' processing to cease -# for a packet if the packet's source IP address matches the rule. Thus, -# if you have: -# -# SUBNETS TARGET -# 192.168.1.0/24 RETURN -# -# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though -# you also have: -# -# SUBNETS TARGET -# 10.0.0.0/8 logdrop -# -# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic -# to be logged and dropped since while the packet's source matches the -# RETURN rule, the packet's destination matches the 'logdrop' rule. -# ############################################################################### #SUBNETS TARGET 172.16.0.0/12 logdrop # RFC 1918 diff --git a/Shorewall/route_rules b/Shorewall/route_rules index 7156b6749..9f8c04395 100644 --- a/Shorewall/route_rules +++ b/Shorewall/route_rules @@ -1,69 +1,6 @@ # # Shorewall version 3.3 - route_rules File # -# /etc/shorewall/route_rules -# -# Entries in this file cause traffic to be routed to one of the -# providers listed in /etc/shorewall/providers. -# -# Columns are: -# -# SOURCE(optional) -# An ip address (network or host) that -# matches the source IP address in a packet. -# May also be specified as an interface -# name optionally followed by ":" and an -# address. If the device 'lo' is specified, -# the packet must originate from the firewall -# itself. -# -# DEST(optional) An ip address (network or host) that -# matches the destination IP address in a packet. -# -# If you choose to omit either SOURCE or DEST, -# place "-" in that column. Note that you -# may not omit both SOURCE and DEST. -# -# PROVIDER The provider to route the traffic through. -# May be expressed either as the provider name -# or the provider number. May also be 'main' -# or 254 for the main routing table. This can -# be used in combination with VPN tunnels, see -# example 2 below. -# -# PRIORITY -# The rule's priority which determines the order -# in which the rules are processed. -# -# 1000-1999 Before Shorewall-generated -# 'MARK' rules -# -# 11000- 11999 After 'MARK' rules but before -# Shorewall-generated rules for -# ISP interfaces. -# -# 26000-26999 After ISP interface rules but -# before 'default' rule. -# -# Rules with equal priority are applied in -# the order in which they appear in the file. -# -# Example 1: You want all traffic coming in on eth1 to be routed to the ISP1 -# provider: -# -# #SOURCE DEST PROVIDER PRIORITY -# eth1 - ISP1 1000 -# -# Example 2: You use OpenVPN (routed setup /tunX) in combination with multiple -# providers. In this case you have to set up a rule to ensure that -# the OpenVPN traffic is routed back through the tunX interface(s) -# rather than through any of the providers. 10.8.0.0/24 is the -# subnet choosen in your OpenVPN configuration (server 10.8.0.0 -# 255.255.255.0) -# -# #SOURCE DEST PROVIDER PRIORITY -# - 10.8.0.0/24 main 1000 -# # For additional information, see http://www.shorewall.net/MultiISP.html ############################################################################## #SOURCE DEST PROVIDER PRIORITY diff --git a/Shorewall/routestopped b/Shorewall/routestopped index cbc6c9878..085aaccef 100644 --- a/Shorewall/routestopped +++ b/Shorewall/routestopped @@ -1,60 +1,6 @@ # # Shorewall version 3.3 - Routestopped File # -# /etc/shorewall/routestopped -# -# This file is used to define the hosts that are accessible when the -# firewall is stopped or when it is in the process of being -# [re]started. -# -# Columns are: -# -# INTERFACE - Interface through which host(s) communicate with -# the firewall -# HOST(S) - (Optional) Comma-separated list of IP/subnet -# addresses. If your kernel and iptables include -# iprange match support, IP address ranges are also -# allowed. -# -# If left empty or supplied as "-", -# 0.0.0.0/0 is assumed. -# OPTIONS - (Optional) A comma-separated list of -# options. The currently-supported options are: -# -# routeback - Set up a rule to ACCEPT traffic from -# these hosts back to themselves. -# -# source - Allow traffic from these hosts to ANY -# destination. Without this option or the 'dest' -# option, only traffic from this host to other -# listed hosts (and the firewall) is allowed. If -# 'source' is specified then 'routeback' is redundant. -# -# dest - Allow traffic to these hosts from ANY -# source. Without this option or the 'source' -# option, only traffic from this host to other -# listed hosts (and the firewall) is allowed. If -# 'dest' is specified then 'routeback' is redundant. -# -# critical - Allow traffic between the firewall and -# these hosts throughout '[re]start', 'stop' and -# 'clear'. Specifying 'critical' on one or more -# entries will cause your firewall to be "totally -# open" for a brief window during each of those -# operations. -# -# NOTE: The 'source' and 'dest' options work best when used -# in conjunction with ADMINISABSENTMINDED=Yes in -# /etc/shorewall/shorewall.conf. -# -# Example: -# -# INTERFACE HOST(S) OPTIONS -# eth2 192.168.1.0/24 -# eth0 192.0.2.44 -# br0 - routeback -# eth3 - source -# # See http://shorewall.net/Documentation.htm#Routestopped and # http://shorewall.net/starting_and_stopping_shorewall.htm for additional # information. diff --git a/Shorewall/rules b/Shorewall/rules index 26267bffc..4e5e7dae3 100644 --- a/Shorewall/rules +++ b/Shorewall/rules @@ -1,442 +1,6 @@ # # Shorewall version 3.3 - Rules File # -# /etc/shorewall/rules -# -# Rules in this file govern connection establishment. Requests and -# responses are automatically allowed using connection tracking. For any -# particular (source,dest) pair of zones, the rules are evaluated in the -# order in which they appear in this file and the first match is the one -# that determines the disposition of the request. -# -# In most places where an IP address or subnet is allowed, you -# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to -# indicate that the rule matches all addresses except the address/subnet -# given. Notice that no white space is permitted between "!" and the -# address/subnet. -#------------------------------------------------------------------------------ -# WARNING: If you masquerade or use SNAT from a local system to the internet, -# you cannot use an ACCEPT rule to allow traffic from the internet