forked from extern/shorewall_code
Move 2.2.0+ to Lrp2
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1940 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
a32c5eb849
commit
627713e621
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.0 - Accounting File
|
||||
# Shorewall version 2.2 - Accounting File
|
||||
#
|
||||
# /etc/shorewall/accounting
|
||||
#
|
||||
@ -47,9 +47,12 @@
|
||||
# Format the same as the SOURCE column.
|
||||
#
|
||||
# PROTOCOL A protocol name (from /etc/protocols), a protocol
|
||||
# number.
|
||||
# number, or "ipp2p"
|
||||
#
|
||||
# DEST PORT Destination Port number
|
||||
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
|
||||
# this column must contain an ipp2p option ("iptables -m
|
||||
# ipp2p --help") without the leading "--". If no option
|
||||
# is given in this column, "ipp2p" is assumed.
|
||||
#
|
||||
# Service name from /etc/services or port number. May
|
||||
# only be specified if the protocol is TCP or UDP (6
|
||||
@ -61,13 +64,33 @@
|
||||
# only be specified if the protocol is TCP or UDP (6
|
||||
# or 17).
|
||||
#
|
||||
# USER/GROUP This column may only be non-empty if the CHAIN is
|
||||
# OUTPUT.
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
# the effective <user> and/or <group> specified (or is
|
||||
# NOT running under that id if "!" is given).
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# joe #program must be run by joe
|
||||
# :kids #program must be run by a member of
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
#
|
||||
# In all of the above columns except ACTION and CHAIN, the values "-",
|
||||
# "any" and "all" may be used as wildcards
|
||||
#
|
||||
# Please see http://shorewall.net/Accounting.html for examples and
|
||||
# additional information about how to use this file.
|
||||
#
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
|
||||
# PORT PORT
|
||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
|
||||
# PORT PORT GROUP
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.1 /etc/shorewall/actions
|
||||
# Shorewall 2.2 /etc/shorewall/actions
|
||||
#
|
||||
# This file allows you to define new ACTIONS for use in rules
|
||||
# (/etc/shorewall/rules). You define the iptables rules to
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 -- Blacklist File
|
||||
# Shorewall 2.2 -- Blacklist File
|
||||
#
|
||||
# /etc/shorewall/blacklist
|
||||
#
|
||||
@ -7,7 +7,9 @@
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
|
||||
# ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address
|
||||
# range (if your kernel and iptables contain iprange
|
||||
# match support).
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use "-"
|
||||
# as a separator.
|
||||
@ -21,10 +23,10 @@
|
||||
# is TCP (6) or UDP (17). A comma-separated list
|
||||
# of port numbers or service names from /etc/services.
|
||||
#
|
||||
# When a packet arrives on in interface that has the 'blacklist' option
|
||||
# specified, its source IP address is checked against this file and disposed of
|
||||
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
|
||||
# /etc/shorewall/shorewall.conf
|
||||
# When a packet arrives on an interface that has the 'blacklist' option
|
||||
# specified in /etc/shorewall/interfaces, its source IP address is checked
|
||||
# against this file and disposed of according to the BLACKLIST_DISPOSITION and
|
||||
# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
|
||||
#
|
||||
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
|
||||
# the protocol (and one of the ports if PORTS supplied) are blocked.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 - /etc/shorewall/ecn
|
||||
# Shorewall 2.2 - /etc/shorewall/ecn
|
||||
#
|
||||
# Use this file to list the destinations for which you want to
|
||||
# disable ECN.
|
||||
@ -12,7 +12,9 @@
|
||||
# the firewall
|
||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||
# If left empty or supplied as "-",
|
||||
# 0.0.0.0/0 is assumed.
|
||||
# 0.0.0.0/0 is assumed. If your kernel and iptables
|
||||
# include iprange match support then IP address ranges
|
||||
# are also permitted.
|
||||
##############################################################################
|
||||
#INTERFACE HOST(S)
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 - /etc/shorewall/hosts
|
||||
# Shorewall 2.2 - /etc/shorewall/hosts
|
||||
#
|
||||
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
|
||||
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
||||
@ -28,12 +28,15 @@
|
||||
# a) The IP address of a host
|
||||
# b) A subnetwork in the form
|
||||
# <subnet-address>/<mask width>
|
||||
# c) A physical port name; only allowed when the
|
||||
# c) An IP address range of the form <low address>-<high
|
||||
# address>. Your kernel and iptables must have iprange
|
||||
# match support.
|
||||
# d) A physical port name; only allowed when the
|
||||
# interface names a bridge created by the
|
||||
# brctl addbr command. This port must not
|
||||
# be defined in /etc/shorewall/interfaces and may
|
||||
# optionally followed by a colon (":") and a
|
||||
# host or network IP.
|
||||
# host or network IP or a range.
|
||||
# See http://www.shorewall.net/Bridge.html for details.
|
||||
#
|
||||
# Examples:
|
||||
@ -43,6 +46,7 @@
|
||||
# eth3:192.168.2.0/24,192.168.3.1
|
||||
# br0:eth4
|
||||
# br0:eth0:192.168.1.16/28
|
||||
# eth4:192.168.1.44-192.168.1.49
|
||||
#
|
||||
# OPTIONS - A comma-separated list of options. Currently-defined
|
||||
# options are:
|
||||
@ -124,5 +128,12 @@
|
||||
# This option has no effect if
|
||||
# NEWNOTSYN=Yes.
|
||||
#
|
||||
# ipsec - The zone is accessed via a
|
||||
# kernel 2.6 ipsec SA. Note that if the
|
||||
# zone named in the ZONE column is
|
||||
# specified as an IPSEC zone in the
|
||||
# /etc/shorewall/ipsec file then you do NOT
|
||||
# need to specify the 'ipsec' option here.
|
||||
#
|
||||
#ZONE HOST(S) OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/init
|
||||
# Shorewall 2.2 -- /etc/shorewall/init
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of
|
||||
# a "shorewall start" or "shorewall restart" command.
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/initdone
|
||||
# Shorewall 2.2 -- /etc/shorewall/initdone
|
||||
#
|
||||
# Add commands below that you want to be executed during
|
||||
# "shorewall start" or "shorewall restart" commands at the point where
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 -- Interfaces File
|
||||
# Shorewall 2.2 -- Interfaces File
|
||||
#
|
||||
# /etc/shorewall/interfaces
|
||||
#
|
||||
@ -75,12 +75,23 @@
|
||||
# option does not cover those ranges
|
||||
# reserved by RFC 1918 -- see above).
|
||||
#
|
||||
# I PERSONALLY RECOMMEND AGAINST USING
|
||||
# THE 'nobogons' OPTION.
|
||||
#
|
||||
# routefilter - turn on kernel route filtering for this
|
||||
# interface (anti-spoofing measure). This
|
||||
# option can also be enabled globally in
|
||||
# the /etc/shorewall/shorewall.conf file.
|
||||
#
|
||||
# . . blacklist - Check packets arriving on this interface
|
||||
# logmartians - turn on kernel martian logging (logging
|
||||
# of packets with impossible source
|
||||
# addresses. It is suggested that if you
|
||||
# set routefilter on an interface that
|
||||
# you also set logmartians. This option
|
||||
# may also be enabled globally in the
|
||||
# /etc/shorewall/shorewall.conf file.
|
||||
#
|
||||
# blacklist - Check packets arriving on this interface
|
||||
# against the /etc/shorewall/blacklist
|
||||
# file.
|
||||
#
|
||||
@ -190,6 +201,7 @@
|
||||
# net ppp0 -
|
||||
##############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
#
|
||||
net eth0 detect dhcp,routefilter,norfc1918
|
||||
loc eth1 detect
|
||||
loc eth1 detect dhcp
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
58
Lrp2/etc/shorewall/ipsec
Normal file
58
Lrp2/etc/shorewall/ipsec
Normal file
@ -0,0 +1,58 @@
|
||||
#
|
||||
# Shorewall 2.2 - /etc/shorewall/ipsec
|
||||
#
|
||||
# This file defines the attributes of zones with respect to
|
||||
# IPSEC. To use this file, you must be running a 2.6 kernel and
|
||||
# both your kernel and iptables must include Policy Match Support.
|
||||
#
|
||||
# The columns are:
|
||||
#
|
||||
# ZONE The name of a zone defined in /etc/shorewall/zones. The
|
||||
# $FW zone may not be listed.
|
||||
#
|
||||
# IPSEC Yes -- Communication with all zone hosts is encrypted
|
||||
# ONLY No -- Communication with some zone hosts is encrypted.
|
||||
# Encrypted hosts are designated using the 'ipsec'
|
||||
# option in /etc/shorewall/hosts.
|
||||
#
|
||||
# OPTIONS, A comma-separated list of options as follows:
|
||||
# IN OPTIONS,
|
||||
# OUT OPTIONS reqid=<number> where <number> is specified
|
||||
# using setkey(8) using the 'unique:<number>
|
||||
# option for the SPD level.
|
||||
#
|
||||
# spi=<number> where <number> is the SPI of
|
||||
# the SA used to encrypt/decrypt packets.
|
||||
#
|
||||
# proto=ah|esp|ipcomp
|
||||
#
|
||||
# mss=<number> (sets the MSS field in TCP packets)
|
||||
#
|
||||
# mode=transport|tunnel
|
||||
#
|
||||
# tunnel-src=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# tunnel-dst=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# strict Means that packets must match all rules.
