holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Large cleanup patch from Tuomo Soini

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2449 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-08-02 16:46:30 +00:00
parent 21a7315717
commit ac1983a5da
85 changed files with 1382 additions and 1138 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
Shorewall/accounting
View File

@ -29,7 +29,7 @@
# a jump to that chain. If :COUNT
# is including, a counting rule
# matching this record will be
# added to <chain>
# added to <chain>
#
# CHAIN - The name of a chain. If specified as "-" the
# 'accounting' chain is assumed. This is the chain
@ -49,10 +49,11 @@
# PROTOCOL A protocol name (from /etc/protocols), a protocol
# number, or "ipp2p"
#
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
# this column must contain an ipp2p option ("iptables -m
# ipp2p --help") without the leading "--". If no option
# is given in this column, "ipp2p" is assumed.
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p"
# then this column must contain an ipp2p option
# ("iptables -m ipp2p --help") without the leading
# "--". If no option is given in this column, "ipp2p"
# is assumed.
#
# Service name from /etc/services or port number. May
# only be specified if the protocol is TCP or UDP (6
@ -69,7 +70,7 @@
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
@ -81,17 +82,17 @@
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd
# +upnpd #program named upnpd
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
#####################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
# PORT PORT GROUP
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

34
Shorewall/action.Drop
View File

@ -1,21 +1,24 @@
#
# Shorewall 2.6 /usr/share/shorewall/action.Drop
# Shorewall version 2.6 - Drop Action
#
# /usr/share/shorewall/action.Drop
#
# The default DROP common rules
#
# This action is invoked before a DROP policy is enforced. The purpose of the action
# is:
# This action is invoked before a DROP policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
# Otherwise, you may experience problems establishing connections with
# servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# b) Ensure that 'auth' requests are rejected, even if the policy is
# DROP. Otherwise, you may experience problems establishing
# connections with servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
######################################################################################
#TARGET SOURCE DEST PROTO DPORT SPORT
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
###############################################################################
#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Reject 'auth'
#
@ -27,10 +30,10 @@ dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log.
# Drop packets that in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid
#
@ -41,9 +44,10 @@ DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

31
Shorewall/action.Reject
View File

@ -1,33 +1,37 @@
#
# Shorewall 2.6 /usr/share/shorewall/action.Reject
# Shorewall version 2.6 - Reject Action
#
# /usr/share/shorewall/action.Reject
#
# The default REJECT action common rules
#
# This action is invoked before a REJECT policy is enforced. The purpose of the action
# is:
# This action is invoked before a REJECT policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
######################################################################################
#TARGET SOURCE DEST PROTO
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###############################################################################
#TARGET SOURCE DEST PROTO
#
# Don't log 'auth' REJECT
#
Auth/REJECT
#
# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
AllowICMPs - - icmp
#
# Drop packets that in the INVALID state -- these are usually ICMP packets and just
# confuse people when they appear in the log (these ICMPs cannot be rejected).
# Drop packets that in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
@ -38,9 +42,10 @@ DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

56
Shorewall/action.template
View File

@ -1,5 +1,7 @@
#
# Shorewall 2.6 /etc/shorewall/action.template
# Shorewall version 2.6 - Template Action
#
# /etc/shorewall/action.template
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
@ -20,20 +22,21 @@
# TARGET ACCEPT, DROP, REJECT, LOG, QUEUE or a
# previously-defined <action>
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# LOG -- Simply log the packet and continue.
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
# CONTINUE -- Discontinue processing this action
# and return to the point where the
# action was invoked.
# <action> -- An <action> defined in
# /etc/shorewall/actions. The <action>
# must appear in that file BEFORE the
# one being defined in this file.
# /etc/shorewall/actions.
# The <action> must appear in that
# file BEFORE the one being defined
# in this file.
#
# The TARGET may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or
@ -72,21 +75,21 @@
# kernel and iptables must have
# iprange match support.
#
# +remote The name of an ipset prefaced
# by "+". Your kernel and
# +remote The name of an ipset prefaced
# by "+". Your kernel and
# iptables must have set match
# support
#
# +remote[4] The name of the ipset may
# followed by a number of
# levels of ipset bindings
# enclosed in square brackets.
# +remote[4] The name of the ipset may
# followed by a number of
# levels of ipset bindings
# enclosed in square brackets.
#
# 192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2.
# ~00-A0-C9-15-39-78 Host with
# MAC address 00:A0:C9:15:39:78.
# ~00-A0-C9-15-39-78 Host with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# name. For example, eth1 specifies a
@ -95,14 +98,15 @@
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., eth1:192.168.1.5).
#
# DEST Location of destination host. Same as above with the exception that
# MAC addresses are not allowed and that you cannot specify
# an ipset name in both the SOURCE and DEST columns.
# DEST Location of destination host. Same as above with
# the exception that MAC addresses are not allowed and
# that you cannot specify an ipset name in both the
# SOURCE and DEST columns.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
@ -157,7 +161,7 @@
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
@ -169,11 +173,11 @@
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named upnpd
# +upnpd #program named upnpd
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
###############################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

9
Shorewall/actions
View File

@ -1,5 +1,7 @@
#
# Shorewall 2.6 /etc/shorewall/actions
# Shorewall version 2.6 - Actions File
#
# /etc/shorewall/actions
#
# This file allows you to define new ACTIONS for use in rules
# (/etc/shorewall/rules). You define the iptables rules to
@ -24,9 +26,8 @@
# If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
# itself, the associated policy will have no common action.
#
# Please see http://shorewall.net/Actions.html for additional
# information.
# Please see http://shorewall.net/Actions.html for additional information.
#
###############################################################################
#ACTION
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

35
Shorewall/actions.std
View File

@ -1,27 +1,28 @@
#
# Shorewall 2.6 /usr/share/shorewall/actions.std
# Shorewall version 2.6 - Actions.std File
#
# /usr/share/shorewall/actions.std
#
# Please see http://shorewall.net/Actions.html for additional
# information.
#
# Builtin Actions are:
#
# allowBcast #Silently Allow Broadcast/multicast
# dropBcast #Silently Drop Broadcast/multicast
# dropNotSyn #Silently Drop Non-syn TCP packets
# rejNotSyn #Silently Reject Non-syn TCP packets
# dropInvalid #Silently Drop packets that are in the INVALID
# #conntrack state.
# allowInvalid #Accept packets that are in the INVALID
# #conntrack state.
# allowoutUPnP #Allow traffic from local command 'upnpd'
# allowinUPnP #Allow UPnP inbound (to firewall) traffic
# forwardUPnP #Allow traffic that upnpd has redirected from
# #'upnp' interfaces.
# allowBcast # Silently Allow Broadcast/multicast
# dropBcast # Silently Drop Broadcast/multicast
# dropNotSyn # Silently Drop Non-syn TCP packets
# rejNotSyn # Silently Reject Non-syn TCP packets
# dropInvalid # Silently Drop packets that are in the INVALID
# # conntrack state.
# allowInvalid # Accept packets that are in the INVALID
# # conntrack state.
# allowoutUPnP # Allow traffic from local command 'upnpd'
# allowinUPnP # Allow UPnP inbound (to firewall) traffic
# forwardUPnP # Allow traffic that upnpd has redirected from
# # 'upnp' interfaces.
#
###############################################################################
#ACTION
Drop:DROP #Common Action for DROP policy
Reject:REJECT #Common Action for REJECT policy
Drop:DROP # Common Action for DROP policy
Reject:REJECT # Common Action for REJECT policy
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

42
Shorewall/blacklist
View File

@ -1,21 +1,22 @@
#
# Shorewall 2.6 -- Blacklist File
# Shorewall version 2.6 - Blacklist File
#
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
# This file contains a list of IP addresses, MAC addresses and/or
# subnetworks.
#
# Columns are:
#
# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address
# ADDRESS/SUBNET - Host address, subnetwork, MAC address, IP address
# range (if your kernel and iptables contain iprange
# match support) or ipset name prefaced by "+" (if
# your kernel supports ipset match).
#
# MAC addresses must be prefixed with "~" and use "-"
# MAC addresses must be prefixed with "~" and use "-"
# as a separator.
#
# Example: ~00-A0-C9-15-39-78
# Example: ~00-A0-C9-15-39-78
#
# PROTOCOL - Optional. If specified, must be a protocol number
# or a protocol name from /etc/protocols.
@ -24,27 +25,28 @@
# is TCP (6) or UDP (17). A comma-separated list
# of port numbers or service names from /etc/services.
#
# When a packet arrives on an interface that has the 'blacklist' option
# specified in /etc/shorewall/interfaces, its source IP address is checked
# against this file and disposed of according to the BLACKLIST_DISPOSITION and
# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
# When a packet arrives on an interface that has the 'blacklist' option
# specified in /etc/shorewall/interfaces, its source IP address is
# checked against this file and disposed of according to the
# BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
#
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
#
# Example:
# Example:
#
# To block DNS queries from address 192.0.2.126:
# To block DNS queries from address 192.0.2.126:
#
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
# ADDRESS/SUBNET PROTOCOL PORT
# 192.0.2.126 udp 53
#
# Example:
# Example:
#
# To block DNS queries from addresses in the ipset 'dnsblack':
# To block DNS queries from addresses in the ipset 'dnsblack':
#
# ADDRESS/SUBNET PROTOCOL PORT
# +dnsblack udp 53
# ADDRESS/SUBNET PROTOCOL PORT
# +dnsblack udp 53
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
@ -52,5 +54,3 @@
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