to -# that system. You *must* use a DNAT rule instead. -#------------------------------------------------------------------------------ -# -# The rules file is divided into sections. Each section is introduced by -# a "Section Header" which is a line beginning with SECTION followed by the -# section name. -# -# Sections are as follows and must appear in the order listed: -# -# ESTABLISHED Packets in the ESTABLISHED state are processed -# by rules in this section. -# -# The only ACTIONs allowed in this section are -# ACCEPT, DROP, REJECT, LOG and QUEUE -# -# There is an implicit ACCEPT rule inserted -# at the end of this section. -# -# RELATED Packets in the RELATED state are processed by -# rules in this section. -# -# The only ACTIONs allowed in this section are -# ACCEPT, DROP, REJECT, LOG and QUEUE -# -# There is an implicit ACCEPT rule inserted -# at the end of this section. -# -# NEW Packets in the NEW and INVALID states are -# processed by rules in this section. -# -# Note: If you are not familiar with Netfilter to the point where you are -# comfortable with the differences between the various connection -# tracking states, then I suggest that you omit the ESTABLISHED and -# RELATED sections and place all of your rules in the NEW section -# (That's after the line that reads SECTION NEW'). -# -# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the -# ESTABLISHED and RELATED sections must be empty. -# -# You may omit any section that you don't need. If no Section Headers appear -# in the file then all rules are assumed to be in the NEW section. -# -# Columns are: -# -# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, -# LOG, QUEUE, COMMENT, a , or an . -# -# ACCEPT -- allow the connection request -# ACCEPT+ -- like ACCEPT but also excludes the -# connection from any subsequent -# DNAT[-] or REDIRECT[-] rules -# NONAT -- Excludes the connection from any -# subsequent DNAT[-] or REDIRECT[-] -# rules but doesn't generate a rule -# to accept the traffic. -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable or an RST packet. -# DNAT -- Forward the request to another -# system (and optionally another -# port). -# DNAT- -- Advanced users only. -# Like DNAT but only generates the -# DNAT iptables rule and not -# the companion ACCEPT rule. -# SAME -- Similar to DNAT except that the -# port may not be remapped and when -# multiple server addresses are -# listed, all requests from a given -# remote system go to the same -# server. -# SAME- -- Advanced users only. -# Like SAME but only generates the -# NAT iptables rule and not -# the companion ACCEPT rule. -# REDIRECT -- Redirect the request to a local -# port on the firewall. -# REDIRECT- -# -- Advanced users only. -# Like REDIRET but only generates the -# REDIRECT iptables rule and not -# the companion ACCEPT rule. -# -# CONTINUE -- (For experts only). Do not process -# any of the following rules for this -# (source zone,destination zone). If -# The source and/or destination IP -# address falls into a zone defined -# later in /etc/shorewall/zones, this -# connection request will be passed -# to the rules defined for that -# (those) zone(s). -# LOG -- Simply log the packet and continue. -# QUEUE -- Queue the packet to a user-space -# application such as ftwall -# (http://p2pwall.sf.net). -# COMMENT -- the rest of the line will be attached -# as a comment to the Netfilter rule(s) -# generated by the following entres. -# The comment will appear delimited by -# "/* ... */" in the output of -# "shorewall show ". To stop -# the comment from being attached to -# further rules, simply include -# COMMENT on a line by itself. -# -- The name of an action defined in -# /etc/shorewall/actions or in -# /usr/share/shorewall/actions.std. -# -- The name of a macro defined in a -# file named macro.. If -# the macro accepts an action -# parameter (Look at the macro -# source to see if it has PARAM in -# the TARGET column) then the macro -# name is followed by "/" and the -# action (ACCEPT, DROP, REJECT, ...) -# to be substituted for the -# parameter. Example: FTP/ACCEPT. -# -# The ACTION may optionally be followed -# by ":" and a syslog log level (e.g, REJECT:info or -# DNAT:debug). This causes the packet to be -# logged at the specified level. -# -# If the ACTION names an action defined in -# /etc/shorewall/actions or in -# /usr/share/shorewall/actions.std then: -# -# - If the log level is followed by "!' then all rules -# in the action are logged at the log level. -# -# - If the log level is not followed by "!" then only -# those rules in the action that do not specify -# logging are logged at the specified level. -# -# - The special log level 'none!' suppresses logging -# by the action. -# -# You may also specify ULOG (must be in upper case) as a -# log level.This will log to the ULOG target for routing -# to a separate log through use of ulogd -# (http://www.gnumonks.org/projects/ulogd). -# -# Actions specifying logging may be followed by a -# log tag (a string of alphanumeric characters) -# are appended to the string generated by the -# LOGPREFIX (in /etc/shorewall/shorewall.conf). -# -# Example: ACCEPT:info:ftp would include 'ftp ' -# at the end of the log prefix generated by the -# LOGPREFIX setting. -# -# SOURCE Source hosts to which the rule applies. May be a zone -# defined in /etc/shorewall/zones, $FW to indicate the -# firewall itself, "all", "all+", "all-", "all+-" or -# "none". -# -# When "none" is used either in the SOURCE or DEST -# column, the rule is ignored. -# -# "all" means "All Zones", including the firewall itself. -# "all-" means "All Zones, except the firewall itself". -# When "all[-]" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. When "all+[-]" is -# "used, intra-zone traffic is affected. -# -# Except when "all[+][-]" is specified, clients may be -# further restricted to a list of subnets and/or hosts by -# appending ":" and a comma-separated list of subnets -# and/or hosts. Hosts may be specified by IP or MAC -# address; mac addresses must begin with "~" and must use -# "-" as a separator. -# -# Hosts may be specified as an IP address range using the -# syntax -. This requires that -# your kernel and iptables