|
||||
#
|
||||
# next Separates rules; can only be used with
|
||||
# strict..
|
||||
#
|
||||
# Example:
|
||||
# mode=transport,reqid=44
|
||||
#
|
||||
# The options in the OPTIONS column are applied to both incoming
|
||||
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
||||
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
||||
# applied to outgoing traffic.
|
||||
#
|
||||
# If you wish to leave a column empty but need to make an entry
|
||||
# in a following column, use "-".
|
||||
###################################################################################
|
||||
#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 - MAC list file
|
||||
# Shorewall 2.2 - MAC list file
|
||||
#
|
||||
# /etc/shorewall/maclist
|
||||
#
|
||||
@ -15,7 +15,9 @@
|
||||
#
|
||||
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
|
||||
# must match. This column can contain a comma-separated
|
||||
# list of host and/or subnet addresses.
|
||||
# list of host and/or subnet addresses. If your kernel
|
||||
# and iptables have iprange match support then IP
|
||||
# address ranges are also allowed.
|
||||
##############################################################################
|
||||
#INTERFACE MAC IP ADDRESSES (Optional)
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 - Masquerade file
|
||||
# Shorewall 2.2 - Masquerade file
|
||||
#
|
||||
# /etc/shorewall/masq
|
||||
#
|
||||
@ -20,6 +20,24 @@
|
||||
# This may be qualified by adding the character
|
||||
# ":" followed by a destination host or subnet.
|
||||
#
|
||||
# If you wish to inhibit the action of ADD_SNAT_ALIASES
|
||||
# for this entry then include the ":" but omit the digit:
|
||||
#
|
||||
# eth0:
|
||||
# eth2::192.0.2.32/27
|
||||
#
|
||||
# Normally Masq/SNAT rules are evaluated after those for
|
||||
# one-to-one NAT (/etc/shorewall/nat file). If you want
|
||||
# the rule to be applied before one-to-one NAT rules,
|
||||
# prefix the interface name with "+":
|
||||
#
|
||||
# +eth0
|
||||
# +eth0:192.0.2.32/27
|
||||
# +eth0:2
|
||||
#
|
||||
# This feature should only be required if you need to
|
||||
# insert rules in this file that preempt entries in
|
||||
# /etc/shorewall/nat.
|
||||
#
|
||||
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
|
||||
# a subnet or as an interface. If you give the name of an
|
||||
@ -42,13 +60,6 @@
|
||||
# will automatically add this address to the
|
||||
# INTERFACE named in the first column.
|
||||
#
|
||||
# If you have set ADD_SNAT_ALIASES=Yes in
|
||||
# /etc/shorewall/shorewall.conf then DO NOT
|
||||
# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
|
||||
# ADDRESS IN THIS COLUMN -- If you do so, you
|
||||
# will loose your default route when Shorewall
|
||||
# starts.
|
||||
#
|
||||
# You may also specify a range of up to 256
|
||||
# IP addresses if you want the SNAT address to
|
||||
# be assigned from that range in a round-robin
|
||||
@ -59,9 +70,22 @@
|
||||
#
|
||||
# Finally, you may also specify a comma-separated
|
||||
# list of ranges and/or addresses in this column.
|
||||
#
|
||||
#
|
||||
# This column may not contain DNS Names.
|
||||
#
|
||||
# Normally, Netfilter will attempt to retain
|
||||
# the source port number. You may cause
|
||||
# netfilter to remap the source port by following
|
||||
# an address or range (if any) by ":" and
|
||||
# a port range with the format <low port>-
|
||||
# <high port>. If this is done, you must
|
||||
# specify "tcp" or "udp" in the PROTO column.
|
||||
#
|
||||
# Examples:
|
||||
#
|
||||
# 192.0.2.4:5000-6000
|
||||
# :4000-5000
|
||||
#
|
||||
# If you want to leave this column empty
|
||||
# but you need to specify the next column then
|
||||
# place a hyphen ("-") here.
|
||||
@ -82,6 +106,42 @@
|
||||
# support and a maximum of 15 ports may be
|
||||
# listed.
|
||||
#
|
||||
# IPSEC -- (Optional) If you specify a value other than "-" in this
|
||||
# column, you must be running kernel 2.6 and
|
||||
# your kernel and iptables must include policy
|
||||
# match support.
|
||||
#
|
||||
# Comma-separated list of options from the following.
|
||||
# Only packets that will be encrypted via an SA that
|
||||
# matches these options will have their source address
|
||||
# changed.
|
||||
#
|
||||
# Yes or yes -- must be the only option listed
|
||||
# and matches all outbound traffic that will be
|
||||
# encrypted.
|
||||
#
|
||||
# reqid=<number> where <number> is specified
|
||||
# using setkey(8) using the 'unique:<number>
|
||||
# option for the SPD level.
|
||||
#
|
||||
# spi=<number> where <number> is the SPI of
|
||||
# the SA.
|
||||
#
|
||||
# proto=ah|esp|ipcomp
|
||||
#
|
||||
# mode=transport|tunnel
|
||||
#
|
||||
# tunnel-src=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# tunnel-dst=<address>[/<mask>] (only
|
||||
# available with mode=tunnel)
|
||||
#
|
||||
# strict Means that packets must match all
|
||||
# rules.
|
||||
#
|
||||
# next Separates rules; can only be used
|
||||
# with strict..
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
@ -136,6 +196,6 @@
|
||||
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
|
||||
eth0 eth1
|
||||
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||
eth0 eth1
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
##############################################################################
|
||||
# Shorewall 2.0 /etc/shorewall/modules
|
||||
# Shorewall 2.2 /etc/shorewall/modules
|
||||
#
|
||||
# This file loads the modules needed by the firewall.
|
||||
#
|
||||
|
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Network Address Translation Table