16
Shorewall/continue
View File

@ -1,8 +1,14 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing connections.
# Shorewall version 2.6 - Continue File
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
# /etc/shorewall/continue
#
# Add commands below that you want to be executed after shorewall has
# cleared any existing Netfilter rules and has enabled existing
# connections.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

9
Shorewall/ecn
View File

@ -1,11 +1,13 @@
#
# Shorewall 2.6 - /etc/shorewall/ecn
# Shorewall version 2.6 - Ecn File
#
# /etc/shorewall/ecn
#
# Use this file to list the destinations for which you want to
# disable ECN.
#
# This feature requires kernel 2.4.20 or later. If you run 2.4.20,
# you also need the patch found at http://www.shorewall.net/ecn/patch.
# you also need the patch found at http://www.shorewall.net/ecn/patch.
# That patch is included in kernels 2.4.21 and later.
#
# INTERFACE - Interface through which host(s) communicate with
@ -17,6 +19,7 @@
# are also permitted.
#
# For additional information, see http://shorewall.net/Documentation.htm#ECN
##############################################################################
#
###############################################################################
#INTERFACE HOST(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

28
Shorewall/hosts
View File

@ -1,5 +1,7 @@
#
# Shorewall 2.6 - /etc/shorewall/hosts
# Shorewall version 2.6 - Hosts file
#
# /etc/shorewall/hosts
#
# THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
# ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
@ -37,7 +39,8 @@
# be defined in /etc/shorewall/interfaces and may
# optionally followed by a colon (":") and a
# host or network IP or a range.
# See http://www.shorewall.net/Bridge.html for details.
# See http://www.shorewall.net/Bridge.html
# for details.
# e) The name of an ipset (preceded by "+").
#
# Examples:
@ -60,11 +63,12 @@
# an ethernet NIC and must be up before
# Shorewall is started.
#
# routeback - Shorewall should set up the infrastructure
# to pass packets from this/these
# address(es) back to themselves. This is
# necessary if hosts in this group use the
# services of a transparent proxy that is
# routeback - Shorewall should set up the
# infrastructure to pass packets
# from this/these address(es) back
# to themselves. This is necessary if
# hosts in this group use the services
# of a transparent proxy that is
# a member of the group or if DNAT is used
# to send requests originating from this
# group to a server in the group.
@ -120,14 +124,16 @@
# This option has no effect if
# NEWNOTSYN=Yes.
#
# ipsec - The zone is accessed via a
# ipsec - The zone is accessed via a
# kernel 2.6 ipsec SA. Note that if the
# zone named in the ZONE column is
# specified as an IPSEC zone in the
# /etc/shorewall/zones file then you do NOT
# need to specify the 'ipsec' option here.
# /etc/shorewall/zones file then you
# do NOT need to specify the 'ipsec'
# option here.
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
#ZONE HOST(S) OPTIONS
###############################################################################
#ZONE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

15
Shorewall/init
View File

@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
# Shorewall version 2.4 - Init File
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
# /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

17
Shorewall/initdone
View File

@ -1,9 +1,14 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
# Shorewall version 2.6 - Initdone File
#
# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
# /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

83
Shorewall/interfaces
View File

@ -1,5 +1,5 @@
#
# Shorewall 2.6 -- Interfaces File
# Shorewall version 2.6 - Interfaces File
#
# /etc/shorewall/interfaces
#
@ -49,14 +49,14 @@
# dhcp - Specify this option when any of
# the following are true:
# 1. the interface gets its IP address
# via DHCP
# via DHCP
# 2. the interface is used by
# a DHCP server running on the firewall
# a DHCP server running on the firewall
# 3. you have a static IP but are on a LAN
# segment with lots of Laptop DHCP
# segment with lots of Laptop DHCP
# clients.
# 4. the interface is a bridge with
# a DHCP server on one port and DHCP
# a DHCP server on one port and DHCP
# clients on another port.
#
# norfc1918 - This interface should not receive
@ -71,7 +71,7 @@
#
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
#
# logmartians - turn on kernel martian logging (logging
@ -118,24 +118,25 @@
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf. In other
# words, packets coming in on this interface
# are processed as if NEWNOTSYN=Yes had been
# specified in /etc/shorewall/shorewall.conf.
# words, packets coming in on this
# interface are processed as if
# NEWNOTSYN=Yes had been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# It is the opinion of the author that
# NEWNOTSYN=No creates more problems than
# NEWNOTSYN=No creates more problems than
# it solves and I recommend against using
# that setting in shorewall.conf (hence
# making the use of the 'newnotsyn'
# interface option unnecessary).
#
# routeback - If specified, indicates that Shorewall
# should include rules that allow filtering
# traffic arriving on this interface back
# out that same interface.
# should include rules that allow
# filtering traffic arriving on this
# interface back out that same interface.
#
# arp_filter - If specified, this interface will only
# respond to ARP who-has requests for IP
@ -143,7 +144,7 @@
# If not specified, the interface can
# respond to ARP who-has requests for
# IP addresses on any of the firewall's
# interface. The interface must be up
# interface. The interface must be up
# when Shorewall is started.
#
# arp_ignore[=<number>]
@ -151,31 +152,31 @@
# respond to arp requests based on the
# value of <number>.
#
# 1 - reply only if the target IP address
# is local address configured on the
# incoming interface
# 1 - reply only if the target IP address
# is local address configured on the
# incoming interface
#
# 2 - reply only if the target IP address
# is local address configured on the
# incoming interface and both with the
# sender's IP address are part from same
# subnet on this interface
# 2 - reply only if the target IP address
# is local address configured on the
# incoming interface and both with the
# sender's IP address are part from same
# subnet on this interface
#
# 3 - do not reply for local addresses
# configured with scope host, only
# resolutions for global and link
# addresses are replied
# 3 - do not reply for local addresses
# configured with scope host, only
# resolutions for global and link
# addresses are replied
#
# 4-7 - reserved
# 4-7 - reserved
#
# 8 - do not reply for all local
# addresses
# 8 - do not reply for all local
# addresses
#
# If no <number> is given then the value
# 1 is assumed
# If no <number> is given then the value
# 1 is assumed
#
# WARNING -- DO NOT SPECIFY arp_ignore
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
# WARNING -- DO NOT SPECIFY arp_ignore
# FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
# nosmurfs - Filter packets for smurfs
# (packets with a broadcast
@ -190,11 +191,11 @@
# in the ZONE column to include only those
# hosts routed through the interface.
#
# upnp - Incoming requests from this interface may
# be remapped via UPNP (upnpd).
# upnp - Incoming requests from this interface
# may be remapped via UPNP (upnpd).
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE.
#
# The order in which you list the options is not
# significant but the list should have no embedded white
@ -231,9 +232,9 @@
#
# net ppp0 -
#
# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

2
Shorewall/ipsec
View File

@ -4,4 +4,4 @@
# /etc/shorewall/zones file.
#
# See the IPSECFILE option in shorewall.conf for further information.
#

10
Shorewall/maclist
View File

@ -1,13 +1,13 @@
#
# Shorewall 2.6 - MAC list file
# Shorewall version 2.6 - Maclist file
#
# /etc/shorewall/maclist
#
# This file is used to define the MAC addresses and optionally their
# associated IP addresses to be allowed to use the specified interface.
# The feature is enabled by using the maclist option in the interfaces
# or hosts configuration file.
#
# /etc/shorewall/maclist
#
# Columns are:
#
# INTERFACE Network interface to a host. If the interface
@ -26,6 +26,6 @@
#
# For additional information, see http://shorewall.net/MAC_Validation.html
#
##############################################################################
#INTERFACE MAC IP ADDRESSES (Optional)
###############################################################################
#INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

16
Shorewall/macro.AllowICMPs
View File

@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.AllowICMPs
# Shorewall version 2.6 - AllowICMPs Macro
#
# /usr/share/shorewall/macro.AllowICMPs
#
# ACCEPT needed ICMP types
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
#
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT - - icmp fragmentation-needed
ACCEPT - - icmp time-exceeded
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Amanda
View File