contain iprange match support. -# If you kernel and iptables have ipset match support -# then you may give the name of an ipset prefaced by "+". -# The ipset name may be optionally followed by a number -# from 1 to 6 enclosed in square brackets ([]) to -# indicate the number of levels of source bindings to be -# matched. -# -# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ -# -# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the -# Internet -# -# loc:192.168.1.1,192.168.1.2 -# Hosts 192.168.1.1 and -# 192.168.1.2 in the local zone. -# loc:~00-A0-C9-15-39-78 Host in the local zone with -# MAC address 00:A0:C9:15:39:78. -# -# net:192.0.2.11-192.0.2.17 -# Hosts 192.0.2.11-192.0.2.17 in -# the net zone. -# -# Alternatively, clients may be specified by interface -# by appending ":" to the zone name followed by the -# interface name. For example, loc:eth1 specifies a -# client that communicates with the firewall system -# through eth1. This may be optionally followed by -# another colon (":") and an IP/MAC/subnet address -# as described above (e.g., loc:eth1:192.168.1.5). -# -# DEST Location of Server. May be a zone defined in -# /etc/shorewall/zones, $FW to indicate the firewall -# itself, "all". "all+" or "none". -# -# When "none" is used either in the SOURCE or DEST -# column, the rule is ignored. -# -# When "all" is used either in the SOURCE or DEST column -# intra-zone traffic is not affected. When "all+" is -# used, intra-zone traffic is affected. -# -# Except when "all[+]" is specified, the server may be -# further restricted to a particular subnet, host or -# interface by appending ":" and the subnet, host or -# interface. See above. -# -# Restrictions: -# -# 1. MAC addresses are not allowed. -# 2. In DNAT rules, only IP addresses are -# allowed; no FQDNs or subnet addresses -# are permitted. -# 3. You may not specify both an interface and -# an address. -# -# Like in the SOURCE column, you may specify a range of -# up to 256 IP addresses using the syntax -# -. When the ACTION is DNAT or DNAT-, -# the connections will be assigned to addresses in the -# range in a round-robin fashion. -# -# If you kernel and iptables have ipset match support -# then you may give the name of an ipset prefaced by "+". -# The ipset name may be optionally followed by a number -# from 1 to 6 enclosed in square brackets ([]) to -# indicate the number of levels of destination bindings -# to be matched. Only one of the SOURCE and DEST columns -# may specify an ipset name. -# -# The port that the server is listening on may be -# included and separated from the server's IP address by -# ":". If omitted, the firewall will not modifiy the -# destination port. A destination port may only be -# included if the ACTION is DNAT or REDIRECT. -# -# Example: loc:192.168.1.3:3128 specifies a local -# server at IP address 192.168.1.3 and listening on port -# 3128. The port number MUST be specified as an integer -# and not as a name from /etc/services. -# -# if the ACTION is REDIRECT, this column needs only to -# contain the port number on the firewall that the -# request should be redirected to. -# -# PROTO Protocol - Must be "tcp", "tcp:syn", "udp", "icmp", -# "ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all". -# "ipp2p*" requires ipp2p match support in your kernel -# and iptables. -# -# "tcp:syn" implies "tcp" plus the SYN flag must be -# set and the RST,ACK and FIN flags must be reset. -# -# DEST PORT(S) Destination Ports. A comma-separated list of Port -# names (from /etc/services), port numbers or port -# ranges; if the protocol is "icmp", this column is -# interpreted as the destination icmp-type(s). -# -# If the protocol is ipp2p, this column is interpreted -# as an ipp2p option without the leading "--" (example -# "bit" for bit-torrent). If no port is given, "ipp2p" is -# assumed. -# -# A port range is expressed as :. -# -# This column is ignored if PROTOCOL = all but must be -# entered if any of the following ields are supplied. -# In that case, it is suggested that this field contain -# "-" -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the CLIENT PORT(S) list below: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted, -# any source port is acceptable. Specified as a comma- -# separated list of port names, port numbers or port -# ranges. -# -# If you don't want to restrict client ports but need to -# specify an ORIGINAL DEST in the next column, then -# place "-" in this column. -# -# If your kernel contains multi-port match support, then -# only a single Netfilter rule will be generated if in -# this list and the DEST PORT(S) list above: -# 1. There are 15 or less ports listed. -# 2. No port ranges are included. -# Otherwise, a separate rule will be generated for each -# port. -# -# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] -# then if included and different from the IP -# address given in the SERVER column, this is an address -# on some interface on the firewall and connections to -# that address will be forwarded to the IP and port -# specified in the DEST column. -# -# A comma-separated list of addresses may also be used. -# This is usually most useful with the REDIRECT target -# where you want to redirect traffic destined for -# particular set of hosts. -# -# Finally, if the list of addresses begins with "!" then -# the rule will be followed only if the original -# destination address in the connection request does not -# match any of the addresses listed. -# -# For other actions, this column may be included and may -# contain one or more addresses (host or network) -# separated by commas. Address ranges are not allowed. -# When this column is supplied, rules are generated -# that require that the original destination address -# matches one of the listed addresses. This feature is -# most useful when you want to generate a filter rule -# that corresponds to a DNAT- or REDIRECT- rule. In this -# usage, the list of addresses should not begin with "!". -# -# See http://shorewall.net/PortKnocking.html for an -# example of using an entry in this column with a -# user-defined action rule. -# -# RATE LIMIT You may rate-limit the rule by placing a value in -# this colume: -# -# /[:] -# -# where is the number of connections per -# ("sec" or "min") and is the -# largest burst permitted. If no is given, -# a value of 5 is assumed. There may be no -# no whitespace embedded in the specification. -# -# Example: 10/sec:20 -# -# USER/GROUP This column may only be non-empty if the SOURCE is -# the firewall itself. -# -# The column may contain: -# -# [!][][:][+] -# -# When this column is non-empty, the rule applies only -# if the program generating the output is running under -# the effective and/or specified (or is -# NOT running under that id if "!" is given). -# -# Examples: -# -# joe #program must be run by joe -# :kids #program must be run by a member of -# #the 'kids' group -# !:kids #program must not be run by a member -# #of the 'kids' group -# +upnpd #program named upnpd (This feature was -# #removed from Netfilter in kernel -# #version 2.6.14). -# -# Example: Accept SMTP requests from the DMZ to the internet -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# ACCEPT dmz net tcp smtp -# -# Example: Forward all ssh and http connection requests from the -# internet to local system 192.168.1.3 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT net loc:192.168.1.3 tcp ssh,http -# -# Example: Forward all http connection requests from the internet -# to local system 192.168.1.3 with a limit of 3 per second and -# a maximum burst of 10 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE -# # PORT PORT(S) DEST LIMIT -# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10 -# -# Example: Redirect all locally-originating www connection requests to -# port 3128 on the firewall (Squid running on the firewall -# system) except when the destination address is 192.168.2.2 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# REDIRECT loc 3128 tcp www - !192.168.2.2 -# -# Example: All http requests from the internet to address -# 130.252.100.69 are to be forwarded to 192.168.1.3 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 -# -# Example: You want to accept SSH connections to your firewall only -# from internet IP addresses 130.252.100.69 and 130.252.100.70 -# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL -# # PORT PORT(S) DEST -# ACCEPT net:130.252.100.69,130.252.100.70 $FW \ -# tcp 22 ############################################################################################################# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP diff --git a/Shorewall/shorewall.spec b/Shorewall/shorewall.spec index 338682081..0edef4b5f 100644 --- a/Shorewall/shorewall.spec +++ b/Shorewall/shorewall.spec @@ -68,6 +68,7 @@ fi %attr(0755,root,root) %dir /usr/share/shorewall %attr(0755,root,root) %dir /usr/share/shorewall/configfiles %attr(0700,root,root) %dir /var/lib/shorewall +%attr(0644,root,root) %config(noreplace) /etc/shorewall/Documentation.txt %attr(0644,root,root) %config(noreplace) /etc/shorewall/shorewall.conf %attr(0600,root,root) %config(noreplace) /etc/shorewall/zones %attr(0600,root,root) %config(noreplace) /etc/shorewall/policy diff --git a/Shorewall/tcclasses b/Shorewall/tcclasses index b30a0d716..4a6572ef5 100644 --- a/Shorewall/tcclasses +++ b/Shorewall/tcclasses @@ -1,193 +1,6 @@ # # Shorewall version 3.3 - Tcclasses File # -# Based on tc4shorewall version 0.5 by Arne Bernin -# -# /etc/shorewall/tcclasses -# -# Define the classes used for traffic shaping in this file. -# -# A note on the rate/bandwidth definitions used in this file: -# -# - don't use a space between the integer value and -# the unit: 30kbit is valid while 30 kbit is NOT. -# -# - you can use one of the following units: -# -# kbps Kilobytes per second -# mbps Megabytes per second -# kbit Kilobits per second -# mbit Megabits per second -# bps or a -# bare number Bytes per second -# -# - if you want the values to be calculated for you depending -# on the output bandwidth setting defined for an interface -# in tcdevices, you can use expressions like the following: -# -# full/3 causes the bandwidth to be calculated -# as 3 of the the full outgoing -# speed that is defined. -# -# full*9/10 will set this bandwidth to 9/10 of -# the full bandwidth -# -# DO NOT add a unit to the rate if it is calculated ! -# -# Columns are: -# -# INTERFACE Name of interface. Each interface may be listed only -# once in this file. You may NOT specify the name of -# an alias (e.g., eth0:0) here; see -# http://www.shorewall.net/FAQ.htm#faq18 -# -# You may NOT specify wildcards here, e.g. if you -# have multiple ppp interfaces, you need to put -# them all in here! -# -# Please note that you can only use interface names -# in here that have a bandwidth defined in the tcdevices -# file -# -# MARK The mark value which is an integer in the range 1-255. -# You define this marks in the tcrules file, marking -# the traffic you want to fit in the classes defined -# in here. -# -# You can use the same marks for different interfaces. -# -# RATE The minimum bandwidth this class should get, -# when the traffic load rises. -# -# CEIL The maximum bandwidth this class is allowed to use -# when the link is idle. Useful if you have traffic -# which can get full speed when more needed services -# (e.g. ssh) are not used. -# -# You can use the value "full" in here for setting -# the maximum bandwidth to the defined output bandwidth -# of that interface -# -# PRIORITY The priority in which classes will be serviced by -# the packet shaping scheduler and also the priority -# in which bandwidth in excess of the rate will be -# given to each class. -# -# Higher priority classes will experience less delay -# since they are serviced first. Priority values -# are serviced in ascending order (e.g. 0 is higher -# priority than 1). -# -# Classes may be set to the same priority, in which -# case they will be serviced as equals. -# -# OPTIONS A comma-separated list of options including the -# following: -# -# default - this is the default class for that -# interface where all traffic should go, -# that is not classified otherwise. -# -# NOTE: defining default for exactly one -# class per interface is mandatory! -# -# tos=0x[/0x] (mask defaults to 0xff) -# - this lets you define a classifier -# for the given / -# combination of the IP packet's -# TOS/Precedence/DiffSrv octet (aka the -# TOS byte). Please note, classifiers -# override all mark settings, so if you -# define a classifer for a class, all -# traffic having that mark will go in it -# regardless of any mark set on the -# packet by a firewall/mangle filter. -# -# NOTE: multiple tos= statements may be -# applied per class and per interface, -# but a given value/mask pair is valid -# for only ONE class per interface. -# -# tos- - aliases for the following TOS octet -# value and mask encodings. TOS -# encodings of the "TOS byte" have been -# deprecated in favor of diffserve -# classes, but programs like ssh, -# rlogin, and ftp still use them. -# -# tos-minimize-delay 0x10/0x10 -# tos-maximize-throughput 0x08/0x08 -# tos-maximize-reliability 0x04/0x04 -# tos-minimize-cost 0x02/0x02 -# tos-normal-service 0x00/0x1e -# -# NOTE: each of this options is only -# valid for ONE class per interface. -# -# tcp-ack - if defined causes an tc filter to -# be created that puts all tcp ack -# packets on that interface that have -# an size of <=64 Bytes to go in this -# class. This is useful for speeding up -# downloads. Please note that the size -# of the ack packets is limited to 64 -# bytes as some applications (p2p for -# example) use to make every packet an -# ack packet which would cause them -# all into here. We want only packets -# WITHOUT payload to match, so the size -# limit. -# -# NOTE: This option is only valid for -# ONE class per interface. -# -# -# -# Example 1: Suppose you are using PPP over Ethernet (DSL) -# and ppp0 is the interface for this. You have 4 classes -# here, the first you can use for voice over IP -# traffic, the second interactive traffic (e.g. -# ssh/telnet but not scp), the third will be for all -# unclassified traffic, and the forth is for low -# priority traffic (e.g. peer-to-peer). -# -# The voice traffic in the first class will be -# guaranteed a minimum of 100kbps and always be -# serviced first (because of the low priority number, -# giving less delay) and will be granted excess -# bandwidth (up to 180kbps, the class ceiling) first, -# before any other traffic. A single VOIP stream, -# depending upon codecs, after encapsulation, can take -# up to 80kbps on a PPOE/DSL link, so we pad a little -# bit just in case. (TOS byte values 0xb8 and 0x68 -# are DiffServ classes EF and AFF3-1 respectively and -# are often used by VOIP devices). -# -# Interactive traffic (tos-minimum-delay) and -# TCP acks (and ICMP echo traffic if you use the example -# in tcrules) and any packet with a mark of 2 will be -# guaranteed 1/4 of the link bandwidth, and may extend -# up to full speed of the link. -# -# Unclassified traffic and packets marked as 3 will be -# guaranteed 1/4th of the link bandwidth, and may extend -# to the full speed of the link. -# -# Packets marked with 4 will be treated as low priority -# packets. (The tcrules example marks p2p traffic as -# such.) If the link is congested, they're only -# guaranteed 1/8th of the speed, and even if the link is -# empty, can only expand to 80% of link bandwidth just -# as a precaution in case there are upstream queues we -# didn't account for. This is the last class to get -# additional bandwidth and the last to get serviced by -# the scheduler because of the low priority. -# -# ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc -# ppp0 2 full/4 full 2 tcp-ack,tos-minimize-delay -# ppp0 3 full/4 full 3 default -# ppp0 4 full/8 full*8/10 4 -# ############################################################################### #INTERFACE MARK RATE CEIL PRIORITY OPTIONS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/tcdevices b/Shorewall/tcdevices index 0a141f10a..3cfe704e2 100644 --- a/Shorewall/tcdevices +++ b/Shorewall/tcdevices @@ -1,68 +1,6 @@ # # Shorewall version 3.3 - Tcdevices File # -# Based on tc4shorewall version 0.5 by Arne Bernin -# -# /etc/shorewall/tcdevices -# -# Entries in this file define the bandwidth for interfaces -# on which you want traffic shaping to be enabled. -# -# If you do not plan to use traffic shaping for a device, -# don't put it in here as it limits the troughput of that -# device to the limits you set here. -# -# Columns are: -# -# -# INTERFACE Name of interface. Each interface may be listed only -# once in this file. You may NOT specify the name of -# an alias (e.g., eth0:0) here; see -# http://www.shorewall.net/FAQ.htm#faq18 -# -# You man NOT specify wildcards here, e.g. if you -# have multiple ppp interfaces, you need to put -# them all in here! -# -# If the device doesn't exist, a warning message will -# be issued during "shorewall [re]start" and "shorewall -# refresh" and traffic shaping configuration will be -# skipped for that device. -# -# IN-BANDWIDTH The incoming Bandwidth of that interface. Please -# note that you are not able to do traffic shaping -# on incoming traffic, as the traffic is already -# received before you could do so. But this allows -# you to define the maximum traffic allowed for -# this interface in total, if the rate is exceeded, -# the packets are dropped. -# You want this mainly if you have a DSL or Cable -# connection to avoid queuing at your providers side. -# -# If you don't want any traffic to be dropped set this -# to a value faster than your interface. -# -# Use kbit or kbps(for Kilobytes per second) for -# speed, and make sure there is NO space between the -# number and the unit. -# -# OUT-BANDWIDTH The outgoing Bandwidth of that interface. -# This is the maximum speed you connection can handle. -# It is also the speed you can refer as "full" if -# you define the tc classes. -# Outgoing traffic above this rate will be dropped. -# -# Use kbit or kbps(for Kilobytes per second) for -# speed, and make sure there is NO space between the -# number and the unit. -# -# Example 1: Suppose you are using PPP over Ethernet (DSL) -# and ppp0 is the interface for this. The -# device has an outgoing bandwidth of 500kbit and an -# incoming bandwidth of 6000kbit -# ppp0 6000kbit 500kbit -# -# ############################################################################### #INTERFACE IN-BANDWITH OUT-BANDWIDTH #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall/tcrules b/Shorewall/tcrules index f3c48cf0e..14acee0cf 100644 --- a/Shorewall/tcrules +++ b/Shorewall/tcrules @@ -1,265 +1,6 @@ # # Shorewall version 3.3 - Tcrules File # -# /etc/shorewall/tcrules -# -# Entries in this file cause packets to be marked as a means of -# classifying them for traffic control or policy routing. -# -# I M P O R T A N T ! ! ! ! -# -# Unlike rules in the /etc/shorewall/rules file, evaluation -# of rules in this file will continue after a match. So the -# final mark for each packet will be the one assigned by the -# LAST tcrule that matches. -# -# If you use multiple internet providers with the 'track' option, -# in /etc/shorewall/providers be sure to read the restrictions at -# http://shorewall.net/MultiISP.html. -# -# Columns are: -# -# -# MARK/ a) A mark value which is an integer in the range 1-255. -# CLASSIFY -# Normally will set the mark value. If preceded by -# a vertical bar ("|"), the mark value will be -# logically ORed with the current mark value to -# produce a new mark value. If preceded by an -# ampersand ("&"), will be logically ANDed with the -# current mark value to produce a new mark value. -# -# Both "|" and "&" require Extended MARK Target -# support in your kernel and iptables; neither may -# be used with connection marks (see below). -# -# If HIGH_ROUTE_MARKS=Yes in shorewall.conf then -# you may also specify a value in the range 0x0100- -# 0xFF00 with the low-order byte being zero. Such -# values may only be used in the PREROUTING chain -# (value followed by :F or you have set -# MARK_IN_FORWARD_CHAIN=Yes in shorewall conf and have -# not followed the value with :P) or the OUTPUT chain -# (SOURCE is $FW). -# -# May optionally be followed by ":P" or ":F" -# where ":P" indicates that marking should occur in -# the PREROUTING chain and ":F" indicates that marking -# should occur in the FORWARD chain. If neither -# ":P" nor ":F" follow the mark value then the chain -# is determined by the setting of -# MARK_IN_FORWARD_CHAIN in -# /etc/shorewall/shorewall.conf. -# -# If your kernel and iptables include CONNMARK support -# then you can also mark the connection rather than -# the packet. -# -# The mark value may be optionally followed by "/" -# and a mask value (used to determine those bits of -# the connection mark to actually be set). The -# mark and optional mask are then followed by one of: -# -# C - Mark the connection in the chain determined -# by the setting of MARK_IN_FORWARD_CHAIN -# -# CF: Mark the connection in the FORWARD chain -# -# CP: Mark the connection in the PREROUTING -# chain. -# -# b) A classification (classid) of the form -# : where and are -# integers. Corresponds to the 'class' specification -# in these traffic shaping modules: -# -# - atm -# - cbq -# - dsmark -# - pfifo_fast -# - htb -# - prio -# -# Classification occurs in the POSTROUTING chain except -# when the SOURCE is $FW[:
] in which case -# marking occurs in the OUTPUT chain. -# -# c) RESTORE[/mask] -- restore the packet's mark from the -# connection's mark using the supplied mask if any. -# Your kernel and iptables must include CONNMARK -# support. -# -# As in a) above, may be followed by ":P" or ":F -# -# c) SAVE[/mask] -- save the packet's mark to the -# connection's mark using the supplied mask if any. -# Your kernel and iptables must include CONNMARK -# support. -# -# As in a) above, may be followed by ":P" or ":F -# -# d) CONTINUE -- don't process any more marking rules in -# the table. -# -# As in a) above, may be followed by ":P" or ":F". -# -# e) COMMENT -- the rest of the line will be attached as -# a comment to the Netfilter rule(s) generated by the -# following entries. The comment will appear delimited -# by "/* ... */" in the output of "shorewall show -# mangle" -# -# To stop the comment from being attached to further -# rules, simply include COMMENT on a line by itself. -# -# SOURCE Source of the packet. A comma-separated list of -# interface names, IP addresses, MAC addresses and/or -# subnets for packets being routed through a common path. -# List elements may also consist of an interface name -# followed by ":" and an address -# (e.g., eth1:192.168.1.0/24). For example, all packets -# for connections masqueraded to eth0 from other -# interfaces can be matched in a single rule with -# several alternative SOURCE criteria. However, a -# connection whose packets gets to eth0 in a -# different way, e.g., direct from the firewall itself, -# needs a different rule. -# -# Accordingly, use $FW in its own separate rule for -# packets originating on the firewall. In such a rule, -# the MARK column may NOT specify either ":P" or ":F" -# because marking for firewall-originated packets -# always occurs in the OUTPUT chain. -# -# MAC addresses must be prefixed with "~" and use -# "-" as a separator. -# -# Example: ~00-A0-C9-15-39-78 -# -# DEST Destination of the packet. Comma separated list of -# IP addresses and/or subnets. If your kernel and -# iptables include iprange match support, IP address -# ranges are also allowed. List elements may also -# consist of an interface name followed by ":" and an -# address (e.g., eth1:192.168.1.0/24). -# If the MARK column specificies a classification of -# the form : then this column may also -# contain an interface name. -# -# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", -# "ipp2p:udp", "ipp2p:all" a number, or "all". -# "ipp2p" requires ipp2p match support in your kernel -# and iptables. -# -# PORT(S) Destination Ports. A comma-separated list of Port -# names (from /etc/services), port numbers or port -# ranges; if the protocol is "icmp", this column is -# interpreted as the destination icmp-type(s). -# -# If the protocol is ipp2p, this column is interpreted -# as an ipp2p option without the leading "--" (example -# "bit" for bit-torrent). If no PORT is given, "ipp2p" is -# assumed. -# -# This column is ignored if PROTOCOL = all but must be -# entered if any of the following field is supplied. -# In that case, it is suggested that this field contain -# "-" -# -# SOURCE PORT(S) (Optional) Source port(s). If omitted, -# any source port is acceptable. Specified as a comma- -# separated list of port names, port numbers or port -# ranges. -# -# USER This column may only be non-empty if the SOURCE is -# the firewall itself. -# -# When this column is non-empty, the rule applies only -# if the program generating the output is running under -# the effective user and/or group. -# -# It may contain : -# -# []:[][+] -# -# The colon is optionnal when specifying only a user -# or a program name. -# Examples : john: , john , :users , john:users , -# +mozilla-bin (Support for program names -# was removed from Netfilter in Kernel -# version 2.6.14). -# -# TEST Defines a test on the existing packet or connection -# mark. The rule will match only if the test returns -# true. Tests have the format [!][/][:C] -# -# Where: -# -# ! Inverts the test (not equal) -# Value of the packet or connection mark. -# A mask to be applied to the mark before -# testing -# :C Designates a connection mark. If -# omitted, the packet mark's value is -# tested. -# -# If you don't want to define a test but need to specify -# anything in the following columns, place a "-" in this -# field. -# -# LENGTH (Optional) Packet Length. This field, if present -# allow you to match the length of a packet against -# a specific value or range of values. You must have -# iptables length support for this to work. -# A range is specified in the form : -# where either or (but not both) may be -# omitted. If is omitted, then 0 is assumed; if -# is omitted, than any packet that is or -# longer will match. -# -# Examples: 1024, 64:1500, :100 (packet of length -# 100 bytes or less) -# -# If you don't want to define a test but need to specify -# anything in the following columns, place a "-" in this -# field. -# -# TOS Type of service. Either a standard name, or a numeric -# value to match. -# -# Minimize-Delay (16) -# Maximize-Throughput (8) -# Maximize-Reliability (4) -# Minimize-Cost (2) -# Normal-Service (0) -# -# Example 1: -# -# Mark all ICMP echo traffic with packet mark 1. -# Mark all peer to peer traffic with packet mark 4. -# -# This is a little more complex than otherwise expected. Since -# the ipp2p module is unable to determine all packets in a -# connection are P2P packets, we mark the entire connection as -# P2P if any of the packets are determined to match. -# -# We assume packet/connection mark 0 to means unclassified. -# -# 1 0.0.0.0/0 0.0.0.0/0 icmp echo-request -# 1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply -# -# RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 -# CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 -# 4 0.0.0.0/0 0.0.0.0/0 ipp2p:all -# SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 -# -# "If a packet hasn't been classifed (packet mark is 0), copy -# the connection mark to the packet mark. If the packet mark -# is set, we're done. If the packet is P2P, set the packet -# mark to 4. If the packet mark has been set, save it to the -# connection mark." -# -# # See http://shorewall.net/traffic_shaping.htm for additional information. # For usage in selecting among multiple ISPs, see # http://shorewall.net/MultiISP.html diff --git a/Shorewall/tos b/Shorewall/tos index a09849633..a5df95d78 100644 --- a/Shorewall/tos +++ b/Shorewall/tos @@ -1,48 +1,6 @@ # # Shorewall version 3.3 - Tos File # -# /etc/shorewall/tos -# -# This file defines rules for setting Type Of Service (TOS) -# -# Columns are: -# -# SOURCE Name of a zone declared in /etc/shorewall/zones, "all" -# or $FW. -# -# If not "all" or $FW, may optionally be followed by -# ":" and an IP address, a MAC address, a subnet -# specification or the name of an interface. -# -# Example: loc:192.168.2.3 -# -# MAC addresses must be prefixed with "~" and use -# "-" as a separator. -# -# Example: ~00-A0-C9-15-39-78 -# -# DEST Name of a zone declared in /etc/shorewall/zones, "all" -# or $FW. -# -# If not "all" or $FW, may optionally be followed by -# ":" and an IP address or a subnet specification -# -# Example: loc:192.168.2.3 -# -# PROTOCOL Protocol. -# -# SOURCE PORTS Source port or port range. If all ports, use "-". -# -# DEST PORTS Destination port or port range. If all ports, use "-" -# -# TOS Type of service. Must be one of the following: -# -# Minimize-Delay (16) -# Maximize-Throughput (8) -# Maximize-Reliability (4) -# Minimize-Cost (2) -# Normal-Service (0) -# ############################################################################### #SOURCE DEST PROTOCOL SOURCE DEST TOS # PORTS PORTS diff --git a/Shorewall/tunnels b/Shorewall/tunnels index d7c52105d..43a0d61e3 100644 --- a/Shorewall/tunnels +++ b/Shorewall/tunnels @@ -1,127 +1,6 @@ # # Shorewall version 3.3 - Tunnels File # -# /etc/shorewall/tunnels -# -# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels. -# -# IPIP, GRE and OPENVPN tunnels must be configured on the -# firewall/gateway itself. IPSEC endpoints may be defined -# on the firewall/gateway or on an internal system. -# -# The columns are: -# -# TYPE -- must start in column 1 and be "ipsec", "ipsecnat", -# "ipip", "gre", "6to4", "pptpclient", "pptpserver", -# "openvpn", "openvpnclient", "openvpnserver" or -# "generic" -# -# If the type is "ipsec" or "ipsecnat", it may be -# followed by ":noah" to indicate that the Authentication -# Header protocol (51) is not used by the tunnel. -# -# If type is "openvpn", "openvpnclient" or -# "openvpnserver" it may optionally be followed by ":" -# and "tcp" or "udp" to specify the protocol to be -# used. If not specified, "udp" is assumed. -# -# If type is "openvpn", "openvpnclient" or -# "openvpnserver" it may optionally be followed -# by ":" and the port number used by the tunnel. if no -# ":" and port number are included, then the default port -# of 1194 will be used. . Where both the protocol and port -# are specified, the protocol must be given first (e.g., -# openvpn:tcp:4444). -# -# If type is "generic", it must be followed by ":" and -# a protocol name (from /etc/protocols) or a protocol -# number. If the protocol is "tcp" or "udp" (6 or 17), -# then it may optionally be followed by ":" and a -# port number. -# -# ZONE -- The zone of the physical interface through which -# tunnel traffic passes. This is normally your internet -# zone. -# -# GATEWAY -- The IP address of the remote tunnel gateway. If the -# remote gateway has no fixed address (Road Warrior) -# then specify the gateway as 0.0.0.0/0. May be -# specified as a network address and if your kernel and -# iptables include iprange match support then IP address -# ranges are also allowed. -# -# GATEWAY -# ZONES -- Optional. If the gateway system specified in the third -# column is a standalone host then this column should -# contain a comma-separated list of the names of the -# zones that the host might be in. This column only -# applies to IPSEC tunnels where it enables ISAKMP -# traffic to flow through the tunnel to the remote -# gateway. -# -# Example 1: -# -# IPSec tunnel. The remote gateway is 4.33.99.124 and -# the remote subnet is 192.168.9.0/24. The tunnel does -# not use the AH protocol -# -# ipsec:noah net 4.33.99.124 -# -# Example 2: -# -# Road Warrior (LapTop that may connect from anywhere) -# where the "gw" zone is used to represent the remote -# LapTop. -# -# ipsec net 0.0.0.0/0 gw -# -# Example 3: -# -# Host 4.33.99.124 is a standalone system connected -# via an ipsec tunnel to the firewall system. The host -# is in zone gw. -# -# ipsec net 4.33.99.124 gw -# -# Example 4: -# -# Road Warriors that may belong to zones vpn1, vpn2 or -# vpn3. The FreeS/Wan _updown script will add the -# host to the appropriate zone using the "shorewall add" -# command on connect and will remove the host from the -# zone at disconnect time. -# -# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3 -# -# Example 5: -# -# You run the Linux PPTP client on your firewall and -# connect to server 192.0.2.221. -# -# pptpclient net 192.0.2.221 -# -# Example 6: -# -# You run a PPTP server on your firewall. -# -# pptpserver net -# -# Example 7: -# -# OPENVPN tunnel. The remote gateway is 4.33.99.124 and -# openvpn uses port 7777. -# -# openvpn:7777 net 4.33.99.124 -# -# Example 8: -# -# You have a tunnel that is not one of the supported -# types. Your tunnel uses UDP port 4444. The other end -# of the tunnel is 4.3.99.124. -# -# generic:udp:4444 net 4.3.99.124 -# -# # See http://shorewall.net/Documentation.htm#Tunnels for additional # information. # diff --git a/Shorewall/zones b/Shorewall/zones index 7efcff0b4..340d6a795 100644 --- a/Shorewall/zones +++ b/Shorewall/zones @@ -1,118 +1,6 @@ # # Shorewall version 3.3 - Zones File # -# /etc/shorewall/zones -# -# This file declares your network zones. You specify the hosts in -# each zone through entries in /etc/shorewall/interfaces or -# /etc/shorewall/hosts. -# -# WARNING: The format of this file changed in Shorewall 3.0.0. You can -# continue to use your old records provided that you set -# IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will -# signal Shorewall that the IPSEC-related zone options are -# still specified in /etc/shorewall/ipsec rather than in this -# file. -# -# To use records in the format described below, you must have -# IPSECFILE=zones specified in /etc/shorewall/shorewall.conf -# AND YOU MUST NOT SET THE 'FW' VARIABLE IN THAT FILE!!!!! -# -# Columns are: -# -# ZONE Short name of the zone. The names "all" and "none" are reserved -# and may not be used as zone names. The maximum length of a -# zone name is determined by the setting of the LOGFORMAT option -# in shorewall.conf. With the default LOGFORMAT, zone names can -# be at most 5 characters long. -# -# Where a zone is nested in one or more other zones, -# you may follow the (sub)zone name by ":" and a -# comma-separated list of the parent zones. The parent -# zones must have been defined in earlier records in this -# file. -# -# Example: -# -# #ZONE TYPE OPTIONS -# a ipv4 -# b ipv4 -# c:a,b ipv4 -# -# Currently, Shorewall uses this information to reorder the -# zone list so that parent zones appear after their subzones in -# the list. The IMPLICIT_CONTINUE option in shorewall.conf can -# also create implicit CONTINUE policies to/from the subzone. -# -# In the future, Shorewall may make additional use -# of nesting information. -# -# TYPE ipv4 - This is the standard Shorewall zone type and is the -# default if you leave this column empty or if you enter -# "-" in the column. Communication with some zone hosts -# may be encrypted. Encrypted hosts are designated using -# the 'ipsec'option in /etc/shorewall/hosts. -# ipsec - Communication with all zone hosts is encrypted -# Your kernel and iptables must include policy -# match support. -# firewall -# - Designates the firewall itself. You must have -# exactly one 'firewall' zone. No options are -# permitted with a 'firewall' zone. The name that you -# enter in the ZONE column will be stored in the shell -# variable $FW which you may use in other configuration -# files to designate the firewall zone. -# -# OPTIONS, A comma-separated list of options as follows: -# IN OPTIONS, -# OUT OPTIONS reqid= where is specified -# using setkey(8) using the 'unique: -# option for the SPD level. -# -# spi= where is the SPI of -# the SA used to encrypt/decrypt packets. -# -# proto=ah|esp|ipcomp -# -# mss= (sets the MSS field in TCP packets) -# -# mode=transport|tunnel -# -# tunnel-src=
[/] (only -# available with mode=tunnel) -# -# tunnel-dst=
[/] (only -# available with mode=tunnel) -# -# strict Means that packets must match all rules. -# -# next Separates rules; can only be used with -# strict -# -# Example: -# mode=transport,reqid=44 -# -# The options in the OPTIONS column are applied to both incoming -# and outgoing traffic. The IN OPTIONS are applied to incoming -# traffic (in addition to OPTIONS) and the OUT OPTIONS are -# applied to outgoing traffic. -# -# If you wish to leave a column empty but need to make an entry -# in a following column, use "-". -#------------------------------------------------------------------------------ -# Example zones: -# -# You have a three interface firewall with internet, local and DMZ -# interfaces. -# -# #ZONE TYPE OPTIONS IN OUT -# # OPTIONS OPTIONS -# fw firewall -# net ipv4 -# loc ipv4 -# dmz ipv4 -# -# # For more information, see http://www.shorewall.net/Documentation.htm#Zones # ###############################################################################