|
||||
# Shorewall 2.2 -- Network Address Translation Table
|
||||
#
|
||||
# /etc/shorewall/nat
|
||||
#
|
||||
@ -16,6 +16,7 @@
|
||||
# EXTERNAL External IP Address - this should NOT be the primary
|
||||
# IP address of the interface named in the next
|
||||
# column and must not be a DNS Name.
|
||||
#
|
||||
# INTERFACE Interface that you want to EXTERNAL address to appear
|
||||
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
||||
# follow the interface name with ":" and a digit to
|
||||
@ -24,14 +25,21 @@
|
||||
# see the alias with ifconfig. THAT IS THE ONLY THING
|
||||
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
|
||||
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
|
||||
#
|
||||
# If you want to override ADD_IP_ALIASES=Yes for a
|
||||
# particular entry, follow the interface name with
|
||||
# ":" and no digit (e.g., "eth0:").
|
||||
# INTERNAL Internal Address (must not be a DNS Name).
|
||||
#
|
||||
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
|
||||
# If No or no (or left empty) then NAT will be effective
|
||||
# only through the interface named in the INTERFACE
|
||||
# column
|
||||
#
|
||||
# LOCAL If Yes or yes, NAT will be effective from the firewall
|
||||
# system
|
||||
##############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/params
|
||||
# Shorewall 2.2 /etc/shorewall/params
|
||||
#
|
||||
# Assign any variables that you need here.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 -- Policy File
|
||||
# Shorewall 2.2 -- Policy File
|
||||
#
|
||||
# /etc/shorewall/policy
|
||||
#
|
||||
@ -82,8 +82,4 @@ net all DROP ULOG
|
||||
# remove the comment from the following line.
|
||||
#fw net ACCEPT
|
||||
|
||||
#
|
||||
# THE FOLLOWING POLICY MUST BE LAST
|
||||
#
|
||||
all all REJECT ULOG
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Proxy ARP
|
||||
# Shorewall 2.2 -- Proxy ARP
|
||||
#
|
||||
# /etc/shorewall/proxyarp
|
||||
#
|
||||
|
@ -1,6 +1,6 @@
|
||||
##############################################################################
|
||||
#
|
||||
# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
|
||||
# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
|
||||
#
|
||||
# /etc/shorewall/routestopped
|
||||
#
|
||||
@ -12,6 +12,10 @@
|
||||
# INTERFACE - Interface through which host(s) communicate with
|
||||
# the firewall
|
||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||
# addresses. If your kernel and iptables include
|
||||
# iprange match support, IP address ranges are also
|
||||
# allowed.
|
||||
#
|
||||
# If left empty or supplied as "-",
|
||||
# 0.0.0.0/0 is assumed.
|
||||
# OPTIONS - (Optional) A comma-separated list of
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.0 - Rules File
|
||||
# Shorewall version 2.2 - Rules File
|
||||
#
|
||||
# /etc/shorewall/rules
|
||||
#
|
||||
@ -72,6 +72,20 @@
|
||||
# DNAT:debug). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# If the ACTION names an action defined in
|
||||
# /etc/shorewall/actions or in
|
||||
# /usr/share/shorewall/actions.std then:
|
||||
#
|
||||
# - If the log level is followed by "!' then all rules
|
||||
# in the action are logged at the log level.
|
||||
#
|
||||
# - If the log level is not followed by "!" then only
|
||||
# those rules in the action that do not specify
|
||||
# logging are logged at the specified level.
|
||||
#
|
||||
# - The special log level 'none!' suppresses logging
|
||||
# by the action.
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level.This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd
|
||||
@ -104,6 +118,10 @@
|
||||
# address; mac addresses must begin with "~" and must use
|
||||
# "-" as a separator.
|
||||
#
|
||||
# Hosts may be specified as an IP address range using the
|
||||
# syntax <low address>-<high address>. This requires that
|
||||
# your kernel and iptables contain iprange match support.
|
||||
#
|
||||
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
||||
#
|
||||
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
||||
@ -115,6 +133,10 @@
|
||||
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
||||
# MAC address 00:A0:C9:15:39:78.
|
||||
#
|
||||
# net:192.0.2.11-192.0.2.17
|
||||
# Hosts 192.0.2.11-192.0.2.17 in
|
||||
# the net zone.
|
||||
#
|
||||
# Alternatively, clients may be specified by interface
|
||||
# by appending ":" to the zone name followed by the
|
||||
# interface name. For example, loc:eth1 specifies a
|
||||
@ -145,7 +167,7 @@
|
||||
# 3. You may not specify both an interface and
|
||||
# an address.
|
||||
#
|
||||
# Unlike in the SOURCE column, you may specify a range of
|
||||
# Like in the SOURCE column, you may specify a range of
|
||||
# up to 256 IP addresses using the syntax
|
||||
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
|
||||
# the connections will be assigned to addresses in the
|
||||
@ -196,7 +218,7 @@
|
||||
#
|
||||
# If you don't want to restrict client ports but need to
|
||||
# specify an ORIGINAL DEST in the next column, then place
|
||||
# "-" in this column.
|
||||
# "-" in this column.
|
||||
#
|
||||
# If your kernel contains multi-port match support, then
|
||||
# only a single Netfilter rule will be generated if in
|
||||
@ -223,14 +245,6 @@
|
||||
# destination address in the connection request does not
|
||||
# match any of the addresses listed.
|
||||
#
|
||||
# The address (list) may optionally be followed by
|
||||
# a colon (":") and a second IP address. This causes
|
||||
# Shorewall to use the second IP address as the source
|
||||
# address in forwarded packets. See the Shorewall
|
||||
# documentation for restrictions concerning this feature.
|
||||
# If no source IP address is given, the original source
|
||||
# address is not altered.
|
||||
#
|
||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
||||
# this colume:
|
||||
#
|
||||
@ -281,9 +295,9 @@
|
||||
# to local system 192.168.1.3 with a limit of 3 per second and
|
||||
# a maximum burst of 10
|
||||
#
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
||||
# # PORT PORT(S) DEST
|
||||
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
|
||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# # PORT PORT(S) DEST LIMIT
|
||||
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
|
||||
#
|
||||
# Example: Redirect all locally-originating www connection requests to
|
||||
# port 3128 on the firewall (Squid running on the firewall
|
||||
@ -310,7 +324,6 @@
|
||||
####################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
# Accept DNS connections from the firewall to the network
|
||||
#
|
||||
ACCEPT fw net tcp 53
|
||||
@ -318,18 +331,19 @@ ACCEPT fw net udp 53
|
||||
# Accept SSH connections from the local network for administration
|
||||
#
|
||||
ACCEPT loc fw tcp 22
|
||||
# Allow Ping To And From Firewall
|
||||
# Allow Ping To Firewall
|
||||
#
|
||||
ACCEPT loc fw icmp 8
|
||||
ACCEPT net fw icmp 8
|
||||
ACCEPT fw loc icmp 8
|
||||
ACCEPT fw net icmp 8
|
||||
#
|
||||
# Allow all ICMP types (including ping) From Firewall
|
||||
#
|
||||
ACCEPT fw loc icmp
|
||||
ACCEPT fw net icmp
|
||||
#
|
||||
# Bering specific rules:
|
||||
# allow loc to fw udp/53 for local/caching DNS servers to work
|
||||
# allow loc to fw tcp/80 for weblet to work
|
||||
# allow loc to fw udp/67 and udp/68 for dnsmasq's dhcpd to work
|
||||
ACCEPT loc fw udp 53
|
||||
ACCEPT loc fw tcp 80
|
||||
ACCEPT loc fw udp 67,68
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,4 @@
|
||||
##############################################################################
|
||||
# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
|
||||
/shorewall/shorewall.conf V2.1 - Change the following variables to
|
||||
# match your setup
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
@ -7,6 +6,14 @@
|
||||
# This file should be placed in /etc/shorewall
|
||||
#
|
||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
# S T A R T U P E N A B L E D
|
||||
##############################################################################
|
||||
# Once you have configured Shorewall, you may change the setting of
|
||||
# this variable to 'Yes'
|
||||
|
||||
STARTUP_ENABLED=No
|
||||
|
||||
##############################################################################
|
||||
# L O G G I N G
|
||||
##############################################################################
|
||||
@ -80,6 +87,18 @@ LOGFILE=/var/log/shorewall.log
|
||||
|
||||
LOGFORMAT="Shorewall:%s:%s:"
|
||||
|
||||
#
|
||||
# LOG FORMAT Continued
|
||||
#
|
||||
# Using the default LOGFORMAT, chain names may not exceed 11 characters or
|
||||
# truncation of the log prefix may occur. Longer chain names may be used with
|
||||
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
|
||||
# specified then the tag is included in the log prefix in place of the chain
|
||||
# name.
|
||||
#
|
||||
|
||||
LOGTAGONLY=No
|
||||
|
||||
#
|
||||
# LOG RATE LIMITING
|
||||
#
|
||||
@ -110,6 +129,18 @@ LOGFORMAT="Shorewall:%s:%s:"
|
||||
LOGRATE=
|
||||
LOGBURST=
|
||||
|
||||
#
|
||||
# LOG ALL NEW
|
||||
#
|
||||
# This option should only be used when you are trying to analyze a problem.
|
||||
# It causes all packets in the Netfilter NEW state to be logged as the
|
||||
# first rule in each builtin chain. To use this option, set LOGALLNEW to
|
||||
# the log level that you want these packets logged at (e.g.,
|
||||
# LOGALLNEW=debug).
|
||||
#
|
||||
|
||||
LOGALLNEW=
|
||||
|
||||
#
|
||||
# BLACKLIST LOG LEVEL
|
||||
#
|
||||
@ -201,9 +232,29 @@ SMURF_LOG_LEVEL=ULOG
|
||||
#
|
||||
|
||||
BOGON_LOG_LEVEL=ULOG
|
||||
|
||||
#
|
||||
# MARTIAN LOGGING
|
||||
#
|
||||
# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
|
||||
# that have impossible source IP addresses. This logging may be enabled
|
||||
# on individual interfaces by using the 'logmartians' option in
|
||||
# /etc/shorewall/interfaces.
|
||||
#
|
||||
|
||||
LOG_MARTIANS=No
|
||||
################################################################################
|
||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
||||
################################################################################
|
||||
#
|
||||
# IPTABLES
|
||||
#
|
||||
# Full path to iptables executable Shorewall uses to build the firewall. If
|
||||
# not specified or if specified with an empty value (e.g., IPTABLES="") then
|
||||
# the iptables executable located via the PATH setting below is used.
|
||||
#
|
||||
IPTABLES=
|
||||
|
||||
#
|
||||
# PATH - Change this if you want to change the order in which Shorewall
|
||||
# searches directories for executable files.
|
||||
@ -320,14 +371,28 @@ ADD_IP_ALIASES=Yes
|
||||
#
|
||||
ADD_SNAT_ALIASES=No
|
||||
|
||||
#
|
||||
# RETAIN EXISTING ALIASES/IP ADDRESSES
|
||||
#
|
||||
# Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall
|
||||
# will first delete the address then re-add it. This is to ensure that the
|
||||
# address is added with the specified label. Unfortunately, this can cause
|
||||
# problems if it results in the deletion of the last IP address on an
|
||||
# interface because then all routes through the interface are automatically
|
||||
# removed.
|
||||
#
|
||||
# You can cause Shorewall to retain existing addresses by setting
|
||||
# RETAIN_ALIASES=Yes.
|
||||
#
|
||||
RETAIN_ALIASES=No
|
||||
|
||||
#
|
||||
# ENABLE TRAFFIC SHAPING
|
||||
#
|
||||
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
||||
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
|
||||
# you must enable packet mangling above.
|
||||
#
|
||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).