@ -1,10 +1,12 @@
#
# Shorewall macro.Amanda
# Shorewall version 2.6 - Amanda Macro
#
# /usr/share/shorewall/macro.Amanda
#
# This macro handles connections to the AMANDA backup system.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - udp 10080
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 10080
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Auth
View File

@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Auth
# Shorewall version 2.6 - Auth Macro
#
# /usr/share/shorewall/macro.Auth
#
# This macro handles Auth (identd) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 113
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.BitTorrent
View File

@ -1,10 +1,12 @@
#
# Shorewall macro.BitTorrent
# Shorewall version 2.6 - BitTorrent Macro
#
# /usr/share/shorewall/macro.BitTorrent
#
# This macro handles BitTorrent traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 6881:6889
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 6881:6889
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.CVS
View File

@ -1,10 +1,12 @@
#
# Shorewall macro.CVS
# Shorewall version 2.6 - CVS Macro
#
# /usr/share/shorewall/macro.CVS
#
# This macro handles connections to the CVS pserver.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 2401
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 2401
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.DNS
View File

@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.DNS
# Shorewall version 2.6 - DNS Macro
#
# /usr/share/shorewall/macro.DNS
#
# This macro handles DNS traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 53
PARAM - - tcp 53
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 53
PARAM - - tcp 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Distcc
View File

@ -1,11 +1,13 @@
#
# Shorewall macro.Distcc
# Shorewall version 2.6 - Distoc Macro
#
# /usr/share/shorewall/macro.Distcc
#
# This macro handles connections to the Distributed Compiler
# service.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 3632
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3632
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.DropDNSrep
View File

@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.DropDNSrep
# Shorewall version 2.6 - DropDNSrep Macro
#
# /usr/share/shorewall/macro.DropDNSrep
#
# This macro silently drops DNS UDP replies
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp - 53
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
DROP - - udp - 53
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.DropUPnP
View File

@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.DropUPnP
# Shorewall version 2.6 - DropUPnP Macro
#
# /usr/share/shorewall/macro.DropUPnP
#
# This macro silently drops UPnP probes on UDP port 1900
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
DROP - - udp 1900
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
DROP - - udp 1900
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

50
Shorewall/macro.Edonkey
View File

@ -1,31 +1,35 @@
#
# Shorewall macro.Edonkey
# Shorewall version 2.6 - Edonkey Macro
#
# /usr/share/shorewall/macro.Edonkey
#
# This macro handles Edonkey traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 4662
PARAM - - udp 4665
#
# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
# says to use udp 5737 rather than 4665
# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
# says to use udp 5737 rather than 4665.
#
# http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
# 4661 TCP (outgoing)
# Port, on which a server listens for connection (defined by server).
#4665 UDP (outgoing)
# used for global server searches and global source queries. This is
#always Server TCP port (in this case 4661) + 4.
#4662 TCP (outgoing and incoming)
# Client to client transfers.
#4672 UDP (outgoing and incoming)
# Extended eMule protocol, Queue Rating, File Reask Ping
#4711 TCP
# WebServer listening port.
#4712 TCP
# External Connection port. Used to communicate aMule with other
#applications such as aMule WebServer or aMuleCMD.
# http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
#
# 4661 TCP (outgoing) Port, on which a server listens for connection
# (defined by server).
#
# 4665 UDP (outgoing) used for global server searches and global source
# queries. This is always Server TCP port (in this case 4661) + 4.
#
# 4662 TCP (outgoing and incoming) Client to client transfers.
#
# 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue
# Rating, File Reask Ping
#
# 4711 TCP WebServer listening port.
#
# 4712 TCP External Connection port. Used to communicate aMule with other
# applications such as aMule WebServer or aMuleCMD.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 4662
PARAM - - udp 4665
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.FTP
View File

@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.FTP
# Shorewall version 2.6 - FTP Macro
#
# /usr/share/shorewall/macro.FTP
#
# This macro handles FTP traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 21
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.Gnutella
View File

@ -1,11 +1,13 @@
#
# Shorewall macro.Gnutella
# Shorewall version 2.6 - Gnutella Macro
#
# /usr/share/shorewall/macro.Gnutella
#
# This macro handles gnutella traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 6346
PARAM - - udp 6346
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 6346
PARAM - - udp 6346
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.ICQ
View File

@ -1,10 +1,12 @@
#
# Shorewall macro.ICQ
# Shorewall version 2.6 - ICQ Macro
#
# /usr/share/shorewall/macro.ICQ
#
# This macro handles ICQ traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 5190
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5190
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.IMAP
View File

@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.IMAP
# Shorewall version 2.6 - IMAP Macro
#
# /usr/share/shorewall/macro.IMAP
#
# This macro handles IMAP traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 143 #Unsecure IMAP
PARAM - - tcp 993 #Secure IMAP
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 143 # Unsecure IMAP
PARAM - - tcp 993 # Secure IMAP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.LDAP
View File

@ -1,11 +1,13 @@
#
# Shorewall macro.LDAP
# Shorewall version 2.6 - LDAP Macro
#
# /usr/share/shorewall/macro.LDAP
#
# This macro handles LDAP traffic (secure and insecure)
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 389
PARAM - - tcp 636
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 389
PARAM - - tcp 636
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.MySQL
View File

@ -1,10 +1,12 @@
#
# Shorewall macro.MySQL
# Shorewall version 2.6 - MySQL Macro
#
# /usr/share/shorewall/macro.MySQL
#
# This action macro.handles connections to the MySQL server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 3306
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3306
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.NNTP
View File

@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.NNTP
# Shorewall version 2.6 NNTP Macro
#
# /usr/share/shorewall/macro.NNTP
#
# This macro handles NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 119
PARAM - - tcp 563
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 119
PARAM - - tcp 563
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.NTP
View File

@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.NTP
# Shorewall version 2.6 - NTP Macro
#
# /usr/share/shorewall/macro.NTP
#
# This macro handles NTP traffic (ntpd).
# For broadcast NTP traffic, use NTPbrd Macro.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
PARAM - - udp 123
PARAM - - udp 1024: 123
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

18
Shorewall/macro.NTPbrd Normal file
View File

@ -0,0 +1,18 @@
#
# Shorewall version 2.6 - NTPbrd Macro
#
# /usr/share/shorewall/macro.NTPbrd
#
# This macro handles NTP traffic (ntpd) including replies to Broadcast
# NTP traffic.
#
# It is recommended only to use this where the source host is trusted -
# otherwise it opens up a large hole in your firewall because
# Netfilter doesn't track connections for broadcast traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 123
PARAM - - udp 1024: 123
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.PCA
View File

@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.PCA
# Shorewall version 2.6 - PCA Macro
#
# /usr/share/shorewall/macro.PCA
#
# This macro handles PCAnywere (tm)
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 5632
PARAM - - tcp 5631
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 5632
PARAM - - tcp 5631
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.POP3
View File

@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.POP3
# Shorewall version 2.6 - POP3 Macro
#
# /usr/share/shorewall/macro.POP3
#
# This macro handles POP3 traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
PARAM - - tcp 110 #Unsecure POP3
PARAM - - tcp 995 #Secure POP3
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 110 # Unsecure POP3
PARAM - - tcp 995 # Secure POP3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Ping
View File

@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Ping
# Shorewall version 2.6 - Ping Macro
#
# /usr/share/shorewall/macro.Ping
#
# This macro handles 'ping' requests.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - icmp 8
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.PostgreSQL
View File

@ -1,10 +1,12 @@
#
# Shorewall macro.PostgreSQL
# Shorewall version 2.6 - PostgreSQL Macro
#
# /usr/share/shorewall/macro.PostgreSQL
#
# This macro handles connections to the PostgreSQL server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 5432
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5432
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Rdate
View File

@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Rdate
# Shorewall version 2.6 - Rdate Macro
#
# /usr/share/shorewall/macro.Rdate
#
# This macro handles remote time retrieval (rdate).
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 37
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 37
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Rsync
View File

@ -1,10 +1,12 @@
#
# Shorewall macro.Rsync
# Shorewall version 2.6 - Rsync Macro
#
# /usr/share/shorewall/macro.Rsync
#
# This macro handles connections to the rsync server.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 873
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

18
Shorewall/macro.SMB
View File

@ -1,14 +1,16 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SMB
# Shorewall version 2.6 - SMB Macro
#
# /usr/share/shorewall/macro.SMB
#
# Handle Microsoft SMB traffic. You need to invoke this macro in
# both directions.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 135,445
PARAM - - udp 137:139
PARAM - - udp 1024: 137
PARAM - - tcp 135,139,445
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.SMBswat
View File

