forked from extern/shorewall_code
LEAF stuff no longer here..
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3522 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 4033e6051b
commit 67a087c002
@ -1,74 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
RCDLINKS="2,S41 3,S41 6,K41"
|
|
||||||
#
|
|
||||||
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
|
|
||||||
#
|
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
|
||||||
#
|
|
||||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
#
|
|
||||||
# On most distributions, this file should be called /etc/init.d/shorewall.
|
|
||||||
#
|
|
||||||
# Complete documentation is available at http://shorewall.net
|
|
||||||
#
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of Version 2 of the GNU General Public License
|
|
||||||
# as published by the Free Software Foundation.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program; if not, write to the Free Software
|
|
||||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
|
||||||
#
|
|
||||||
# If an error occurs while starting or restarting the firewall, the
|
|
||||||
# firewall is automatically stopped.
|
|
||||||
#
|
|
||||||
# Commands are:
|
|
||||||
#
|
|
||||||
# shorewall start Starts the firewall
|
|
||||||
# shorewall restart Restarts the firewall
|
|
||||||
# shorewall stop Stops the firewall
|
|
||||||
# shorewall status Displays firewall status
|
|
||||||
#
|
|
||||||
#### BEGIN INIT INFO
|
|
||||||
# Provides: shorewall
|
|
||||||
# Required-Start: $network
|
|
||||||
# Required-Stop:
|
|
||||||
# Default-Start: 2 3 5
|
|
||||||
# Default-Stop: 0 1 6
|
|
||||||
# Description: starts and stops the shorewall firewall
|
|
||||||
### END INIT INFO
|
|
||||||
|
|
||||||
# chkconfig: 2345 25 90
|
|
||||||
# description: Packet filtering firewall
|
|
||||||
#
|
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# Give Usage Information #
|
|
||||||
################################################################################
|
|
||||||
usage() {
|
|
||||||
echo "Usage: $0 start|stop|restart|status"
|
|
||||||
exit 1
|
|
||||||
}
|
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# E X E C U T I O N B E G I N S H E R E #
|
|
||||||
################################################################################
|
|
||||||
command="$1"
|
|
||||||
|
|
||||||
case "$command" in
|
|
||||||
|
|
||||||
stop|start|restart|status)
|
|
||||||
|
|
||||||
exec /sbin/shorewall $@
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
|
|
||||||
usage
|
|
||||||
;;
|
|
||||||
|
|
||||||
esac
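Review bot: `exec /sbin/shorewall $@` in the `stop|start|restart|status)` branch passes the arguments unquoted, so any argument containing whitespace would be word-split before it reaches /sbin/shorewall; if this init script is being relocated rather than retired, the copy should read `exec /sbin/shorewall "$@"`. The banner line also still says `V2.0 3/14/2003` while the copyright line runs through 2004, so the version stamp is stale.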
|
|
@ -1,73 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall version 2.0 - Accounting File
|
|
||||||
#
|
|
||||||
# /etc/shorewall/accounting
|
|
||||||
#
|
|
||||||
# Accounting rules exist simply to count packets and bytes in categories
|
|
||||||
# that you define in this file. You may display these rules and their
|
|
||||||
# packet and byte counters using the "shorewall show accounting" command.
|
|
||||||
#
|
|
||||||
# Please see http://shorewall.net/Accounting.html for examples and
|
|
||||||
# additional information about how to use this file.
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# Columns are:
|
|
||||||
#
|
|
||||||
# ACTION - What to do when a match is found.
|
|
||||||
#
|
|
||||||
# COUNT - Simply count the match and continue
|
|
||||||
# with the next rule
|
|
||||||
# DONE - Count the match and don't attempt
|
|
||||||
# to match any other accounting rules
|
|
||||||
# in the chain specified in the CHAIN
|
|
||||||
# column.
|
|
||||||
# <chain>[:COUNT]
|
|
||||||
# - Where <chain> is the name of
|
|
||||||
# a chain. Shorewall will create
|
|
||||||
# the chain automatically if it
|
|
||||||
# doesn't already exist. Causes
|
|
||||||
# a jump to that chain. If :COUNT
|
|
||||||
# is including, a counting rule
|
|
||||||
# matching this record will be
|
|
||||||
# added to <chain>
|
|
||||||
#
|
|
||||||
# CHAIN - The name of a chain. If specified as "-" the
|
|
||||||
# 'accounting' chain is assumed. This is the chain
|
|
||||||
# where the accounting rule is added. The chain will
|
|
||||||
# be created if it doesn't already exist.
|
|
||||||
#
|
|
||||||
# SOURCE - Packet Source
|
|
||||||
#
|
|
||||||
# The name of an interface, an address (host or net) or
|
|
||||||
# an interface name followed by ":"
|
|
||||||
# and a host or net address.
|
|
||||||
#
|
|
||||||
# DESTINATION - Packet Destination
|
|
||||||
#
|
|
||||||
# Format the same as the SOURCE column.
|
|
||||||
#
|
|
||||||
# PROTOCOL A protocol name (from /etc/protocols), a protocol
|
|
||||||
# number.
|
|
||||||
#
|
|
||||||
# DEST PORT Destination Port number
|
|
||||||
#
|
|
||||||
# Service name from /etc/services or port number. May
|
|
||||||
# only be specified if the protocol is TCP or UDP (6
|
|
||||||
# or 17).
|
|
||||||
#
|
|
||||||
# SOURCE PORT Source Port number
|
|
||||||
#
|
|
||||||
# Service name from /etc/services or port number. May
|
|
||||||
# only be specified if the protocol is TCP or UDP (6
|
|
||||||
# or 17).
|
|
||||||
#
|
|
||||||
# In all of the above columns except ACTION and CHAIN, the values "-",
|
|
||||||
# "any" and "all" may be used as wildcards
|
|
||||||
#
|
|
||||||
# Please see http://shorewall.net/Accounting.html for examples and
|
|
||||||
# additional information about how to use this file.
|
|
||||||
#
|
|
||||||
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
|
|
||||||
# PORT PORT
|
|
||||||
#
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
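Review bot: the ACTION column text "If :COUNT is including, a counting rule matching this record will be added to <chain>" should read "is included"; the same pointer to http://shorewall.net/Accounting.html appears twice in the header (once after the introduction and again just before the column header), so one copy is redundant. Only worth carrying over if this file is being moved rather than dropped.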
|
|
@ -1,131 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 1.4 /etc/shorewall/action.template
|
|
||||||
#
|
|
||||||
# This file is a template for files with names of the form
|
|
||||||
# /etc/shorewall/action.<action-name> where <action> is an
|
|
||||||
# ACTION defined in /etc/shorewall/actions.
|
|
||||||
#
|
|
||||||
# To define a new action:
|
|
||||||
#
|
|
||||||
# 1. Add the <action name> to /etc/shorewall/actions
|
|
||||||
# 2. Copy this file to /etc/shorewall/action.<action name>
|
|
||||||
# 3. Add the desired rules to that file.
|
|
||||||
#
|
|
||||||
# Columns are:
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
|
|
||||||
# previously-defined <action>
|
|
||||||
#
|
|
||||||
# ACCEPT -- allow the connection request
|
|
||||||
# DROP -- ignore the request
|
|
||||||
# REJECT -- disallow the request and return an
|
|
||||||
# icmp-unreachable or an RST packet.
|
|
||||||
# LOG -- Simply log the packet and continue.
|
|
||||||
# QUEUE -- Queue the packet to a user-space
|
|
||||||
# application such as p2pwall.
|
|
||||||
# <action> -- An <action> defined in
|
|
||||||
# /etc/shorewall/actions. The <action>
|
|
||||||
# must appear in that file BEFORE the
|
|
||||||
# one being defined in this file.
|
|
||||||
#
|
|
||||||
# The TARGET may optionally be followed
|
|
||||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
|
||||||
# ACCEPT:debugging). This causes the packet to be
|
|
||||||
# logged at the specified level.
|
|
||||||
#
|
|
||||||
# You may also specify ULOG (must be in upper case) as a
|
|
||||||
# log level.This will log to the ULOG target for routing
|
|
||||||
# to a separate log through use of ulogd
|
|
||||||
# (http://www.gnumonks.org/projects/ulogd).
|
|
||||||
#
|
|
||||||
# SOURCE Source hosts to which the rule applies.
|
|
||||||
# A comma-separated list of subnets
|
|
||||||
# and/or hosts. Hosts may be specified by IP or MAC
|
|
||||||
# address; mac addresses must begin with "~" and must use
|
|
||||||
# "-" as a separator.
|
|
||||||
#
|
|
||||||
# 192.168.2.2 Host 192.168.2.2
|
|
||||||
#
|
|
||||||
# 155.186.235.0/24 Subnet 155.186.235.0/24
|
|
||||||
#
|
|
||||||
# 192.168.1.1,192.168.1.2
|
|
||||||
# Hosts 192.168.1.1 and
|
|
||||||
# 192.168.1.2.
|
|
||||||
# ~00-A0-C9-15-39-78 Host with
|
|
||||||
# MAC address 00:A0:C9:15:39:78.
|
|
||||||
#
|
|
||||||
# Alternatively, clients may be specified by interface
|
|
||||||
# name. For example, eth1 specifies a
|
|
||||||
# client that communicates with the firewall system
|
|
||||||
# through eth1. This may be optionally followed by
|
|
||||||
# another colon (":") and an IP/MAC/subnet address
|
|
||||||
# as described above (e.g., eth1:192.168.1.5).
|
|
||||||
#
|
|
||||||
# DEST Location of Server. Same as above with the exception that
|
|
||||||
# MAC addresses are not allowed.
|
|
||||||
#
|
|
||||||
# Unlike in the SOURCE column, you may specify a range of
|
|
||||||
# up to 256 IP addresses using the syntax
|
|
||||||
# <first ip>-<last ip>.
|
|
||||||
#
|
|
||||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
|
||||||
# "all".
|
|
||||||
#
|
|
||||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
|
||||||
# names (from /etc/services), port numbers or port
|
|
||||||
# ranges; if the protocol is "icmp", this column is
|
|
||||||
# interpreted as the destination icmp-type(s).
|
|
||||||
#
|
|
||||||
# A port range is expressed as <low port>:<high port>.
|
|
||||||
#
|
|
||||||
# This column is ignored if PROTOCOL = all but must be
|
|
||||||
# entered if any of the following ields are supplied.
|
|
||||||
# In that case, it is suggested that this field contain
|
|
||||||
# "-"
|
|
||||||
#
|
|
||||||
# If your kernel contains multi-port match support, then
|
|
||||||
# only a single Netfilter rule will be generated if in
|
|
||||||
# this list and the CLIENT PORT(S) list below:
|
|
||||||
# 1. There are 15 or less ports listed.
|
|
||||||
# 2. No port ranges are included.
|
|
||||||
# Otherwise, a separate rule will be generated for each
|
|
||||||
# port.
|
|
||||||
#
|
|
||||||
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
|
||||||
# any source port is acceptable. Specified as a comma-
|
|
||||||
# separated list of port names, port numbers or port
|
|
||||||
# ranges.
|
|
||||||
#
|
|
||||||
# If you don't want to restrict client ports but need to
|
|
||||||
# specify an ADDRESS in the next column, then place "-"
|
|
||||||
# in this column.
|
|
||||||
#
|
|
||||||
# If your kernel contains multi-port match support, then
|
|
||||||
# only a single Netfilter rule will be generated if in
|
|
||||||
# this list and the DEST PORT(S) list above:
|
|
||||||
# 1. There are 15 or less ports listed.
|
|
||||||
# 2. No port ranges are included.
|
|
||||||
# Otherwise, a separate rule will be generated for each
|
|
||||||
# port.
|
|
||||||
#
|
|
||||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
|
||||||
# this column:
|
|
||||||
#
|
|
||||||
# <rate>/<interval>[:<burst>]
|
|
||||||
#
|
|
||||||
# where <rate> is the number of connections per
|
|
||||||
# <interval> ("sec" or "min") and <burst> is the
|
|
||||||
# largest burst permitted. If no <burst> is given,
|
|
||||||
# a value of 5 is assumed. There may be no
|
|
||||||
# no whitespace embedded in the specification.
|
|
||||||
#
|
|
||||||
# Example: 10/sec:20
|
|
||||||
#
|
|
||||||
# If you place a rate limit in this column, you may not
|
|
||||||
# place a similar limit in the TARGET column.
|
|
||||||
#
|
|
||||||
######################################################################################
|
|
||||||
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
|
||||||
# PORT PORT(S) DEST LIMIT
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
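Review bot: the column header at the bottom lists an ORIGINAL DEST column and labels the sixth column SOURCE PORT(S), but the description above documents neither: it has no ORIGINAL DEST entry and calls the sixth column CLIENT PORT(S), so the two halves of the file disagree. Smaller points in the same hunk: the banner says "Shorewall 1.4" while the sibling files in this change say 2.0, "any of the following ields" should be "fields", "e.g," should be "e.g.,", and "log level.This" is missing a space.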
|
|
@ -1,29 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 2.1 /etc/shorewall/actions
|
|
||||||
#
|
|
||||||
# This file allows you to define new ACTIONS for use in rules
|
|
||||||
# (/etc/shorewall/rules). You define the iptables rules to
|
|
||||||
# be performed in an ACTION in
|
|
||||||
# /etc/shorewall/action.<action-name>.
|
|
||||||
#
|
|
||||||
# ACTION names should begin with an upper-case letter to
|
|
||||||
# distinguish them from Shorewall-generated chain names and
|
|
||||||
# they must need the requirements of a Netfilter chain. If
|
|
||||||
# you intend to log from the action then the name must be
|
|
||||||
# no longer than 11 character in length. Names must also
|
|
||||||
# meet the requirements for a Bourne Shell identifier (must
|
|
||||||
# begin with a letter and be composed of letters, digits and
|
|
||||||
# underscore characters).
|
|
||||||
#
|
|
||||||
# If you follow the action name with ":DROP", ":REJECT" or
|
|
||||||
# :ACCEPT then the action will be taken before a DROP, REJECT or
|
|
||||||
# ACCEPT policy respectively is enforced. If you specify ":DROP",
|
|
||||||
# ":REJECT" or ":ACCEPT" on more than one action then only the
|
|
||||||
# last such action will be taken.
|
|
||||||
#
|
|
||||||
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
|
|
||||||
# itself, the associated policy will have no common action.
|
|
||||||
#
|
|
||||||
#ACTION
|
|
||||||
|
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
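Review bot: "they must need the requirements of a Netfilter chain" should read "must meet the requirements", and "no longer than 11 character in length" should be "11 characters"; the banner also says "Shorewall 2.1" where the other files in this change say 2.0.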
|
|
@ -1,43 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 2.0 -- Blacklist File
|
|
||||||
#
|
|
||||||
# /etc/shorewall/blacklist
|
|
||||||
#
|
|
||||||
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
|
|
||||||
#
|
|
||||||
# Columns are:
|
|
||||||
#
|
|
||||||
# ADDRESS/SUBNET - Host address, subnetwork or MAC address
|
|
||||||
#
|
|
||||||
# MAC addresses must be prefixed with "~" and use "-"
|
|
||||||
# as a separator.
|
|
||||||
#
|
|
||||||
# Example: ~00-A0-C9-15-39-78
|
|
||||||
#
|
|
||||||
# PROTOCOL - Optional. If specified, must be a protocol number
|
|
||||||
# or a protocol name from /etc/protocols.
|
|
||||||
#
|
|
||||||
# PORTS - Optional. May only be specified if the protocol
|
|
||||||
# is TCP (6) or UDP (17). A comma-separated list
|
|
||||||
# of port numbers or service names from /etc/services.
|
|
||||||
#
|
|
||||||
# When a packet arrives on in interface that has the 'blacklist' option
|
|
||||||
# specified, its source IP address is checked against this file and disposed of
|
|
||||||
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
|
|
||||||
# /etc/shorewall/shorewall.conf
|
|
||||||
#
|
|
||||||
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
|
|
||||||
# the protocol (and one of the ports if PORTS supplied) are blocked.
|
|
||||||
#
|
|
||||||
# Example:
|
|
||||||
#
|
|
||||||
# To block DNS queries from address 192.0.2.126:
|
|
||||||
#
|
|
||||||
# ADDRESS/SUBNET PROTOCOL PORT
|
|
||||||
# 192.0.2.126 udp 53
|
|
||||||
#
|
|
||||||
###############################################################################
|
|
||||||
#ADDRESS/SUBNET PROTOCOL PORT
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
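Review bot: the column header reads `#ADDRESS/SUBNET PROTOCOL PORT` (and the worked example uses the same `PORT` heading) while the column description calls it PORTS and says it may be a comma-separated list, so the header under-describes the column; "arrives on in interface" should be "arrives on an interface". The description also says only the packet's source IP address is checked against this file, yet the ADDRESS/SUBNET column accepts MAC addresses, so that sentence should mention the source MAC as well.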
|
|
||||||
|
|
||||||
|
|
@ -1,18 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 2.0 - /etc/shorewall/ecn
|
|
||||||
#
|
|
||||||
# Use this file to list the destinations for which you want to
|
|
||||||
# disable ECN.
|
|
||||||
#
|
|
||||||
# This feature requires kernel 2.4.20 or later. If you run 2.4.20,
|
|
||||||
# you also need the patch found at http://www.shorewall.net/ecn/patch.
|
|
||||||
# That patch is included in kernels 2.4.21 and later.
|
|
||||||
#
|
|
||||||
# INTERFACE - Interface through which host(s) communicate with
|
|
||||||
# the firewall
|
|
||||||
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
|
||||||
# If left empty or supplied as "-",
|
|
||||||
# 0.0.0.0/0 is assumed.
|
|
||||||
##############################################################################
|
|
||||||
#INTERFACE HOST(S)
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
@ -1,128 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 2.0 - /etc/shorewall/hosts
|
|
||||||
#
|
|
||||||
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
|
|
||||||
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
|
|
||||||
#
|
|
||||||
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
|
|
||||||
#------------------------------------------------------------------------------
|
|
||||||
# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
|
|
||||||
# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
|
|
||||||
# ZONE AND INTERFACE IN THIS FILE.
|
|
||||||
#------------------------------------------------------------------------------
|
|
||||||
# This file is used to define zones in terms of subnets and/or
|
|
||||||
# individual IP addresses. Most simple setups don't need to
|
|
||||||
# (should not) place anything in this file.
|
|
||||||
#
|
|
||||||
# The order of entries in this file is not significant in
|
|
||||||
# determining zone composition. Rather, the order that the zones
|
|
||||||
# are defined in /etc/shorewall/zones determines the order in
|
|
||||||
# which the records in this file are interpreted.
|
|
||||||
#
|
|
||||||
# ZONE - The name of a zone defined in /etc/shorewall/zones
|
|
||||||
#
|
|
||||||
# HOST(S) - The name of an interface defined in the
|
|
||||||
# /etc/shorewall/interfaces file followed by a colon (":") and
|
|
||||||
# a comma-separated list whose elements are either:
|
|
||||||
#
|
|
||||||
# a) The IP address of a host
|
|
||||||
# b) A subnetwork in the form
|
|
||||||
# <subnet-address>/<mask width>
|
|
||||||
# c) A physical port name; only allowed when the
|
|
||||||
# interface names a bridge created by the
|
|
||||||
# brctl addbr command. This port must not
|
|
||||||
# be defined in /etc/shorewall/interfaces and may
|
|
||||||
# optionally followed by a colon (":") and a
|
|
||||||
# host or network IP.
|
|
||||||
# See http://www.shorewall.net/Bridge.html for details.
|
|
||||||
#
|
|
||||||
# Examples:
|
|
||||||
#
|
|
||||||
# eth1:192.168.1.3
|
|
||||||
# eth2:192.168.2.0/24
|
|
||||||
# eth3:192.168.2.0/24,192.168.3.1
|
|
||||||
# br0:eth4
|
|
||||||
# br0:eth0:192.168.1.16/28
|
|
||||||
#
|
|
||||||
# OPTIONS - A comma-separated list of options. Currently-defined
|
|
||||||
# options are:
|
|
||||||
#
|
|
||||||
# maclist - Connection requests from these hosts
|
|
||||||
# are compared against the contents of
|
|
||||||
# /etc/shorewall/maclist. If this option
|
|
||||||
# is specified, the interface must be
|
|
||||||
# an ethernet NIC and must be up before
|
|
||||||
# Shorewall is started.
|
|
||||||
#
|
|
||||||
# routeback - Shorewall should set up the infrastructure
|
|
||||||
# to pass packets from this/these
|
|
||||||
# address(es) back to themselves. This is
|
|
||||||
# necessary if hosts in this group use the
|
|
||||||
# services of a transparent proxy that is
|
|
||||||
# a member of the group or if DNAT is used
|
|
||||||
# to send requests originating from this
|
|
||||||
# group to a server in the group.
|
|
||||||
#
|
|
||||||
# norfc1918 - This option only makes sense for ports
|
|
||||||
# on a bridge.
|
|
||||||
#
|
|
||||||
# The port should not accept
|
|
||||||
# any packets whose source is in one
|
|
||||||
# of the ranges reserved by RFC 1918
|
|
||||||
# (i.e., private or "non-routable"
|
|
||||||
# addresses. If packet mangling or
|
|
||||||
# connection-tracking match is enabled in
|
|
||||||
# your kernel, packets whose destination
|
|
||||||
# addresses are reserved by RFC 1918 are
|
|
||||||
# also rejected.
|
|
||||||
#
|
|
||||||
# nobogons - This option only makes sense for ports
|
|
||||||
# on a bridge.
|
|
||||||
#
|
|
||||||
# This port should not accept
|
|
||||||
# any packets whose source is in one
|
|
||||||
# of the ranges reserved by IANA (this
|
|
||||||
# option does not cover those ranges
|
|
||||||
# reserved by RFC 1918 -- see
|
|
||||||
# 'norfc1918' above).
|
|
||||||
#
|
|
||||||
# blacklist - This option only makes sense for ports
|
|
||||||
# on a bridge.
|
|
||||||
#
|
|
||||||
# Check packets arriving on this port
|
|
||||||
# against the /etc/shorewall/blacklist
|
|
||||||
# file.
|
|
||||||
#
|
|
||||||
# tcpflags - Packets arriving from these hosts are
|
|
||||||
# checked for certain illegal combinations
|
|
||||||
# of TCP flags. Packets found to have
|
|
||||||
# such a combination of flags are handled
|
|
||||||
# according to the setting of
|
|
||||||
# TCP_FLAGS_DISPOSITION after having been
|
|
||||||
# logged according to the setting of
|
|
||||||
# TCP_FLAGS_LOG_LEVEL.
|
|
||||||
#
|
|
||||||
# nosmurfs - This option only makes sense for ports
|
|
||||||
# on a bridge.
|
|
||||||
#
|
|
||||||
# Filter packets for smurfs
|
|
||||||
# (packets with a broadcast
|
|
||||||
# address as the source).
|
|
||||||
#
|
|
||||||
# Smurfs will be optionally logged based
|
|
||||||
# on the setting of SMURF_LOG_LEVEL in
|
|
||||||
# shorewall.conf. After logging, the
|
|
||||||
# packets are dropped.
|
|
||||||
#
|
|
||||||
# newnotsyn - TCP packets that don't have the SYN
|
|
||||||
# flag set and which are not part of an
|
|
||||||
# established connection will be accepted
|
|
||||||
# from these hosts, even if
|
|
||||||
# NEWNOTSYN=No has been specified in
|
|
||||||
# /etc/shorewall/shorewall.conf.
|
|
||||||
#
|
|
||||||
# This option has no effect if
|
|
||||||
# NEWNOTSYN=Yes.
|
|
||||||
#
|
|
||||||
#ZONE HOST(S) OPTIONS
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
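Review bot: in the HOST(S) description, "may optionally followed by a colon" should be "may optionally be followed by a colon", and in the norfc1918 option text the parenthesis opened at "(i.e., private or "non-routable" addresses" is never closed. The maclist, tcpflags, nosmurfs and newnotsyn option descriptions here duplicate the ones in the interfaces file word for word; if these files are being moved rather than dropped, having one point at the other would keep them from drifting apart.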
|
|
@ -1,6 +0,0 @@
|
|||||||
##############################################################################
|
|
||||||
# Shorewall 1.3 /etc/shorewall/icmp.def
|
|
||||||
#
|
|
||||||
# This file is obsolete and is included for compatibility with existing
|
|
||||||
# icmpdef extension scripts that source it.
|
|
||||||
#
|
|
@ -1,6 +0,0 @@
|
|||||||
############################################################################
|
|
||||||
# Shorewall 2.0 -- /etc/shorewall/init
|
|
||||||
#
|
|
||||||
# Add commands below that you want to be executed at the beginning of
|
|
||||||
# a "shorewall start" or "shorewall restart" command.
|
|
||||||
#
|
|
@ -1,195 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 2.0 -- Interfaces File
|
|
||||||
#
|
|
||||||
# /etc/shorewall/interfaces
|
|
||||||
#
|
|
||||||
# You must add an entry in this file for each network interface on your
|
|
||||||
# firewall system.
|
|
||||||
#
|
|
||||||
# Columns are:
|
|
||||||
#
|
|
||||||
# ZONE Zone for this interface. Must match the short name
|
|
||||||
# of a zone defined in /etc/shorewall/zones.
|
|
||||||
#
|
|
||||||
# If the interface serves multiple zones that will be
|
|
||||||
# defined in the /etc/shorewall/hosts file, you should
|
|
||||||
# place "-" in this column.
|
|
||||||
#
|
|
||||||
# INTERFACE Name of interface. Each interface may be listed only
|
|
||||||
# once in this file. You may NOT specify the name of
|
|
||||||
# an alias (e.g., eth0:0) here; see
|
|
||||||
# http://www.shorewall.net/FAQ.htm#faq18
|
|
||||||
#
|
|
||||||
# You may specify wildcards here. For example, if you
|
|
||||||
# want to make an entry that applies to all PPP
|
|
||||||
# interfaces, use 'ppp+'.
|
|
||||||
#
|
|
||||||
# There is no need to define the loopback interface (lo)
|
|
||||||
# in this file.
|
|
||||||
#
|
|
||||||
# BROADCAST The broadcast address for the subnetwork to which the
|
|
||||||
# interface belongs. For P-T-P interfaces, this
|
|
||||||
# column is left blank.If the interface has multiple
|
|
||||||
# addresses on multiple subnets then list the broadcast
|
|
||||||
# addresses as a comma-separated list.
|
|
||||||
#
|
|
||||||
# If you use the special value "detect", the firewall
|
|
||||||
# will detect the broadcast address for you. If you
|
|
||||||
# select this option, the interface must be up before
|
|
||||||
# the firewall is started, you must have iproute
|
|
||||||
# installed.
|
|
||||||
#
|
|
||||||
# If you don't want to give a value for this column but
|
|
||||||
# you want to enter a value in the OPTIONS column, enter
|
|
||||||
# "-" in this column.
|
|
||||||
#
|
|
||||||
# OPTIONS A comma-separated list of options including the
|
|
||||||
# following:
|
|
||||||
#
|
|
||||||
# dhcp - Specify this option when any of
|
|
||||||
# the following are true:
|
|
||||||
# 1. the interface gets its IP address
|
|
||||||
# via DHCP
|
|
||||||
# 2. the interface is used by
|
|
||||||
# a DHCP server running on the firewall
|
|
||||||
# 3. you have a static IP but are on a LAN
|
|
||||||
# segment with lots of Laptop DHCP
|
|
||||||
# clients.
|
|
||||||
# 4. the interface is a bridge with
|
|
||||||
# a DHCP server on one port and DHCP
|
|
||||||
# clients on another port.
|
|
||||||
#
|
|
||||||
# norfc1918 - This interface should not receive
|
|
||||||
# any packets whose source is in one
|
|
||||||
# of the ranges reserved by RFC 1918
|
|
||||||
# (i.e., private or "non-routable"
|
|
||||||
# addresses. If packet mangling or
|
|
||||||
# connection-tracking match is enabled in
|
|
||||||
# your kernel, packets whose destination
|
|
||||||
# addresses are reserved by RFC 1918 are
|
|
||||||
# also rejected.
|
|
||||||
#
|
|
||||||
# nobogons - This interface should not receive
|
|
||||||
# any packets whose source is in one
|
|
||||||
# of the ranges reserved by IANA (this
|
|
||||||
# option does not cover those ranges
|
|
||||||
# reserved by RFC 1918 -- see above).
|
|
||||||
#
|
|
||||||
# routefilter - turn on kernel route filtering for this
|
|
||||||
# interface (anti-spoofing measure). This
|
|
||||||
# option can also be enabled globally in
|
|
||||||
# the /etc/shorewall/shorewall.conf file.
|
|
||||||
#
|
|
||||||
# . . blacklist - Check packets arriving on this interface
|
|
||||||
# against the /etc/shorewall/blacklist
|
|
||||||
# file.
|
|
||||||
#
|
|
||||||
# maclist - Connection requests from this interface
|
|
||||||
# are compared against the contents of
|
|
||||||
# /etc/shorewall/maclist. If this option
|
|
||||||
# is specified, the interface must be
|
|
||||||
# an ethernet NIC and must be up before
|
|
||||||
# Shorewall is started.
|
|
||||||
#
|
|
||||||
# tcpflags - Packets arriving on this interface are
|
|
||||||
# checked for certain illegal combinations
|
|
||||||
# of TCP flags. Packets found to have
|
|
||||||
# such a combination of flags are handled
|
|
||||||
# according to the setting of
|
|
||||||
# TCP_FLAGS_DISPOSITION after having been
|
|
||||||
# logged according to the setting of
|
|
||||||
# TCP_FLAGS_LOG_LEVEL.
|
|
||||||
#
|
|
||||||
# proxyarp -
|
|
||||||
# Sets
|
|
||||||
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
|
|
||||||
# Do NOT use this option if you are
|
|
||||||
# employing Proxy ARP through entries in
|
|
||||||
# /etc/shorewall/proxyarp. This option is
|
|
||||||
# intended soley for use with Proxy ARP
|
|
||||||
# sub-networking as described at:
|
|
||||||
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
|
|
||||||
#
|
|
||||||
# newnotsyn - TCP packets that don't have the SYN
|
|
||||||
# flag set and which are not part of an
|
|
||||||
# established connection will be accepted
|
|
||||||
# from this interface, even if
|
|
||||||
# NEWNOTSYN=No has been specified in
|
|
||||||
# /etc/shorewall/shorewall.conf. In other
|
|
||||||
# words, packets coming in on this interface
|
|
||||||
# are processed as if NEWNOTSYN=Yes had been
|
|
||||||
# specified in /etc/shorewall/shorewall.conf.
|
|
||||||
#
|
|
||||||
# This option has no effect if
|
|
||||||
# NEWNOTSYN=Yes.
|
|
||||||
#
|
|
||||||
# It is the opinion of the author that
|
|
||||||
# NEWNOTSYN=No creates more problems than
|
|
||||||
# it solves and I recommend against using
|
|
||||||
# that setting in shorewall.conf (hence
|
|
||||||
# making the use of the 'newnotsyn'
|
|
||||||
# interface option unnecessary).
|
|
||||||
#
|
|
||||||
# routeback - If specified, indicates that Shorewall
|
|
||||||
# should include rules that allow filtering
|
|
||||||
# traffic arriving on this interface back
|
|
||||||
# out that same interface.
|
|
||||||
#
|
|
||||||
# arp_filter - If specified, this interface will only
|
|
||||||
# respond to ARP who-has requests for IP
|
|
||||||
# addresses configured on the interface.
|
|
||||||
# If not specified, the interface can
|
|
||||||
# respond to ARP who-has requests for
|
|
||||||
# IP addresses on any of the firewall's
|
|
||||||
# interface. The interface must be up
|
|
||||||
# when Shorewall is started.
|
|
||||||
#
|
|
||||||
# nosmurfs - Filter packets for smurfs
|
|
||||||
# (packets with a broadcast
|
|
||||||
# address as the source).
|
|
||||||
#
|
|
||||||
# Smurfs will be optionally logged based
|
|
||||||
# on the setting of SMURF_LOG_LEVEL in
|
|
||||||
# shorewall.conf. After logging, the
|
|
||||||
# packets are dropped.
|
|
||||||
#
|
|
||||||
# detectnets - Automatically taylors the zone named
|
|
||||||
# in the ZONE column to include only those
|
|
||||||
# hosts routed through the interface.
|
|
||||||
#
|
|
||||||
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
|
|
||||||
# INTERNET INTERFACE.
|
|
||||||
#
|
|
||||||
# The order in which you list the options is not
|
|
||||||
# significant but the list should have no embedded white
|
|
||||||
# space.
|
|
||||||
#
|
|
||||||
# Example 1: Suppose you have eth0 connected to a DSL modem and
|
|
||||||
# eth1 connected to your local network and that your
|
|
||||||
# local subnet is 192.168.1.0/24. The interface gets
|
|
||||||
# it's IP address via DHCP from subnet
|
|
||||||
# 206.191.149.192/27. You have a DMZ with subnet
|
|
||||||
# 192.168.2.0/24 using eth2.
|
|
||||||
#
|
|
||||||
# Your entries for this setup would look like:
|
|
||||||
#
|
|
||||||
# net eth0 206.191.149.223 dhcp
|
|
||||||
# local eth1 192.168.1.255
|
|
||||||
# dmz eth2 192.168.2.255
|
|
||||||
#
|
|
||||||
# Example 2: The same configuration without specifying broadcast
|
|
||||||
# addresses is:
|
|
||||||
#
|
|
||||||
# net eth0 detect dhcp
|
|
||||||
# loc eth1 detect
|
|
||||||
# dmz eth2 detect
|
|
||||||
#
|
|
||||||
# Example 3: You have a simple dial-in system with no ethernet
|
|
||||||
# connections.
|
|
||||||
#
|
|
||||||
# net ppp0 -
|
|
||||||
##############################################################################
|
|
||||||
#ZONE INTERFACE BROADCAST OPTIONS
|
|
||||||
net eth0 detect dhcp,routefilter,norfc1918
|
|
||||||
loc eth1 detect
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
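Review bot: Example 1 names the local zone `local` (`local eth1 192.168.1.255`) while Example 2 and the live entries at the bottom use `loc`, so the examples disagree on the zone name and one of them should change. The stray `. .` before `blacklist` in the option list looks like leftover markup, and there are several typos: "blank.If" (missing space), "soley", "taylors", and "it's IP address" should be "its". Note too that this file ships with two uncommented entries (`net eth0 detect dhcp,routefilter,norfc1918` and `loc eth1 detect`), unlike the other files removed in this commit, which ship with only commented headers; worth confirming that whatever replaces it provides the same defaults.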
|
|
@ -1,21 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 2.0 - MAC list file
|
|
||||||
#
|
|
||||||
# /etc/shorewall/maclist
|
|
||||||
#
|
|
||||||
# Columns are:
|
|
||||||
#
|
|
||||||
# INTERFACE Network interface to a host. If the interface
|
|
||||||
# names a bridge, it may be optionally followed by
|
|
||||||
# a colon (":") and a physical port name (e.g.,
|
|
||||||
# br0:eth4).
|
|
||||||
#
|
|
||||||
# MAC MAC address of the host -- you do not need to use
|
|
||||||
# the Shorewall format for MAC addresses here
|
|
||||||
#
|
|
||||||
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
|
|
||||||
# must match. This column can contain a comma-separated
|
|
||||||
# list of host and/or subnet addresses.
|
|
||||||
##############################################################################
|
|
||||||
#INTERFACE MAC IP ADDRESSES (Optional)
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
|
@ -1,141 +0,0 @@
#
# Shorewall 2.0 - Masquerade file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
#
# Columns are:
#
# INTERFACE -- Outgoing interface. This is usually your internet
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
#
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
#
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
#
# Example: eth1!192.168.1.4,192.168.32.0/27
#
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
#
# If you have set ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf then DO NOT
# PLACE YOUR EXTERNAL INTERFACE'S PRIMARY IP
# ADDRESS IN THIS COLUMN -- If you do so, you
# will loose your default route when Shorewall
# starts.
#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin
# range by connection. The range is specified by
# <first ip in range>-<last ip in range>.
#
# Example: 206.124.146.177-206.124.146.180
#
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
#
# Where a comma-separated list is given, your
# kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# listed.
#
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# eth0 eth1
#
# or
#
# eth0 192.168.0.0/24
#
# Example 2:
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
#
# eth0 192.168.1.0/24
#
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# eth0:0 192.168.1.0/24 206.124.146.176
#
# Example 5:
#
# You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address
# 206.124.146.176.
#
# eth0 eth1 206.124.146.177 tcp smtp
# eth0 eth1 206.124.146.176
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
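Review bot: two worked examples in this file contain address typos that change their meaning and should be fixed wherever the file lives on. The exclusion example's text says traffic from `196.168.32.0/27` is exempt while the entry lists 192.168.32.0/27, and Example 3's entry `ipsec0:10.1.1.0/24 196.168.1.0/24` masquerades a different, public /24 than the 192.168.1.0/24 its description names; a user who copies the entry NATs the wrong subnet. Also 'loose your default route' should be 'lose', and Example 4 repeats 'added to be added'.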
@ -1,21 +0,0 @@
##############################################################################
# Shorewall 2.0 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#

loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc

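Review bot: the list loads the ftp, tftp and irc conntrack and NAT helpers unconditionally. These helpers parse application payload in order to open the related connections they expect, which widens what the firewall accepts without any rule saying so; a replacement module list should load only the helpers for protocols that are actually relayed through this firewall, and the file should say which entries are optional.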
@ -1,37 +0,0 @@
##############################################################################
#
# Shorewall 2.0 -- Network Address Translation Table
#
# /etc/shorewall/nat
#
# This file is used to define one-to-one Network Address Translation
# (NAT).
#
# WARNING: If all you want to do is simple port forwarding, do NOT use this
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# cases, Proxy ARP is a better solution that one-to-one NAT.
#
# Columns must be separated by white space and are:
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column and must not be a DNS Name.
# INTERFACE Interface that you want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias
# with this name (e.g., "eth0:0"). That allows you to
# see the alias with ifconfig. THAT IS THE ONLY THING
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
# INTERNAL Internal Address (must not be a DNS Name).
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE
# column
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
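Review bot: no entries, so removal is safe at runtime. If the header text is kept anywhere else, fix 'a better solution that one-to-one NAT' (than), 'you want to EXTERNAL address' (the), and 'SHORWALL'. The warning that steers port-forwarding users away from this file and toward the rules file is the most useful line here and should survive in any replacement.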
@ -1,25 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
# net $NET_IF $NET_BCAST $NET_OPTIONS
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 routefilter,norfc1918
#
##############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
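Review bot: no entries, so removal is safe. The examples use shell assignment syntax and `$NET_IF` expansion, that is, this file is sourced by the firewall scripts as shell code, so any replacement must stay root-owned and not group or world writable; whoever can edit it runs commands as root on the next `shorewall start`. That constraint is worth a line in the header.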
@ -1,89 +0,0 @@
#
# Shorewall 2.0 -- Policy File
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or destination
# zone in those rules is a superset of
# the SOURCE or DEST in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set up
# any infrastructure to handle such
# packets and you may not have any rules
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# undefined. NONE may not be used if the
# SOURCE or DEST columns contain the
# firewall zone ($FW) or "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
# then that action will be invoked before the policy named in
# this column is inforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "-" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT
net all DROP ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw net ACCEPT

#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT ULOG
#LAST LINE -- DO NOT REMOVE
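Review bot: the comment block and the live entries disagree on logging. The text says dropped and rejected connections are logged 'at syslog level KERNEL.INFO', but `net all DROP ULOG` and `all all REJECT ULOG` log through the ULOG target, which only produces a record when ulogd is running; if the file is kept elsewhere, make the comment match the entries and restore the missing item c) in the a/b/d list. Also `#fw net ACCEPT` uses the literal `fw` where the SOURCE column description asks for `$FW`, so it only works while FW=fw in shorewall.conf. Typo: 'inforced' should be 'enforced'.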
@ -1,44 +0,0 @@
##############################################################################
#
# Shorewall 2.0 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#
# This file is used to define Proxy ARP.
#
# Columns must be separated by white space and are:
#
# ADDRESS IP Address
#
# INTERFACE Local interface where system is connected. If the
# local interface is obvious from the subnetting,
# you may enter "-" in this column.
#
# EXTERNAL External Interface to be used to access this system
#
# HAVEROUTE If there is already a route from the firewall to
# the host whose address is given, enter "Yes" or "yes"
# in this column. Otherwise, entry "no", "No" or leave
# the column empty and Shorewall will add the route for
# you. If Shorewall adds the route,the route will be
# persistent if the PERSISTENT column contains Yes;
# otherwise, "shorewall stop" or "shorewall clear" will
# delete the route.
#
# PERSISTENT If HAVEROUTE is No or "no", then the value of this
# column determines if the route added by Shorewall
# persists after a "shorewall stop" or a "shorewall
# clear". If this column contains "Yes" or "yes" then
# the route persists; If the column is empty or contains
# "No"or "no" then the route is deleted at "shorewall
# stop" or "shorewall clear".
#
# Example: Host with IP 155.186.235.6 is connected to
# interface eth1 and we want hosts attached via eth0
# to be able to access it using that address.
#
# #ADDRESS INTERFACE EXTERNAL
# 155.186.235.6 eth1 eth0
##############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
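Review bot: no entries, so removal is safe. In the header, 'Otherwise, entry "no"' should read 'enter "no"', and 'route,the route' and '"No"or' are missing spaces. The example shows only the first three columns while the live header has five; since an empty HAVEROUTE means Shorewall adds a route and, with PERSISTENT empty, deletes it again at `shorewall stop`, the example would be clearer with all five columns filled in.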
@ -1,31 +0,0 @@
##############################################################################
#
# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#
# This file is used to define the hosts that are accessible when the
# firewall is stopped
#
# Columns must be separated by white space and are:
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
# these hosts back to themselves.
#
# Example:
#
# INTERFACE HOST(S) OPTIONS
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
##############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
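Review bot: shipping this file with no entries is the safe default and any replacement should keep it that way. Per the HOST(S) description, an interface with an empty host column means 0.0.0.0/0, so a line such as `eth0` on its own would leave the firewall reachable from every host on the external interface whenever it is stopped. The example `eth2 192.168.1.0/24` (an inside subnet) is the right pattern, and `eth0 192.0.2.44` shows a single external admin host, which is the most that should be opened on the internet side.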
@ -1,335 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall version 2.0 - Rules File
|
|
||||||
#
|
|
||||||
# /etc/shorewall/rules
|
|
||||||
#
|
|
||||||
# Rules in this file govern connection establishment. Requests and
|
|
||||||
# responses are automatically allowed using connection tracking. For any
|
|
||||||
# particular (source,dest) pair of zones, the rules are evaluated in the
|
|
||||||
# order in which they appear in this file and the first match is the one
|
|
||||||
# that determines the disposition of the request.
|
|
||||||
#
|
|
||||||
# In most places where an IP address or subnet is allowed, you
|
|
||||||
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
|
|
||||||
# indicate that the rule matches all addresses except the address/subnet
|
|
||||||
# given. Notice that no white space is permitted between "!" and the
|
|
||||||
# address/subnet.
|
|
||||||
#------------------------------------------------------------------------------
|
|
||||||
# WARNING: If you masquerade or use SNAT from a local system to the internet,
|
|
||||||
# you cannot use an ACCEPT rule to allow traffic from the internet to
|
|
||||||
# that system. You *must* use a DNAT rule instead.
|
|
||||||
#-------------------------------------------------------------------------------#
|
|
||||||
# Columns are:
|
|
||||||
#
|
|
||||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
|
||||||
# LOG, QUEUE or an <action>.
|
|
||||||
#
|
|
||||||
# ACCEPT -- allow the connection request
|
|
||||||
# ACCEPT+ -- like ACCEPT but also excludes the
|
|
||||||
# connection from any subsequent
|
|
||||||
# DNAT[-] or REDIRECT[-] rules
|
|
||||||
# NONAT -- Excludes the connection from any
|
|
||||||
# subsequent DNAT[-] or REDIRECT[-]
|
|
||||||
# rules but doesn't generate a rule
|
|
||||||
# to accept the traffic.
|
|
||||||
# DROP -- ignore the request
|
|
||||||
# REJECT -- disallow the request and return an
|
|
||||||
# icmp-unreachable or an RST packet.
|
|
||||||
# DNAT -- Forward the request to another
|
|
||||||
# system (and optionally another
|
|
||||||
# port).
|
|
||||||
# DNAT- -- Advanced users only.
|
|
||||||
# Like DNAT but only generates the
|
|
||||||
# DNAT iptables rule and not
|
|
||||||
# the companion ACCEPT rule.
|
|
||||||
# REDIRECT -- Redirect the request to a local
|
|
||||||
# port on the firewall.
|
|
||||||
# REDIRECT-
|
|
||||||
# -- Advanced users only.
|
|
||||||
# Like REDIRET but only generates the
|
|
||||||
# REDIRECT iptables rule and not
|
|
||||||
# the companion ACCEPT rule.
|
|
||||||
#
|
|
||||||
# CONTINUE -- (For experts only). Do not process
|
|
||||||
# any of the following rules for this
|
|
||||||
# (source zone,destination zone). If
|
|
||||||
# The source and/or destination IP
|
|
||||||
# address falls into a zone defined
|
|
||||||
# later in /etc/shorewall/zones, this
|
|
||||||
# connection request will be passed
|
|
||||||
# to the rules defined for that
|
|
||||||
# (those) zone(s).
|
|
||||||
# LOG -- Simply log the packet and continue.
|
|
||||||
# QUEUE -- Queue the packet to a user-space
|
|
||||||
# application such as ftwall
|
|
||||||
# (http://p2pwall.sf.net).
|
|
||||||
# <action> -- The name of an action defined in
|
|
||||||
# /etc/shorewall/actions or in
|
|
||||||
# /usr/share/shorewall/actions.std.
|
|
||||||
#
|
|
||||||
# The ACTION may optionally be followed
|
|
||||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
|
||||||
# DNAT:debug). This causes the packet to be
|
|
||||||
# logged at the specified level.
|
|
||||||
#
|
|
||||||
# You may also specify ULOG (must be in upper case) as a
|
|
||||||
# log level.This will log to the ULOG target for routing
|
|
||||||
# to a separate log through use of ulogd
|
|
||||||
# (http://www.gnumonks.org/projects/ulogd).
|
|
||||||
#
|
|
||||||
# Actions specifying logging may be followed by a
|
|
||||||
# log tag (a string of alphanumeric characters)
|
|
||||||
# are appended to the string generated by the
|
|
||||||
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
|
||||||
#
|
|
||||||
# Example: ACCEPT:info:ftp would include 'ftp '
|
|
||||||
# at the end of the log prefix generated by the
|
|
||||||
# LOGPREFIX setting.
|
|
||||||
#
|
|
||||||
# SOURCE Source hosts to which the rule applies. May be a zone
|
|
||||||
# defined in /etc/shorewall/zones, $FW to indicate the
|
|
||||||
# firewall itself, or "all" If the ACTION is DNAT or
|
|
||||||
# REDIRECT, sub-zones of the specified zone may be
|
|
||||||
# excluded from the rule by following the zone name with
|
|
||||||
# "!' and a comma-separated list of sub-zone names.
|
|
||||||
#
|
|
||||||
# When "all" is used either in the SOURCE or DEST column
|
|
||||||
# intra-zone traffic is not affected. You must add
|
|
||||||
# separate rules to handle that traffic.
|
|
||||||
#
|
|
||||||
# Except when "all" is specified, clients may be further
|
|
||||||
# restricted to a list of subnets and/or hosts by
|
|
||||||
# appending ":" and a comma-separated list of subnets
|
|
||||||
# and/or hosts. Hosts may be specified by IP or MAC
|
|
||||||
# address; mac addresses must begin with "~" and must use
|
|
||||||
# "-" as a separator.
|
|
||||||
#
|
|
||||||
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
|
|
||||||
#
|
|
||||||
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
|
|
||||||
# Internet
|
|
||||||
#
|
|
||||||
# loc:192.168.1.1,192.168.1.2
|
|
||||||
# Hosts 192.168.1.1 and
|
|
||||||
# 192.168.1.2 in the local zone.
|
|
||||||
# loc:~00-A0-C9-15-39-78 Host in the local zone with
|
|
||||||
# MAC address 00:A0:C9:15:39:78.
|
|
||||||
#
|
|
||||||
# Alternatively, clients may be specified by interface
|
|
||||||
# by appending ":" to the zone name followed by the
|
|
||||||
# interface name. For example, loc:eth1 specifies a
|
|
||||||
# client that communicates with the firewall system
|
|
||||||
# through eth1. This may be optionally followed by
|
|
||||||
# another colon (":") and an IP/MAC/subnet address
|
|
||||||
# as described above (e.g., loc:eth1:192.168.1.5).
|
|
||||||
#
|
|
||||||
# DEST Location of Server. May be a zone defined in
|
|
||||||
# /etc/shorewall/zones, $FW to indicate the firewall
|
|
||||||
# itself or "all"
|
|
||||||
#
|
|
||||||
# When "all" is used either in the SOURCE or DEST column
|
|
||||||
# intra-zone traffic is not affected. You must add
|
|
||||||
# separate rules to handle that traffic.
|
|
||||||
#
|
|
||||||
# Except when "all" is specified, the server may be
|
|
||||||
# further restricted to a particular subnet, host or
|
|
||||||
# interface by appending ":" and the subnet, host or
|
|
||||||
# interface. See above.
|
|
||||||
#
|
|
||||||
# Restrictions:
|
|
||||||
#
|
|
||||||
# 1. MAC addresses are not allowed.
|
|
||||||
# 2. In DNAT rules, only IP addresses are
|
|
||||||
# allowed; no FQDNs or subnet addresses
|
|
||||||
# are permitted.
|
|
||||||
# 3. You may not specify both an interface and
|
|
||||||
# an address.
|
|
||||||
#
|
|
||||||
# Unlike in the SOURCE column, you may specify a range of
|
|
||||||
# up to 256 IP addresses using the syntax
|
|
||||||
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
|
|
||||||
# the connections will be assigned to addresses in the
|
|
||||||
# range in a round-robin fashion.
|
|
||||||
#
|
|
||||||
# The port that the server is listening on may be
|
|
||||||
# included and separated from the server's IP address by
|
|
||||||
# ":". If omitted, the firewall will not modifiy the
|
|
||||||
# destination port. A destination port may only be
|
|
||||||
# included if the ACTION is DNAT or REDIRECT.
|
|
||||||
#
|
|
||||||
# Example: loc:192.168.1.3:3128 specifies a local
|
|
||||||
# server at IP address 192.168.1.3 and listening on port
|
|
||||||
# 3128. The port number MUST be specified as an integer
|
|
||||||
# and not as a name from /etc/services.
|
|
||||||
#
|
|
||||||
# if the ACTION is REDIRECT, this column needs only to
|
|
||||||
# contain the port number on the firewall that the
|
|
||||||
# request should be redirected to.
|
|
||||||
#
|
|
||||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
|
||||||
# "all".
|
|
||||||
#
|
|
||||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
|
||||||
# names (from /etc/services), port numbers or port
|
|
||||||
# ranges; if the protocol is "icmp", this column is
|
|
||||||
# interpreted as the destination icmp-type(s).
|
|
||||||
#
|
|
||||||
# A port range is expressed as <low port>:<high port>.
|
|
||||||
#
|
|
||||||
# This column is ignored if PROTOCOL = all but must be
|
|
||||||
# entered if any of the following ields are supplied.
|
|
||||||
# In that case, it is suggested that this field contain
|
|
||||||
# "-"
|
|
||||||
#
|
|
||||||
# If your kernel contains multi-port match support, then
|
|
||||||
# only a single Netfilter rule will be generated if in
|
|
||||||
# this list and the CLIENT PORT(S) list below:
|
|
||||||
# 1. There are 15 or less ports listed.
|
|
||||||
# 2. No port ranges are included.
|
|
||||||
# Otherwise, a separate rule will be generated for each
|
|
||||||
# port.
|
|
||||||
#
|
|
||||||
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
|
|
||||||
# any source port is acceptable. Specified as a comma-
|
|
||||||
# separated list of port names, port numbers or port
|
|
||||||
# ranges.
|
|
||||||
#
|
|
||||||
# If you don't want to restrict client ports but need to
|
|
||||||
# specify an ORIGINAL DEST in the next column, then place
|
|
||||||
# "-" in this column.
|
|
||||||
#
|
|
||||||
# If your kernel contains multi-port match support, then
|
|
||||||
# only a single Netfilter rule will be generated if in
|
|
||||||
# this list and the DEST PORT(S) list above:
|
|
||||||
# 1. There are 15 or less ports listed.
|
|
||||||
# 2. No port ranges are included.
|
|
||||||
# Otherwise, a separate rule will be generated for each
|
|
||||||
# port.
|
|
||||||
#
|
|
||||||
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
|
|
||||||
# REDIRECT[-]) If included and different from the IP
|
|
||||||
# address given in the SERVER column, this is an address
|
|
||||||
# on some interface on the firewall and connections to
|
|
||||||
# that address will be forwarded to the IP and port
|
|
||||||
# specified in the DEST column.
|
|
||||||
#
|
|
||||||
# A comma-separated list of addresses may also be used.
|
|
||||||
# This is usually most useful with the REDIRECT target
|
|
||||||
# where you want to redirect traffic destined for
|
|
||||||
# particular set of hosts.
|
|
||||||
#
|
|
||||||
# Finally, if the list of addresses begins with "!" then
|
|
||||||
# the rule will be followed only if the original
|
|
||||||
# destination address in the connection request does not
|
|
||||||
# match any of the addresses listed.
|
|
||||||
#
|
|
||||||
# The address (list) may optionally be followed by
|
|
||||||
# a colon (":") and a second IP address. This causes
|
|
||||||
# Shorewall to use the second IP address as the source
|
|
||||||
# address in forwarded packets. See the Shorewall
|
|
||||||
# documentation for restrictions concerning this feature.
|
|
||||||
# If no source IP address is given, the original source
|
|
||||||
# address is not altered.
|
|
||||||
#
|
|
||||||
# RATE LIMIT You may rate-limit the rule by placing a value in
|
|
||||||
# this colume:
|
|
||||||
#
|
|
||||||
# <rate>/<interval>[:<burst>]
|
|
||||||
#
|
|
||||||
# where <rate> is the number of connections per
|
|
||||||
# <interval> ("sec" or "min") and <burst> is the
|
|
||||||
# largest burst permitted. If no <burst> is given,
|
|
||||||
# a value of 5 is assumed. There may be no
|
|
||||||
# no whitespace embedded in the specification.
|
|
||||||
#
|
|
||||||
# Example: 10/sec:20
|
|
||||||
#
|
|
||||||
# USER/GROUP This column may only be non-empty if the SOURCE is
|
|
||||||
# the firewall itself.
|
|
||||||
#
|
|
||||||
# The column may contain:
|
|
||||||
#
|
|
||||||
# [!][<user name or number>][:<group name or number>]
|
|
||||||
#
|
|
||||||
# When this column is non-empty, the rule applies only
|
|
||||||
# if the program generating the output is running under
|
|
||||||
# the effective <user> and/or <group> specified (or is
|
|
||||||
# NOT running under that id if "!" is given).
|
|
||||||
#
|
|
||||||
# Examples:
|
|
||||||
#
|
|
||||||
# joe #program must be run by joe
|
|
||||||
# :kids #program must be run by a member of
|
|
||||||
# #the 'kids' group
|
|
||||||
# !:kids #program must not be run by a member
|
|
||||||
# #of the 'kids' group
|
|
||||||
#
|
|
||||||
# Example: Accept SMTP requests from the DMZ to the internet
|
|
||||||
#
|
|
||||||
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
|
|
||||||
# # PORT PORT(S) DEST
|
|
||||||
# ACCEPT dmz net tcp smtp
|
|
||||||
#
|
|
||||||
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
# PORT PORT(S) DEST LIMIT
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
#
# Bering specific rules:
# allow loc to fw udp/53 for local/caching DNS servers to work
# allow loc to fw tcp/80 for weblet to work
# allow loc to fw udp/67 and udp/68 for dnsmasq's dhcpd to work
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
ACCEPT loc fw udp 67,68
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
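Review bot: the column header block just above the live rules repeats itself: `# PORT PORT(S) DEST LIMIT GROUP` is followed by `# PORT PORT(S) DEST LIMIT`, a leftover from an older header that no longer matches the `RATE USER/` columns on the line above it. If this rules file is being relocated rather than retired, drop the stale second line there, and keep the three Bering-specific ACCEPT rules (loc to fw udp/53, tcp/80, udp/67,68) next to the comment that explains why they exist; on their own they read as a general loc-to-firewall allow.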
@ -1,695 +0,0 @@
|
|||||||
##############################################################################
|
|
||||||
# /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
|
|
||||||
# match your setup
|
|
||||||
#
|
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
|
||||||
#
|
|
||||||
# This file should be placed in /etc/shorewall
|
|
||||||
#
|
|
||||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
##############################################################################
|
|
||||||
# L O G G I N G
|
|
||||||
##############################################################################
|
|
||||||
#
|
|
||||||
# General note about log levels. Log levels are a method of describing
|
|
||||||
# to syslog (8) the importance of a message and a number of parameters
|
|
||||||
# in this file have log levels as their value.
|
|
||||||
#
|
|
||||||
# Valid levels are:
|
|
||||||
#
|
|
||||||
# 7 debug
|
|
||||||
# 6 info
|
|
||||||
# 5 notice
|
|
||||||
# 4 warning
|
|
||||||
# 3 err
|
|
||||||
# 2 crit
|
|
||||||
# 1 alert
|
|
||||||
# 0 emerg
|
|
||||||
#
|
|
||||||
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
|
||||||
# log messages are generated by NetFilter and are logged using facility
|
|
||||||
# 'kern' and the level that you specifify. If you are unsure of the level
|
|
||||||
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
|
||||||
# number.
|
|
||||||
#
|
|
||||||
# If you have built your kernel with ULOG target support, you may also
|
|
||||||
# specify a log level of ULOG (must be all caps). Rather than log its
|
|
||||||
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
|
||||||
# via the ULOG target which will send them to a process called 'ulogd'.
|
|
||||||
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
|
|
||||||
# configured to log all Shorewall message to their own log file
|
|
||||||
################################################################################
|
|
||||||
#
|
|
||||||
# LOG FILE LOCATION
|
|
||||||
#
|
|
||||||
# This variable tells the /sbin/shorewall program where to look for Shorewall
|
|
||||||
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
|
|
||||||
# /var/log/messages is assumed.
|
|
||||||
#
|
|
||||||
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
|
|
||||||
# look for Shorewall messages.It does NOT control the destination for
|
|
||||||
# these messages. For information about how to do that, see
|
|
||||||
#
|
|
||||||
# http://www.shorewall.net/shorewall_logging.html
|
|
||||||
|
|
||||||
LOGFILE=/var/log/shorewall.log
|
|
||||||
|
|
||||||
#
|
|
||||||
# LOG FORMAT
|
|
||||||
#
|
|
||||||
# Shell 'printf' Formatting template for the --log-prefix value in log messages
|
|
||||||
# generated by Shorewall to identify Shorewall log messages. The supplied
|
|
||||||
# template is expected to accept either two or three arguments; the first is
|
|
||||||
# the chain name, the second (optional) is the logging rule number within that
|
|
||||||
# chain and the third is the ACTION specifying the disposition of the packet
|
|
||||||
# being logged. You must use the %d formatting type for the rule number; if your
|
|
||||||
# template does not contain %d then the rule number will not be included.
|
|
||||||
#
|
|
||||||
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
|
|
||||||
#
|
|
||||||
# LOGFORMAT="fp=%s:%d a=%s "
|
|
||||||
#
|
|
||||||
# If not specified or specified as empty (LOGFORMAT="") then the value
|
|
||||||
# "Shorewall:%s:%s:" is assumed.
|
|
||||||
#
|
|
||||||
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
|
|
||||||
# to but not including the first '%') to find log messages in the 'show log',
|
|
||||||
# 'status' and 'hits' commands. This part should not be omitted (the
|
|
||||||
# LOGFORMAT should not begin with "%") and the leading part should be
|
|
||||||
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
|
|
||||||
|
|
||||||
LOGFORMAT="Shorewall:%s:%s:"
|
|
||||||
|
|
||||||
#
|
|
||||||
# LOG RATE LIMITING
|
|
||||||
#
|
|
||||||
# The next two variables can be used to control the amount of log output
|
|
||||||
# generated. LOGRATE is expressed as a number followed by an optional
|
|
||||||
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
|
|
||||||
# rate at which a particular message will occur. LOGBURST determines the
|
|
||||||
# maximum initial burst size that will be logged. If set empty, the default
|
|
||||||
# value of 5 will be used.
|
|
||||||
#
|
|
||||||
# If BOTH variables are set empty then logging will not be rate-limited.
|
|
||||||
#
|
|
||||||
# Example:
|
|
||||||
#
|
|
||||||
# LOGRATE=10/minute
|
|
||||||
# LOGBURST=5
|
|
||||||
#
|
|
||||||
# For each logging rule, the first time the rule is reached, the packet
|
|
||||||
# will be logged; in fact, since the burst is 5, the first five packets
|
|
||||||
# will be logged. After this, it will be 6 seconds (1 minute divided by
|
|
||||||
# the rate of 10) before a message will be logged from the rule, regardless
|
|
||||||
# of how many packets reach it. Also, every 6 seconds which passes without
|
|
||||||
# matching a packet, one of the bursts will be regained; if no packets hit
|
|
||||||
# the rule for 30 seconds, the burst will be fully recharged; back where
|
|
||||||
# we started.
|
|
||||||
#
|
|
||||||
|
|
||||||
LOGRATE=
|
|
||||||
LOGBURST=
|
|
||||||
|
|
||||||
#
|
|
||||||
# BLACKLIST LOG LEVEL
|
|
||||||
#
|
|
||||||
# Set this variable to the syslogd level that you want blacklist packets logged
|
|
||||||
# (beware of DOS attacks resulting from such logging). If not set, no logging
|
|
||||||
# of blacklist packets occurs.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this section for a description of log levels
|
|
||||||
#
|
|
||||||
BLACKLIST_LOGLEVEL=
|
|
||||||
|
|
||||||
#
|
|
||||||
# LOGGING 'New not SYN' rejects
|
|
||||||
#
|
|
||||||
# This variable only has an effect when NEWNOTSYN=No (see below).
|
|
||||||
#
|
|
||||||
# When a TCP packet that does not have the SYN flag set and the ACK and RST
|
|
||||||
# flags clear then unless the packet is part of an established connection,
|
|
||||||
# it will be rejected by the firewall. If you want these rejects logged,
|
|
||||||
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this section for a description of log levels
|
|
||||||
#
|
|
||||||
# Example: LOGNEWNOTSYN=debug
|
|
||||||
|
|
||||||
|
|
||||||
LOGNEWNOTSYN=ULOG
|
|
||||||
|
|
||||||
#
|
|
||||||
# MAC List Log Level
|
|
||||||
#
|
|
||||||
# Specifies the logging level for connection requests that fail MAC
|
|
||||||
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
|
|
||||||
# such connection requests will not be logged.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this section for a description of log levels
|
|
||||||
#
|
|
||||||
|
|
||||||
MACLIST_LOG_LEVEL=ULOG
|
|
||||||
|
|
||||||
#
|
|
||||||
# TCP FLAGS Log Level
|
|
||||||
#
|
|
||||||
# Specifies the logging level for packets that fail TCP Flags
|
|
||||||
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
|
|
||||||
# such packets will not be logged.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this section for a description of log levels
|
|
||||||
#
|
|
||||||
|
|
||||||
TCP_FLAGS_LOG_LEVEL=ULOG
|
|
||||||
|
|
||||||
#
|
|
||||||
# RFC1918 Log Level
|
|
||||||
#
|
|
||||||
# Specifies the logging level for packets that fail RFC 1918
|
|
||||||
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
|
|
||||||
# RFC1918_LOG_LEVEL=info is assumed.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this section for a description of log levels
|
|
||||||
#
|
|
||||||
|
|
||||||
RFC1918_LOG_LEVEL=ULOG
|
|
||||||
|
|
||||||
#
|
|
||||||
# SMURF Log Level
|
|
||||||
#
|
|
||||||
# Specifies the logging level for smurf packets dropped by the
|
|
||||||
#'nosmurfs' interface option in /etc/shorewall/interfaces and in
|
|
||||||
# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
|
|
||||||
# ) then dropped smurfs are not logged.
|
|
||||||
|
|
||||||
#
|
|
||||||
# See the comment at the top of this section for a description of log levels
|
|
||||||
#
|
|
||||||
|
|
||||||
SMURF_LOG_LEVEL=ULOG
|
|
||||||
|
|
||||||
#
|
|
||||||
# BOGON Log Level
|
|
||||||
#
|
|
||||||
# Specifies the logging level for bogon packets dropped by the
|
|
||||||
#'nobogons' interface option in /etc/shorewall/interfaces and in
|
|
||||||
# /etc/shorewall/hosts. If set to the empty value
|
|
||||||
# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop'
|
|
||||||
# in /usr/share/shorewall/bogons are logged at the 'info' level.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this section for a description of log levels
|
|
||||||
#
|
|
||||||
|
|
||||||
BOGON_LOG_LEVEL=ULOG
|
|
||||||
################################################################################
|
|
||||||
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
|
|
||||||
################################################################################
|
|
||||||
#
|
|
||||||
# PATH - Change this if you want to change the order in which Shorewall
|
|
||||||
# searches directories for executable files.
|
|
||||||
#
|
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
|
||||||
|
|
||||||
#
|
|
||||||
# SHELL
|
|
||||||
#
|
|
||||||
# The firewall script is normally interpreted by /bin/sh. If you wish to change
|
|
||||||
# the shell used to interpret that script, specify the shell here.
|
|
||||||
|
|
||||||
SHOREWALL_SHELL=/bin/sh
|
|
||||||
|
|
||||||
# SUBSYSTEM LOCK FILE
|
|
||||||
#
|
|
||||||
# Set this to the name of the lock file expected by your init scripts. For
|
|
||||||
# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
|
|
||||||
# use lock files, set this to "".
|
|
||||||
#
|
|
||||||
|
|
||||||
SUBSYSLOCK=/var/run/shorewall
|
|
||||||
|
|
||||||
#
|
|
||||||
# SHOREWALL TEMPORARY STATE DIRECTORY
|
|
||||||
#
|
|
||||||
# This is the directory where the firewall maintains state information while
|
|
||||||
# it is running
|
|
||||||
#
|
|
||||||
|
|
||||||
STATEDIR=/var/state/shorewall
|
|
||||||
|
|
||||||
#
|
|
||||||
# KERNEL MODULE DIRECTORY
|
|
||||||
#
|
|
||||||
# If your netfilter kernel modules are in a directory other than
|
|
||||||
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
|
|
||||||
# directory in this variable. Example: MODULESDIR=/etc/modules.
|
|
||||||
|
|
||||||
MODULESDIR=
|
|
||||||
|
|
||||||
#
|
|
||||||
# CONFIGURATION SEARCH PATH
|
|
||||||
#
|
|
||||||
# This option holds a list of directory names separated by colons
|
|
||||||
# (":"). Shorewall will search each directory in turn when looking for a
|
|
||||||
# configuration file. When processing a 'try' command or a command
|
|
||||||
# containing the "-c" option, Shorewall will automatically add the
|
|
||||||
# directory specified in the command to the front of this list.
|
|
||||||
#
|
|
||||||
# If not specified or specified as null ("CONFIG_PATH=""),
|
|
||||||
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
|
|
||||||
|
|
||||||
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
|
|
||||||
|
|
||||||
#
|
|
||||||
# RESTORE SCRIPT
|
|
||||||
#
|
|
||||||
# This option determines the script to be run in the following cases:
|
|
||||||
#
|
|
||||||
# shorewall -f start
|
|
||||||
# shorewall restore
|
|
||||||
# shorewall save
|
|
||||||
# shorewall forget
|
|
||||||
# Failure of shorewall start or shorewall restart
|
|
||||||
#
|
|
||||||
# The value of the option must be the name of an executable file in the
|
|
||||||
# directory /var/lib/shorewall. If this option is not set or if it is
|
|
||||||
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
|
|
||||||
# assumed.
|
|
||||||
|
|
||||||
RESTOREFILE=
|
|
||||||
################################################################################
|
|
||||||
# F I R E W A L L O P T I O N S
|
|
||||||
################################################################################
|
|
||||||
|
|
||||||
# NAME OF THE FIREWALL ZONE
|
|
||||||
#
|
|
||||||
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
|
|
||||||
# is assumed.
|
|
||||||
#
|
|
||||||
FW=fw
|
|
||||||
|
|
||||||
#
|
|
||||||
# ENABLE IP FORWARDING
|
|
||||||
#
|
|
||||||
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
|
|
||||||
# say "Off" or "off", packet forwarding will be disabled. You would only want
|
|
||||||
# to disable packet forwarding if you are installing Shorewall on a
|
|
||||||
# standalone system or if you want all traffic through the Shorewall system
|
|
||||||
# to be handled by proxies.
|
|
||||||
#
|
|
||||||
# If you set this variable to "Keep" or "keep", Shorewall will neither
|
|
||||||
# enable nor disable packet forwarding.
|
|
||||||
#
|
|
||||||
IP_FORWARDING=On
|
|
||||||
|
|
||||||
#
|
|
||||||
# AUTOMATICALLY ADD NAT IP ADDRESSES
|
|
||||||
#
|
|
||||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
|
|
||||||
# for each NAT external address that you give in /etc/shorewall/nat. If you say
|
|
||||||
# "No" or "no", you must add these aliases youself.
|
|
||||||
#
|
|
||||||
ADD_IP_ALIASES=Yes
|
|
||||||
|
|
||||||
#
|
|
||||||
# AUTOMATICALLY ADD SNAT IP ADDRESSES
|
|
||||||
#
|
|
||||||
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
|
|
||||||
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
|
|
||||||
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
|
|
||||||
# you are sure that you need it -- most people don't!!!
|
|
||||||
#
|
|
||||||
ADD_SNAT_ALIASES=No
|
|
||||||
|
|
||||||
#
|
|
||||||
# ENABLE TRAFFIC SHAPING
|
|
||||||
#
|
|
||||||
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
|
|
||||||
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
|
|
||||||
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
|
|
||||||
# you must enable packet mangling above.
|
|
||||||
#
|
|
||||||
TC_ENABLED=No
|
|
||||||
|
|
||||||
#
|
|
||||||
# Clear Traffic Shapping/Control
|
|
||||||
#
|
|
||||||
# If this option is set to 'No' then Shorewall won't clear the current
|
|
||||||
# traffic control rules during [re]start. This setting is intended
|
|
||||||
# for use by people that prefer to configure traffic shaping when
|
|
||||||
# the network interfaces come up rather than when the firewall
|
|
||||||
# is started. If that is what you want to do, set TC_ENABLED=Yes and
|
|
||||||
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
|
|
||||||
# way, your traffic shaping rules can still use the 'fwmark'
|
|
||||||
# classifier based on packet marking defined in /etc/shorewall/tcrules.
|
|
||||||
#
|
|
||||||
# If omitted, CLEAR_TC=Yes is assumed.
|
|
||||||
|
|
||||||
CLEAR_TC=Yes
|
|
||||||
|
|
||||||
#
|
|
||||||
# Mark Packets in the forward chain
|
|
||||||
#
|
|
||||||
# When processing the tcrules file, Shorewall normally marks packets in the
|
|
||||||
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
|
|
||||||
# this to "Yes". If not specified or if set to the empty value (e.g.,
|
|
||||||
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
|
|
||||||
#
|
|
||||||
# Marking packets in the FORWARD chain has the advantage that inbound
|
|
||||||
# packets destined for Masqueraded/SNATed local hosts have had their destination
|
|
||||||
# address rewritten so they can be marked based on their destination. When
|
|
||||||
# packets are marked in the PREROUTING chain, packets destined for
|
|
||||||
# Masqueraded/SNATed local hosts still have a destination address corresponding
|
|
||||||
# to the firewall's external interface.
|
|
||||||
#
|
|
||||||
# Note: Older kernels do not support marking packets in the FORWARD chain and
|
|
||||||
# setting this variable to Yes may cause startup problems.
|
|
||||||
|
|
||||||
MARK_IN_FORWARD_CHAIN=No
|
|
||||||
|
|
||||||
#
|
|
||||||
# MSS CLAMPING
|
|
||||||
#
|
|
||||||
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
|
|
||||||
# option. This option is most commonly required when your internet
|
|
||||||
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
|
|
||||||
# have CONFIG_IP_NF_TARGET_TCPMSS set.
|
|
||||||
#
|
|
||||||
# [From the kernel help:
|
|
||||||
#
|
|
||||||
# This option adds a `TCPMSS' target, which allows you to alter the
|
|
||||||
# MSS value of TCP SYN packets, to control the maximum size for that
|
|
||||||
# connection (usually limiting it to your outgoing interface's MTU
|
|
||||||
# minus 40).
|
|
||||||
#
|
|
||||||
# This is used to overcome criminally braindead ISPs or servers which
|
|
||||||
# block ICMP Fragmentation Needed packets. The symptoms of this
|
|
||||||
# problem are that everything works fine from your Linux
|
|
||||||
# firewall/router, but machines behind it can never exchange large
|
|
||||||
# packets:
|
|
||||||
# 1) Web browsers connect, then hang with no data received.
|
|
||||||
# 2) Small mail works fine, but large emails hang.
|
|
||||||
# 3) ssh works fine, but scp hangs after initial handshaking.
|
|
||||||
# ]
|
|
||||||
#
|
|
||||||
# If left blank, or set to "No" or "no", the option is not enabled.
|
|
||||||
#
|
|
||||||
CLAMPMSS=No
|
|
||||||
|
|
||||||
#
|
|
||||||
# ROUTE FILTERING
|
|
||||||
#
|
|
||||||
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
|
|
||||||
# interfaces started while Shorewall is started (anti-spoofing measure).
|
|
||||||
#
|
|
||||||
# If this variable is not set or is set to the empty value, "No" is assumed.
|
|
||||||
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
|
|
||||||
# on individual interfaces using the 'routefilter' option in the
|
|
||||||
# /etc/shorewall/interfaces file.
|
|
||||||
|
|
||||||
ROUTE_FILTER=No
|
|
||||||
|
|
||||||
# DNAT IP ADDRESS DETECTION
|
|
||||||
#
|
|
||||||
# Normally when Shorewall encounters the following rule:
|
|
||||||
#
|
|
||||||
# DNAT net loc:192.168.1.3 tcp 80
|
|
||||||
#
|
|
||||||
# it will forward TCP port 80 connections from the net to 192.168.1.3
|
|
||||||
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
|
|
||||||
# convenient for two reasons:
|
|
||||||
#
|
|
||||||
# a) If the the network interface has a dynamic IP address, the
|
|
||||||
# firewall configuration will work even when the address
|
|
||||||
# changes.
|
|
||||||
#
|
|
||||||
# b) It saves having to configure the IP address in the rule
|
|
||||||
# while still allowing the firewall to be started before the
|
|
||||||
# internet interface is brought up.
|
|
||||||
#
|
|
||||||
# This default behavior can also have a negative effect. If the
|
|
||||||
# internet interface has more than one IP address then the above
|
|
||||||
# rule will forward connection requests on all of these addresses;
|
|
||||||
# that may not be what is desired.
|
|
||||||
#
|
|
||||||
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
|
|
||||||
# only if the original destination address is the primary IP address of
|
|
||||||
# one of the interfaces associated with the source zone. Note that this
|
|
||||||
# requires all interfaces to the source zone to be up when the firewall
|
|
||||||
# is [re]started.
|
|
||||||
|
|
||||||
DETECT_DNAT_IPADDRS=No
|
|
||||||
|
|
||||||
#
|
|
||||||
# MUTEX TIMEOUT
|
|
||||||
#
|
|
||||||
# The value of this variable determines the number of seconds that programs
|
|
||||||
# will wait for exclusive access to the Shorewall lock file. After the number
|
|
||||||
# of seconds corresponding to the value of this variable, programs will assume
|
|
||||||
# that the last program to hold the lock died without releasing the lock.
|
|
||||||
#
|
|
||||||
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
|
|
||||||
#
|
|
||||||
# An appropriate value for this parameter would be twice the length of time
|
|
||||||
# that it takes your firewall system to process a "shorewall restart" command.
|
|
||||||
|
|
||||||
MUTEX_TIMEOUT=60
|
|
||||||
|
|
||||||
#
|
|
||||||
# NEWNOTSYN
|
|
||||||
#
|
|
||||||
# TCP connections are established using the familiar three-way "handshake":
|
|
||||||
#
|
|
||||||
# CLIENT SERVER
|
|
||||||
#
|
|
||||||
# SYN-------------------->
|
|
||||||
# <------------------SYN,ACK
|
|
||||||
# ACK-------------------->
|
|
||||||
#
|
|
||||||
# The first packet in that exchange (packet with the SYN flag on and the ACK
|
|
||||||
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
|
|
||||||
# A packet is said to be NEW if it is not part of or related to an already
|
|
||||||
# established connection.
|
|
||||||
#
|
|
||||||
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
|
|
||||||
# SYN off or with ACK or RST on) that are not associated with an already
|
|
||||||
# established connection.
|
|
||||||
#
|
|
||||||
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
|
|
||||||
# part of an already established connection will be dropped by the
|
|
||||||
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
|
|
||||||
# logged before they are dropped.
|
|
||||||
#
|
|
||||||
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
|
|
||||||
# dropped but will pass through the normal rule/policy processing.
|
|
||||||
#
|
|
||||||
# Users with a High-availability setup with two firewall's and one acting
|
|
||||||
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
|
|
||||||
# also need to select NEWNOTSYN=Yes.
|
|
||||||
#
|
|
||||||
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
|
|
||||||
# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
|
|
||||||
# network or host basis using the same option in /etc/shorewall/hosts.
|
|
||||||
|
|
||||||
#
|
|
||||||
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
|
|
||||||
# connections because any network timeout during TCP session tear down
|
|
||||||
# results in retries being dropped (Netfilter has removed the
|
|
||||||
# connection from the conntrack table but the end-points haven't
|
|
||||||
# completed shutting down the connection). I therefore have chosen
|
|
||||||
# NEWNOTSYN=Yes as the default value.
|
|
||||||
|
|
||||||
NEWNOTSYN=Yes
|
|
||||||
|
|
||||||
#
|
|
||||||
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
|
|
||||||
#
|
|
||||||
# Normally, when a "shorewall stop" command is issued or an error occurs during
|
|
||||||
# the execution of another shorewall command, Shorewall puts the firewall into
|
|
||||||
# a state where only traffic to/from the hosts listed in
|
|
||||||
# /etc/shorewall/routestopped is accepted.
|
|
||||||
#
|
|
||||||
# When performing remote administration on a Shorewall firewall, it is
|
|
||||||
# therefore recommended that the IP address of the computer being used for
|
|
||||||
# administration be added to the firewall's /etc/shorewall/routestopped file.
|
|
||||||
#
|
|
||||||
# Some administrators have a hard time remembering to do this with the result
|
|
||||||
# that they get to drive across town in the middle of the night to restart
|
|
||||||
# a remote firewall (or worse, they have to get someone out of bed to drive
|
|
||||||
# across town to restart a very remote firewall).
|
|
||||||
#
|
|
||||||
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
|
|
||||||
# when the firewall enters the 'stopped' state:
|
|
||||||
#
|
|
||||||
# All traffic that is part of or related to established connections is still
|
|
||||||
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
|
|
||||||
# to and from hosts listed in /etc/shorewall/routestopped.
|
|
||||||
#
|
|
||||||
# If this variable is not set or it is set to the null value then
|
|
||||||
# ADMINISABSENTMINDED=No is assumed.
|
|
||||||
#
|
|
||||||
ADMINISABSENTMINDED=Yes
|
|
||||||
|
|
||||||
#
|
|
||||||
# BLACKLIST Behavior
|
|
||||||
#
|
|
||||||
# Shorewall offers two types of blacklisting:
|
|
||||||
#
|
|
||||||
# - static blacklisting through the /etc/shorewall/blacklist file together
|
|
||||||
# with the 'blacklist' interface option.
|
|
||||||
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
|
|
||||||
#
|
|
||||||
# The following variable determines whether the blacklist is checked for each
|
|
||||||
# packet or for each new connection.
|
|
||||||
#
|
|
||||||
# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
|
|
||||||
# requests
|
|
||||||
#
|
|
||||||
# BLACKLISTNEWONLY=No Consult blacklists for all packets.
|
|
||||||
#
|
|
||||||
# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
|
|
||||||
# BLACKLISTNEWONLY=No is assumed.
|
|
||||||
#
|
|
||||||
BLACKLISTNEWONLY=Yes
|
|
||||||
|
|
||||||
# MODULE NAME SUFFIX
|
|
||||||
#
|
|
||||||
# When loading a module named in /etc/shorewall/modules, Shorewall normally
|
|
||||||
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
|
|
||||||
# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a
|
|
||||||
# different naming convention then you can specify the suffix (extension) for
|
|
||||||
# module names in this variable.
|
|
||||||
#
|
|
||||||
# To see what suffix is used by your distribution:
|
|
||||||
#
|
|
||||||
# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
|
|
||||||
#
|
|
||||||
# All of the file names listed should have the same suffix (extension). Set
|
|
||||||
# MODULE_SUFFIX to that suffix.
|
|
||||||
#
|
|
||||||
# Examples:
|
|
||||||
#
|
|
||||||
# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
|
|
||||||
# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
|
|
||||||
#
|
|
||||||
|
|
||||||
MODULE_SUFFIX=
|
|
||||||
|
|
||||||
#
|
|
||||||
# DISABLE IPV6
|
|
||||||
#
|
|
||||||
# Distributions (notably SuSE) are beginning to ship with IPV6
|
|
||||||
# enabled. If you are not using IPV6, you are at risk of being
|
|
||||||
# exploited by users who do. Setting DISABLE_IPV6=Yes will cause
|
|
||||||
# Shorewall to disable IPV6 traffic to/from and through your
|
|
||||||
# firewall system. This requires that you have ip6tables installed.
|
|
||||||
# Should be set to "No" for LEAF/LRP
|
|
||||||
|
|
||||||
DISABLE_IPV6=No
|
|
||||||
|
|
||||||
#
|
|
||||||
# BRIDGING
|
|
||||||
#
|
|
||||||
# If you wish to control traffic through a bridge (see http://bridge.sf.net),
|
|
||||||
# then set BRIDGING=Yes. Your kernel must have the physdev match option
|
|
||||||
# enabled; that option is available at the above URL for 2.4 kernels and
|
|
||||||
# is included as a standard part of the 2.6 series kernels. If not
|
|
||||||
# specified or specified as empty (BRIDGING="") then "No" is assumed.
|
|
||||||
#
|
|
||||||
|
|
||||||
BRIDGING=No
|
|
||||||
|
|
||||||
#
|
|
||||||
# DYNAMIC ZONES
|
|
||||||
#
|
|
||||||
# If you need to be able to add and delete hosts from zones dynamically then
|
|
||||||
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
|
|
||||||
|
|
||||||
DYNAMIC_ZONES=No
|
|
||||||
|
|
||||||
#
|
|
||||||
# USE PKTTYPE MATCH
|
|
||||||
#
|
|
||||||
# Some users have reported problems with the PKTTYPE match extension not being
|
|
||||||
# able to match certain broadcast packets.
|
|
||||||
#
|
|
||||||
# Other users have complained of the following message when
|
|
||||||
# starting Shorewall:
|
|
||||||
#
|
|
||||||
# modprobe: cant locate module ipt_pkttype
|
|
||||||
#
|
|
||||||
# If you set PKTTYPE=No then Shorewallwill use IP addresses to detect
|
|
||||||
# broadcasts rather than pkttype. If not given or if given as empty
|
|
||||||
# (PKTTYPE="") then PKTTYPE=Yes is assumed.
|
|
||||||
|
|
||||||
PKTTYPE=Yes
|
|
||||||
|
|
||||||
#
|
|
||||||
# DROP INVALID PACKETS
|
|
||||||
#
|
|
||||||
# Netfilter classifies packets relative to its connection tracking table into
|
|
||||||
# four states:
|
|
||||||
#
|
|
||||||
# NEW - thes packet initiates a new connection
|
|
||||||
# ESTABLISHED - thes packet is part of an established connection
|
|
||||||
# RELATED - thes packet is related to an established connection; it may
|
|
||||||
# establish a new connection
|
|
||||||
# INVALID - the packet does not related to the table in any sensible way.
|
|
||||||
#
|
|
||||||
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
# Window analysis. This can cause packets that were previously classified as
# NEW or ESTABLISHED to be classified as INVALID.
#
# The new kernel code can be disabled by including this command in your
# /etc/shorewall/init file:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#
# Additional kernel logging about INVALID TCP packets may be obtained by
# adding this command to /etc/shorewall/init:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
#
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
# option allows INVALID packets to be passed through the normal rules chains by
# setting DROPINVALID=No.
#
# If not specified or if specified as empty (e.g., DROPINVALID="") then
# DROPINVALID=Yes is assumed.

DROPINVALID=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#

BLACKLIST_DISPOSITION=DROP

#
# MAC List Disposition
#
# This variable determines the disposition of connection requests arriving
# on interfaces that have the 'maclist' option and that are from a device
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed

MACLIST_DISPOSITION=REJECT

#
# TCP FLAGS Disposition
#
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces or in
# /etc/shorewall/hosts. If not specified or specified as empty
# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.

TCP_FLAGS_DISPOSITION=DROP

#LAST LINE -- DO NOT REMOVE
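Review bot: the shipped value in this hunk is `DROPINVALID=No`, while the comment directly above it states that `DROPINVALID=Yes` is assumed when the option is unset or empty; the removed LEAF copy of shorewall.conf therefore let INVALID TCP packets through to the normal rules chains rather than dropping them early. Since this commit deletes the file, confirm that whatever configuration now supersedes it documents the same choice (or the Yes default) explicitly, so the removal does not silently change which packets reach the rules chains.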
@ -1,10 +0,0 @@
############################################################################
# Shorewall 2.0 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
for file in /etc/shorewall/start.d/* ; do
run_user_exit $file
done

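Review bot: the loop `for file in /etc/shorewall/start.d/* ; do run_user_exit $file; done` has no guard for an empty or absent start.d directory, so with an unmatched glob the literal string `/etc/shorewall/start.d/*` is handed to run_user_exit, and `$file` is unquoted. The stop hunk that follows has the identical loop over /etc/shorewall/stop.d. If this logic is retained anywhere after the removal, test the entry inside the loop (`[ -f "$file" ] && run_user_exit "$file"`) and quote the variable.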
@ -1,10 +0,0 @@
############################################################################
# Shorewall 2.0 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
for file in /etc/shorewall/stop.d/* ; do
run_user_exit $file
done

@ -1,6 +0,0 @@
#
# Shorewall 2.0 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#
@ -1,83 +0,0 @@
#
# Shorewall version 2.0 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing.
#
# I M P O R T A N T ! ! ! !
#
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
#
# Unlike rules in the /etc/shorewall/rules file, evaluation
# of rules in this file will continue after a match. So the
# final mark for each packet will be the one assigned by the
# LAST tcrule that matches.
#
# Columns are:
#
#
# MARK The mark value which is an
# integer in the range 1-255
#
# May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking
# should occur in the FORWARD chain. If neither
# ":P" nor ":F" follow the mark value then the chain is
# determined by the setting of MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf.
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses
# and/or subnets. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain).
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Destination of the packet. Comma separated list of
# IP addresses and/or subnets.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# or "all".
#
# PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following field is supplied.
# In that case, it is suggested that this field contain
# "-"
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# USER This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective user and/or group.
#
# It may contain :
#
# [<user name or number>]:[<group name or number>]
#
# The colon is optionnal when specifying only a user.
# Examples : john: / john / :users / john:users
#
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,52 +0,0 @@
#
# Shorewall 2.0 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
# Columns are:
#
# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address, a MAC address, a subnet
# specification or the name of an interface.
#
# Example: loc:192.168.2.3
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address or a subnet specification
#
# Example: loc:192.168.2.3
#
# PROTOCOL Protocol.
#
# SOURCE PORTS Source port or port range. If all ports, use "-".
#
# DEST PORTS Destination port or port range. If all ports, use "-"
#
# TOS Type of service. Must be one of the following:
#
# Minimize-Delay (16)
# Maximize-Throughput (8)
# Maximize-Reliability (4)
# Minimize-Cost (2)
# Normal-Service (0)
#
##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
all all tcp - 22 16
all all tcp 22 - 16
all all tcp - 21 16
all all tcp 21 - 16
all all tcp 20 - 8
all all tcp - 20 8
#LAST LINE -- Add your entries above -- DO NOT REMOVE
@ -1,110 +0,0 @@
#
# Shorewall 2.0 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
# IPIP, GRE and OPENVPN tunnels must be configured on the
# firewall/gateway itself. IPSEC endpoints may be defined
# on the firewall/gateway or on an internal system.
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
#
# If the type is "ipsec" or "ipsecnat", it may be followed
# by ":noah" to indicate that the Authentication Header
# protocol (51) is not used by the tunnel.
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no
# ":" and port number are included, then the default port
# of 5000 will be used
#
# If type is "generic", it must be followed by ":" and
# a protocol name (from /etc/protocols) or a protocol
# number. If the protocol is "tcp" or "udp" (6 or 17),
# then it may optionally be followed by ":" and a
# port number.
#
# ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet
# zone.
#
# GATEWAY -- The IP address of the remote tunnel gateway. If the
# remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0.
#
# GATEWAY
# ZONES -- Optional. If the gateway system specified in the third
# column is a standalone host then this column should
# contain a comma-separated list of the names of the
# zones that the host might be in. This column only
# applies to IPSEC and generic tunnels.
#
# Example 1:
#
# IPSec tunnel. The remote gateway is 4.33.99.124 and
# the remote subnet is 192.168.9.0/24. The tunnel does
# not use the AH protocol
#
# ipsec:noah net 4.33.99.124
#
# Example 2:
#
# Road Warrior (LapTop that may connect from anywhere)
# where the "gw" zone is used to represent the remote
# LapTop.
#
# ipsec net 0.0.0.0/0 gw
#
# Example 3:
#
# Host 4.33.99.124 is a standalone system connected
# via an ipsec tunnel to the firewall system. The host
# is in zone gw.
#
# ipsec net 4.33.99.124 gw
#
# Example 4:
#
# Road Warriors that may belong to zones vpn1, vpn2 or
# vpn3. The FreeS/Wan _updown script will add the
# host to the appropriate zone using the "shorewall add"
# command on connect and will remove the host from the
# zone at disconnect time.
#
# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
#
# Example 5:
#
# You run the Linux PPTP client on your firewall and
# connect to server 192.0.2.221.
#
# pptpclient net 192.0.2.221
#
# Example 6:
#
# You run a PPTP server on your firewall.
#
# pptpserver net
#
# Example 7:
#
# OPENVPN tunnel. The remote gateway is 4.33.99.124 and
# openvpn uses port 7777.
#
# openvpn:7777 net 4.33.99.124
#
# Example 8:
#
# You have a tunnel that is not one of the supported types.
# Your tunnel uses UDP port 4444. The other end of the
# tunnel is 4.3.99.124.
#
# generic:udp:4444 net 4.3.99.124
#
# TYPE ZONE GATEWAY GATEWAY
# ZONE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,19 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
#dmz DMZ Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
1196
Lrp/sbin/shorewall
File diff suppressed because it is too large
@ -1,10 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowAuth
#
# This action accepts Auth (identd) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,11 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowDNS
#
# This action accepts DNS traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 53
ACCEPT - - tcp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,11 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowFTP
#
# This action accepts FTP traffic. See
# http://www.shorewall.net/FTP.html for additional considerations.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,11 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
#
# This action accepts IMAP traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 143 #Unsecure IMAP
ACCEPT - - tcp 993 #Secure IMAP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,11 +0,0 @@
#
# Shorewall 2.0 /usr/share/shorewall/action.AllowNNTP
#
# This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 119
ACCEPT - - tcp 563
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,10 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowNTP
#
# This action accepts NTP traffic (ntpd).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT - - udp 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
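Review bot: the column header in this hunk (`#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE` / `# PORT PORT(S) DEST LIMIT`) does not match the `USER/GROUP` layout used by every other action.* file in this change; the AllowPOP3 hunk further down carries the same stale `ORIGINAL DEST` header. The single rule `ACCEPT - - udp 123` is unaffected, but if a non-LEAF copy of these two files remains, its header should be brought in line with the others so the last column is not misread.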
@ -1,11 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowPCA
#
# This action accepts PCAnywere (tm)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 5632
ACCEPT - - tcp 5631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,11 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
#
# This action accepts POP3 traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT - - tcp 110 #Unsecure POP3
ACCEPT - - tcp 995 #Secure POP3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,10 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowPing
#
# This action accepts 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,10 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowRdate
#
# This action accepts remote time retrieval (rdate).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,14 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSMB
#
# Allow Microsoft SMB traffic. You need to invoke this action in
# both directions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 135,445
ACCEPT - - udp 137:139
ACCEPT - - udp 1024: 137
ACCEPT - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
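Review bot: the rule `ACCEPT - - udp 1024: 137` accepts any UDP datagram with source port 137 to every destination port from 1024 upward, and the header says the action is meant to be invoked in both directions; that admits far more than NetBIOS name-service replies, since the source port is the only thing checked. Where this action still exists outside the LEAF tree, consider whether connection tracking on the outbound `udp 137:139` rule already covers the replies, which would let the wide `1024:` rule be dropped.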
@ -1,15 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
#
# This action accepts SMTP (email) traffic.
#
# Note: This action allows traffic between an MUA (Email client)
# and an MTA (mail server) or between MTAs. It does not enable
# reading of email via POP3 or IMAP. For those you need to use
# the AllowPOP3 or AllowIMAP actions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,11 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
#
# This action accepts SNMP traffic (including traps):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 161:162
ACCEPT - - tcp 161
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,10 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowSSH
#
# This action accepts secure shell (SSH) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,11 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
#
# This action accepts Telnet traffic. For traffic over the
# internet, telnet is inappropriate; use SSH instead
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 23
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,11 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
#
# This action accepts Traceroute (for up to 30 hops):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - udp 33434:33524 #UDP Traceroute
ACCEPT - - icmp 8 #ICMP Traceroute
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,10 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
#
# This action accepts VNC traffic for VNC display's 0 - 9.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 5900:5909
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,10 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowVNC
#
# This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 5500
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
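Review bot: the header comment in this hunk names `/etc/shorewall/action.AllowVNC`, the same path as the preceding hunk, yet the body is a different file (listen-mode viewers, `ACCEPT - - tcp 5500`, rather than displays 0-9 on 5900:5909); the header was evidently copied from AllowVNC and never updated. This is a deletion, so the only action needed is to check that the surviving counterpart of this listen-mode action, if any, carries its own name in the header rather than AllowVNC.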
@ -1,11 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.AllowWeb
#
# This action accepts WWW traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 80
ACCEPT - - TCP 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
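Review bot: `ACCEPT - - TCP 443` writes the protocol in upper case while the line above it and every other action.* hunk in this change use `tcp`; the name is passed through to the protocol match, so it has worked by tolerance rather than by design. If a non-LEAF action.AllowWeb remains after this removal, make the second rule `ACCEPT - - tcp 443` for consistency with the rest of the files.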
@ -1,16 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.Drop
#
# The default DROP common rules
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
RejectAuth
dropBcast
dropInvalid
DropSMB
DropUPnP
dropNotSyn
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,10 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
#
# This action silently drops DNS UDP replies
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp - 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,10 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropPing
#
# This action silently drops 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,15 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropSMB
#
# This action silently drops Microsoft SMB traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp 135
DROP - - udp 137:139
DROP - - udp 445
DROP - - tcp 135
DROP - - tcp 139
DROP - - tcp 445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,10 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.DropUPnP
#
# This action silently drops UPnP probes on UDP port 1900
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp 1900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,16 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.Reject
#
# The default REJECT action common rules
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
RejectAuth
dropBcast
dropInvalid
RejectSMB
DropUPnP
dropNotSyn
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,10 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.RejectAuth
#
# This action silently rejects Auth (tcp 113) traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
REJECT - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,15 +0,0 @@
#
# Shorewall 2.0 /etc/shorewall/action.RejectSMB
#
# This action silently rejects Microsoft SMB traffic
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
REJECT - - udp 135
REJECT - - udp 137:139
REJECT - - udp 445
REJECT - - tcp 135
REJECT - - tcp 139
REJECT - - tcp 445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -1,160 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 2.0 /etc/shorewall/action.template
|
|
||||||
#
|
|
||||||
# This file is a template for files with names of the form
|
|
||||||
# /etc/shorewall/action.<action-name> where <action> is an
|
|
||||||
# ACTION defined in /etc/shorewall/actions.
|
|
||||||
#
|
|
||||||
# To define a new action:
|
|
||||||
#
|
|
||||||
# 1. Add the <action name> to /etc/shorewall/actions
|
|
||||||
# 2. Copy this file to /etc/shorewall/action.<action name>
|
|
||||||
# 3. Add the desired rules to that file.
|
|
||||||
#
|
|
||||||
# Columns are:
|
|
||||||
#
|
|
||||||
#
|
|
||||||
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
|
|
||||||
# previously-defined <action>
|
|
||||||
#
|
|
||||||
# ACCEPT -- allow the connection request
|
|
||||||
# DROP -- ignore the request
|
|
||||||
# REJECT -- disallow the request and return an
|
|
||||||
# icmp-unreachable or an RST packet.
|
|
||||||
# LOG -- Simply log the packet and continue.
|
|
||||||
# QUEUE -- Queue the packet to a user-space
|
|
||||||
# application such as p2pwall.
|
|
||||||
# CONTINUE -- Discontinue processing this action
|
|
||||||
# and return to the point where the
|
|
||||||
# action was invoked.
|
|
||||||
# <action> -- An <action> defined in
|
|
||||||
# /etc/shorewall/actions. The <action>
|
|
||||||
# must appear in that file BEFORE the
|
|
||||||
# one being defined in this file.
|
|
||||||
#
|
|
||||||
# The TARGET may optionally be followed
|
|
||||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
|
||||||
# ACCEPT:debugging). This causes the packet to be
|
|
||||||
# logged at the specified level.
|
|
||||||
#
|
|
||||||
# You may also specify ULOG (must be in upper case) as a
|
|
||||||
# log level.This will log to the ULOG target for routing
|
|
||||||
# to a separate log through use of ulogd
|
|
||||||
# (http://www.gnumonks.org/projects/ulogd).
|
|
||||||
#
|
|
||||||
# Actions specifying logging may be followed by a
|
|
||||||
# log tag (a string of alphanumeric characters)
|
|
||||||
# are appended to the string generated by the
|
|
||||||
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
|
|
||||||
#
|
|
||||||
# Example: ACCEPT:info:ftp would include 'ftp '
|
|
||||||
# at the end of the log prefix generated by the
|
|
||||||
# LOGPREFIX setting.
|
|
||||||
#
|
|
||||||
# SOURCE Source hosts to which the rule applies.
|
|
||||||
# A comma-separated list of subnets
|
|
||||||
# and/or hosts. Hosts may be specified by IP or MAC
|
|
||||||
# address; mac addresses must begin with "~" and must use
|
|
||||||
# "-" as a separator.
|
|
||||||
#
|
|
||||||
# 192.168.2.2 Host 192.168.2.2
|
|
||||||
#
|
|
||||||
# 155.186.235.0/24 Subnet 155.186.235.0/24
|
|
||||||
#
|
|
||||||
# 192.168.1.1,192.168.1.2
|
|
||||||
# Hosts 192.168.1.1 and
|
|
||||||
# 192.168.1.2.
|
|
||||||
# ~00-A0-C9-15-39-78 Host with
|
|
||||||
# MAC address 00:A0:C9:15:39:78.
|
|
||||||
#
|
|
||||||
# Alternatively, clients may be specified by interface
|
|
||||||
# name. For example, eth1 specifies a
|
|
||||||
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., eth1:192.168.1.5).
#
# DEST Location of Server. Same as above with the exception that
# MAC addresses are not allowed.
#
# Unlike in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# SOURCE PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this column:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
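Review bot: the DEST PORT(S) description refers to "the CLIENT PORT(S) list below", but the column that follows is named SOURCE PORT(S), and the header row at the bottom also labels it SOURCE PORT(S); use one name throughout. In the same passage "This column is ignored if PROTOCOL = all" should say PROTO, the column name used above. The RATE LIMIT text has a duplicated word ("There may be no / no whitespace"), and "15 or less ports" reads better as "15 or fewer ports". If this column documentation is being moved rather than dropped, carry these corrections with it.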
@ -1,53 +0,0 @@
#
# Shorewall 2.0 /usr/share/shorewall/actions.std
#
#
# Builtin Actions are:
#
# dropBcast #Silently Drop Broadcast/multicast
# dropNonSyn #Silently Drop Non-syn TCP packets
# rejNonSyn #Silently Reject Non-syn TCP packets
# logNonSyn #Log Non-syn TCP packets with disposition LOG
# dLogNonSyn #Log Non-syn TCP packets with disposition DROP
# rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
# dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state.
# allowInvalid #Accept packets that are in the INVALID conntrack
# #state
#
# The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
# shorewall.conf. If that option isn't specified then 'info' is used.
#
#ACTION

DropSMB #Silently Drops Microsoft SMB Traffic
RejectSMB #Silently Reject Microsoft SMB Traffic
DropUPnP #Silently Drop UPnP Probes
RejectAuth #Silently Reject Auth
DropPing #Silently Drop Ping
DropDNSrep #Silently Drop DNS Replies

AllowPing #Accept Ping
AllowFTP #Accept FTP
AllowDNS #Accept DNS
AllowSSH #Accept SSH
AllowWeb #Allow Web Browsing
AllowSMB #Allow MS Networking
AllowAuth #Allow Auth (identd)
AllowSMTP #Allow SMTP (Email)
AllowPOP3 #Allow reading mail via POP3
AllowIMAP #Allow reading mail via IMAP
AllowTelnet #Allow Telnet Access (not recommended for use over the
#Internet)
AllowVNC #Allow VNC viewer->server, Displays 0-9
AllowVNCL #Allow VNC server->viewer in listening mode
AllowNTP #Allow Network Time Protocol (ntpd)
AllowRdate #Allow remote time (rdate).
AllowNNTP #Allow network news (Usenet).
AllowTrcrt #Allows Traceroute (20 hops)
AllowSNMP #Allows SNMP (including traps)
AllowPCA #Allows PCAnywhere (tm)

Drop:DROP #Common Action for DROP policy
Reject:REJECT #Common Action for REJECT policy
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
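Review bot: three descriptions say "Silently Reject" (rejNonSyn, RejectSMB, RejectAuth), which contradicts the file's own distinction between Drop and Reject variants of the same action: a REJECT disposition answers the sender, a DROP does not, and that difference is exactly what an administrator choosing between DropSMB and RejectSMB needs to read in these one-line comments. Keep "Silently Drop" for the DROP actions and write "Reject" (or "Reject with an error reply") for the REJECT ones. Minor: the verb form varies between "Drop"/"Drops" and "Allow"/"Allows" (DropSMB, AllowTrcrt, AllowSNMP, AllowPCA); pick one.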
@ -1,70 +0,0 @@
#
# Shorewall 2.0-- Bogons File
#
# /etc/shorewall/bogons
#
# Lists the subnetworks that are blocked by the 'nobogons' interface option.
#
# The default list includes those those ip ADDRESSES listed
# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
# reserved for use in documentation and examples.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed)
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
# logdrop - log then drop
#
###############################################################################
#SUBNET TARGET
0.0.0.0 RETURN # Stop the DHCP whining
255.255.255.255 RETURN # We need to allow limited broadcast
169.254.0.0/16 DROP # DHCP autoconfig
192.0.2.0/24 logdrop # Example addresses (RFC 3330)
#
# The following are generated with the help of the Python program found at:
#
# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
#
# The program was contributed by Andy Wiggin
#
0.0.0.0/7 logdrop # Reserved
2.0.0.0/8 logdrop # Reserved
5.0.0.0/8 logdrop # Reserved
7.0.0.0/8 logdrop # Reserved
23.0.0.0/8 logdrop # Reserved
27.0.0.0/8 logdrop # Reserved
31.0.0.0/8 logdrop # Reserved
36.0.0.0/7 logdrop # Reserved
39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
73.0.0.0/8 logdrop # Reserved
74.0.0.0/7 logdrop # Reserved
76.0.0.0/6 logdrop # Reserved
89.0.0.0/8 logdrop # Reserved
90.0.0.0/7 logdrop # Reserved
92.0.0.0/6 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback
173.0.0.0/8 logdrop # Reserved
174.0.0.0/7 logdrop # Reserved
176.0.0.0/5 logdrop # Reserved
184.0.0.0/6 logdrop # Reserved
189.0.0.0/8 logdrop # Reserved
190.0.0.0/8 logdrop # Reserved
197.0.0.0/8 logdrop # Reserved
198.18.0.0/15 logdrop # Reserved
223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
240.0.0.0/4 logdrop # Reserved
#
# End of generated entries
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
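Review bot: the header says "DO NOT MODIFY THIS FILE ... COPY THE FILE TO /etc/shorewall AND MODIFY THE COPY", yet the path comment a few lines earlier names the file /etc/shorewall/bogons, which is the copy location rather than the shipped one (actions.std and configpath in this same change name /usr/share/shorewall/...); make it /usr/share/shorewall/bogons so the two statements agree. More substantively, the generated block of "Reserved" ranges is a snapshot of IANA allocation status, and two entries already carry dates ("Returned to IANA Mar 98", "Returned by APNIC in 2003") showing that the status moves over time; since every generated entry is logdrop, a block that is allocated after the snapshot has its traffic dropped on every interface using the nobogons option. The header points at the generator program but gives no generation date and no advice to regenerate; both belong in the header. Also "those those" is duplicated in the description.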
@ -1,7 +0,0 @@
#
# Shorewall version 2.0 - Default Config Path
#
# /usr/share/shorewall/configpath
#

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
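Review bot: the order /etc/shorewall:/usr/share/shorewall is what lets an administrator's copy in /etc/shorewall shadow the shipped defaults (the bogons header in this same change relies on exactly that), so the comment block should say so rather than only "Default Config Path". Since find_file in the functions file splits this value on ":" and falls back to /etc/shorewall/<name> when no directory has the file, the comment should also state that entries are colon-separated and may not contain spaces.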
File diff suppressed because it is too large
@ -1,769 +0,0 @@
#!/bin/sh
#
# Shorewall 2.0 -- /usr/share/shorewall/functions

#
# Search a list looking for a match -- returns zero if a match found
# 1 otherwise
#
list_search() # $1 = element to search for , $2-$n = list
{
local e=$1

while [ $# -gt 1 ]; do
shift
[ "x$e" = "x$1" ] && return 0
done

return 1
}

#
# Functions to count list elements
# - - - - - - - - - - - - - - - -
# Whitespace-separated list
#
list_count1() {
echo $#
}
#
# Comma-separated list
#
list_count() {
list_count1 $(separate_list $1)
}

#
# Conditionally produce message
#
progress_message() # $* = Message
{
[ -n "$QUIET" ] || echo "$@"
}

#
# Suppress all output for a command
#
qt()
{
"$@" >/dev/null 2>&1
}

#
# Perform variable substitution on the passed argument and echo the result
#
expand() # $@ = contents of variable which may be the name of another variable
{
eval echo \"$@\"
}

#
# Perform variable substitition on the values of the passed list of variables
#
expandv() # $* = list of variable names
{
local varval

while [ $# -gt 0 ]; do
eval varval=\$${1}
eval $1=\"$varval\"
shift
done
}

#
# Replace all leading "!" with "! " in the passed argument list
#

fix_bang() {
local i;

for i in $@; do
case $i in
!*)
echo "! ${i#!}"
;;
*)
echo $i
;;
esac
done
}

#
# Set default config path
#
ensure_config_path() {
local F=/usr/share/shorewall/configpath
if [ -z "$CONFIG_PATH" ]; then
[ -f $F ] || { echo " ERROR: $F does not exist"; exit 2; }
. $F
fi
}

#
# Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
#
find_file()
{
local saveifs= directory

case $1 in
/*)
echo $1
;;
*)
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
echo $SHOREWALL_DIR/$1
else
saveifs=$IFS
IFS=:
for directory in $CONFIG_PATH; do
if [ -f $directory/$1 ]; then
echo $directory/$1
IFS=$saveifs
return
fi
done

IFS=$saveifs

echo /etc/shorewall/$1
fi
;;
esac
}

#
# Replace commas with spaces and echo the result
#
separate_list() {
local list
local part
local newlist
#
# There's been whining about us not catching embedded white space in
# comma-separated lists. This is an attempt to snag some of the cases.
#
# The 'terminator' function will be set by the 'firewall' script to
# either 'startup_error' or 'fatal_error' depending on the command and
# command phase
#
case "$@" in
*,|,*|*,,*|*[[:space:]]*)
[ -n "$terminator" ] && \
$terminator "Invalid comma-separated list \"$@\""
echo "Warning -- invalid comma-separated list \"$@\"" >&2
;;
esac

list="$@"
part="${list%%,*}"
newlist="$part"

while [ "x$part" != "x$list" ]; do
list="${list#*,}";
part="${list%%,*}";
newlist="$newlist $part";
done

echo "$newlist"
}

#
# Load a Kernel Module
#
loadmodule() # $1 = module name, $2 - * arguments
{
local modulename=$1
local modulefile
local suffix
moduleloader=modprobe

if ! qt which modprobe; then
moduleloader=insmod
fi

if [ -z "$(lsmod | grep $modulename)" ]; then
shift

for suffix in $MODULE_SUFFIX ; do
modulefile=$MODULESDIR/${modulename}.${suffix}

if [ -f $modulefile ]; then
case $moduleloader in
insmod)
insmod $modulefile $*
;;
*)
modprobe $modulename $*
;;
esac

return
fi
done
fi
}

#
# Reload the Modules
#
reload_kernel_modules() {

[ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter

while read command; do
eval $command
done

}

#
# Find the zones
#
find_zones() # $1 = name of the zone file
{
while read zone display comments; do
[ -n "$zone" ] && case "$zone" in
\#*)
;;
$FW)
echo "Reserved zone name \"$zone\" in zones file ignored" >&2
;;
*)
echo $zone
;;
esac
done < $1
}

find_display() # $1 = zone, $2 = name of the zone file
{
grep ^$1 $2 | while read z display comments; do
[ "x$1" = "x$z" ] && echo $display
done
}
#
# This function assumes that the TMP_DIR variable is set and that
# its value named an existing directory.
#
determine_zones()
{
local zonefile=$(find_file zones)

multi_display=Multi-zone
strip_file zones $zonefile
zones=$(find_zones $TMP_DIR/zones)
zones=$(echo $zones) # Remove extra trash

for zone in $zones; do
dsply=$(find_display $zone $TMP_DIR/zones)
eval ${zone}_display=\$dsply
done
}

#
# The following functions may be used by apps that wish to ensure that
# the state of Shorewall isn't changing
#
# This function loads the STATEDIR variable (directory where Shorewall is to
# store state files). If your application supports alternate Shorewall
# configurations then the name of the alternate configuration directory should
# be in $SHOREWALL_DIR at the time of the call.
#
# If the shorewall.conf file does not exist, this function does not return
#
get_statedir()
{
MUTEX_TIMEOUT=

local config=$(find_file shorewall.conf)

if [ -f $config ]; then
. $config
else
echo "/etc/shorewall/shorewall.conf does not exist!" >&2
exit 2
fi

[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
}

#
# Call this function to assert MUTEX with Shorewall. If you invoke the
# /sbin/shorewall program while holding MUTEX, you should pass "nolock" as
# the first argument. Example "shorewall nolock refresh"
#
# This function uses the lockfile utility from procmail if it exists.
# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
# behavior of lockfile.
#
mutex_on()
{
local try=0
local lockf=$STATEDIR/lock

MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

if [ $MUTEX_TIMEOUT -gt 0 ]; then

[ -d $STATEDIR ] || mkdir -p $STATEDIR

if qt which lockfile; then
lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
else
while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
sleep 1
try=$((${try} + 1))
done

if [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
# Create the lockfile
echo $$ > ${lockf}
else
echo "Giving up on lock file ${lockf}" >&2
fi
fi
fi
}

#
# Call this function to release MUTEX
#
mutex_off()
{
rm -f $STATEDIR/lock
}

#
# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
#
# None - No mktemp
# BSD - BSD mktemp (Mandrake)
# STD - mktemp.org mktemp
#
find_mktemp() {
local mktemp=`which mktemp 2> /dev/null`

if [ -n "$mktemp" ]; then
if qt mktemp -V ; then
MKTEMP=STD
else
MKTEMP=BSD
fi
else
MKTEMP=None
fi
}

#
# create a temporary file. If a directory name is passed, the file will be created in
# that directory. Otherwise, it will be created in a temporary directory.
#
mktempfile() {

[ -z "$MKTEMP" ] && find_mktemp

if [ $# -gt 0 ]; then
case "$MKTEMP" in
BSD)
mktemp $1/shorewall.XXXXXX
;;
STD)
mktemp -p $1 shorewall.XXXXXX
;;
None)
> $1/shorewall-$$ && echo $1/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempfile"
;;
esac
else
case "$MKTEMP" in
BSD)
mktemp /tmp/shorewall.XXXXXX
;;
STD)
mktemp -t shorewall.XXXXXX
;;
None)
rm -f /tmp/shorewall-$$
> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempfile"
;;
esac
fi
}

#
# create a temporary directory
#
mktempdir() {

[ -z "$MKTEMP" ] && find_mktemp

case "$MKTEMP" in
STD)
mktemp -td shorewall.XXXXXX
;;
None|BSD)
#
# Not all versions of the BSD mktemp support the -d option under Linux
#
mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
;;
*)
echo " ERROR:Internal error in mktempdir"
;;
esac
}

#
# Read a file and handle "INCLUDE" directives
#

read_file() # $1 = file name, $2 = nest count
{
local first rest

if [ -f $1 ]; then
while read first rest; do
if [ "x$first" = "xINCLUDE" ]; then
if [ $2 -lt 4 ]; then
read_file $(find_file $(expand ${rest%#*})) $(($2 + 1))
else
echo " WARNING: INCLUDE in $1 ignored (nested too deeply)" >&2
fi
else
echo "$first $rest"
fi
done < $1
else
[ -n "$terminator" ] && $terminator "No such file: $1"
echo "Warning -- No such file: $1"
fi
}

#
# Function for including one file into another
#
INCLUDE() {
. $(find_file $(expand $@))
}

#
# Strip comments and blank lines from a file and place the result in the
# temporary directory
#
strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
{
local fname

[ $# = 1 ] && fname=$(find_file $1) || fname=$2

if [ -f $fname ]; then
read_file $fname 0 | cut -d'#' -f1 | grep -v '^[[:space:]]*$' > $TMP_DIR/$1
else
> $TMP_DIR/$1
fi
}

#
# Note: The following set of IP address manipulation functions have anomalous
# behavior when the shell only supports 32-bit signed arithmatic and
# the IP address is 128.0.0.0 or 128.0.0.1.
#
#
# So that emacs doesn't get lost, we use $LEFTSHIFT rather than <<
#
LEFTSHIFT='<<'

#
# Convert an IP address in dot quad format to an integer
#
decodeaddr() {
local x
local temp=0
local ifs=$IFS

IFS=.

for x in $1; do
temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
done

echo $temp

IFS=$ifs
}

#
# convert an integer to dot quad format
#
encodeaddr() {
addr=$1
local x
local y=$(($addr & 255))

for x in 1 2 3 ; do
addr=$(($addr >> 8))
y=$(($addr & 255)).$y
done

echo $y
}

#
# Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
#
# Comes in two flavors:
#
# ip_range() - produces a mimimal list of network/host addresses that spans
# the range.
#
# ip_range_explicit() - explicitly enumerates the range.
#
ip_range() {
local first last l x y z vlsm

case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac

first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})

if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
fi

l=$(( $last + 1 ))

while [ $first -le $last ]; do
vlsm=
x=31
y=2
z=1

while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do
vlsm=/$x
x=$(( $x - 1 ))
z=$y
y=$(( $y * 2 ))
done

echo $(encodeaddr $first)$vlsm
first=$(($first + $z))
done
}

ip_range_explicit() {
local first last

case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac

first=$(decodeaddr ${1%-*})
last=$(decodeaddr ${1#*-})

if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
fi

while [ $first -le $last ]; do
echo $(encodeaddr $first)
first=$(($first + 1))
done
}

#
# Netmask from CIDR
#
ip_netmask() {
local vlsm=${1#*/}

[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
}

#
# Network address from CIDR
#
ip_network() {
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)

echo $(encodeaddr $(($decodedaddr & $netmask)))
}

#
# The following hack is supplied to compensate for the fact that many of
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
#

ip_broadcast() {
local x=$(( 32 - ${1#*/} ))

[ $x -eq 0 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
}

#
# Calculate broadcast address from CIDR
#
broadcastaddress() {
local decodedaddr=$(decodeaddr ${1%/*})
local netmask=$(ip_netmask $1)
local broadcast=$(ip_broadcast $1)

echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
}

#
# Test for network membership
#
in_network() # $1 = IP address, $2 = CIDR network
{
local netmask=$(ip_netmask $2)

test $(( $(decodeaddr $1) & $netmask)) -eq $(( $(decodeaddr ${2%/*}) & $netmask ))
}

#
# Netmask to VLSM
#
ip_vlsm() {
local mask=$(decodeaddr $1)
local vlsm=0
local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000

while [ $(( $x & $mask )) -ne 0 ]; do
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
vlsm=$(($vlsm + 1))
done

if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
echo "Invalid net mask: $1" >&2
else
echo $vlsm
fi
}


#
# Chain name base for an interface -- replace all periods with underscores in the passed name.
# The result is echoed (less trailing "+").
#
chain_base() #$1 = interface
{
local c=${1%%+}

while true; do
case $c in
*.*)
c="${c%.*}_${c##*.}"
;;
*-*)
c="${c%-*}_${c##*-}"
;;
*)
echo ${c:=common}
return
;;
esac
done
}

#
# Loosly Match the name of an interface
#

if_match() # $1 = Name in interfaces file - may end in "+"
# $2 = Full interface name - may also end in "+"
{
local pattern=${1%+}

case $1 in
*+)
#
# Can't use ${2:0:${#pattern}} because ash and dash don't support that flavor of
# variable expansion :-(
#
test "x$(echo $2 | cut -b -${#pattern} )" = "x${pattern}"
;;
*)
test "x$1" = "x$2"
;;
esac
}

#
# Find the value 'dev' in the passed arguments then echo the next value
#

find_device() {
while [ $# -gt 1 ]; do
[ "x$1" = xdev ] && echo $2 && return
shift
done
}

#
# Find the interfaces that have a route to the passed address - the default
# route is not used.
#

find_rt_interface() {
ip route ls | while read addr rest; do
case $addr in
*/*)
in_network ${1%/*} $addr && echo $(find_device $rest)
;;
default)
;;
*)
if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
echo $(find_device $rest)
fi
;;
esac
done
}

#
# Find the default route's interface
#
find_default_interface() {
ip route ls | while read first rest; do
[ "$first" = default ] && echo $(find_device $rest) && return
done
}

#
# Echo the name of the interface(s) that will be used to send to the
# passed address
#

find_interface_by_address() {
local dev="$(find_rt_interface $1)"
local first rest

[ -z "$dev" ] && dev=$(find_default_interface)

[ -n "$dev" ] && echo $dev
}
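Review bot: the None branches of mktempfile create files under a predictable name when no mktemp binary is available: `> $1/shorewall-$$ && echo $1/shorewall-$$` in the directory case and `rm -f /tmp/shorewall-$$` followed by `> /tmp/shorewall-$$` in the /tmp case. The name is guessable from the process id and the rm-then-redirect pair is not atomic, so a file or symlink pre-placed at that name in a shared directory is followed by the redirect. mktempdir's own fallback (`mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$`) fails closed if the name already exists; if this code is retained anywhere, create the temp file inside that private directory instead of directly in /tmp. Two smaller points in the same hunk: loadmodule decides whether a module is loaded with `lsmod | grep $modulename`, an unanchored substring match, so any loaded module whose name merely contains the requested name suppresses the load; anchoring the pattern to the start of the line and a trailing space would match whole names. And the fallback path in mutex_on is a check-then-create sequence, as its header comment admits; when the wait expires it prints "Giving up on lock file" and returns as if it had succeeded, so the caller proceeds without the mutex. A mkdir-based lock would remove the race, and a non-zero return on timeout would let callers decide whether to continue.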
@ -1,310 +0,0 @@
#!/bin/sh
#
# Shorewall help subsystem - V2.0 - 2/14/2004
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
#
# This file should be placed in /usr/share/shorewall/help
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
##################################################################################

case $1 in

add)
echo "add: add <interface>[:<bridge-port>][:<host>] <zone>
Adds a host or subnet to a dynamic zone usually used with VPN's.

shorewall add interface[:port][:host] zone - Adds the specified interface
(and bridge port/host if included) to the specified zone.

Example:

shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1.

See also \"help host\""
;;

address|host)
echo "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24"
;;

allow)
echo "allow: allow <address> ...
Re-enables receipt of packets from hosts previously blacklisted
by a drop or reject command.

Shorewall allow, drop, rejct and save implement dynamic blacklisting.

See also \"help address\""
;;

check)
echo "check: check [ -c <configuration-directory> ]
Performs a cursory validation of the zones, interfaces, hosts,
rules and policy files. Use this if you are unsure of any edits
you have made to the shorewall configuration. See the try command
examples for a recommended way to make changes."
;;

clear)
echo "clear: clear
Clear will remove all rules and chains installed by Shoreline.
The firewall is then wide open and unprotected. Existing
connections are untouched. Clear is often used to see if the
firewall is causing connection problems."
;;

debug)
echo "debug: debug
If you include the keyword debug as the first argument to any
of these commands:

start|stop|restart|reset|clear|refresh|check|add|delete

then a shell trace of the command is produced. For example:

shorewall debug start 2> /tmp/trace

The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.

The word 'trace' is a synonym for 'debug'."
;;

delete)
echo "delete: delete <interface>[:<bridge-port>][:<host>] <zone>
Deletes a host or subnet from a dynamic zone usually used with VPN's.

shorewall delete interface[:port][:host] zone - Deletes the specified
interface (and bridge port/host if included) from the specified zone.

Example:

shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
192.0.2.24 from interface ipsec0 from zone vpn1

See also \"help host\""
;;

drop)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored

Shorewall allow, drop, rejct and save implement dynamic blacklisting.

See also \"help address\""
;;

forget)
echo "forget: forget [ <file name> ]
Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
the file specified by RESTOREFILE in shorewall.conf is removed.
||||||
|
|
||||||
See also \"help save\""
|
|
||||||
;;
|
|
||||||
|
|
||||||
help)
|
|
||||||
echo "help: help [<command> | host | address ]
|
|
||||||
Display helpful information about the shorewall commands."
|
|
||||||
;;
|
|
||||||
|
|
||||||
hits)
|
|
||||||
echo "hits: hits
|
|
||||||
Produces several reports about the Shorewall packet log messages
|
|
||||||
in the current /var/log/messages file."
|
|
||||||
;;
|
|
||||||
|
|
||||||
ipcalc)
|
|
||||||
echo "ipcalc: ipcalc [ address mask | address/vlsm ]
|
|
||||||
Ipcalc displays the network address, broadcast address,
|
|
||||||
network in CIDR notation and netmask corresponding to the input[s]."
|
|
||||||
;;
|
|
||||||
|
|
||||||
iprange)
|
|
||||||
echo "iprange: iprange address1-address2
|
|
||||||
Iprange decomposes the specified range of IP addresses into the
|
|
||||||
equivalent list of network/host addresses."
|
|
||||||
;;
|
|
||||||
|
|
||||||
logwatch)
|
|
||||||
echo "logwatch: logwatch [<refresh interval>]
|
|
||||||
Monitors the LOGFILE, $LOGFILE,
|
|
||||||
and produces an audible alarm when new Shorewall messages are logged."
|
|
||||||
;;
|
|
||||||
|
|
||||||
monitor)
|
|
||||||
echo "monitor: monitor [<refresh_interval>]
|
|
||||||
|
|
||||||
shorewall [-x] monitor [<refresh_interval>]
|
|
||||||
|
|
||||||
Continuously display the firewall status, last 20 log entries and nat.
|
|
||||||
When the log entry display changes, an audible alarm is sounded.
|
|
||||||
|
|
||||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
|
||||||
;;
|
|
||||||
|
|
||||||
refresh)
|
|
||||||
echo "refresh: [ -q ] refresh
|
|
||||||
The rules involving the broadcast addresses of firewall interfaces,
|
|
||||||
the black list, traffic control rules and ECN control rules are recreated
|
|
||||||
to reflect any changes made. Existing connections are untouched
|
|
||||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
|
||||||
;;
|
|
||||||
|
|
||||||
reject)
|
|
||||||
echo "$1: $1 <address> ...
|
|
||||||
Causes packets from the specified <address> to be rejected
|
|
||||||
|
|
||||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
|
||||||
|
|
||||||
See also \"help address\""
|
|
||||||
;;
|
|
||||||
|
|
||||||
reset)
|
|
||||||
echo "reset: reset
|
|
||||||
All the packet and byte counters in the firewall are reset."
|
|
||||||
;;
|
|
||||||
|
|
||||||
restart)
|
|
||||||
echo "restart: restart [ -q ] [ -c <configuration-directory> ]
|
|
||||||
Restart is the same as a shorewall stop && shorewall start.
|
|
||||||
Existing connections are maintained.
|
|
||||||
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
|
||||||
;;
|
|
||||||
|
|
||||||
restore)
|
|
||||||
echo "restore: restore [ <file name> ]
|
|
||||||
Restore Shorewall to a state saved using the 'save' command
|
|
||||||
Existing connections are maintained. The <file name> names a restore file in
|
|
||||||
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
|
|
||||||
then Shorewall will be restored from the file specified by the RESTOREFILE
|
|
||||||
option in shorewall.conf.
|
|
||||||
|
|
||||||
See also \"help save\" and \"help forget\""
|
|
||||||
;;
|
|
||||||
|
|
||||||
save)
|
|
||||||
echo "save: save [ <file name> ]
|
|
||||||
The dynamic data is stored in /var/lib/shorewall/save. The state of the
|
|
||||||
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
|
|
||||||
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
|
|
||||||
in the file specified by the RESTOREFILE option in shorewall.conf.
|
|
||||||
|
|
||||||
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
|
||||||
|
|
||||||
See also \"help restore\" and \"help forget\""
|
|
||||||
;;
|
|
||||||
|
|
||||||
show)
|
|
||||||
echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
|
|
||||||
|
|
||||||
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
|
||||||
(iptables -L chain -n -v)
|
|
||||||
|
|
||||||
shorewall [-x] show nat - produce a verbose report about the nat table.
|
|
||||||
(iptables -t nat -L -n -v)
|
|
||||||
|
|
||||||
shorewall [-x] show tos - produce a verbose report about the mangle table.
|
|
||||||
(iptables -t mangle -L -n -v)
|
|
||||||
|
|
||||||
shorewall show log - display the last 20 packet log entries.
|
|
||||||
|
|
||||||
shorewall show connections - displays the IP connections currently
|
|
||||||
being tracked by the firewall.
|
|
||||||
|
|
||||||
shorewall show tc - displays information about the traffic
|
|
||||||
control/shaping configuration.
|
|
||||||
|
|
||||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
|
||||||
;;
|
|
||||||
|
|
||||||
start)
|
|
||||||
echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
|
|
||||||
Start shorewall. Existing connections through shorewall managed
|
|
||||||
interfaces are untouched. New connections will be allowed only
|
|
||||||
if they are allowed by the firewall rules or policies.
|
|
||||||
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
|
|
||||||
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
|
|
||||||
in shorewall.conf will be restored if that saved configuration exists"
|
|
||||||
;;
|
|
||||||
|
|
||||||
stop)
|
|
||||||
echo "stop: stop
|
|
||||||
Stops the firewall. All existing connections, except those
|
|
||||||
listed in /etc/shorewall/routestopped, are taken down.
|
|
||||||
The only new traffic permitted through the firewall
|
|
||||||
is from systems listed in /etc/shorewall/routestopped."
|
|
||||||
;;
|
|
||||||
|
|
||||||
status)
|
|
||||||
echo "status: status
|
|
||||||
|
|
||||||
shorewall [-x] status
|
|
||||||
|
|
||||||
Produce a verbose report about the firewall.
|
|
||||||
|
|
||||||
(iptables -L -n -)
|
|
||||||
|
|
||||||
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
|
||||||
;;
|
|
||||||
|
|
||||||
trace)
|
|
||||||
echo "trace: trace
|
|
||||||
If you include the keyword trace as the first argument to any
|
|
||||||
of these commands:
|
|
||||||
|
|
||||||
start|stop|restart|reset|clear|refresh|check|add|delete
|
|
||||||
|
|
||||||
then a shell trace of the command is produced. For example:
|
|
||||||
|
|
||||||
shorewall trace start 2> /tmp/trace
|
|
||||||
|
|
||||||
The above command would trace the 'start' command and
|
|
||||||
place the trace information in the file /tmp/trace.
|
|
||||||
|
|
||||||
The word 'debug' is a synonym for 'trace'."
|
|
||||||
;;
|
|
||||||
|
|
||||||
try)
|
|
||||||
echo "try: try <configuration-directory> [ <timeout> ]
|
|
||||||
Restart shorewall using the specified configuration. If an error
|
|
||||||
occurs during the restart, then another shorewall restart is performed
|
|
||||||
using the default configuration. If a timeout is specified then
|
|
||||||
the restart is always performed after the timeout occurs and uses
|
|
||||||
the default configuration."
|
|
||||||
;;
|
|
||||||
|
|
||||||
version)
|
|
||||||
echo "version: version
|
|
||||||
Show the current shorewall version which is: $version"
|
|
||||||
;;
|
|
||||||
|
|
||||||
*)
|
|
||||||
echo "$1: $1 is not recognized by the help command"
|
|
||||||
;;
|
|
||||||
|
|
||||||
esac
|
|
||||||
|
|
||||||
exit 0 # always ok
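Review bot: if this help script survives in another copy, three defects on the visible lines are worth carrying over as fixes: `rejct` for `reject` in the four "implement dynamic blacklisting" lines, `less detain` for `less detail` in the refresh and restart entries (the start entry already has the correct spelling), and the truncated `(iptables -L -n -)` under status, where the show entries read `-n -v`. The restore entry also embeds unescaped inner quotes, `/var/lib/shorewall created using "shorewall save"; if no <file name> is given`, inside a double-quoted echo string; the other entries write `\"...\"`, and this one only prints correctly because the shell happens to rejoin the split words with a single space.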

@ -1,26 +0,0 @@
#
# Shorewall 2.0-- RFC1918 File
#
# /etc/shorewall/rfc1918
#
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
#
# The default list includes those IP addresses listed in RFC 1918.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
# SUBNET The subnet (host addresses also allowed)
# TARGET Where to send packets to/from this subnet
# RETURN - let the packet be processed normally
# DROP - silently drop the packet
# logdrop - log then drop
#
###############################################################################
#SUBNET TARGET
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918
10.0.0.0/8 logdrop # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -1 +0,0 @@
2.0.17

@ -1,24 +0,0 @@
/etc/shorewall/params Params Assign parameter values
/etc/shorewall/zones Zones Partition the network into Zones
/etc/shorewall/interfaces Ifaces Shorewall Networking Interfaces
/etc/shorewall/hosts Hosts Define specific zones
/etc/shorewall/policy Policy Firewall high-level policy
/etc/shorewall/rules Rules Exceptions to policy
/etc/shorewall/maclist Maclist MAC Verification
/etc/shorewall/masq Masq Internal MASQ Server Configuration
/etc/shorewall/proxyarp ProxyArp Proxy ARP Configuration
/etc/shorewall/routestopped Stopped Hosts admitted after 'shorewall stop'
/etc/shorewall/nat Nat Static NAT Configuration
/etc/shorewall/tunnels Tunnels Tunnel Definition (ipsec)
/etc/shorewall/tcrules TCRules FWMark Rules
/etc/shorewall/shorewall.conf Config Shorewall Global Parameters
/etc/shorewall/modules Modules Netfilter modules to load
/etc/shorewall/tos TOS Type of Service policy
/etc/shorewall/blacklist Blacklist Blacklisted hosts
/etc/shorewall/ecn ECN Disable ECN to hosts and networks
/etc/shorewall/init Init Commands executed before [re]start
/etc/shorewall/start Start Commands executed after [re]start
/etc/shorewall/stop Stop Commands executed before stop
/etc/shorewall/stopped Stopped Commands executed after stop
/etc/shorewall/accounting Account Traffic Accounting Rules
/etc/shorewall/actions Actions Define user actions

@ -1 +0,0 @@
var/lib/shorewall/*

@ -1,3 +0,0 @@
Shoreline Firewall (Shorewall)
Homepage: http://www.shorewall.net
Requires: iptables.lrp

@ -1,6 +0,0 @@
etc/init.d/shorewall
etc/shorewall
sbin/shorewall
usr/share/shorewall
var/lib/shorewall
var/lib/lrpkg/shorwall.*
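Review bot: the last entry of the removed LEAF file list, `var/lib/lrpkg/shorwall.*`, misspells the package name (`shorwall` for `shorewall`), so the package's own lrpkg metadata files never matched this glob; if a file list for another packaging target replaces this one, make sure the typo is not carried over.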

@ -1 +0,0 @@
2.0.17

@ -1,74 +0,0 @@
#!/bin/sh
RCDLINKS="2,S41 3,S41 6,K41"
#
# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.0 3/14/2003
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
#
# On most distributions, this file should be called /etc/init.d/shorewall.
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
# If an error occurs while starting or restarting the firewall, the
# firewall is automatically stopped.
#
# Commands are:
#
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
#
#### BEGIN INIT INFO
# Provides: shorewall
# Required-Start: $network
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Description: starts and stops the shorewall firewall
### END INIT INFO

# chkconfig: 2345 25 90
# description: Packet filtering firewall
#

################################################################################
# Give Usage Information #
################################################################################
usage() {
echo "Usage: $0 start|stop|restart|status"
exit 1
}

################################################################################
# E X E C U T I O N B E G I N S H E R E #
################################################################################
command="$1"

case "$command" in

stop|start|restart|status)

exec /sbin/shorewall $@
;;
*)

usage
;;

esac
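Review bot: `exec /sbin/shorewall $@` passes the positional parameters unquoted, so any argument containing whitespace would be re-split before reaching /sbin/shorewall; the quoted form `"$@"` preserves argument boundaries and is the idiom to use wherever this init script lives on after this deletion. The `usage` text and the case arms agree on the accepted commands (start|stop|restart|status), so nothing else in the hunk needs attention.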

@ -1,96 +0,0 @@
#
# Shorewall version 2.2 - Accounting File
#
# /etc/shorewall/accounting
#
# Accounting rules exist simply to count packets and bytes in categories
# that you define in this file. You may display these rules and their
# packet and byte counters using the "shorewall show accounting" command.
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#
# Columns are:
#
# ACTION - What to do when a match is found.
#
# COUNT - Simply count the match and continue
# with the next rule
# DONE - Count the match and don't attempt
# to match any other accounting rules
# in the chain specified in the CHAIN
# column.
# <chain>[:COUNT]
# - Where <chain> is the name of
# a chain. Shorewall will create
# the chain automatically if it
# doesn't already exist. Causes
# a jump to that chain. If :COUNT
# is including, a counting rule
# matching this record will be
# added to <chain>
#
# CHAIN - The name of a chain. If specified as "-" the
# 'accounting' chain is assumed. This is the chain
# where the accounting rule is added. The chain will
# be created if it doesn't already exist.
#
# SOURCE - Packet Source
#
# The name of an interface, an address (host or net) or
# an interface name followed by ":"
# and a host or net address.
#
# DESTINATION - Packet Destination
#
# Format the same as the SOURCE column.
#
# PROTOCOL A protocol name (from /etc/protocols), a protocol
# number, or "ipp2p"
#
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
# this column must contain an ipp2p option ("iptables -m
# ipp2p --help") without the leading "--". If no option
# is given in this column, "ipp2p" is assumed.
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# SOURCE PORT Source Port number
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
# or 17).
#
# USER/GROUP This column may only be non-empty if the CHAIN is
# OUTPUT.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT PORT GROUP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
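Review bot: in the ACTION column description, `If :COUNT is including, a counting rule` should read `is included`; the same header text is presumably shipped in the surviving copy of /etc/shorewall/accounting, so the fix belongs there rather than in this deleted file.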

@ -1,32 +0,0 @@
#
# Shorewall 2.2 /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to
# be performed in an ACTION in
# /etc/shorewall/action.<action-name>.
#
# ACTION names should begin with an upper-case letter to
# distinguish them from Shorewall-generated chain names and
# they must meet the requirements of a Netfilter chain. If
# you intend to log from the action then the name must be
# no longer than 11 character in length. Names must also
# meet the requirements for a Bourne Shell identifier (must
# begin with a letter and be composed of letters, digits and
# underscore characters).
#
# If you follow the action name with ":DROP", ":REJECT" or
# :ACCEPT then the action will be taken before a DROP, REJECT or
# ACCEPT policy respectively is enforced. If you specify ":DROP",
# ":REJECT" or ":ACCEPT" on more than one action then only the
# last such action will be taken.
#
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
#ACTION

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
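Review bot: `no longer than 11 character in length` should read `11 characters`, and the `:ACCEPT` in `":DROP", ":REJECT" or :ACCEPT` is the only one of the three suffixes left unquoted in that sentence; both are cosmetic, but worth fixing in whichever copy of /etc/shorewall/actions remains after this deletion.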

@ -1,48 +0,0 @@
#
# Shorewall 2.2 -- Blacklist File
#
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
#
# Columns are:
#
# ADDRESS/SUBNET - Host address, subnetwork, MAC address or IP address
# range (if your kernel and iptables contain iprange
# match support).
#
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# PROTOCOL - Optional. If specified, must be a protocol number
# or a protocol name from /etc/protocols.
#
# PORTS - Optional. May only be specified if the protocol
# is TCP (6) or UDP (17). A comma-separated list
# of port numbers or service names from /etc/services.
#
# When a packet arrives on an interface that has the 'blacklist' option
# specified in /etc/shorewall/interfaces, its source IP address is checked
# against this file and disposed of according to the BLACKLIST_DISPOSITION and
# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
#
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
#
# Example:
#
# To block DNS queries from address 192.0.2.126:
#
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -1,8 +0,0 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

@ -1,22 +0,0 @@
#
# Shorewall 2.2 - /etc/shorewall/ecn
#
# Use this file to list the destinations for which you want to
# disable ECN.
#
# This feature requires kernel 2.4.20 or later. If you run 2.4.20,
# you also need the patch found at http://www.shorewall.net/ecn/patch.
# That patch is included in kernels 2.4.21 and later.
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed. If your kernel and iptables
# include iprange match support then IP address ranges
# are also permitted.
#
# For additional information, see http://shorewall.net/Documentation.htm#ECN
##############################################################################
#INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

@ -1,141 +0,0 @@
#
# Shorewall 2.2 - /etc/shorewall/hosts
#
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
#
# IF YOU DON'T HAVE THAT SITUATION THEN DON'T TOUCH THIS FILE.
#------------------------------------------------------------------------------
# IF YOU HAVE AN ENTRY FOR A ZONE AND INTERFACE IN
# /etc/shorewall/interfaces THEN DO NOT ADD ANY ENTRIES FOR THAT
# ZONE AND INTERFACE IN THIS FILE.
#------------------------------------------------------------------------------
# This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to
# (should not) place anything in this file.
#
# The order of entries in this file is not significant in
# determining zone composition. Rather, the order that the zones
# are defined in /etc/shorewall/zones determines the order in
# which the records in this file are interpreted.
#
# ZONE - The name of a zone defined in /etc/shorewall/zones
#
# HOST(S) - The name of an interface defined in the
# /etc/shorewall/interfaces file followed by a colon (":") and
# a comma-separated list whose elements are either:
#
# a) The IP address of a host
# b) A subnetwork in the form
# <subnet-address>/<mask width>
# c) An IP address range of the form <low address>-<high
# address>. Your kernel and iptables must have iprange
# match support.
# d) A physical port name; only allowed when the
# interface names a bridge created by the
# brctl addbr command. This port must not
# be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a
# host or network IP or a range.
# See http://www.shorewall.net/Bridge.html for details.
#
# Examples:
#
# eth1:192.168.1.3
# eth2:192.168.2.0/24
# eth3:192.168.2.0/24,192.168.3.1
# br0:eth4
# br0:eth0:192.168.1.16/28
# eth4:192.168.1.44-192.168.1.49
#
# OPTIONS - A comma-separated list of options. Currently-defined
# options are:
#
# maclist - Connection requests from these hosts
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# routeback - Shorewall should set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary if hosts in this group use the
# services of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
#
# norfc1918 - This option only makes sense for ports
# on a bridge.
#
# The port should not accept
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# nobogons - This option only makes sense for ports
# on a bridge.
#
# This port should not accept
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see
# 'norfc1918' above).
#
# blacklist - This option only makes sense for ports
# on a bridge.
#
# Check packets arriving on this port
# against the /etc/shorewall/blacklist
# file.
#
# tcpflags - Packets arriving from these hosts are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# nosmurfs - This option only makes sense for ports
# on a bridge.
#
# Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from these hosts, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# ipsec - The zone is accessed via a
# kernel 2.6 ipsec SA. Note that if the
# zone named in the ZONE column is
# specified as an IPSEC zone in the
# /etc/shorewall/ipsec file then you do NOT
# need to specify the 'ipsec' option here.
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

@ -1,8 +0,0 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#

@ -1,9 +0,0 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
#
|
|
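Review bot: 'perminent' in `# Shorewall has not yet added any perminent rules to the builtin chains.` should read 'permanent'; if this header text is kept anywhere else after the deletion, carry the fix there.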
@ -1,212 +0,0 @@
#
# Shorewall 2.2 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# You may specify wildcards here. For example, if you
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'.
#
# There is no need to define the loopback interface (lo)
# in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left blank.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - Specify this option when any of
# the following are true:
# 1. the interface gets its IP address
# via DHCP
# 2. the interface is used by
# a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP
# clients.
# 4. the interface is a bridge with
# a DHCP server on one port and DHCP
# clients on another port.
#
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling or
# connection-tracking match is enabled in
# your kernel, packets whose destination
# addresses are reserved by RFC 1918 are
# also rejected.
#
# nobogons - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by IANA (this
# option does not cover those ranges
# reserved by RFC 1918 -- see above).
#
# I PERSONALLY RECOMMEND AGAINST USING
# THE 'nobogons' OPTION.
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
#
# logmartians - turn on kernel martian logging (logging
# of packets with impossible source
# addresses. It is suggested that if you
# set routefilter on an interface that
# you also set logmartians. This option
# may also be enabled globally in the
# /etc/shorewall/shorewall.conf file.
#
# blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
#
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
#
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this interface
# are processed as if NEWNOTSYN=Yes had been
# specified in /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow filtering
# traffic arriving on this interface back
# out that same interface.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
# addresses configured on the interface.
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# when Shorewall is started.
#
# nosmurfs - Filter packets for smurfs
# (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based
# on the setting of SMURF_LOG_LEVEL in
# shorewall.conf. After logging, the
# packets are dropped.
#
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
# upnp - Incoming requests from this interface may
# be remapped via UPNP (upnpd).
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# it's IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect dhcp
# loc eth1 detect
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections.
#
# net ppp0 -
#
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
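Review bot: the `upnp` entry (`# upnp - Incoming requests from this interface may`) is wedged between the `detectnets` description and its `WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE`, with no `#` separator before it, so the warning reads as though it qualified upnp rather than detectnets; wherever this file's text survives, the warning belongs directly under the detectnets paragraph. Minor wording in the same region: 'taylors' should be 'tailors', "it's IP address" should be 'its', and the norfc1918 paragraph opens a parenthesis at `(i.e., private or "non-routable"` that is never closed.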
@ -1,58 +0,0 @@
#
# Shorewall 2.2 - /etc/shorewall/ipsec
#
# This file defines the attributes of zones with respect to
# IPSEC. To use this file, you must be running a 2.6 kernel and
# both your kernel and iptables must include Policy Match Support.
#
# The columns are:
#
# ZONE The name of a zone defined in /etc/shorewall/zones. The
# $FW zone may not be listed.
#
# IPSEC Yes -- Communication with all zone hosts is encrypted
# ONLY No -- Communication with some zone hosts is encrypted.
# Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts.
#
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA used to encrypt/decrypt packets.
#
# proto=ah|esp|ipcomp
#
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict..
#
# Example:
# mode=transport,reqid=44
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
# applied to outgoing traffic.
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
###################################################################################
#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

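Review bot: `# strict..` carries a stray second period and the opening quote in `# using setkey(8) using the 'unique:<number>` is never closed. Both are cosmetic, but the identical text is repeated in the masq file's IPSEC column below, so whichever copy of this documentation outlives the deletion should be fixed once and propagated.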
@ -1,31 +0,0 @@
#
# Shorewall 2.2 - MAC list file
#
# This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface.
# The feature is enabled by using the maclist option in the interfaces
# or hosts configuration file.
#
# /etc/shorewall/maclist
#
# Columns are:
#
# INTERFACE Network interface to a host. If the interface
# names a bridge, it may be optionally followed by
# a colon (":") and a physical port name (e.g.,
# br0:eth4).
#
# MAC MAC address of the host -- you do not need to use
# the Shorewall format for MAC addresses here
#
# IP ADDRESSES Optional -- if specified, both the MAC and IP address
# must match. This column can contain a comma-separated
# list of host and/or subnet addresses. If your kernel
# and iptables have iprange match support then IP
# address ranges are also allowed.
#
# For additional information, see http://shorewall.net/MAC_Validation.html
#
##############################################################################
#INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
@ -1,217 +0,0 @@
#
# Shorewall 2.2 - Masquerade file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
#
# Columns are:
#
# INTERFACE -- Outgoing interface. This is usually your internet
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
#
# If you wish to inhibit the action of ADD_SNAT_ALIASES
# for this entry then include the ":" but omit the digit:
#
# eth0:
# eth2::192.0.2.32/27
#
# Normally Masq/SNAT rules are evaluated after those for
# one-to-one NAT (/etc/shorewall/nat file). If you want
# the rule to be applied before one-to-one NAT rules,
# prefix the interface name with "+":
#
# +eth0
# +eth0:192.0.2.32/27
# +eth0:2
#
# This feature should only be required if you need to
# insert rules in this file that preempt entries in
# /etc/shorewall/nat.
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
#
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
#
# Example: eth1!192.168.1.4,192.168.32.0/27
#
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
#
# You may also specify a range of up to 256
# IP addresses if you want the SNAT address to
# be assigned from that range in a round-robin
# range by connection. The range is specified by
# <first ip in range>-<last ip in range>.
#
# Example: 206.124.146.177-206.124.146.180
#
# Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
#
# This column may not contain DNS Names.
#
# Normally, Netfilter will attempt to retain
# the source port number. You may cause
# netfilter to remap the source port by following
# an address or range (if any) by ":" and
# a port range with the format <low port>-
# <high port>. If this is done, you must
# specify "tcp" or "udp" in the PROTO column.
#
# Examples:
#
# 192.0.2.4:5000-6000
# :4000-5000
#
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses.
#
# SAME works like SNAT with the exception that the
# same local IP address is assigned to each connection
# from a local address to a given remote address. If
# the 'nodst:' option is included, then the same source
# address is used for a given internal system regardless
# of which remote system is involved.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
#
# Where a comma-separated list is given, your
# kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# listed.
#
# IPSEC -- (Optional) If you specify a value other than "-" in this
# column, you must be running kernel 2.6 and
# your kernel and iptables must include policy
# match support.
#
# Comma-separated list of options from the following.
# Only packets that will be encrypted via an SA that
# matches these options will have their source address
# changed.
#
# Yes or yes -- must be the only option listed
# and matches all outbound traffic that will be
# encrypted.
#
# reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
#
# spi=<number> where <number> is the SPI of
# the SA.
#
# proto=ah|esp|ipcomp
#
# mode=transport|tunnel
#
# tunnel-src=<address>[/<mask>] (only
# available with mode=tunnel)
#
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all
# rules.
#
# next Separates rules; can only be used
# with strict..
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# eth0 eth1
#
# or
#
# eth0 192.168.0.0/24
#
# Example 2:
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
#
# eth0 192.168.1.0/24
#
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# eth0:0 192.168.1.0/24 206.124.146.176
#
# Example 5:
#
# You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address
# 206.124.146.176.
#
# eth0 eth1 206.124.146.177 tcp smtp
# eth0 eth1 206.124.146.176
#
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
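Review bot: two example addresses contradict their own prose. `# it came from 192.168.1.4 or 196.168.32.0/27` should read 192.168.32.0/27 to match `# Example: eth1!192.168.1.4,192.168.32.0/27`, and Example 3's `# ipsec0:10.1.1.0/24 196.168.1.0/24` should read 192.168.1.0/24 to match "masquerade packets coming from 192.168.1.0/24"; a reader who copies Example 3 as written would masquerade a public range rather than the private one the text describes. Example 4 also repeats "added to be added". Wherever this documentation is retained after the deletion, those lines should be corrected.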
@ -1,22 +0,0 @@
##############################################################################
# Shorewall 2.2 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#
# For additional information, see http://shorewall.net/Documentation.htm#modules

loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc

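Review bot: the list loads the ftp, tftp and irc connection-tracking and NAT helpers (`loadmodule ip_conntrack_ftp` through `loadmodule ip_nat_irc`) unconditionally, and the header never says why. Those helpers let RELATED traffic open additional connections based on protocol payload, so the file would be better documented with a comment that they are only needed when the firewall actually passes those protocols and can otherwise be left out. The dependency warning would also be more concrete if it named the ordering the list already implies (the ip_conntrack_* lines after ip_conntrack, the ip_nat_* lines after iptable_nat).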
@ -1,47 +0,0 @@
##############################################################################
#
# Shorewall 2.2 -- Network Address Translation Table
#
# /etc/shorewall/nat
#
# This file is used to define one-to-one Network Address Translation
# (NAT).
#
# WARNING: If all you want to do is simple port forwarding, do NOT use this
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# cases, Proxy ARP is a better solution that one-to-one NAT.
#
# Columns must be separated by white space and are:
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column and must not be a DNS Name.
#
# INTERFACE Interface that you want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias
# with this name (e.g., "eth0:0"). That allows you to
# see the alias with ifconfig. THAT IS THE ONLY THING
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
#
# If you want to override ADD_IP_ALIASES=Yes for a
# particular entry, follow the interface name with
# ":" and no digit (e.g., "eth0:").
# INTERNAL Internal Address (must not be a DNS Name).
#
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE
# column
#
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
#
# For additional information, see http://shorewall.net/NAT.htm
##############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
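Review bot: `# INTERNAL Internal Address (must not be a DNS Name).` follows the `":" and no digit (e.g., "eth0:").` paragraph with no `#` separator line, unlike every other column description in the file; add one so the column list scans consistently. Wording in the same block: `# INTERFACE Interface that you want to EXTERNAL address to appear` should read "the EXTERNAL address", "a better solution that one-to-one NAT" should be "than", and "SHORWALL" is misspelled.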
@ -1,38 +0,0 @@
##############################################################################
#
# Shorewall 2.2 -- Network Mapping Table
#
# /etc/shorewall/netmap
#
# This file is used to map addresses in one network to corresponding
# addresses in a second network.
#
# WARNING: To use this file, your kernel and iptables must have
# NETMAP support included.
#
# Columns must be separated by white space and are:
#
# TYPE Must be DNAT or SNAT.
#
# If DNAT, traffic entering INTERFACE and addressed to
# NET1 has it's destination address rewritten to the
# corresponding address in NET2.
#
# If SNAT, traffic leaving INTERFACE with a source
# address in NET1 has it's source address rewritten to
# the corresponding address in NET2.
#
# NET1 Network in CIDR format (e.g., 192.168.1.0/24)
#
# INTERFACE The name of a network interface. The interface must
# be defined in /etc/shorewall/interfaces.
#
# NET2 Network in CIDR format
#
# See http://shorewall.net/netmap.html for an example and usage
# information.
#
##############################################################################
#TYPE NET1 INTERFACE NET2
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
@ -1,25 +0,0 @@
#
# Shorewall 2.2 /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
# net $NET_IF $NET_BCAST $NET_OPTIONS
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 routefilter,norfc1918
#
##############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
@ -1,93 +0,0 @@
|
|||||||
#
|
|
||||||
# Shorewall 2.2 -- Policy File
|
|
||||||
#
|
|
||||||
# /etc/shorewall/policy
|
|
||||||
#
|
|
||||||
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
|
|
||||||
#
|
|
||||||
# This file determines what to do with a new connection request if we
|
|
||||||
# don't get a match from the /etc/shorewall/rules file . For each
|
|
||||||
# source/destination pair, the file is processed in order until a
|
|
||||||
# match is found ("all" will match any client or server).
|
|
||||||
#
|
|
||||||
# Columns are:
|
|
||||||
#
|
|
||||||
# SOURCE Source zone. Must be the name of a zone defined
|
|
||||||
# in /etc/shorewall/zones, $FW or "all".
|
|
||||||
#
|
|
||||||
# DEST Destination zone. Must be the name of a zone defined
|
|
||||||
# in /etc/shorewall/zones, $FW or "all"
|
|
||||||
#
|
|
||||||
# POLICY Policy if no match from the rules file is found. Must
|
|
||||||
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
|
|
||||||
#
|
|
||||||
# ACCEPT - Accept the connection
|
|
||||||
# DROP - Ignore the connection request
|
|
||||||
# REJECT - For TCP, send RST. For all other, send
|
|
||||||
# "port unreachable" ICMP.
|
|
||||||
# QUEUE - Send the request to a user-space
|
|
||||||
# application using the QUEUE target.
|
|
||||||
# CONTINUE - Pass the connection request past
|
|
||||||
# any other rules that it might also
|
|
||||||
# match (where the source or destination
|
|
||||||
# zone in those rules is a superset of
|
|
||||||
# the SOURCE or DEST in this policy).
|
|
||||||
# NONE - Assume that there will never be any
|
|
||||||
# packets from this SOURCE
|
|
||||||
# to this DEST. Shorewall will not set up
|
|
||||||
# any infrastructure to handle such
|
|
||||||
# packets and you may not have any rules
|
|
||||||
# with this SOURCE and DEST in the
|
|
||||||
# /etc/shorewall/rules file. If such a
|
|
||||||
# packet _is_ received, the result is
|
|
||||||
# undefined. NONE may not be used if the
|
|
||||||
# SOURCE or DEST columns contain the
|
|
# firewall zone ($FW) or "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
# then that action will be invoked before the policy named in
# this column is inforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "-" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT
net all DROP ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw net ACCEPT

#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT ULOG
#LAST LINE -- DO NOT REMOVE
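Review bot: the shipped-defaults comment and the live entries disagree: items b) and d) say internet and leftover connections are "logged at syslog level KERNEL.INFO", but the entries are `net all DROP ULOG` and `all all REJECT ULOG`, which log through the ULOG target and produce no record unless ulogd is running; the list also jumps from b) to d), and "inforced" should be "enforced". If this file is moving to the LEAF tree rather than being dropped outright, as the commit message suggests, carry those corrections with it.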
@ -1,46 +0,0 @@
##############################################################################
#
# Shorewall 2.2 -- Proxy ARP
#
# /etc/shorewall/proxyarp
#
# This file is used to define Proxy ARP.
#
# Columns must be separated by white space and are:
#
# ADDRESS IP Address
#
# INTERFACE Local interface where system is connected. If the
# local interface is obvious from the subnetting,
# you may enter "-" in this column.
#
# EXTERNAL External Interface to be used to access this system
#
# HAVEROUTE If there is already a route from the firewall to
# the host whose address is given, enter "Yes" or "yes"
# in this column. Otherwise, entry "no", "No" or leave
# the column empty and Shorewall will add the route for
# you. If Shorewall adds the route,the route will be
# persistent if the PERSISTENT column contains Yes;
# otherwise, "shorewall stop" or "shorewall clear" will
# delete the route.
#
# PERSISTENT If HAVEROUTE is No or "no", then the value of this
# column determines if the route added by Shorewall
# persists after a "shorewall stop" or a "shorewall
# clear". If this column contains "Yes" or "yes" then
# the route persists; If the column is empty or contains
# "No"or "no" then the route is deleted at "shorewall
# stop" or "shorewall clear".
#
# Example: Host with IP 155.186.235.6 is connected to
# interface eth1 and we want hosts attached via eth0
# to be able to access it using that address.
#
# #ADDRESS INTERFACE EXTERNAL
# 155.186.235.6 eth1 eth0
#
# See http://shorewall.net/ProxyARP.htm for additional information.
##############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
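Review bot: the worked example (`155.186.235.6 eth1 eth0`) shows only three columns while the header line below documents five; since an empty HAVEROUTE means Shorewall adds the route and an empty PERSISTENT means "shorewall stop" or "shorewall clear" removes it again, the example should either show those two columns or state that the defaults apply. Wording: "Otherwise, entry "no"" should read "enter", and "route,the route" is missing a space.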
@ -1,40 +0,0 @@
##############################################################################
#
# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#
# This file is used to define the hosts that are accessible when the
# firewall is stopped or when it is in the process of being
# [re]started.
#
# Columns must be separated by white space and are:
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If your kernel and iptables include
# iprange match support, IP address ranges are also
# allowed.
#
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
# these hosts back to themselves.
#
# Example:
#
# INTERFACE HOST(S) OPTIONS
# eth2 192.168.1.0/24
# eth0 192.0.2.44
# br0 - routeback
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
##############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
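Review bot: the example `br0 - routeback` pairs an empty HOST(S) column, which the text above defines as 0.0.0.0/0, with routeback, so while the firewall is stopped or restarting every host reachable through br0 is accepted and traffic between those hosts is passed back out the same interface. Because this file decides what stays reachable when the filter is down, a comment beside that example spelling out its scope would help readers who copy it.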
@ -1,371 +0,0 @@
#
# Shorewall version 2.2 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#-------------------------------------------------------------------------------#
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG, QUEUE or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# SAME -- Similar to DNAT except that the
# port may not be remapped and when
# multiple server addresses are
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
# -- Advanced users only.
# Like REDIRET but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
#
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as ftwall
# (http://p2pwall.sf.net).
# <action> -- The name of an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
#
# The ACTION may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
# DNAT:debug). This causes the packet to be
# logged at the specified level.
#
# If the ACTION names an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std then:
#
# - If the log level is followed by "!' then all rules
# in the action are logged at the log level.
#
# - If the log level is not followed by "!" then only
# those rules in the action that do not specify
# logging are logged at the specified level.
#
# - The special log level 'none!' suppresses logging
# by the action.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# Actions specifying logging may be followed by a
# log tag (a string of alphanumeric characters)
# are appended to the string generated by the
# LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
# Example: ACCEPT:info:ftp would include 'ftp '
# at the end of the log prefix generated by the
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all" or "none" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in
# the net zone.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself, "all" or "none".
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
# separate rules to handle that traffic.
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# Like in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no port is given, "ipp2p" is
# assumed.
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ORIGINAL DEST in the next column, then place
# "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT[-] or
# REDIRECT[-]) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# RATE LIMIT You may rate-limit the rule by placing a value in
# this colume:
#
# <rate>/<interval>[:<burst>]
#
# where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the
# largest burst permitted. If no <burst> is given,
# a value of 5 is assumed. There may be no
# no whitespace embedded in the specification.
#
# Example: 10/sec:20
#
# USER/GROUP This column may only be non-empty if the SOURCE is
# the firewall itself.
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
# the effective <user> and/or <group> specified (or is
# NOT running under that id if "!" is given).
#
# Examples:
#
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
# Allow Ping To Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
#
# Allow all ICMP types (including ping) From Firewall
#
ACCEPT fw loc icmp
ACCEPT fw net icmp
#
# Bering specific rules:
# allow loc to fw udp/53 for local/caching DNS servers to work
# allow loc to fw tcp/80 for weblet to work
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
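Review bot: the ACTION summary at the head of the column list names only ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, LOG, QUEUE and <action>, yet the descriptions directly beneath it also define ACCEPT+, NONAT, SAME, SAME- and REDIRECT-; the summary should list them so a reader scanning it does not miss the NAT-exclusion actions. On the live entries, `ACCEPT net fw icmp 8` admits echo requests from the net zone and `ACCEPT loc fw tcp 80` exposes weblet to the entire loc zone, both without a value in the RATE LIMIT column the comments document; since these are marked "Bering specific", removing them from this tree matches the commit message, but the file they move to should consider a `<rate>/<interval>:<burst>` value. Spelling: "REDIRET", "preceed", "modifiy", "ields", "colume", "0ptional" (digit zero), and the unbalanced `"!'` quoting in two places.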
@ -1,829 +0,0 @@
|
|||||||
##############################################################################
|
|
||||||
# /etc/shorewall/shorewall.conf V2.2 - Change the following variables to
|
|
||||||
# match your setup
|
|
||||||
#
|
|
||||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
|
||||||
#
|
|
||||||
# This file should be placed in /etc/shorewall
|
|
||||||
#
|
|
||||||
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
|
|
||||||
##############################################################################
|
|
||||||
# S T A R T U P E N A B L E D
|
|
||||||
##############################################################################
|
|
||||||
# Once you have configured Shorewall, you may change the setting of
|
|
||||||
# this variable to 'Yes'
|
|
||||||
|
|
||||||
STARTUP_ENABLED=No
|
|
||||||
|
|
||||||
##############################################################################
|
|
||||||
# L O G G I N G
|
|
||||||
##############################################################################
|
|
||||||
#
|
|
||||||
# General note about log levels. Log levels are a method of describing
|
|
||||||
# to syslog (8) the importance of a message and a number of parameters
|
|
||||||
# in this file have log levels as their value.
|
|
||||||
#
|
|
||||||
# These levels are defined by syslog and are used to determine the destination
|
|
||||||
# of the messages through entries in /etc/syslog.conf (5). The syslog
|
|
||||||
# documentation refers to these as "priorities"; Netfilter calls them "levels"
|
|
||||||
# and Shorewall also uses that term.
|
|
||||||
#
|
|
||||||
# Valid levels are:
|
|
||||||
#
|
|
||||||
# 7 debug
|
|
||||||
# 6 info
|
|
||||||
# 5 notice
|
|
||||||
# 4 warning
|
|
||||||
# 3 err
|
|
||||||
# 2 crit
|
|
||||||
# 1 alert
|
|
||||||
# 0 emerg
|
|
||||||
#
|
|
||||||
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
|
||||||
# log messages are generated by NetFilter and are logged using facility
|
|
||||||
# 'kern' and the level that you specifify. If you are unsure of the level
|
|
||||||
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
|
||||||
# number.
|
|
||||||
#
|
|
||||||
# If you have built your kernel with ULOG target support, you may also
|
|
||||||
# specify a log level of ULOG (must be all caps). Rather than log its
|
|
||||||
# messages to syslogd, Shorewall will direct netfilter to log the messages
|
|
||||||
# via the ULOG target which will send them to a process called 'ulogd'.
|
|
||||||
# ulogd is available with most Linux distributions (although it probably isn't
|
|
||||||
# installed by default). Ulogd is also available from
|
|
||||||
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
|
|
||||||
# Shorewall message to their own log file
|
|
||||||
################################################################################
|
|
||||||
#
|
|
||||||
# LOG FILE LOCATION
|
|
||||||
#
|
|
||||||
# This variable tells the /sbin/shorewall program where to look for Shorewall
|
|
||||||
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
|
|
||||||
# /var/log/messages is assumed.
|
|
||||||
#
|
|
||||||
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
|
|
||||||
# look for Shorewall messages.It does NOT control the destination for
|
|
||||||
# these messages. For information about how to do that, see
|
|
||||||
#
|
|
||||||
# http://www.shorewall.net/shorewall_logging.html
|
|
||||||
|
|
||||||
LOGFILE=/var/log/shorewall.log
|
|
||||||
|
|
||||||
#
|
|
||||||
# LOG FORMAT
|
|
||||||
#
|
|
||||||
# Shell 'printf' Formatting template for the --log-prefix value in log messages
|
|
||||||
# generated by Shorewall to identify Shorewall log messages. The supplied
|
|
||||||
# template is expected to accept either two or three arguments; the first is
|
|
||||||
# the chain name, the second (optional) is the logging rule number within that
|
|
||||||
# chain and the third is the ACTION specifying the disposition of the packet
|
|
||||||
# being logged. You must use the %d formatting type for the rule number; if your
|
|
||||||
# template does not contain %d then the rule number will not be included.
|
|
||||||
#
|
|
||||||
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
|
|
||||||
#
|
|
||||||
# LOGFORMAT="fp=%s:%d a=%s "
|
|
||||||
#
|
|
||||||
# If not specified or specified as empty (LOGFORMAT="") then the value
|
|
||||||
# "Shorewall:%s:%s:" is assumed.
|
|
||||||
#
|
|
||||||
# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up
|
|
||||||
# to but not including the first '%') to find log messages in the 'show log',
|
|
||||||
# 'status' and 'hits' commands. This part should not be omitted (the
|
|
||||||
# LOGFORMAT should not begin with "%") and the leading part should be
|
|
||||||
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
|
|
||||||
|
|
||||||
LOGFORMAT="Shorewall:%s:%s:"
|
|
||||||
|
|
||||||
#
|
|
||||||
# LOG FORMAT Continued
|
|
||||||
#
|
|
||||||
# Using the default LOGFORMAT, chain names may not exceed 11 characters or
|
|
||||||
# truncation of the log prefix may occur. Longer chain names may be used with
|
|
||||||
# log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is
|
|
||||||
# specified then the tag is included in the log prefix in place of the chain
|
|
||||||
# name.
|
|
||||||
#
|
|
||||||
|
|
||||||
LOGTAGONLY=No
|
|
||||||
|
|
||||||
#
|
|
||||||
# LOG RATE LIMITING
|
|
||||||
#
|
|
||||||
# The next two variables can be used to control the amount of log output
|
|
||||||
# generated. LOGRATE is expressed as a number followed by an optional
|
|
||||||
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
|
|
||||||
# rate at which a particular message will occur. LOGBURST determines the
|
|
||||||
# maximum initial burst size that will be logged. If set empty, the default
|
|
||||||
# value of 5 will be used.
|
|
||||||
#
|
|
||||||
# If BOTH variables are set empty then logging will not be rate-limited.
|
|
||||||
#
|
|
||||||
# Example:
|
|
||||||
#
|
|
||||||
# LOGRATE=10/minute
|
|
||||||
# LOGBURST=5
|
|
||||||
#
|
|
||||||
# For each logging rule, the first time the rule is reached, the packet
|
|
||||||
# will be logged; in fact, since the burst is 5, the first five packets
|
|
||||||
# will be logged. After this, it will be 6 seconds (1 minute divided by
|
|
||||||
# the rate of 10) before a message will be logged from the rule, regardless
|
|
||||||
# of how many packets reach it. Also, every 6 seconds which passes without
|
|
||||||
# matching a packet, one of the bursts will be regained; if no packets hit
|
|
||||||
# the rule for 30 seconds, the burst will be fully recharged; back where
|
|
||||||
# we started.
|
|
||||||
#
|
|
||||||
|
|
||||||
LOGRATE=
|
|
||||||
LOGBURST=
|
|
||||||
|
|
||||||
#
|
|
||||||
# LOG ALL NEW
|
|
||||||
#
|
|
||||||
# This option should only be used when you are trying to analyze a problem.
|
|
||||||
# It causes all packets in the Netfilter NEW state to be logged as the
|
|
||||||
# first rule in each builtin chain. To use this option, set LOGALLNEW to
|
|
||||||
# the log level that you want these packets logged at (e.g.,
|
|
||||||
# LOGALLNEW=debug).
|
|
||||||
#
|
|
||||||
|
|
||||||
LOGALLNEW=
|
|
||||||
|
|
||||||
#
|
|
||||||
# BLACKLIST LOG LEVEL
|
|
||||||
#
|
|
||||||
# Set this variable to the syslogd level that you want blacklist packets logged
|
|
||||||
# (beware of DOS attacks resulting from such logging). If not set, no logging
|
|
||||||
# of blacklist packets occurs.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this section for a description of log levels
|
|
||||||
#
|
|
||||||
BLACKLIST_LOGLEVEL=
|
|
||||||
|
|
||||||
#
|
|
||||||
# LOGGING 'New not SYN' rejects
|
|
||||||
#
|
|
||||||
# This variable only has an effect when NEWNOTSYN=No (see below).
|
|
||||||
#
|
|
||||||
# When a TCP packet that does not have the SYN flag set and the ACK and RST
|
|
||||||
# flags clear then unless the packet is part of an established connection,
|
|
||||||
# it will be rejected by the firewall. If you want these rejects logged,
|
|
||||||
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
|
|
||||||
#
|
|
||||||
# See the comment at the top of this section for a description of log levels
|
|
||||||
#
|
|
||||||
# Example: LOGNEWNOTSYN=debug
|
|
||||||
|
|
||||||
|
|
||||||
LOGNEWNOTSYN=ULOG
|
|
||||||
|
|
||||||
#
|
|
||||||
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this section for a description of log levels
#

MACLIST_LOG_LEVEL=ULOG

#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this section for a description of log levels
#

TCP_FLAGS_LOG_LEVEL=ULOG

#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this section for a description of log levels
#

RFC1918_LOG_LEVEL=ULOG

#
# SMURF Log Level
#
# Specifies the logging level for smurf packets dropped by the
#'nosmurfs' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
# ) then dropped smurfs are not logged.

#
# See the comment at the top of this section for a description of log levels
#

SMURF_LOG_LEVEL=ULOG

#
# BOGON Log Level
#
# Specifies the logging level for bogon packets dropped by the
#'nobogons' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value
# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop'
# in /usr/share/shorewall/bogons are logged at the 'info' level.
#
# See the comment at the top of this section for a description of log levels
#

BOGON_LOG_LEVEL=ULOG

#
# MARTIAN LOGGING
#
# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
# that have impossible source IP addresses. This logging may be enabled
# on individual interfaces by using the 'logmartians' option in
# /etc/shorewall/interfaces.
#

LOG_MARTIANS=No
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
#
# IPTABLES
#
# Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
#
IPTABLES=

#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

#
# SHELL
#
# The firewall script is normally interpreted by /bin/sh. If you wish to change
# the shell used to interpret that script, specify the shell here.

SHOREWALL_SHELL=/bin/sh

# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
# use lock files, set this to "".
#

SUBSYSLOCK=/var/run/shorewall

#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#

STATEDIR=/var/state/shorewall

#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.

MODULESDIR=

#
# CONFIGURATION SEARCH PATH
#
# This option holds a list of directory names separated by colons
# (":"). Shorewall will search each directory in turn when looking for a
# configuration file. When processing a 'try' command or a command
# containing the "-c" option, Shorewall will automatically add the
# directory specified in the command to the front of this list.
#
# If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

#
# RESTORE SCRIPT
#
# This option determines the script to be run in the following cases:
#
# shorewall -f start
# shorewall restore
# shorewall save
# shorewall forget
# Failure of shorewall start or shorewall restart
#
# The value of the option must be the name of an executable file in the
# directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.

RESTOREFILE=
################################################################################
# F I R E W A L L O P T I O N S
################################################################################

# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw

#
# ENABLE IP FORWARDING
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding.
#
IP_FORWARDING=On

#
# AUTOMATICALLY ADD NAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_IP_ALIASES=Yes

#
# AUTOMATICALLY ADD SNAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
# you are sure that you need it -- most people don't!!!
#
ADD_SNAT_ALIASES=No

#
# RETAIN EXISTING ALIASES/IP ADDRESSES
#
# Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall
# will first delete the address then re-add it. This is to ensure that the
# address is added with the specified label. Unfortunately, this can cause
# problems if it results in the deletion of the last IP address on an
# interface because then all routes through the interface are automatically
# removed.
#
# You can cause Shorewall to retain existing addresses by setting
# RETAIN_ALIASES=Yes.
#
RETAIN_ALIASES=No

#
# ENABLE TRAFFIC SHAPING
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities).

TC_ENABLED=No

#
# Clear Traffic Shapping/Control
#
# If this option is set to 'No' then Shorewall won't clear the current
# traffic control rules during [re]start. This setting is intended
# for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.

CLEAR_TC=Yes

#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.

MARK_IN_FORWARD_CHAIN=No

#
# MSS CLAMPING
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
# This option adds a `TCPMSS' target, which allows you to alter the
# MSS value of TCP SYN packets, to control the maximum size for that
# connection (usually limiting it to your outgoing interface's MTU
# minus 40).
#
# This is used to overcome criminally braindead ISPs or servers which
# block ICMP Fragmentation Needed packets. The symptoms of this
# problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large
# packets:
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
# You may also set this option to a numeric value in which case Shorewall will
# set up a rule to modify the MSS value in SYN packets to the value that
# you specify.
#
# Example:
#
# CLAMPMSS=1400
#
CLAMPMSS=No

#
# ROUTE FILTERING
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces started while Shorewall is started (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
# on individual interfaces using the 'routefilter' option in the
# /etc/shorewall/interfaces file.

ROUTE_FILTER=No

# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
#
# DNAT net loc:192.168.1.3 tcp 80
#
# it will forward TCP port 80 connections from the net to 192.168.1.3
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
# convenient for two reasons:
#
# a) If the the network interface has a dynamic IP address, the
# firewall configuration will work even when the address
# changes.
#
# b) It saves having to configure the IP address in the rule
# while still allowing the firewall to be started before the
# internet interface is brought up.
#
# This default behavior can also have a negative effect. If the
# internet interface has more than one IP address then the above
# rule will forward connection requests on all of these addresses;
# that may not be what is desired.
#
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
# only if the original destination address is the primary IP address of
# one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall
# is [re]started.

DETECT_DNAT_IPADDRS=No

#
# MUTEX TIMEOUT
#
# The value of this variable determines the number of seconds that programs
# will wait for exclusive access to the Shorewall lock file. After the number
# of seconds corresponding to the value of this variable, programs will assume
# that the last program to hold the lock died without releasing the lock.
#
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
#
# An appropriate value for this parameter would be twice the length of time
# that it takes your firewall system to process a "shorewall restart" command.

MUTEX_TIMEOUT=60

#
# NEWNOTSYN
#
# TCP connections are established using the familiar three-way "handshake":
#
# CLIENT SERVER
#
# SYN-------------------->
# <------------------SYN,ACK
# ACK-------------------->
#
# The first packet in that exchange (packet with the SYN flag on and the ACK
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
# A packet is said to be NEW if it is not part of or related to an already
# established connection.
#
# The NEWNOTSYN option determines the handling of non-SYN packets (those with
# SYN off or with ACK or RST on) that are not associated with an already
# established connection.
#
# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
# part of an already established connection will be dropped by the
# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
# logged before they are dropped.
#
# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule/policy processing.
#
# Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
# network or host basis using the same option in /etc/shorewall/hosts.

#
# I find that NEWNOTSYN=No tends to result in lots of "stuck"
# connections because any network timeout during TCP session tear down
# results in retries being dropped (Netfilter has removed the
# connection from the conntrack table but the end-points haven't
# completed shutting down the connection). I therefore have chosen
# NEWNOTSYN=Yes as the default value.

NEWNOTSYN=Yes

#
# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
#
# Normally, when a "shorewall stop" command is issued or an error occurs during
# the execution of another shorewall command, Shorewall puts the firewall into
# a state where only traffic to/from the hosts listed in
# /etc/shorewall/routestopped is accepted.
#
# When performing remote administration on a Shorewall firewall, it is
# therefore recommended that the IP address of the computer being used for
# administration be added to the firewall's /etc/shorewall/routestopped file.
#
# Some administrators have a hard time remembering to do this with the result
# that they get to drive across town in the middle of the night to restart
# a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
# to and from hosts listed in /etc/shorewall/routestopped.
#
# If this variable is not set or it is set to the null value then
# ADMINISABSENTMINDED=No is assumed.
#
ADMINISABSENTMINDED=Yes

#
# BLACKLIST Behavior
#
# Shorewall offers two types of blacklisting:
#
# - static blacklisting through the /etc/shorewall/blacklist file together
# with the 'blacklist' interface option.
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
#
# The following variable determines whether the blacklist is checked for each
# packet or for each new connection.
#
# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
# requests
#
# BLACKLISTNEWONLY=No Consult blacklists for all packets.
#
# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
# BLACKLISTNEWONLY=No is assumed.
#
BLACKLISTNEWONLY=Yes

#
# Users with a large blacklist find that "shorwall [re]start" takes a long
# time and that new connections are disabled during that time. By setting
# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
# before loading the blacklist.

DELAYBLACKLISTLOAD=No

# MODULE NAME SUFFIX
#
# When loading a module named in /etc/shorewall/modules, Shorewall normally
# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a
# different naming convention then you can specify the suffix (extension) for
# module names in this variable.
#
# To see what suffix is used by your distribution:
#
# ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
#
# All of the file names listed should have the same suffix (extension). Set
# MODULE_SUFFIX to that suffix.
#
# Examples:
#
# If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
# If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
#

MODULE_SUFFIX=

#
# DISABLE IPV6
#
# Distributions (notably SuSE) are beginning to ship with IPV6
# enabled. If you are not using IPV6, you are at risk of being
# exploited by users who do. Setting DISABLE_IPV6=Yes will cause
# Shorewall to disable IPV6 traffic to/from and through your
# firewall system. This requires that you have ip6tables installed.
# Should be set to "No" for LEAF/LRP

DISABLE_IPV6=No

#
# BRIDGING
#
# If you wish to control traffic through a bridge (see http://bridge.sf.net),
# then set BRIDGING=Yes. Your kernel must have the physdev match option
# enabled; that option is available at the above URL for 2.4 kernels and
# is included as a standard part of the 2.6 series kernels. If not
# specified or specified as empty (BRIDGING="") then "No" is assumed.
#

BRIDGING=No

#
# DYNAMIC ZONES
#
# If you need to be able to add and delete hosts from zones dynamically then
# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.

DYNAMIC_ZONES=No

#
# USE PKTTYPE MATCH
#
# Some users have reported problems with the PKTTYPE match extension not being
# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
# will use IP addresses to detect broadcasts rather than pkttype. If not given
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.

PKTTYPE=Yes

#
# DROP INVALID PACKETS
#
# Netfilter classifies packets relative to its connection tracking table into
# four states:
#
# NEW - thes packet initiates a new connection
# ESTABLISHED - thes packet is part of an established connection
# RELATED - thes packet is related to an established connection; it may
# establish a new connection
# INVALID - the packet does not related to the table in any sensible way.
#
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
# Window analysis. This can cause packets that were previously classified as
# NEW or ESTABLISHED to be classified as INVALID.
#
# The new kernel code can be disabled by including this command in your
# /etc/shorewall/init file:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#
# Additional kernel logging about INVALID TCP packets may be obtained by
# adding this command to /etc/shorewall/init:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
#
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
# option allows INVALID packets to be passed through the normal rules chains by
# setting DROPINVALID=No.
#
# If not specified or if specified as empty (e.g., DROPINVALID="") then
# DROPINVALID=Yes is assumed.

DROPINVALID=No

#
# RFC 1918 BEHAVIOR
#
# Traditionally, the RETURN target in the 'rfc1918' file has caused 'norfc1918'
# processing to cease for a packet if the packet's source IP address matches
# the rule. Thus, if you have:
#
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
#
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# also have:
#
# SUBNETS TARGET
# 10.0.0.0/8 logdrop
#
# Setting RFC1918_STRICT=Yes will cause such traffic to be logged and dropped
# since while the packet's source matches the RETURN rule, the packet's
# destination matches the 'logdrop' rule.
#
# If not specified or specified as empty (e.g., RFC1918_STRICT="") then
# RFC1918_STRICT=No is assumed.
#
# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
# 'conntrack state' match.

RFC1918_STRICT=No

#
# MACLIST caching
#
# If your iptables and kernel support the "Recent Match" (see the output of
# "shorewall check" near the top), you can cache the results of a 'maclist'
# file lookup and thus reduce the overhead associated with MAC Verification
# (/etc/shorewall/maclist).
#
# When a new connection arrives from a 'maclist' interface, the packet passes
# through then list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent connection attempts from that IP address occuring
# within $MACLIST_TTL seconds will be accepted without having to scan all of
# the entries. After $MACLIST_TTL from the first accepted connection request,
# the next connection request from that IP address will be checked against
# the entire list.
#
# If MACLIST_TTL is not specified or is specified as empty (e.g,
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
# be cached.

MACLIST_TTL=

################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#

BLACKLIST_DISPOSITION=DROP

#
# MAC List Disposition
#
# This variable determines the disposition of connection requests arriving
# on interfaces that have the 'maclist' option and that are from a device
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed

MACLIST_DISPOSITION=REJECT

#
# TCP FLAGS Disposition
#
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces or in
# /etc/shorewall/hosts. If not specified or specified as empty
# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.

TCP_FLAGS_DISPOSITION=DROP

#LAST LINE -- DO NOT REMOVE
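Review bot: the removed shorewall.conf carries LEAF-specific values that diverge from the defaults its own comments document, and the commit message ("LEAF sutff no longer here..") does not say where they went: SUBSYSLOCK=/var/run/shorewall (the comment gives /var/lock/subsys/shorewall as the RedHat location), STATEDIR=/var/state/shorewall, DISABLE_IPV6=No under the note 'Should be set to "No" for LEAF/LRP', DROPINVALID=No against the documented default of Yes, and ADMINISABSENTMINDED=Yes against the documented default of No. Please name the repository or package that now owns the LEAF packaging in the commit message so anyone building a LEAF image can find these settings rather than rediscovering them from the upstream defaults.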
@ -1,12 +0,0 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
for file in /etc/shorewall/start.d/* ; do
run_user_exit $file
done
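Review bot: the loop removed here, `for file in /etc/shorewall/start.d/* ; do run_user_exit $file ; done` (the stop file in this commit has the same loop over stop.d), was this package's only hook for the start.d/stop.d drop-in directories, so whichever LEAF package replaces it needs to keep the convention or document its removal. If the loop is carried over, note that with an empty start.d directory the unmatched glob is passed literally, so run_user_exit is called with `/etc/shorewall/start.d/*` as its argument; the replacement should guard with `[ -f "$file" ] || continue` (and quote `"$file"`) unless run_user_exit itself checks that its argument exists.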
@ -1,11 +0,0 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
for file in /etc/shorewall/stop.d/* ; do
run_user_exit $file
done
@ -1,8 +0,0 @@
############################################################################
# Shorewall 2.2 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
@ -1,155 +0,0 @@
#
# Shorewall version 2.2 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing.
#
# I M P O R T A N T ! ! ! !
#
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
#
# Unlike rules in the /etc/shorewall/rules file, evaluation
# of rules in this file will continue after a match. So the
# final mark for each packet will be the one assigned by the
# LAST tcrule that matches.
#
# Columns are:
#
#
# MARK/ a) A mark value which is a integer in the range 1-255
# CLASSIFY
# May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking
# should occur in the FORWARD chain. If neither
# ":P" nor ":F" follow the mark value then the chain is
# determined by the setting of MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf.
#
# If your kernel and iptables include CONNMARK support
# then you can also mark the connection rather than
# the packet.
#
# The mark value may be optionally followed by "/"
# and a mask value (used to determine those bits of
# the connection mark to actually be set). The
# mark and optional mask are then followed by one of:
#
# C - Mark the connection in the chain determined
# by the setting of MARK_IN_FORWARD_CHAIN
#
# CF: Mark the connection in the FORWARD chain
#
# CP: Mark the connection in the PREROUTING chain.
#
# b) A classification of the form <major>:<minor> where
# <major> and <minor> are integers. Corresponds to
# the 'class' specification in these traffic shaping
# modules:
#
# - atm
# - cbq
# - dsmark
# - pfifo_fast
# - htb
# - prio
#
# Classify always occurs in the POSTROUTING chain.
#
# c) RESTORE[/mask] -- restore the packet's mark from the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# As in a) above, may be followed by ":P" or ":F
#
# c) SAVE[/mask] -- save the packet's mark to the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# As in a) above, may be followed by ":P" or ":F
#
# d) CONTINUE -- don't process any more marking rules in
# the table. As in a) above, may be followed by ":P" or
# ":F".
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses
# and/or subnets. If your kernel and iptables include
# iprange match support, IP address ranges are also
# allowed. Use $FW if the packet originates on
# the firewall in which case the MARK column may NOT
# specify either ":P" or ":F" (marking always occurs
# in the OUTPUT chain). $FW may be optionally followed
# by ":" and a host/network address.
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Destination of the packet. Comma separated list of
# IP addresses and/or subnets. If your kernel and
# iptables include iprange match support, IP address
# ranges are also allowed.
#
# If the MARK column specificies a classification of
# the form <major>:<minor> then this column may also
# contain an interface name.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
#
# PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no PORT is given, "ipp2p" is
# assumed.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following field is supplied.
# In that case, it is suggested that this field contain
# "-"
||||||
#
|
|
||||||
# SOURCE PORT(S) (Optional) Source port(s). If omitted,
|
|
||||||
# any source port is acceptable. Specified as a comma-
|
|
||||||
# separated list of port names, port numbers or port
|
|
||||||
# ranges.
|
|
||||||
#
|
|
||||||
# USER This column may only be non-empty if the SOURCE is
|
|
||||||
# the firewall itself.
|
|
||||||
#
|
|
||||||
# When this column is non-empty, the rule applies only
|
|
||||||
# if the program generating the output is running under
|
|
||||||
# the effective user and/or group.
|
|
||||||
#
|
|
||||||
# It may contain :
|
|
||||||
#
|
|
||||||
# [<user name or number>]:[<group name or number>]
|
|
||||||
#
|
|
||||||
# The colon is optionnal when specifying only a user.
|
|
||||||
# Examples : john: / john / :users / john:users
|
|
||||||
#
|
|
||||||
# TEST Defines a test on the existing packet or connection mark.
|
|
||||||
# The rule will match only if the test returns true. Tests
|
|
||||||
# have the format [!]<value>[/<mask>][:C]
|
|
||||||
#
|
|
||||||
# Where:
|
|
||||||
#
|
|
||||||
# ! Inverts the test (not equal)
|
|
||||||
# <value> Value of the packet or connection mark.
|
|
||||||
# <mask> A mask to be applied to the mark before
|
|
||||||
# testing
|
|
||||||
# :C Designates a connection mark. If omitted,
|
|
||||||
# the packet mark's value is tested.
|
|
||||||
#
|
|
||||||
# See http://shorewall.net/traffic_shaping.htm for additional information.
|
|
||||||
##############################################################################
|
|
||||||
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
|
||||||
# PORT(S)
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
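Review bot: the deleted tcrules header carries several defects that should be fixed in whichever copy of the file survives this move rather than disappear with it. RESTORE and SAVE are both labelled "c)" while CONTINUE is "d)", so the option list runs a), b), c), c), d); the two lines reading `As in a) above, may be followed by ":P" or ":F` lack the closing quote and period that the CONTINUE entry has; "specificies" and "optionnal" are typos, and "if any of the following field is supplied" should read "fields". The column banner also names the sixth column `CLIENT PORT(S)` while the description above it calls the same column `SOURCE PORT(S)`; since the banner is what users see when they add rules, the two should agree.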
@ -1,46 +0,0 @@
#
# Shorewall 2.2 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
# Columns are:
#
# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address, a MAC address, a subnet
# specification or the name of an interface.
#
# Example: loc:192.168.2.3
#
# MAC addresses must be prefixed with "~" and use
# "-" as a separator.
#
# Example: ~00-A0-C9-15-39-78
#
# DEST Name of a zone declared in /etc/shorewall/zones, "all"
# or $FW.
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address or a subnet specification
#
# Example: loc:192.168.2.3
#
# PROTOCOL Protocol.
#
# SOURCE PORTS Source port or port range. If all ports, use "-".
#
# DEST PORTS Destination port or port range. If all ports, use "-"
#
# TOS Type of service. Must be one of the following:
#
# Minimize-Delay (16)
# Maximize-Throughput (8)
# Maximize-Reliability (4)
# Minimize-Cost (2)
# Normal-Service (0)
#
##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
#LAST LINE -- Add your entries above -- DO NOT REMOVE
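Review bot: two small points in the removed tos header worth carrying into the surviving copy. The DEST PORTS line is missing the trailing period its SOURCE PORTS twin has, and the SOURCE and DEST descriptions are asymmetric (SOURCE accepts an IP address, MAC address, subnet or interface suffix; DEST accepts only an IP address or subnet) without saying so; a one-line remark that MAC and interface qualifiers are meaningful only on the source side would stop readers from trying `~`-prefixed MAC addresses in the DEST column.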
@ -1,117 +0,0 @@
#
# Shorewall 2.2 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
# IPIP, GRE and OPENVPN tunnels must be configured on the
# firewall/gateway itself. IPSEC endpoints may be defined
# on the firewall/gateway or on an internal system.
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip"
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
#
# If the type is "ipsec" or "ipsecnat", it may be followed
# by ":noah" to indicate that the Authentication Header
# protocol (51) is not used by the tunnel.
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no
# ":" and port number are included, then the default port
# of 5000 will be used
#
# If type is "generic", it must be followed by ":" and
# a protocol name (from /etc/protocols) or a protocol
# number. If the protocol is "tcp" or "udp" (6 or 17),
# then it may optionally be followed by ":" and a
# port number.
#
# ZONE -- The zone of the physical interface through which
# tunnel traffic passes. This is normally your internet
# zone.
#
# GATEWAY -- The IP address of the remote tunnel gateway. If the
# remote getway has no fixed address (Road Warrior)
# then specify the gateway as 0.0.0.0/0. May be
# specified as a network address and if your kernel and
# iptables include iprange match support then IP address
# ranges are also allowed.
#
# GATEWAY
# ZONES -- Optional. If the gateway system specified in the third
# column is a standalone host then this column should
# contain a comma-separated list of the names of the
# zones that the host might be in. This column only
# applies to IPSEC and generic tunnels.
#
# Example 1:
#
# IPSec tunnel. The remote gateway is 4.33.99.124 and
# the remote subnet is 192.168.9.0/24. The tunnel does
# not use the AH protocol
#
# ipsec:noah net 4.33.99.124
#
# Example 2:
#
# Road Warrior (LapTop that may connect from anywhere)
# where the "gw" zone is used to represent the remote
# LapTop.
#
# ipsec net 0.0.0.0/0 gw
#
# Example 3:
#
# Host 4.33.99.124 is a standalone system connected
# via an ipsec tunnel to the firewall system. The host
# is in zone gw.
#
# ipsec net 4.33.99.124 gw
#
# Example 4:
#
# Road Warriors that may belong to zones vpn1, vpn2 or
# vpn3. The FreeS/Wan _updown script will add the
# host to the appropriate zone using the "shorewall add"
# command on connect and will remove the host from the
# zone at disconnect time.
#
# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
#
# Example 5:
#
# You run the Linux PPTP client on your firewall and
# connect to server 192.0.2.221.
#
# pptpclient net 192.0.2.221
#
# Example 6:
#
# You run a PPTP server on your firewall.
#
# pptpserver net
#
# Example 7:
#
# OPENVPN tunnel. The remote gateway is 4.33.99.124 and
# openvpn uses port 7777.
#
# openvpn:7777 net 4.33.99.124
#
# Example 8:
#
# You have a tunnel that is not one of the supported types.
# Your tunnel uses UDP port 4444. The other end of the
# tunnel is 4.3.99.124.
#
# generic:udp:4444 net 4.3.99.124
#
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
#
# TYPE ZONE GATEWAY GATEWAY
# ZONE
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
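Review bot: the removed tunnels header has items worth fixing in the surviving copy. Example 8 gives the far end as 4.3.99.124 where every other example uses 4.33.99.124, which reads like a dropped digit; "remote getway" in the GATEWAY description is a typo; and "if no ":" and port number" starts a sentence in lower case and the paragraph ends without a period. On substance, Examples 2 and 4 specify the gateway as 0.0.0.0/0, which by the GATEWAY column's own definition means the tunnel protocols are admitted from any address in the `net` zone; a sentence beside those examples noting that this is the inherent cost of a road-warrior setup, and that the GATEWAY ZONES column (or, in Example 4, the FreeS/Wan _updown hook calling "shorewall add") is what confines the connected host to its intended zone, would help readers judge the exposure. The stated openvpn default of port 5000 should also be checked against the OpenVPN release this tree targets before the text is reused.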
@ -1,21 +0,0 @@
#
# Shorewall 2.2 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
# used as zone names.
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
#dmz DMZ Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
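Review bot: style only, for whichever copy of zones survives: the title line "Shorewall 2.2 /etc/shorewall/zones" lacks the "--" separator used by the tos and tunnels headers, and the LAST LINE marker uses single "-" separators where the other files use "--". Aligning these keeps the generated/shipped config files greppable by one pattern.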
1330
Lrp2/sbin/shorewall
File diff suppressed because it is too large
@ -1,10 +0,0 @@
#
# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth
#
# This action accepts Auth (identd) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
ACCEPT - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
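Review bot: the single rule `ACCEPT - - tcp 113` sets no SOURCE, DEST, SOURCE PORT(S) or RATE LIMIT, so the action itself applies no scoping; whatever reaches it is admitted to port 113. That is the action's stated purpose, but the header comment should say so explicitly (for example "accepts Auth (identd) traffic; restrict source, destination or rate at the rule that invokes this action") so that nobody reading only the action file assumes it limits the traffic on its own.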
Some files were not shown because too many files have changed in this diff