|
||||
|
||||
TC_ENABLED=No
|
||||
|
||||
#
|
||||
@ -393,6 +458,14 @@ MARK_IN_FORWARD_CHAIN=No
|
||||
#
|
||||
# If left blank, or set to "No" or "no", the option is not enabled.
|
||||
#
|
||||
# You may also set this option to a numeric value in which case Shorewall will
|
||||
# set up a rule to modify the MSS value in SYN packets to the value that
|
||||
# you specify.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# CLAMPMSS=1400
|
||||
#
|
||||
CLAMPMSS=No
|
||||
|
||||
#
|
||||
@ -470,7 +543,7 @@ MUTEX_TIMEOUT=60
|
||||
# A packet is said to be NEW if it is not part of or related to an already
|
||||
# established connection.
|
||||
#
|
||||
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
|
||||
# The NETNOTSYN option determines the handling of non-SYN packets (those with
|
||||
# SYN off or with ACK or RST on) that are not associated with an already
|
||||
# established connection.
|
||||
#
|
||||
@ -551,6 +624,14 @@ ADMINISABSENTMINDED=Yes
|
||||
#
|
||||
BLACKLISTNEWONLY=Yes
|
||||
|
||||
#
|
||||
# Users with a large blacklist find that "shorwall [re]start" takes a long
|
||||
# time and that new connections are disabled during that time. By setting
|
||||
# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
|
||||
# before loading the blacklist.
|
||||
|
||||
DELAYBLACKLISTLOAD=No
|
||||
|
||||
# MODULE NAME SUFFIX
|
||||
#
|
||||
# When loading a module named in /etc/shorewall/modules, Shorewall normally
|
||||
@ -610,16 +691,9 @@ DYNAMIC_ZONES=No
|
||||
# USE PKTTYPE MATCH
|
||||
#
|
||||
# Some users have reported problems with the PKTTYPE match extension not being
|
||||
# able to match certain broadcast packets.
|
||||
#
|
||||
# Other users have complained of the following message when
|
||||
# starting Shorewall:
|
||||
#
|
||||
# modprobe: cant locate module ipt_pkttype
|
||||
#
|
||||
# If you set PKTTYPE=No then Shorewallwill use IP addresses to detect
|
||||
# broadcasts rather than pkttype. If not given or if given as empty
|
||||
# (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
||||
# able to patch certail broadcast packets. If you set PKTTYPE=No then Shorewall
|
||||
# will use IP addresses to detect broadcasts rather than pkttype. If not given
|
||||
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
||||
|
||||
PKTTYPE=Yes
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/start
|
||||
# Shorewall 2.2 -- /etc/shorewall/start
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# been started or restarted.
|
||||
@ -7,4 +7,4 @@
|
||||
for file in /etc/shorewall/start.d/* ; do
|
||||
run_user_exit $file
|
||||
done
|
||||
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/stop
|
||||
# Shorewall 2.2 -- /etc/shorewall/stop
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of a
|
||||
# "shorewall stop" command.
|
||||
@ -7,4 +7,4 @@
|
||||
for file in /etc/shorewall/stop.d/* ; do
|
||||
run_user_exit $file
|
||||
done
|
||||
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
############################################################################
|
||||
# Shorewall 2.0 -- /etc/shorewall/stopped
|
||||
# Shorewall 2.2 -- /etc/shorewall/stopped
|
||||
#
|
||||
# Add commands below that you want to be executed at the completion of a
|
||||
# "shorewall stop" command.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 2.0 - Traffic Control Rules File
|
||||
# Shorewall version 2.2 - Traffic Control Rules File
|
||||
#
|
||||
# /etc/shorewall/tcrules
|
||||
#
|
||||
@ -19,20 +19,65 @@
|
||||
# Columns are:
|
||||
#
|
||||
#
|
||||
# MARK The mark value which is an
|
||||
# integer in the range 1-255
|
||||
# MARK/ a) A mark value which is a integer in the range 1-255
|
||||
# CLASSIFY
|
||||
# May optionally be followed by ":P" or ":F"
|
||||
# where ":P" indicates that marking should occur in
|
||||
# the PREROUTING chain and ":F" indicates that marking
|
||||
# should occur in the FORWARD chain. If neither
|
||||
# ":P" nor ":F" follow the mark value then the chain is
|
||||
# determined by the setting of MARK_IN_FORWARD_CHAIN in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# May optionally be followed by ":P" or ":F"
|
||||
# where ":P" indicates that marking should occur in
|
||||
# the PREROUTING chain and ":F" indicates that marking
|
||||
# should occur in the FORWARD chain. If neither
|
||||
# ":P" nor ":F" follow the mark value then the chain is
|
||||
# determined by the setting of MARK_IN_FORWARD_CHAIN in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
# If your kernel and iptables include CONNMARK support
|
||||
# then you can also mark the connection rather than
|
||||
# the packet.
|
||||
#
|
||||
# The mark value may be optionally followed by "/"
|
||||
# and a mask value (used to determine those bits of
|
||||
# the connection mark to actually be set). The
|
||||
# mark and optional mask are then followed by one of:
|
||||
#
|
||||
# C - Mark the connection in the chain determined
|
||||
# by the setting of MARK_IN_FORWARD_CHAIN
|
||||
#
|
||||
# CF: Mark the conneciton in the FORWARD chain
|
||||
#
|
||||
# CP: Mark the connection in the PREROUTING chain.
|
||||
#
|
||||
# b) A classification of the form <major>:<minor> where
|
||||
# <major> and <minor> are integers. Corresponds to
|
||||
# the 'class' specification in these traffic shaping
|
||||
# modules:
|
||||
#
|
||||
# - atm
|
||||
# - cbq
|
||||
# - dsmark
|
||||
# - pfifo_fast
|
||||
# - htb
|
||||
# - prio
|
||||
#
|
||||
# Classify always occurs in the POSTROUTING chain.
|
||||
#
|
||||
# c) RESTORE[/mask] -- restore the packet's mark from the
|
||||
# connection's mark using the supplied mask if any.
|
||||
# Your kernel and iptables must include CONNMARK support.
|
||||
# As in a) above, may be followed by ":P" or ":F
|
||||
#
|
||||
# c) SAVE[/mask] -- save the packet's mark to the
|
||||
# connection's mark using the supplied mask if any.
|
||||
# Your kernel and iptables must include CONNMARK support.
|
||||
# As in a) above, may be followed by ":P" or ":F
|
||||
#
|
||||
# d) CONTINUE -- don't process any more marking rules in
|
||||
# the table. As in a) above, may be followed by ":P" or
|
||||
# ":F".
|
||||
#
|
||||
# SOURCE Source of the packet. A comma-separated list of
|
||||
# interface names, IP addresses, MAC addresses
|
||||
# and/or subnets. Use $FW if the packet originates on
|
||||
# and/or subnets. If your kernel and iptables include
|
||||
# iprange match support, IP address ranges are also
|
||||
# allowed. Use $FW if the packet originates on
|
||||
# the firewall in which case the MARK column may NOT
|
||||
# specify either ":P" or ":F" (marking always occurs
|
||||
# in the OUTPUT chain).
|
||||
@ -43,22 +88,34 @@
|
||||
# Example: ~00-A0-C9-15-39-78
|
||||
#
|
||||
# DEST Destination of the packet. Comma separated list of
|
||||
# IP addresses and/or subnets.
|
||||
# IP addresses and/or subnets. If your kernel and
|
||||
# iptables include iprange match support, IP address
|
||||
# ranges are also allowed.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
|
||||
# or "all".
|
||||
# If the MARK column specificies a classification of
|
||||
# the form <major>:<minor> then this column may also
|
||||
# contain an interface name.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
#
|
||||
# PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example "bit"
|
||||
# for bit-torrent). If no PORT is given, "ipp2p" is
|
||||
# assumed.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following field is supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
# "-"
|
||||
#
|
||||
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
||||
# SOURCE PORT(S) (Optional) Source port(s). If omitted,
|
||||
# any source port is acceptable. Specified as a comma-
|
||||
# separated list of port names, port numbers or port
|
||||
# ranges.
|
||||
@ -75,9 +132,21 @@
|
||||
# [<user name or number>]:[<group name or number>]
|
||||
#
|
||||
# The colon is optionnal when specifying only a user.
|
||||
# Examples : john: / john / :users / john:users
|
||||
# Examples : john: / john / :users / john:users
|
||||
#
|
||||
# TEST Defines a test on the existing packet or connection mark.
|
||||
# The rule will match only if the test returns true. Tests
|
||||
# have the format [!]<value>[/<mask>][:C]
|
||||
#
|
||||
# Where:
|
||||
#
|
||||
# ! Inverts the test (not equal)
|
||||
# <value> Value of the packet or connection mark.
|
||||
# <mask> A mask to be applied to the mark before
|
||||
# testing
|
||||
# :C Designates a connection mark. If omitted,
|
||||
# the packet mark's value is tested.
|
||||
##############################################################################
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
|
||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 -- /etc/shorewall/tos
|
||||
# Shorewall 2.2 -- /etc/shorewall/tos
|
||||
#
|
||||
# This file defines rules for setting Type Of Service (TOS)
|
||||
#
|
||||
@ -43,10 +43,4 @@
|
||||
#
|
||||
##############################################################################
|
||||
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
|
||||
all all tcp - 22 16
|
||||
all all tcp 22 - 16
|
||||
all all tcp - 21 16
|
||||
all all tcp 21 - 16
|
||||
all all tcp 20 - 8
|
||||
all all tcp - 20 8
|
||||
#LAST LINE -- Add your entries above -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 - /etc/shorewall/tunnels
|
||||
# Shorewall 2.2 - /etc/shorewall/tunnels
|
||||
#
|
||||
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
|
||||
#
|
||||
@ -9,7 +9,7 @@
|
||||
#
|
||||
# The columns are:
|
||||
#
|
||||
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
|
||||
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip"