@ -1,11 +1,13 @@
#
# Shorewall macro.SMBswat
# Shorewall version 2.6 - SMBswat Macro
#
# /usr/share/shorewall/macro.SMBswat
#
# This macro handles connections to the Samba Web Administration
# Tool (SWAT).
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 901
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 901
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.SMTP
View File

@ -1,5 +1,7 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SMTP
# Shorewall version 2.6 - SMTP Macro
#
# /usr/share/shorewall/macro.SMTP
#
# This macro handles SMTP (email) traffic.
#
@ -8,8 +10,8 @@
# reading of email via POP3 or IMAP. For those you need to use
# the POP3 or IMAP macros.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 25
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 25
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.SNMP
View File

@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SNMP
# Shorewall version 2.6 - SNMP Macro
#
# /usr/share/shorewall/macro.SNMP
#
# This macro accepts SNMP traffic (including traps):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 161:162
PARAM - - tcp 161
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 161:162
PARAM - - tcp 161
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.SPAMD
View File

@ -1,10 +1,12 @@
#
# Shorewall macro.SPAMD
# Shorewall version 2.6 - SPAMD Macro
#
# /usr/share/shorewall/macro.SPAMD
#
# This macro handles Spam Assassin SPAMD traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 783
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 783
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.SSH
View File

@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.SSH
# Shorewall version 2.6 - SSH Macro
#
# /usr/share/shorewall/macro.SSH
#
# This macro handles secure shell (SSH) traffic.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 22
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 22
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.SVN
View File

@ -1,10 +1,12 @@
#
# Shorewall macro.SVN
# Shorewall version 2.6 - SVN Macro
#
# This macro handles connections to the Subversion server.
# /usr/share/shorewall/macro.SVN
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - tcp 3690
# This macro handles connections to the Subversion (SVN) server.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 3690
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Submission Normal file
View File

@ -0,0 +1,12 @@
#
# Shorewall version 2.6 - Submission Macro
#
# /usr/share/shorewall/macro.Submission
#
# This macro handles mail message submission traffic.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 587
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Syslog
View File

@ -1,10 +1,12 @@
#
# Shorewall macro.Syslog
# Shorewall version 2.6 - Syslog Macro
#
# /usr/share/shorewall/macro.Syslog
#
# This macro handles syslog UDP traffic.
#
################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE
# PORT PORT(S) LIMIT
PARAM - - udp 514
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 514
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.Telnet
View File

@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Telnet
# Shorewall version 2.6 - Telnet Macro
#
# /usr/share/shorewall/macro.Telnet
#
# This macro handles Telnet traffic. For traffic over the
# internet, telnet is inappropriate; use SSH instead
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 23
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 23
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.Trcrt
View File

@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Trcrt
# Shorewall version 2.6 -Trcrt Macro
#
# /usr/share/shorewall/macro.Trcrt
#
# This macro handles Traceroute (for up to 30 hops):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - udp 33434:33524 #UDP Traceroute
PARAM - - icmp 8 #ICMP Traceroute
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - udp 33434:33524 # UDP Traceroute
PARAM - - icmp 8 # ICMP Traceroute
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

12
Shorewall/macro.VNC
View File

@ -1,10 +1,12 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.VNC
# Shorewall version 2.6 - VNC Macro
#
# /usr/share/shorewall/macro.VNC
#
# This macro handles VNC traffic for VNC display's 0 - 9.
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 5900:5909
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5900:5909
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

15
Shorewall/macro.VNCL
View File

@ -1,10 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.VNCL
# Shorewall version 2.6 -VNCL Macro
#
# This macro handles VNC traffic from Vncservers to Vncviewers in listen mode.
# /usr/share/shorewall/macro.VNCL
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 5500
# This macro handles VNC traffic from Vncservers to Vncviewers in listen
# mode.
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 5500
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

14
Shorewall/macro.Web
View File

@ -1,11 +1,13 @@
#
# Shorewall 2.6 /usr/share/shorewall/macro.Web
# Shorewall version 2.6 - Web Macro
#
# /usr/share/shorewall/macro.Web
#
# This macro handles WWW traffic (secure and insecure):
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
PARAM - - tcp 80
PARAM - - tcp 443
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
PARAM - - tcp 80
PARAM - - tcp 443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

77
Shorewall/macro.template
View File

@ -1,21 +1,24 @@
#
# Shorewall version 2.6 - Macro Template File
# Shorewall version 2.6 - Template Macro
#
# /usr/share/shorewall/macro.template
#
# Macro files are similar to template files with the following exceptions:
#
# - A macro file is not processed unless the marcro that it defines is referenced in the
# /etc/shorewall/rules file or in an action definition file.
# - A macro file is not processed unless the marcro that it defines is
# referenced in the /etc/shorewall/rules file or in an action
# definition file.
#
# - Macros are translated directly into one or more rules whereas actions become their own
# chain.
# - Macros are translated directly into one or more rules whereas
# actions become their own chain.
#
# - All entries in a macro undergo substitution when the macro is invoked in the rules file.
# - All entries in a macro undergo substitution when the macro is
# invoked in the rules file.
#
# - Macros may not invoke other macros.
#
# The columns in a macro definition are the same as those in the action.template file.
# The columns in a macro definition are the same as those in the
# action.template file.
# A few examples should help show how Macros work.
#
# /etc/shorewall/macro.FwdFTP:
@ -26,44 +29,52 @@
#
# /etc/shorewall/rules:
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# FwdFTP net loc:192.168.1.5
#
# The result is equivalent to:
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# DNAT net loc:192.168.1.5 tcp 21
#
# The substitution rules are as follows:
#
# ACTION column If in the invocation of the macro, the macro name is followed by
# slash ("/") and a second name, the second name is substituted for
# each entry in the macro whose ACTION is PARAM
# ACTION column If in the invocation of the macro, the macro
# name is followed by slash ("/") and a second
# name, the second name is substituted for each
# entry in the macro whose ACTION is PARAM
#
# For example, if macro FOO is invoked as FOO/ACCEPT then when
# expanding macro.FOO, Shorewall will substitute ACCEPT in each
# entry in macro.FOO whose ACTION column contains PARAM. PARAM may
# be optionally followed by a colon and a log level.
# For example, if macro FOO is invoked as
# FOO/ACCEPT then when expanding macro.FOO,
# Shorewall will substitute ACCEPT in each
# entry in macro.FOO whose ACTION column
# contains PARAM. PARAM may be optionally
# followed by a colon and a log level.
#
# Any logging specified when the macro is invoked is applied to each
# entry in the macros.
# Any logging specified when the macro is
# invoked is applied to each entry in the macros.
#
# SOURCE and DEST If the column in the macro is empty then the value in the rules
# columns file is used. If the column in the macro is non-empty then any
# value in the rules file is appended with a ":" separator.
#
# Example: Macro File DNAT net loc tcp 21
# rules File FwdFTP - 192.168.1.5
# Result DNAT net loc:192.168.1.5 tcp 21
#
# Remaining Any value in the rules file REPLACES the value given in the macro
# columns file.
# SOURCE and DEST If the column in the macro is empty then the
# columns value in the rules file is used. If the column
# in the macro is non-empty then any value in
# the rules file is appended with a ":"
# separator.
#
#
# Example: ###############################################
# #ACTION SOURCE DEST PROTO DEST
# # PORT
# Macro File DNAT net loc tcp 21
# rules File FwdFTP - 192.168.1.5
# Result DNAT net loc:192.168.1.5 tcp 21
#
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT PORT(S) LIMIT GROUP
# Remaining Any value in the rules file REPLACES the value
# columns given in the macro file.
#
#
###############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

78
Shorewall/masq
View File

@ -1,10 +1,10 @@
#
# Shorewall 2.6 - Masquerade file
# Shorewall version 2.6 - Masq file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
# Use this file to define dynamic NAT (Masquerading) and to define
# Source NAT (SNAT).
#
# Columns are:
#
@ -12,13 +12,13 @@
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
# ":" followed by a destination host or subnet.
#
# If you wish to inhibit the action of ADD_SNAT_ALIASES
# for this entry then include the ":" but omit the digit:
@ -53,7 +53,7 @@
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
@ -89,26 +89,29 @@
# You can invoke the SAME target using the
# following in this column:
#
# SAME:[nodst:]<address-range>[,<address-range>...]
# SAME:[nodst:]<address-range>[,<address-range>...]
#
# The <address-ranges> may be single addresses.
#
# SAME works like SNAT with the exception that the
# same local IP address is assigned to each connection
# from a local address to a given remote address. If
# the 'nodst:' option is included, then the same source
# address is used for a given internal system regardless
# of which remote system is involved.
# SAME works like SNAT with the exception that
# the same local IP address is assigned to each
# connection from a local address to a given
# remote address.
#
# If the 'nodst:' option is included, then the
# same source address is used for a given
# internal system regardless of which remote
# system is involved.
#
# If you want to leave this column empty
# but you need to specify the next column then
# place a hyphen ("-") here.
#
# PROTO -- (Optional) If you wish to restrict this entry to a
# PROTO -- (Optional) If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
#
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
@ -125,21 +128,22 @@
# your kernel and iptables must include policy
# match support.
#
# Comma-separated list of options from the following.
# Only packets that will be encrypted via an SA that
# matches these options will have their source address
# changed.
# Comma-separated list of options from the
# following. Only packets that will be encrypted
# via an SA that matches these options will have
# their source address changed.
#
# Yes or yes -- must be the only option listed
# and matches all outbound traffic that will be
# encrypted.
# Yes or yes -- must be the only option
# listed and matches all outbound
# traffic that will be encrypted.
#
# reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
# option for the SPD level.
# reqid=<number> where <number> is
# specified using setkey(8) using the
# 'unique:<number> option for the SPD
# level.
#
# spi=<number> where <number> is the SPI of
# the SA.
# spi=<number> where <number> is the
# SPI of the SA.
#
# proto=ah|esp|ipcomp
#
@ -151,11 +155,11 @@
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all
# rules.
# strict Means that packets must match
# all rules.
#
# next Separates rules; can only be used
# with strict..
# next Separates rules; can only be
# used with strict..
#
# Example 1:
#
@ -179,13 +183,13 @@
#
# eth0 192.168.1.0/24
#
# Example 3:
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
@ -212,5 +216,5 @@
# For additional information, see http://shorewall.net/Documentation.htm#Masq
#
###############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

52
Shorewall/modules
View File

@ -1,27 +1,31 @@
##############################################################################
# Shorewall 2.6 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
# Shorewall version 2.6 - Modules File
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
# /etc/shorewall/modules
#
# For additional information, see http://shorewall.net/Documentation.htm#modules
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap
# This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1
# before you load M2.
#
# For additional information, see
# http://shorewall.net/Documentation.htm#modules
#
###############################################################################
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

25
Shorewall/nat
View File

@ -1,6 +1,5 @@
##############################################################################
#
# Shorewall 2.6 -- Network Address Translation Table
# Shorewall version 2.6 - Nat File
#
# /etc/shorewall/nat
#
@ -8,17 +7,17 @@
# (NAT).
#
# WARNING: If all you want to do is simple port forwarding, do NOT use this
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
# cases, Proxy ARP is a better solution that one-to-one NAT.
#
# Columns must be separated by white space and are:
# Columns are:
#
# EXTERNAL External IP Address - this should NOT be the primary
# IP address of the interface named in the next
# column and must not be a DNS Name.
#
# INTERFACE Interface that you want to EXTERNAL address to appear
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
# follow the interface name with ":" and a digit to
# indicate that you want Shorewall to add the alias
# with this name (e.g., "eth0:0"). That allows you to
@ -31,17 +30,17 @@
# ":" and no digit (e.g., "eth0:").
# INTERNAL Internal Address (must not be a DNS Name).
#
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE
# column
# ALL INTERFACES If Yes or yes, NAT will be effective from all hosts.
# If No or no (or left empty) then NAT will be effective
# only through the interface named in the INTERFACE
# column
#
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
# LOCAL If Yes or yes, NAT will be effective from the firewall
# system
#
# For additional information, see http://shorewall.net/NAT.htm
##############################################################################
#
###############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

10
Shorewall/netmap
View File

@ -1,6 +1,5 @@
##############################################################################
#
# Shorewall 2.6 -- Network Mapping Table
# Shorewall version 2.6 - Netmap File
#
# /etc/shorewall/netmap
#
@ -10,9 +9,9 @@
# WARNING: To use this file, your kernel and iptables must have
# NETMAP support included.
#
# Columns must be separated by white space and are:
# Columns are:
#
# TYPE Must be DNAT or SNAT.
# TYPE Must be DNAT or SNAT.
#
# If DNAT, traffic entering INTERFACE and addressed to
# NET1 has it's destination address rewritten to the
@ -32,7 +31,6 @@
# See http://shorewall.net/netmap.html for an example and usage
# information.
#
##############################################################################
###############################################################################
#TYPE NET1 INTERFACE NET2
#
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

30
Shorewall/params
View File

@ -1,25 +1,27 @@
#
# Shorewall 2.6 /etc/shorewall/params
# Shorewall version 2.4 - Params File
#
# Assign any variables that you need here.
# /etc/shorewall/params
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
# Assign any variables that you need here.
#
# Example:
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
# Example:
#
# Example (/etc/shorewall/interfaces record):
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
#
# net $NET_IF $NET_BCAST $NET_OPTIONS
# Example (/etc/shorewall/interfaces record):
#
# The result will be the same as if the record had been written
# net $NET_IF $NET_BCAST $NET_OPTIONS
#
# net eth0 130.252.100.255 routefilter,norfc1918
# The result will be the same as if the record had been written
#
##############################################################################
# net eth0 130.252.100.255 routefilter,norfc1918
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

53
Shorewall/policy
View File

@ -1,9 +1,9 @@
#
# Shorewall 2.6 -- Policy File
# Shorewall version 2.6 - Policy File
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file . For each
@ -23,39 +23,43 @@
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# REJECT - For TCP, send RST. For all other,
# send "port unreachable" ICMP.
# QUEUE - Send the request to a user-space
# application using the QUEUE target.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or destination
# zone in those rules is a superset of
# the SOURCE or DEST in this policy).
# match (where the source or
# destination zone in those rules is
# a superset of the SOURCE or DEST
# in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set up
# any infrastructure to handle such
# packets and you may not have any rules
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# undefined. NONE may not be used if the
# SOURCE or DEST columns contain the
# firewall zone ($FW) or "all".
# to this DEST. Shorewall will not set
# up any infrastructure to handle such
# packets and you may not have any
# rules with this SOURCE and DEST in
# the /etc/shorewall/rules file. If
# such a packet _is_ received, the
# result is undefined. NONE may not be
# used if the SOURCE or DEST columns
# contain the firewall zone ($FW) or
# "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
# then that action will be invoked before the policy named in
# this column is inforced.
# /etc/shorewall/actions (or
# /usr/share/shorewall/actions.std) then that action
# will be invoked before the policy named in this column
# is inforced.
#
# The policy determined the default treatment of new
# connection requests and may optionally be followed by ":"
# and an ESTABLISHED policy which determines what
# is to be done with packets that are part of an established
# connection. The choices are ACCEPT (the default) and QUEUE
# (to queue the packet to a user-space filter like Snort Inline).
# connection requests and may optionally be followed by
# ":" and an ESTABLISHED policy which determines what
# is to be done with packets that are part of an
# established connection. The choices are ACCEPT (the
# default) and QUEUE (to queue the packet to a
# user-space filter like Snort Inline).
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
@ -93,6 +97,7 @@
# all all REJECT info
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL

17
Shorewall/providers
View File

@ -1,6 +1,5 @@
##############################################################################
#
# Shorewall 2.6 -- Internet Service Providers
# Shorewall version 2.6 - Providers File
#
# /etc/shorewall/providers
#
@ -15,7 +14,7 @@
#
# To omit a column, enter "-".
#
# Columns must be separated by white space and are:
# Columns are:
#
# NAME The provider name.
#
@ -76,11 +75,13 @@
# eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the
# ISP's gateway router has IP address 130.252.99.254.
#
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
# ISP1 1 1 main eth0 206.124.146.254 track,balance
# ISP2 2 2 main eth1 130.252.99.254 track,balance
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
# ISP1 1 1 main eth0 206.124.146.254 track,balance
# ISP2 2 2 main eth1 130.252.99.254 track,balance
#
# For additional information, see http://shorewall.net/Shorewall_and_Routing.html
##############################################################################################
# For additional information, see
# http://shorewall.net/Shorewall_and_Routing.html
#
############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

8
Shorewall/proxyarp
View File

@ -1,12 +1,11 @@
##############################################################################
#
# Shorewall 2.6 -- Proxy ARP
# Shorewall version 2.6 - Proxyarp File
#
# /etc/shorewall/proxyarp
#
# This file is used to define Proxy ARP.
#
# Columns must be separated by white space and are:
# Columns are:
#
# ADDRESS IP Address
#
@ -41,6 +40,7 @@
# 155.186.235.6 eth1 eth0
#
# See http://shorewall.net/ProxyARP.htm for additional information.
##############################################################################
#
###############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