|
||||
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
|
||||
# "generic"
|
||||
#
|
||||
@ -34,7 +34,10 @@
|
||||
#
|
||||
# GATEWAY -- The IP address of the remote tunnel gateway. If the
|
||||
# remote getway has no fixed address (Road Warrior)
|
||||
# then specify the gateway as 0.0.0.0/0.
|
||||
# then specify the gateway as 0.0.0.0/0. May be
|
||||
# specified as a network address and if your kernel and
|
||||
# iptables include iprange match support then IP address
|
||||
# ranges are also allowed.
|
||||
#
|
||||
# GATEWAY
|
||||
# ZONES -- Optional. If the gateway system specified in the third
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/zones
|
||||
# Shorewall 2.2 /etc/shorewall/zones
|
||||
#
|
||||
# This file determines your network zones. Columns are:
|
||||
#
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall Packet Filtering Firewall Control Program - V2.0 - 3/14/2004
|
||||
# Shorewall Packet Filtering Firewall Control Program - V2.2
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
@ -33,7 +33,7 @@
|
||||
#
|
||||
# shorewall add <iface>[:<host>] zone Adds a host or subnet to a zone
|
||||
# shorewall delete <iface>[:<host>] zone Deletes a host or subnet from a zone
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall monitor [ refresh-interval ] Repeatedly Displays firewall status
|
||||
@ -134,6 +134,24 @@ showchain() # $1 = name of chain
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
|
||||
#
|
||||
|
||||
iptablesbug()
|
||||
{
|
||||
if qt which awk ; then
|
||||
awk 'BEGIN {sline=""; };\
|
||||
/^-j/ { print sline $0; next };\
|
||||
/-m policy.*-j/ { print $0; next };\
|
||||
/-m policy/ { sline=$0; next };\
|
||||
{print ; sline="" }'
|
||||
else
|
||||
echo " Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
|
||||
cat
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Validate the value of RESTOREFILE
|
||||
#
|
||||
@ -174,6 +192,19 @@ get_config() {
|
||||
|
||||
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
|
||||
|
||||
if [ -n "$IPTABLES" ]; then
|
||||
if [ ! -e "$IPTABLES" ]; then
|
||||
echo " ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
|
||||
exit 2
|
||||
fi
|
||||
else
|
||||
IPTABLES=$(which iptables 2> /dev/null)
|
||||
if [ -z "$IPTABLES" ] ; then
|
||||
echo " ERROR: Can't find iptables executable" >&2
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$SHOREWALL_SHELL" ]; then
|
||||
if [ ! -e "$SHOREWALL_SHELL" ]; then
|
||||
echo " ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
|
||||
@ -205,7 +236,7 @@ display_chains()
|
||||
TMPFILE=$(mktempfile)
|
||||
[ -n "$TMPFILE" ] || { echo " ERROR:Cannot create temporary file" >&2; exit 1; }
|
||||
|
||||
iptables -L $IPT_OPTIONS >> $TMPFILE
|
||||
$IPTABLES -L $IPT_OPTIONS >> $TMPFILE
|
||||
|
||||
clear
|
||||
echo "$banner $(date)"
|
||||
@ -288,7 +319,7 @@ display_chains()
|
||||
|
||||
qt rm -f $TMPFILE
|
||||
else
|
||||
iptables -L -n -v
|
||||
$IPTABLES -L -n -v
|
||||
timed_read
|
||||
fi
|
||||
trap - 1 2 3 4 5 6 9
|
||||
@ -315,10 +346,9 @@ packet_log() # $1 = number of messages
|
||||
|
||||
[ -n "$realtail" ] && options="-n$1"
|
||||
|
||||
grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \
|
||||
grep "${LOGFORMAT}" $LOGFILE | \
|
||||
sed s/" kernel:"// | \
|
||||
sed s/" $host $LOGFORMAT"/" "/ | \
|
||||
sed s/" $host kernel: ipt_unclean: "/" "/ | \
|
||||
sed 's/MAC=.* SRC=/SRC=/' | \
|
||||
tail $options
|
||||
}
|
||||
@ -388,9 +418,8 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
# an 'interesting' packet count changes
|
||||
{
|
||||
|
||||
get_config
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
||||
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
let "timeout=- $1"
|
||||
@ -423,7 +452,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
show_reset
|
||||
|
||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
||||
rejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
@ -450,7 +479,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
echo
|
||||
echo "NAT Status"
|
||||
echo
|
||||
iptables -t nat -L $IPT_OPTIONS
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
@ -459,7 +488,7 @@ monitor_firewall() # $1 = timeout -- if negative, prompt each time that
|
||||
echo
|
||||
echo "TOS/MARK Status"
|
||||
echo
|
||||
iptables -t mangle -L $IPT_OPTIONS
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
timed_read
|
||||
|
||||
clear
|
||||
@ -498,9 +527,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
# an 'interesting' packet count changes
|
||||
{
|
||||
|
||||
get_config
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
oldrejects=$(iptables -L -v -n | grep 'LOG')
|
||||
oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||
|
||||
if [ $1 -lt 0 ]; then
|
||||
timeout=$((- $1))
|
||||
@ -522,7 +550,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
|
||||
|
||||
show_reset
|
||||
|
||||
rejects=$(iptables -L -v -n | grep 'LOG')
|
||||
rejects=$($IPTABLES -L -v -n | grep 'LOG')
|
||||
|
||||
if [ "$rejects" != "$oldrejects" ]; then
|
||||
oldrejects="$rejects"
|
||||
@ -562,11 +590,11 @@ usage() # $1 = exit status
|
||||
{
|
||||
echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
|
||||
echo "where <command> is one of:"
|
||||
echo " add <interface>[:<host>] <zone>"
|
||||
echo " add <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
|
||||
echo " allow <address> ..."
|
||||
echo " check"
|
||||
echo " check [ <directory> ]"
|
||||
echo " clear"
|
||||
echo " delete <interface>[:<host>] <zone>"
|
||||
echo " delete <interface>[:{<bridge-port>[:<host>]|<host>}[,...]] ... <zone>"
|
||||
echo " drop <address> ..."
|
||||
echo " forget [ <file name> ]"
|
||||
echo " help [ <command > | host | address ]"
|
||||
@ -578,15 +606,17 @@ usage() # $1 = exit status
|
||||
echo " refresh"
|
||||
echo " reject <address> ..."
|
||||
echo " reset"
|
||||
echo " restart"
|
||||
echo " restart [ <directory> ]"
|
||||
echo " restore [ <file name> ]"
|
||||
echo " save [ <file name> ]"
|
||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
|
||||
echo " start"
|
||||
echo " show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos|zones]"
|
||||
echo " start [ <directory> ]"
|
||||
echo " stop"
|
||||
echo " status"
|
||||
echo " try <directory> [ <timeout> ]"
|
||||
echo " version"
|
||||
echo
|
||||
echo "The -c and -f options may not be specified with a <directory> in the start, restart and check commands"