34
Shorewall/rfc1918
View File

@ -1,18 +1,19 @@
#
# Shorewall 2.6 -- RFC1918 File
# Shorewall version 2.6 - Rfc1918 File
#
# /etc/shorewall/rfc1918
#
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
# Lists the subnetworks that are blocked by the 'norfc1918' interface
# option.
#
# The default list includes those IP addresses listed in RFC 1918.
# The default list includes those IP addresses listed in RFC 1918.
#
# DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
# TO /etc/shorewall AND MODIFY THE COPY.
#
# Columns are:
#
# SUBNETS A comma-separated list of subnet addresses
# SUBNETS A comma-separated list of subnet addresses
# (host addresses also allowed as are IP
# address ranges provided that your kernel and iptables
# have iprange match support).
@ -21,23 +22,24 @@
# DROP - silently drop the packet
# logdrop - log then drop
#
# By default, the RETURN target causes 'norfc1918' processing to cease for a
# packet if the packet's source IP address matches the rule. Thus, if you have:
# By default, the RETURN target causes 'norfc1918' processing to cease
# for a packet if the packet's source IP address matches the rule. Thus,
# if you have:
#
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
# SUBNETS TARGET
# 192.168.1.0/24 RETURN
#
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you
# also have:
# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though
# you also have:
#
# SUBNETS TARGET
# 10.0.0.0/8 logdrop
# SUBNETS TARGET
# 10.0.0.0/8 logdrop
#
# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be
# logged and dropped since while the packet's source matches the RETURN rule,
# the packet's destination matches the 'logdrop' rule.
# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic
# to be logged and dropped since while the packet's source matches the
# RETURN rule, the packet's destination matches the 'logdrop' rule.
#
################################################################################
###############################################################################
#SUBNETS TARGET
172.16.0.0/12 logdrop # RFC 1918
192.168.0.0/16 logdrop # RFC 1918

20
Shorewall/routestopped
View File

@ -1,6 +1,5 @@
##############################################################################
#
# Shorewall 2.6 -- Hosts Accessible when the Firewall is Stopped
# Shorewall version 2.6 - Routestopped File
#
# /etc/shorewall/routestopped
#
@ -8,7 +7,7 @@
# firewall is stopped or when it is in the process of being
# [re]started.
#
# Columns must be separated by white space and are:
# Columns are:
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
@ -19,7 +18,7 @@
#
# If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
#
# routeback - Set up a rule to ACCEPT traffic from
@ -27,15 +26,15 @@
#
# source - Allow traffic from these hosts to ANY
# destination. Without this option or the 'dest'
# option, only traffic from this host to other
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'source' is specified then 'routeback' is redundent.
# 'source' is specified then 'routeback' is redundent.
#
# dest - Allow traffic to these hosts from ANY
# source. Without this option or the 'source'
# option, only traffic from this host to other
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'dest' is specified then 'routeback' is redundent.
# 'dest' is specified then 'routeback' is redundent.
#
# critical - Allow traffic between the firewall and
# these hosts throughout '[re]start', 'stop' and
@ -55,6 +54,7 @@
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
##############################################################################
#INTERFACE HOST(S) OPTIONS
#
###############################################################################
#INTERFACE HOST(S) OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

143
Shorewall/rules
View File

@ -5,9 +5,9 @@
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
@ -16,29 +16,29 @@
# address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#-------------------------------------------------------------------------------#
#------------------------------------------------------------------------------
# Columns are:
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
# LOG, QUEUE or an <action>.
#
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# ACCEPT -- allow the connection request
# ACCEPT+ -- like ACCEPT but also excludes the
# connection from any subsequent
# DNAT[-] or REDIRECT[-] rules
# NONAT -- Excludes the connection from any
# NONAT -- Excludes the connection from any
# subsequent DNAT[-] or REDIRECT[-]
# rules but doesn't generate a rule
# to accept the traffic.
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
@ -48,7 +48,7 @@
# listed, all requests from a given
# remote system go to the same
# server.
# SAME- -- Advanced users only.
# SAME- -- Advanced users only.
# Like SAME but only generates the
# NAT iptables rule and not
# the companion ACCEPT rule.
@ -69,7 +69,7 @@
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as ftwall
# (http://p2pwall.sf.net).
@ -111,14 +111,14 @@
# LOGPREFIX setting.
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all" or "none" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, "all" or "none" If the ACTION is DNAT
# or REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!' and a comma-separated list of sub-zone names.
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
@ -134,11 +134,12 @@
# Hosts may be specified as an IP address range using the
# syntax <low address>-<high address>. This requires that
# your kernel and iptables contain iprange match support.
# If you kernel and iptables have ipset match support then
# you may give the name of an ipset prefaced by "+". The
# ipset name may be optionally followed by a number from
# 1 to 6 enclosed in square brackets ([]) to indicate the
# number of levels of source bindings to be matched.
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of source bindings to be
# matched.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
@ -148,8 +149,8 @@
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# net:192.0.2.11-192.0.2.17
# Hosts 192.0.2.11-192.0.2.17 in
@ -167,8 +168,8 @@
# /etc/shorewall/zones, $FW to indicate the firewall
# itself, "all" or "none".
#
# When "none" is used either in the SOURCE or DEST column,
# the rule is ignored.
# When "none" is used either in the SOURCE or DEST
# column, the rule is ignored.
#
# When "all" is used either in the SOURCE or DEST column
# intra-zone traffic is not affected. You must add
@ -194,13 +195,13 @@
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# If you kernel and iptables have ipset match support then
# you may give the name of an ipset prefaced by "+". The
# ipset name may be optionally followed by a number from
# 1 to 6 enclosed in square brackets ([]) to indicate the
# number of levels of destination bindings to be matched.
# Only one of the SOURCE and DEST columns may specify an
# ipset name.
# If you kernel and iptables have ipset match support
# then you may give the name of an ipset prefaced by "+".
# The ipset name may be optionally followed by a number
# from 1 to 6 enclosed in square brackets ([]) to
# indicate the number of levels of destination bindings
# to be matched. Only one of the SOURCE and DEST columns
# may specify an ipset name.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
@ -220,7 +221,7 @@
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
@ -246,8 +247,8 @@
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ORIGINAL DEST in the next column, then place
# "-" in this column.
# specify an ORIGINAL DEST in the next column, then
# place "-" in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
@ -257,8 +258,8 @@
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then
# if included and different from the IP
# ORIGINAL DEST (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
# then if included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
@ -277,12 +278,12 @@
# For other actions, this column may be included and may
# contain one or more addresses (host or network)
# separated by commas. Address ranges are not allowed.
# When this column is supplied, rules are generated
# that require that the original destination address matches
# one of the listed addresses. This feature is most useful when
# you want to generate a filter rule that corresponds to a
# DNAT- or REDIRECT- rule. In this usage, the list of
# addresses should not begin with "!".
# When this column is supplied, rules are generated
# that require that the original destination address
# matches one of the listed addresses. This feature is
# most useful when you want to generate a filter rule
# that corresponds to a DNAT- or REDIRECT- rule. In this
# usage, the list of addresses should not begin with "!".
#
# See http://shorewall.net/PortKnocking.html for an
# example of using an entry in this column with a
@ -306,7 +307,7 @@
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>][+<program name>]
# [!][<user name or number>][:<group name or number>][+<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
@ -318,54 +319,54 @@
# joe #program must be run by joe
# :kids #program must be run by a member of
# #the 'kids' group
# !:kids #program must not be run by a member
# !:kids #program must not be run by a member
# #of the 'kids' group
# +upnpd #program named 'upnpd'
# +upnpd #program named 'upnpd'
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
# Example: Forward all ssh and http connection requests from the
# internet to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Forward all http connection requests from the internet
# to local system 192.168.1.3 with a limit of 3 per second and
# a maximum burst of 10
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# # PORT PORT(S) DEST LIMIT
# DNAT net loc:192.168.1.3 tcp http - - 3/sec:10
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 fw \
# tcp 22
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

122
Shorewall/shorewall.conf
View File

@ -1,4 +1,4 @@
##############################################################################
###############################################################################
# /etc/shorewall/shorewall.conf V2.6 - Change the following variables to
# match your setup
#
@ -7,17 +7,19 @@
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
##############################################################################
# S T A R T U P E N A B L E D
##############################################################################
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
#
# Once you have configured Shorewall, you may change the setting of
# this variable to 'Yes'
#
STARTUP_ENABLED=No
##############################################################################
# L O G G I N G
##############################################################################
###############################################################################
# L O G G I N G
###############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
@ -53,7 +55,7 @@ STARTUP_ENABLED=No
# installed by default). Ulogd is also available from
# http://www.gnumonks.org/projects/ulogd and can be configured to log all
# Shorewall message to their own log file
################################################################################
###############################################################################
#
# LOG FILE LOCATION
#
@ -62,10 +64,11 @@ STARTUP_ENABLED=No
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/shorewall_logging.html
#
# http://www.shorewall.net/shorewall_logging.html
LOGFILE=/var/log/messages
@ -77,8 +80,8 @@ LOGFILE=/var/log/messages
# template is expected to accept either two or three arguments; the first is
# the chain name, the second (optional) is the logging rule number within that
# chain and the third is the ACTION specifying the disposition of the packet
# being logged. You must use the %d formatting type for the rule number; if your
# template does not contain %d then the rule number will not be included.
# being logged. You must use the %d formatting type for the rule number; if
# your template does not contain %d then the rule number will not be included.
#
# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
#
@ -92,6 +95,7 @@ LOGFILE=/var/log/messages
# 'status' and 'hits' commands. This part should not be omitted (the
# LOGFORMAT should not begin with "%") and the leading part should be
# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
#
LOGFORMAT="Shorewall:%s:%s:"
@ -174,6 +178,7 @@ BLACKLIST_LOGLEVEL=
# See the comment at the top of this section for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
#
LOGNEWNOTSYN=info
@ -220,7 +225,6 @@ RFC1918_LOG_LEVEL=info
#'nosmurfs' interface option in /etc/shorewall/interfaces and in
# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
# ) then dropped smurfs are not logged.
#
# See the comment at the top of this section for a description of log levels
#
@ -238,9 +242,9 @@ SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
################################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
################################################################################
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
#
# IPTABLES
#
@ -253,7 +257,7 @@ IPTABLES=
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@ -263,6 +267,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# The firewall script is normally interpreted by /bin/sh. If you wish to change
# the shell used to interpret that script, specify the shell here.
#
SHOREWALL_SHELL=/bin/sh
@ -281,6 +286,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
# If your netfilter kernel modules are in a directory other than
# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
#
MODULESDIR=
@ -296,6 +302,7 @@ MODULESDIR=
#
# If not specified or specified as null ("CONFIG_PATH=""),
# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
#
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
@ -314,6 +321,7 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
# directory /var/lib/shorewall. If this option is not set or if it is
# set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
# assumed.
#
RESTOREFILE=
@ -323,14 +331,16 @@ RESTOREFILE=
# Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file.
# Beginning with 2.5.0, those files were combined. For users who haven't
# converted, we offer this variable that sets the name of the file for ipsec
# information. This option must take the value "zones" or "ipsec". If the option
# is not set or is set to the empty value (IPSECFILE="") then "ipsec" is assumed.
# information. This option must take the value "zones" or "ipsec". If the
# option is not set or is set to the empty value (IPSECFILE="") then "ipsec"
# is assumed.
#
IPSECFILE=zones
################################################################################
# F I R E W A L L O P T I O N S
################################################################################
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
# NAME OF THE FIREWALL ZONE
#
@ -369,9 +379,9 @@ ADD_IP_ALIASES=Yes
# AUTOMATICALLY ADD SNAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
# you are sure that you need it -- most people don't!!!
# for each SNAT external address that you give in /etc/shorewall/masq. If you
# say "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No"
# unless you are sure that you need it -- most people don't!!!
#
ADD_SNAT_ALIASES=No
@ -395,8 +405,9 @@ RETAIN_ALIASES=No
#
# ENABLE TRAFFIC SHAPING
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled.
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall.
# If you say "No" or "no" then traffic shaping is not enabled.
#
TC_ENABLED=No
@ -413,6 +424,7 @@ TC_ENABLED=No
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.
#
CLEAR_TC=Yes
@ -425,14 +437,15 @@ CLEAR_TC=Yes
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
# packets destined for Masqueraded/SNATed local hosts have had their
# destination address rewritten so they can be marked based on their
# destination. When packets are marked in the PREROUTING chain, packets
# destined for Masqueraded/SNATed local hosts still have a destination address
# corresponding to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
# setting this variable to Yes may cause startup problems.
#
MARK_IN_FORWARD_CHAIN=No
@ -456,7 +469,7 @@ MARK_IN_FORWARD_CHAIN=No
# problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large
# packets:
# 1) Web browsers connect, then hang with no data received.
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking.
# ]
@ -481,12 +494,14 @@ CLAMPMSS=No
# interfaces started while Shorewall is started (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
# on individual interfaces using the 'routefilter' option in the
# Regardless of the setting of ROUTE_FILTER, you can still enable route
# filtering on individual interfaces using the 'routefilter' option in the
# /etc/shorewall/interfaces file.
#
ROUTE_FILTER=No
#
# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
@ -515,6 +530,7 @@ ROUTE_FILTER=No
# one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall
# is [re]started.
#
DETECT_DNAT_IPADDRS=No
@ -530,6 +546,7 @@ DETECT_DNAT_IPADDRS=No
#
# An appropriate value for this parameter would be twice the length of time
# that it takes your firewall system to process a "shorewall restart" command.
#
MUTEX_TIMEOUT=60
@ -541,8 +558,8 @@ MUTEX_TIMEOUT=60
# CLIENT SERVER
#
# SYN-------------------->
# <------------------SYN,ACK
# ACK-------------------->
# <------------------SYN,ACK
# ACK-------------------->
#
# The first packet in that exchange (packet with the SYN flag on and the ACK
# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
@ -575,6 +592,7 @@ MUTEX_TIMEOUT=60
# connection from the conntrack table but the end-points haven't
# completed shutting down the connection). I therefore have chosen
# NEWNOTSYN=Yes as the default value.
#
NEWNOTSYN=Yes
@ -595,8 +613,8 @@ NEWNOTSYN=Yes
# a remote firewall (or worse, they have to get someone out of bed to drive
# across town to restart a very remote firewall).
#
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
# when the firewall enters the 'stopped' state:
# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this
# setting, when the firewall enters the 'stopped' state:
#
# All traffic that is part of or related to established connections is still
# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
@ -613,8 +631,8 @@ ADMINISABSENTMINDED=Yes
#
# Shorewall offers two types of blacklisting:
#
# - static blacklisting through the /etc/shorewall/blacklist file together
# with the 'blacklist' interface option.
# - static blacklisting through the /etc/shorewall/blacklist file
# together with the 'blacklist' interface option.
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
#
# The following variable determines whether the blacklist is checked for each
@ -636,6 +654,7 @@ BLACKLISTNEWONLY=Yes
# time and that new connections are disabled during that time. By setting
# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
# before loading the blacklist.
#
DELAYBLACKLISTLOAD=No
@ -700,6 +719,7 @@ DYNAMIC_ZONES=No
# able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
# will use IP addresses to detect broadcasts rather than pkttype. If not given
# or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
#
PKTTYPE=Yes
@ -727,7 +747,8 @@ PKTTYPE=Yes
# RFC1918_STRICT=No is assumed.
#
# WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
# 'conntrack state' match.
# 'conntrack state' match.
#
RFC1918_STRICT=No
@ -751,6 +772,7 @@ RFC1918_STRICT=No
# If MACLIST_TTL is not specified or is specified as empty (e.g,
# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
# be cached.
#
MACLIST_TTL=
@ -762,9 +784,10 @@ MACLIST_TTL=
# Restore the last saved ipset contents during "shorewall [re]start"
# Save the current ipset contents during "shorewall save"
#
# Regardless of the setting of SAVE_IPSETS, if ipset contents were
# Regardless of the setting of SAVE_IPSETS, if ipset contents were
# saved during a "shorewall save" then they will be restored during
# a subsequent "shorewall restore".
#
SAVE_IPSETS=No
@ -776,12 +799,13 @@ SAVE_IPSETS=No
# compatibility, Shorewall can map the old names into invocations of the new
# macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to
# the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed
#
MAPOLDACTIONS=No
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
#
# BLACKLIST DISPOSITION
#
@ -800,6 +824,7 @@ BLACKLIST_DISPOSITION=DROP
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed
#
MACLIST_DISPOSITION=REJECT
@ -811,6 +836,7 @@ MACLIST_DISPOSITION=REJECT
# 'tcpflags' option specified in /etc/shorewall/interfaces or in
# /etc/shorewall/hosts. If not specified or specified as empty
# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
#
TCP_FLAGS_DISPOSITION=DROP

13
Shorewall/start
View File

@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
# Shorewall version 2.4 - Start File
#
# /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

26
Shorewall/started
View File

@ -1,17 +1,23 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/started
#
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this
# extension script and /etc/shorewall/start is that this one is invoked
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up.
# Shorewall version 2.6 - Started File
#
# This script should not change the firewall configuration directly but may
# do so indirectly by running /sbin/shorewall with the 'nolock' option.
# /etc/shorewall/started
#
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this
# extension script and /etc/shorewall/start is that this one is invoked
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up.
#
# This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall with the 'nolock'
# option.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. Note though that the "ensure_and_save_command" function
# should not be used in this script because Shorewall is already running
# when this function is called.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