|
||||
exit $1
|
||||
}
|
||||
|
||||
@ -598,8 +628,11 @@ show_reset() {
|
||||
echo "Counters reset $(cat $STATEDIR/restarted)" && \
|
||||
echo
|
||||
}
|
||||
|
||||
show_proc() {
|
||||
#
|
||||
# Display's the passed file name followed by "=" and the file's contents.
|
||||
#
|
||||
show_proc() # $1 = name of a file
|
||||
{
|
||||
[ -f $1 ] && echo " $1 = $(cat $1)"
|
||||
}
|
||||
|
||||
@ -721,6 +754,8 @@ ensure_config_path
|
||||
|
||||
export CONFIG_PATH
|
||||
|
||||
get_config
|
||||
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
|
||||
if [ ! -f $FIREWALL ]; then
|
||||
@ -765,8 +800,28 @@ esac
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
get_config
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
[ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
|
||||
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
echo "$2 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
export SHOREWALL_DIR
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$FAST" ]; then
|
||||
|
||||
RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
|
||||
@ -783,15 +838,37 @@ case "$1" in
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
|
||||
fi
|
||||
;;
|
||||
stop|restart|reset|clear|refresh|check)
|
||||
stop|reset|clear|refresh)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
get_config
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||
;;
|
||||
check|restart)
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
2)
|
||||
[ -n "$SHOREWALL_DIR" ] && usage 2
|
||||
|
||||
if [ ! -d $2 ]; then
|
||||
if [ -e $2 ]; then
|
||||
echo "$2 is not a directory" >&2 && exit 2
|
||||
else
|
||||
echo "Directory $2 does not exist" >&2 && exit 2
|
||||
fi
|
||||
fi
|
||||
|
||||
SHOREWALL_DIR=$2
|
||||
export SHOREWALL_DIR
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
|
||||
;;
|
||||
add|delete)
|
||||
[ $# -ne 3 ] && usage 1
|
||||
get_config
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
|
||||
[ $# -lt 3 ] && usage 1
|
||||
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
|
||||
;;
|
||||
show|list)
|
||||
[ -n "$debugging" ] && set -x
|
||||
@ -807,18 +884,17 @@ case "$1" in
|
||||
echo "Shorewall-$version NAT at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
iptables -t nat -L $IPT_OPTIONS
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
;;
|
||||
tos|mangle)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
echo "Shorewall-$version TOS at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
iptables -t mangle -L $IPT_OPTIONS
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
;;
|
||||
log)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
get_config
|
||||
echo "Shorewall-$version Log at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
@ -837,6 +913,24 @@ case "$1" in
|
||||
echo
|
||||
show_classifiers
|
||||
;;
|
||||
zones)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
if [ -f $STATEDIR/zones ]; then
|
||||
echo "Shorewall-$version Zones at $HOSTNAME - $(date)"
|
||||
echo
|
||||
while read zone hosts; do
|
||||
echo $zone
|
||||
for host in $hosts; do
|
||||
echo " $host"
|
||||
done
|
||||
done < $STATEDIR/zones
|
||||
echo
|
||||
else
|
||||
echo " ERROR: $STATEDIR/zones does not exist" >&2
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
shift
|
||||
|
||||
@ -845,10 +939,10 @@ case "$1" in
|
||||
show_reset
|
||||
if [ $# -gt 0 ]; then
|
||||
for chain in $*; do
|
||||
iptables -L $chain $IPT_OPTIONS
|
||||
$IPTABLES -L $chain $IPT_OPTIONS
|
||||
done
|
||||
else
|
||||
iptables -L $IPT_OPTIONS
|
||||
$IPTABLES -L $IPT_OPTIONS
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
@ -866,29 +960,32 @@ case "$1" in
|
||||
status)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
clear
|
||||
echo "Shorewall-$version Status at $HOSTNAME - $(date)"
|
||||
echo
|
||||
show_reset
|
||||
host=$(echo $HOSTNAME | sed 's/\..*$//')
|
||||
iptables -L $IPT_OPTIONS
|
||||
$IPTABLES -L $IPT_OPTIONS
|
||||
echo
|
||||
packet_log 20
|
||||
echo
|
||||
echo "NAT Table"
|
||||
echo
|
||||
iptables -t nat -L $IPT_OPTIONS
|
||||
$IPTABLES -t nat -L $IPT_OPTIONS
|
||||
echo
|
||||
echo "Mangle Table"
|
||||
echo
|
||||
iptables -t mangle -L $IPT_OPTIONS
|
||||
$IPTABLES -t mangle -L $IPT_OPTIONS
|
||||
echo
|
||||
cat /proc/net/ip_conntrack
|
||||
echo
|
||||
echo "IP Configuration"
|
||||
echo
|
||||
ip addr ls
|
||||
echo
|
||||
echo "IP Stats"
|
||||
echo
|
||||
ip -stat link ls
|
||||
|
||||
if qt which brctl; then
|
||||
echo
|
||||
@ -902,9 +999,10 @@ case "$1" in
|
||||
echo
|
||||
|
||||
show_proc /proc/sys/net/ipv4/ip_forward
|
||||
show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all
|
||||
|
||||
for directory in /proc/sys/net/ipv4/conf/*; do
|
||||
for file in proxy_arp arp_filter rp_filter; do
|
||||
for file in proxy_arp arp_filter rp_filter log_martians; do
|
||||
show_proc $directory/$file
|
||||
done
|
||||
done
|
||||
@ -920,11 +1018,17 @@ case "$1" in
|
||||
echo
|
||||
ip route ls table $table
|
||||
done
|
||||
|
||||
if qt which lsmod; then
|
||||
echo
|
||||
echo "Modules"
|
||||
echo
|
||||
lsmod | grep -E '^ip_|^ipt_'
|
||||
fi
|
||||
;;
|
||||
hits)
|
||||
[ -n "$debugging" ] && set -x
|
||||
[ $# -eq 1 ] || usage 1
|
||||
get_config
|
||||
clear
|
||||
echo "Shorewall-$version Hits at $HOSTNAME - $(date)"
|
||||
echo
|
||||
@ -972,10 +1076,10 @@ case "$1" in
|
||||
[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
|
||||
[ $# -lt 2 -o $# -gt 3 ] && usage 1
|
||||
if ! $0 $debugging -c $2 restart; then
|
||||
if ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
||||
if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
|
||||
$0 start
|
||||
fi
|
||||
elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
|
||||
elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
|
||||
$0 start
|
||||
elif [ $# -eq 3 ]; then
|
||||
sleep $3
|
||||
@ -998,9 +1102,9 @@ case "$1" in
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
qt iptables -D dynamic -s $1 -j reject
|
||||
qt iptables -D dynamic -s $1 -j DROP
|
||||
iptables -A dynamic -s $1 -j DROP || break 1
|
||||
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||
$IPTABLES -A dynamic -s $1 -j DROP || break 1
|
||||
echo "$1 Dropped"
|
||||
done
|
||||
mutex_off
|
||||
@ -1011,9 +1115,9 @@ case "$1" in
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
qt iptables -D dynamic -s $1 -j reject
|
||||
qt iptables -D dynamic -s $1 -j DROP
|
||||
iptables -A dynamic -s $1 -j reject || break 1
|
||||
qt $IPTABLES -D dynamic -s $1 -j reject
|
||||
qt $IPTABLES -D dynamic -s $1 -j DROP
|
||||
$IPTABLES -A dynamic -s $1 -j reject || break 1
|
||||
echo "$1 Rejected"
|
||||
done
|
||||
mutex_off
|
||||
@ -1024,7 +1128,7 @@ case "$1" in
|
||||
mutex_on
|
||||
while [ $# -gt 1 ]; do
|
||||
shift
|
||||
if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
|
||||
if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
|
||||
echo "$1 Allowed"
|
||||
else
|
||||
echo "$1 Not Dropped or Rejected"
|
||||
@ -1035,8 +1139,6 @@ case "$1" in
|
||||
save)
|
||||
[ -n "$debugging" ] && set -x
|
||||
|
||||
get_config
|
||||
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
@ -1053,7 +1155,7 @@ case "$1" in
|
||||
|
||||
mutex_on
|
||||
|
||||
if qt iptables -L shorewall -n; then
|
||||
if qt $IPTABLES -L shorewall -n; then
|
||||
[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
|
||||
|
||||
if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
|
||||
@ -1064,11 +1166,11 @@ case "$1" in
|
||||
echo " ERROR: Reserved file name: $RESTOREFILE"
|
||||
;;
|
||||
*)
|
||||
if iptables -L dynamic -n > /var/lib/shorewall/save; then
|
||||
if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
|
||||
echo " Dynamic Rules Saved"
|
||||
if [ -f /var/lib/shorewall/restore-base ]; then
|
||||
cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
|
||||
if iptables-save >> /var/lib/shorewall/restore-$$ ; then
|
||||
if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
|
||||
echo __EOF__ >> /var/lib/shorewall/restore-$$
|
||||
[ -f /var/lib/shorewall/restore-tail ] && \
|
||||
cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
|
||||
@ -1094,7 +1196,6 @@ case "$1" in
|
||||
mutex_off
|
||||
;;
|
||||
forget)
|
||||
get_config
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
@ -1114,7 +1215,7 @@ case "$1" in
|
||||
rm -f $RESTOREPATH
|
||||
echo " $RESTOREPATH removed"
|
||||
elif [ -f $RESTOREPATH ]; then
|
||||
echo " ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||
echo " $RESTOREPATH exists and is not a saved Shorewall configuration"
|
||||
fi
|
||||
;;
|
||||
ipcalc)
|
||||
@ -1153,7 +1254,6 @@ case "$1" in
|
||||
esac
|
||||
;;
|
||||
restore)
|
||||
get_config
|
||||
case $# in
|
||||
1)
|
||||
;;
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowAuth
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth
|
||||
#
|
||||
# This action accepts Auth (identd) traffic.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowDNS
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowDNS
|
||||
#
|
||||
# This action accepts DNS traffic.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowFTP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowFTP
|
||||
#
|
||||
# This action accepts FTP traffic. See
|
||||
# http://www.shorewall.net/FTP.html for additional considerations.
|
||||
|
11
Lrp2/usr/share/shorewall/action.AllowICMPs
Normal file
11
Lrp2/usr/share/shorewall/action.AllowICMPs
Normal file
@ -0,0 +1,11 @@
|
||||
#
|
||||
# Shorewall 2.1 /usr/share/shorewall/action.AllowICMPs
|
||||
#
|
||||
# ACCEPT needed ICMP types
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#
|
||||
ACCEPT - - icmp fragmentation-needed
|
||||
ACCEPT - - icmp time-exceeded
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP
|
||||
#
|
||||
# This action accepts IMAP traffic (secure and insecure):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /usr/share/shorewall/action.AllowNNTP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP
|
||||
#
|
||||
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowNTP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowNTP
|
||||
#
|
||||
# This action accepts NTP traffic (ntpd).
|
||||
#
|
||||
@ -7,4 +7,5 @@
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
ACCEPT - - udp 123
|
||||
ACCEPT - - udp 1024: 123
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowPCA
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowPCA
|
||||
#
|
||||
# This action accepts PCAnywere (tm)
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3
|
||||
#
|
||||
# This action accepts POP3 traffic (secure and insecure):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowPing
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowPing
|
||||
#
|
||||
# This action accepts 'ping' requests.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowRdate
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowRdate
|
||||
#
|
||||
# This action accepts remote time retrieval (rdate).
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSMB
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
|
||||
#
|
||||
# Allow Microsoft SMB traffic. You need to invoke this action in
|
||||
# both directions.
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP
|
||||
#
|
||||
# This action accepts SMTP (email) traffic.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
|
||||
#
|
||||
# This action accepts SNMP traffic (including traps):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowSSH
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
|
||||
#
|
||||
# This action accepts secure shell (SSH) traffic.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
|
||||
#
|
||||
# This action accepts Telnet traffic. For traffic over the
|
||||
# internet, telnet is inappropriate; use SSH instead
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
|
||||
#
|
||||
# This action accepts Traceroute (for up to 30 hops):
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNC
|
||||
#
|
||||
# This action accepts VNC traffic for VNC display's 0 - 9.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL
|
||||
#
|
||||
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.AllowWeb
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.AllowWeb
|
||||
#
|
||||
# This action accepts WWW traffic (secure and insecure):
|
||||
#
|
||||
@ -7,5 +7,5 @@
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
ACCEPT - - tcp 80
|
||||
ACCEPT - - TCP 443
|
||||
ACCEPT - - tcp 443
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,16 +1,49 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.Drop
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.Drop
|
||||
#
|
||||
# The default DROP common rules
|
||||
#
|
||||
# This action is invoked before a DROP policy is enforced. The purpose of the action
|
||||
# is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
|
||||
# Otherwise, you may experience problems establishing connections with
|
||||
# servers that use auth.
|
||||
# c) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Reject 'auth'
|
||||
#
|
||||
RejectAuth
|
||||
#
|
||||
# Don't log broadcasts
|
||||
#
|
||||
dropBcast
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs - - icmp
|
||||
#
|
||||
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
|
||||
# confuse people when they appear in the log.
|
||||
#
|
||||
dropInvalid
|
||||
#
|
||||
# Drop Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
DropSMB
|
||||
DropUPnP
|
||||
dropNotSyn
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
dropNotSyn - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
|
||||
#
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep
|
||||
#
|
||||
# This action silently drops DNS UDP replies
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropPing
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropPing
|
||||
#
|
||||
# This action silently drops 'ping' requests.
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropSMB
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropSMB
|
||||
#
|
||||
# This action silently drops Microsoft SMB traffic
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.DropUPnP
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.DropUPnP
|
||||
#
|
||||
# This action silently drops UPnP probes on UDP port 1900
|
||||
#
|
||||
|
@ -1,16 +1,46 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.Reject
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.Reject
|
||||
#
|
||||
# The default REJECT action common rules
|
||||
#
|
||||
# This action is invoked before a REJECT policy is enforced. The purpose of the action
|
||||
# is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Don't log 'auth' REJECT
|
||||
#
|
||||
RejectAuth
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
|
||||
#
|
||||
dropBcast
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs - - icmp
|
||||
#
|
||||
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
|
||||
# confuse people when they appear in the log (these ICMPs cannot be rejected).
|
||||
#
|
||||
dropInvalid
|
||||
#
|
||||
# Drop Microsoft noise so that it doesn't clutter up the lot.
|
||||
#
|
||||
RejectSMB
|
||||
DropUPnP
|
||||
dropNotSyn
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
dropNotSyn - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
|
||||
#
|
||||
DropDNSrep
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.RejectAuth
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.RejectAuth
|
||||
#
|
||||
# This action silently rejects Auth (tcp 113) traffic
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.RejectSMB
|
||||
# Shorewall 2.2 /usr/share/shorewall/action.RejectSMB
|
||||
#
|
||||
# This action silently rejects Microsoft SMB traffic
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0 /etc/shorewall/action.template
|
||||
# Shorewall 2.2 /etc/shorewall/action.template
|
||||
#
|
||||
# This file is a template for files with names of the form
|
||||
# /etc/shorewall/action.<action-name> where <action> is an
|
||||
@ -37,6 +37,10 @@
|
||||
# ACCEPT:debugging). This causes the packet to be
|
||||
# logged at the specified level.
|
||||
#
|
||||
# The special log level 'none' does not result in logging
|
||||
# but rather exempts the rule from being overridden by a
|
||||
# non-forcing log level when the action is invoked.
|
||||
#
|
||||
# You may also specify ULOG (must be in upper case) as a
|
||||
# log level.This will log to the ULOG target for routing
|
||||
# to a separate log through use of ulogd
|
||||
@ -61,6 +65,10 @@
|
||||
#
|
||||
# 155.186.235.0/24 Subnet 155.186.235.0/24
|
||||
#
|
||||
# 10.0.0.4-10.0.0.9 Range of IP addresses; your
|
||||
# kernel and iptables must have
|
||||
# iprange match support.
|
||||
#
|
||||
# 192.168.1.1,192.168.1.2
|
||||
# Hosts 192.168.1.1 and
|
||||
# 192.168.1.2.
|
||||
@ -77,10 +85,6 @@
|
||||
# DEST Location of Server. Same as above with the exception that
|
||||
# MAC addresses are not allowed.
|
||||
#
|
||||
# Unlike in the SOURCE column, you may specify a range of
|
||||
# up to 256 IP addresses using the syntax
|
||||
# <first ip>-<last ip>.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||
# "all".
|
||||
#
|
||||
@ -155,6 +159,6 @@
|
||||
# #of the 'kids' group
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
|
||||
# PORT PORT(S) LIMIT
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT PORT(S) LIMIT GROUP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -1,19 +1,17 @@
|
||||
#
|
||||
# Shorewall 2.0 /usr/share/shorewall/actions.std
|
||||
# Shorewall 2.2 /usr/share/shorewall/actions.std
|
||||
#
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
# allowBcast #Silently Allow Broadcast/multicast
|
||||
# dropBcast #Silently Drop Broadcast/multicast
|
||||
# dropNonSyn #Silently Drop Non-syn TCP packets
|
||||
# rejNonSyn #Silently Reject Non-syn TCP packets
|
||||
# logNonSyn #Log Non-syn TCP packets with disposition LOG
|
||||
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
|
||||
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
|
||||
# dropInvalid #Silently Drop packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
# allowInvalid #Accept packets that are in the INVALID conntrack
|
||||
# #state
|
||||
# allowInvalid #Accept packets that are in the INVALID
|
||||
# #conntrack state.
|
||||
#
|
||||
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
|
||||
# shorewall.conf. If that option isn't specified then 'info' is used.
|
||||
@ -36,6 +34,7 @@ AllowSMB #Allow MS Networking
|
||||
AllowAuth #Allow Auth (identd)
|
||||
AllowSMTP #Allow SMTP (Email)
|
||||
AllowPOP3 #Allow reading mail via POP3
|
||||
AllowICMPs #Allows critical ICMP types
|
||||
AllowIMAP #Allow reading mail via IMAP
|
||||
AllowTelnet #Allow Telnet Access (not recommended for use over the
|
||||
#Internet)
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0-- Bogons File
|
||||
# Shorewall 2.2-- Bogons File
|
||||
#
|
||||
# /etc/shorewall/bogons
|
||||
#
|
||||
@ -14,7 +14,9 @@
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# SUBNET The subnet (host addresses also allowed)
|
||||
# SUBNET The subnet (host addresses also allowed as are IP
|
||||
# address ranges provided that your kernel and iptables
|
||||
# include iprange match support).
|
||||
# TARGET Where to send packets to/from this subnet
|
||||
# RETURN - let the packet be processed normally
|
||||
# DROP - silently drop the packet
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,6 +1,27 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall 2.0 -- /usr/share/shorewall/functions
|
||||
# Shorewall 2.2 -- /usr/share/shorewall/functions
|
||||
|
||||
# Function to truncate a string -- It uses 'cut -b -<n>'
|
||||
# rather than ${v:first:last} because light-weight shells like ash and
|
||||
# dash do not support that form of expansion.
|
||||
#
|
||||
|
||||
truncate() # $1 = length
|
||||
{
|
||||
cut -b -${1}
|
||||
}
|
||||
|
||||
#
|
||||
# Split a colon-separated list into a space-separated list
|
||||
#
|
||||
split() {
|
||||
local ifs=$IFS
|
||||
IFS=:
|
||||
set -- $1
|
||||
echo $*
|
||||
IFS=$ifs
|
||||
}
|
||||
|
||||
#
|
||||
# Search a list looking for a match -- returns zero if a match found
|
||||
@ -229,7 +250,7 @@ find_zones() # $1 = name of the zone file
|
||||
\#*)
|
||||
;;
|
||||
$FW)
|
||||
echo "Reserved zone name \"$zone\" in zones file ignored" >&2
|
||||
echo " Warning: Reserved zone name \"$zone\" in zones file ignored" >&2
|
||||
;;
|
||||
*)
|
||||
echo $zone
|
||||
@ -255,12 +276,16 @@ determine_zones()
|
||||
multi_display=Multi-zone
|
||||
strip_file zones $zonefile
|
||||
zones=$(find_zones $TMP_DIR/zones)
|
||||
zones=$(echo $zones) # Remove extra trash
|
||||
newzones=
|
||||
|
||||
for zone in $zones; do
|
||||
dsply=$(find_display $zone $TMP_DIR/zones)
|
||||
[ ${#zone} -gt 5 ] && echo " Warning: Zone name longer than 5 characters: $zone" >&2
|
||||
eval ${zone}_display=\$dsply
|
||||
newzones="$newzones $zone"
|
||||
done
|
||||
|
||||
zones=${newzones# }
|
||||
}
|
||||
|
||||
#
|
||||
@ -377,7 +402,7 @@ mktempfile() {
|
||||
> $1/shorewall-$$ && echo $1/shorewall-$$
|
||||
;;
|
||||
*)
|
||||
echo " ERROR:Internal error in mktempfile"
|
||||
echo " ERROR:Internal error in mktempfile" >&2
|
||||
;;
|
||||
esac
|
||||
else
|
||||
@ -393,7 +418,7 @@ mktempfile() {
|
||||
> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
||||
;;
|
||||
*)
|
||||
echo " ERROR:Internal error in mktempfile"
|
||||
echo " ERROR:Internal error in mktempfile" >&2
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
@ -417,10 +442,10 @@ mktempdir() {
|
||||
mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
|
||||
;;
|
||||
*)
|
||||
echo " ERROR:Internal error in mktempdir"
|
||||
echo " ERROR:Internal error in mktempdir" >&2
|
||||
;;
|
||||
esac
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Read a file and handle "INCLUDE" directives
|
||||
@ -531,13 +556,20 @@ encodeaddr() {
|
||||
ip_range() {
|
||||
local first last l x y z vlsm
|
||||
|
||||
case $1 in
|
||||
[0-9]*.*.*.*-*.*.*.*)
|
||||
;;
|
||||
*)
|
||||
echo $1
|
||||
return
|
||||
;;
|
||||
case $1 in
|
||||
!*)
|
||||
#
|
||||
# Let iptables complain if it's a range
|
||||
#
|
||||
echo $1
|
||||
return
|
||||
;;
|
||||
[0-9]*.*.*.*-*.*.*.*)
|
||||
;;
|
||||
*)
|
||||
echo $1
|
||||
return
|
||||
;;
|
||||
esac
|
||||
|
||||
first=$(decodeaddr ${1%-*})
|
||||
@ -680,6 +712,9 @@ chain_base() #$1 = interface
|
||||
*-*)
|
||||
c="${c%-*}_${c##*-}"
|
||||
;;
|
||||
*%*)
|
||||
c="${c%\%*}_${c##*%}"
|
||||
;;
|
||||
*)
|
||||
echo ${c:=common}
|
||||
return
|
||||
@ -699,11 +734,7 @@ if_match() # $1 = Name in interfaces file - may end in "+"
|
||||
|
||||
case $1 in
|
||||
*+)
|
||||
#
|
||||
# Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of
|
||||
# variable expansion :-(
|
||||
#
|
||||
test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"
|
||||
test "x$(echo $2 | truncate ${#pattern} )" = "x${pattern}"
|
||||
;;
|
||||
*)
|
||||
test "x$1" = "x$2"
|
||||
@ -767,3 +798,11 @@ find_interface_by_address() {
|
||||
[ -n "$dev" ] && echo $dev
|
||||
}
|
||||
|
||||
#
|
||||
# Find interface addresses--returns the set of addresses assigned to the passed
|
||||
# device
|
||||
#
|
||||
find_interface_addresses() # $1 = interface
|
||||
{
|
||||
ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
|
||||
}
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Shorewall help subsystem - V2.0 - 2/14/2004
|
||||
# Shorewall help subsystem - V2.2
|
||||
#
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
@ -29,11 +29,18 @@
|
||||
case $1 in
|
||||
|
||||
add)
|
||||
echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
|
||||
Adds a host or subnet to a dynamic zone usually used with VPN's.
|
||||
echo "add: add <interface>[:<host-list>] ... <zone>
|
||||
Adds a list of hosts or subnets to a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall add interface[:port][:host] zone - Adds the specified interface
|
||||
(and bridge port/host if included) to the specified zone.
|
||||
shorewall add interface:host-list ... zone - Adds the specified interface
|
||||
(and host-list if included) to the specified zone.
|
||||
|
||||
A host-list is a comma-separated list whose elements are:
|
||||
|
||||
A host or network address
|
||||
The name of a bridge port
|
||||
The name of a bridge port followed by a colon (":") and a host or
|
||||
network address.
|
||||
|
||||
Example:
|
||||
|
||||
@ -46,7 +53,9 @@ add)
|
||||
address|host)
|
||||
echo "<$1>:
|
||||
May be either a host IP address such as 192.168.1.4 or a network address in
|
||||
CIDR format like 192.168.1.0/24"
|
||||
CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
|
||||
match support then IP address ranges of the form <low address>-<high address>
|
||||
are also permitted."
|
||||
;;
|
||||
|
||||
allow)
|
||||
@ -60,7 +69,7 @@ allow)
|
||||
;;
|
||||
|
||||
check)
|
||||
echo "check: check [ -c <configuration-directory> ]
|
||||
echo "check: check [ <configuration-directory> ]
|
||||
Performs a cursory validation of the zones, interfaces, hosts,
|
||||
rules and policy files. Use this if you are unsure of any edits
|
||||
you have made to the shorewall configuration. See the try command
|
||||
@ -93,11 +102,18 @@ debug)
|
||||
;;
|
||||
|
||||
delete)
|
||||
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
|
||||
Deletes a host or subnet from a dynamic zone usually used with VPN's.
|
||||
echo "delete: delete <interface>[:<host-list>] ... <zone>
|
||||
Deletes a list of hosts or networks from a dynamic zone usually used with VPN's.
|
||||
|
||||
shorewall delete interface[:port][:host] zone - Deletes the specified
|
||||
interface (and bridge port/host if included) from the specified zone.
|
||||
shorewall delete interface[:host-list] ... zone - Deletes the specified
|
||||
interfaces (and host list if included) from the specified zone.
|
||||
|
||||
A host-list is a comma-separated list whose elements are:
|
||||
|
||||
A host or network address
|
||||
The name of a bridge port
|
||||
The name of a bridge port followed by a colon (":") and a host or
|
||||
network address.
|
||||
|
||||
Example:
|
||||
|
||||
@ -187,7 +203,7 @@ reset)
|
||||
;;
|
||||
|
||||
restart)
|
||||
echo "restart: restart [ -q ] [ -c <configuration-directory> ]
|
||||
echo "restart: [ -q ] restart [ <configuration-directory> ]
|
||||
Restart is the same as a shorewall stop && shorewall start.
|
||||
Existing connections are maintained.
|
||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
||||
@ -217,7 +233,7 @@ save)
|
||||
;;
|
||||
|
||||
show)
|
||||
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
|
||||
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos|zones]
|
||||
|
||||
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
||||
(iptables -L chain -n -v)
|
||||
@ -236,17 +252,20 @@ show)
|
||||
shorewall show tc - displays information about the traffic
|
||||
control/shaping configuration.
|
||||
|
||||
shorewall show zones - displays the contents of all zones.
|
||||
|
||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
||||
;;
|
||||
|
||||
start)
|
||||
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
|
||||
echo "start: [ -q ] [ -f ] start [ <configuration-directory> ]
|
||||
Start shorewall. Existing connections through shorewall managed
|
||||
interfaces are untouched. New connections will be allowed only
|
||||
if they are allowed by the firewall rules or policies.
|
||||
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
|
||||
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
|
||||
in shorewall.conf will be restored if that saved configuration exists"
|
||||
in shorewall.conf will be restored if that saved configuration exists. In that
|
||||
case, a <configuration-directory> may not be specified".
|
||||
;;
|
||||
|
||||
stop)
|
||||
|
@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall 2.0-- RFC1918 File
|
||||
# Shorewall 2.2 -- RFC1918 File
|
||||
#
|
||||
# /etc/shorewall/rfc1918
|
||||
#
|
||||
@ -12,14 +12,17 @@
|
||||
#
|
||||
# Columns are:
|
||||
#
|
||||
# SUBNET The subnet (host addresses also allowed)
|
||||
# SUBNETS A comma-separated list of subnet addresses
|
||||
# (host addresses also allowed as are IP
|
||||
# address ranges provided that your kernel and iptables
|
||||
# have iprange match support).
|
||||
# TARGET Where to send packets to/from this subnet
|
||||
# RETURN - let the packet be processed normally
|
||||
# DROP - silently drop the packet
|
||||
# logdrop - log then drop
|
||||
#
|
||||
###############################################################################
|
||||
#SUBNET TARGET
|
||||
#SUBNETS TARGET
|
||||
172.16.0.0/12 logdrop # RFC 1918
|
||||
192.168.0.0/16 logdrop # RFC 1918
|
||||
10.0.0.0/8 logdrop # RFC 1918
|
||||
|
@ -1 +1 @@
|
||||
2.0.16
|
||||
2.2.0
|
||||
|
@ -1,6 +1,7 @@
|
||||
/etc/shorewall/params Params Assign parameter values
|
||||
/etc/shorewall/zones Zones Partition the network into Zones
|
||||
/etc/shorewall/interfaces Ifaces Shorewall Networking Interfaces
|
||||
/etc/shorewall/ipsec Ipsec Define Zone IPSEC Properties
|
||||
/etc/shorewall/hosts Hosts Define specific zones
|
||||
/etc/shorewall/policy Policy Firewall high-level policy
|
||||
/etc/shorewall/rules Rules Exceptions to policy
|
||||
|
@ -1 +1 @@
|
||||
2.0.2c
|
||||
2.0.16
|
||||
|
Loading…
Reference in New Issue
Block a user