13
Shorewall/stop
View File

@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
# Shorewall version 2.6 - Stop File
#
# /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

13
Shorewall/stopped
View File

@ -1,8 +1,13 @@
############################################################################
# Shorewall 2.6 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
# Shorewall version 2.4 - Stopped File
#
# /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

75
Shorewall/tcrules
View File

@ -1,12 +1,12 @@
#
# Shorewall version 2.6 - Traffic Control Rules File
# Shorewall version 2.6 - Tcrules File
#
# /etc/shorewall/tcrules
#
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing.
#
# I M P O R T A N T ! ! ! !
# I M P O R T A N T ! ! ! !
#
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
@ -24,13 +24,14 @@
#
#
# MARK/ a) A mark value which is an integer in the range 1-255
# CLASSIFY
# CLASSIFY
# May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking
# should occur in the FORWARD chain. If neither
# ":P" nor ":F" follow the mark value then the chain is
# determined by the setting of MARK_IN_FORWARD_CHAIN in
# ":P" nor ":F" follow the mark value then the chain
# is determined by the setting of
# MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf.
#
# If your kernel and iptables include CONNMARK support
@ -38,19 +39,20 @@
# the packet.
#
# The mark value may be optionally followed by "/"
# and a mask value (used to determine those bits of
# the connection mark to actually be set). The
# mark and optional mask are then followed by one of:
# and a mask value (used to determine those bits of
# the connection mark to actually be set). The
# mark and optional mask are then followed by one of:
#
# C - Mark the connection in the chain determined
# by the setting of MARK_IN_FORWARD_CHAIN
# by the setting of MARK_IN_FORWARD_CHAIN
#
# CF: Mark the connection in the FORWARD chain
# CF: Mark the connection in the FORWARD chain
#
# CP: Mark the connection in the PREROUTING chain.
# CP: Mark the connection in the PREROUTING
# chain.
#
# b) A classification of the form <major>:<minor> where
# <major> and <minor> are integers. Corresponds to
# <major> and <minor> are integers. Corresponds to
# the 'class' specification in these traffic shaping
# modules:
#
@ -65,19 +67,24 @@
#
# c) RESTORE[/mask] -- restore the packet's mark from the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# Your kernel and iptables must include CONNMARK
# support.
#
# As in a) above, may be followed by ":P" or ":F
#
# c) SAVE[/mask] -- save the packet's mark to the
# connection's mark using the supplied mask if any.
# Your kernel and iptables must include CONNMARK support.
# Your kernel and iptables must include CONNMARK
# support.
#
# As in a) above, may be followed by ":P" or ":F
#
# d) CONTINUE -- don't process any more marking rules in
# the table. As in a) above, may be followed by ":P" or
# ":F".
# the table.
#
# SOURCE Source of the packet. A comma-separated list of
# As in a) above, may be followed by ":P" or ":F".
#
# SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses
# and/or subnets. If your kernel and iptables include
# iprange match support, IP address ranges are also
@ -97,9 +104,9 @@
# iptables include iprange match support, IP address
# ranges are also allowed.
#
# If the MARK column specificies a classification of
# the form <major>:<minor> then this column may also
# contain an interface name.
# If the MARK column specificies a classification of
# the form <major>:<minor> then this column may also
# contain an interface name.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# a number, or "all". "ipp2p" requires ipp2p match
@ -111,8 +118,8 @@
# interpreted as the destination icmp-type(s).
#
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example "bit"
# for bit-torrent). If no PORT is given, "ipp2p" is
# as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no PORT is given, "ipp2p" is
# assumed.
#
# This column is ignored if PROTOCOL = all but must be
@ -134,27 +141,29 @@
#
# It may contain :
#
# [<user name or number>]:[<group name or number>][+<program name>]
# [<user name or number>]:[<group name or number>][+<program name>]
#
# The colon is optionnal when specifying only a user
# or a program name.
# Examples : john: , john , :users , john:users , +mozilla-bin
# Examples : john: , john , :users , john:users ,
# +mozilla-bin
#
# TEST Defines a test on the existing packet or connection mark.
# The rule will match only if the test returns true. Tests
# have the format [!]<value>[/<mask>][:C]
# TEST Defines a test on the existing packet or connection
# mark. The rule will match only if the test returns
# true. Tests have the format [!]<value>[/<mask>][:C]
#
# Where:
#
# ! Inverts the test (not equal)
# <value> Value of the packet or connection mark.
# <mask> A mask to be applied to the mark before
# <mask> A mask to be applied to the mark before
# testing
# :C Designates a connection mark. If omitted,
# the packet mark's value is tested.
# :C Designates a connection mark. If
# omitted, the packet mark's value is
# tested.
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
##############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
###############################################################################
#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

11
Shorewall/tos
View File

@ -1,5 +1,7 @@
#
# Shorewall 2.6 -- /etc/shorewall/tos
# Shorewall version 2.6 - Tos File
#
# /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
@ -10,7 +12,7 @@
#
# If not "all" or $FW, may optionally be followed by
# ":" and an IP address, a MAC address, a subnet
# specification or the name of an interface.
# specification or the name of an interface.
#
# Example: loc:192.168.2.3
#
@ -41,6 +43,7 @@
# Minimize-Cost (2)
# Normal-Service (0)
#
##############################################################################
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
###############################################################################
#SOURCE DEST PROTOCOL SOURCE DEST TOS
# PORTS PORTS
#LAST LINE -- Add your entries above -- DO NOT REMOVE

29
Shorewall/tunnels
View File

@ -1,5 +1,7 @@
#
# Shorewall 2.4 - /etc/shorewall/tunnels
# Shorewall version 2.6 - Tunnels File
#
# /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
@ -9,13 +11,13 @@
#
# The columns are:
#
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ipip"
# "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
# "generic"
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat",
# "ipip", "gre", "6to4", "pptpclient", "pptpserver",
# "openvpn" or "generic"
#
# If the type is "ipsec" or "ipsecnat", it may be followed
# by ":noah" to indicate that the Authentication Header
# protocol (51) is not used by the tunnel.
# If the type is "ipsec" or "ipsecnat", it may be
# followed by ":noah" to indicate that the Authentication
# Header protocol (51) is not used by the tunnel.
#
# If type is "openvpn", it may optionally be followed
# by ":" and the port number used by the tunnel. if no
@ -102,16 +104,17 @@
#
# Example 8:
#
# You have a tunnel that is not one of the supported types.
# Your tunnel uses UDP port 4444. The other end of the
# tunnel is 4.3.99.124.
# You have a tunnel that is not one of the supported
# types. Your tunnel uses UDP port 4444. The other end
# of the tunnel is 4.3.99.124.
#
# generic:udp:4444 net 4.3.99.124
#
#
# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
# See http://shorewall.net/Documentation.htm#Tunnels for additional
# information.
#
# TYPE ZONE GATEWAY GATEWAY
###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

26
Shorewall/zones
View File

@ -1,20 +1,24 @@
#
# Shorewall 2.6 /etc/shorewall/zones
# Shorewall version 2.6 - Zones File
#
# This file determines your network zones. Columns are:
# /etc/shorewall/zones
#
# This file determines your network zones.
#
# Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# The names "all" and "none" are reserved and may not be
# used as zone names.
#
# IPSEC Yes -- Communication with all zone hosts is encrypted
# IPSEC Yes -- Communication with all zone hosts is encrypted
# ONLY Your kernel and iptables must include policy
# match support.
# No -- Communication with some zone hosts may be encrypted.
# No -- Communication with some zone hosts may be encrypted.
# Encrypted hosts are designated using the 'ipsec'
# option in /etc/shorewall/hosts.
#
# OPTIONS, A comma-separated list of options as follows:
# OPTIONS, A comma-separated list of options as follows:
# IN OPTIONS,
# OUT OPTIONS reqid=<number> where <number> is specified
# using setkey(8) using the 'unique:<number>
@ -35,10 +39,10 @@
# tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
#
# strict Means that packets must match all rules.
# strict Means that packets must match all rules.
#
# next Separates rules; can only be used with
# strict..
# next Separates rules; can only be used with
# strict..
#
# Example:
# mode=transport,reqid=44
@ -55,16 +59,18 @@
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See http://www.shorewall.net/Documentation.htm#Nested
#--------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Example zones:
#
# You have a three interface firewall with internet, local and DMZ interfaces.
# You have a three interface firewall with internet, local and DMZ
# interfaces.
#
# #ZONE IPSEC OPTIONS IN OUT
# net
# loc
# dmz
#
###############################################################################
#ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE