From b0ba6f0c6d2564d9b6731ec44ea325356c4e846f Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 21 Sep 2005 16:26:16 +0000
Subject: [PATCH] Update three-interface sample with latest 3.0 changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2718 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Samples/three-interfaces/interfaces | 11 +-
 Samples/three-interfaces/masq | 306 +++++++++++++-------------
 Samples/three-interfaces/policy | 100 ++++-----
 Samples/three-interfaces/routestopped | 68 ++++--
 Samples/three-interfaces/rules | 64 +++++-
 Samples/three-interfaces/zones | 10 +-
 6 files changed, 323 insertions(+), 236 deletions(-)
diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces
index 461385c89..20346d4bc 100755
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.6 - Interfaces File
+# Shorewall version 3.0 - Interfaces File
 #
 # /etc/shorewall/interfaces
 #
@@ -8,8 +8,9 @@
 #
 # Columns are:
 #
-# ZONE Zone for this interface. Must match the short name
-# of a zone defined in /etc/shorewall/zones.
+# ZONE Zone for this interface. Must match the name of a
+# zone defined in /etc/shorewall/zones. You may not
+# list the firewall zone in this column.
 #
 # If the interface serves multiple zones that will be
 # defined in the /etc/shorewall/hosts file, you should
@@ -193,7 +194,7 @@
 #
 # upnp - Incoming requests from this interface
 # may be remapped via UPNP (upnpd).
-#
+#
 # WARNING: DO NOT SET THE detectnets OPTION ON YOUR
 # INTERNET INTERFACE.
 #
@@ -233,5 +234,5 @@
 #ZONE INTERFACE BROADCAST OPTIONS
 net eth0 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
 loc eth1 detect tcpflags,detectnets,nosmurfs
-dmz eth2 detect
+dmz eth2 detect
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Samples/three-interfaces/masq b/Samples/three-interfaces/masq
index d141b2bd5..0ed4747b3 100755
--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@@ -1,207 +1,219 @@ -# -# Shorewall 2.2 - Sample Masquerade file For Three Interfaces # -# etc/shorewall/masq +# Shorewall version 3.0 - Masq file # -# Use this file to define dynamic NAT (Masquerading) and to define Source NAT -# (SNAT). +# /etc/shorewall/masq # -# Columns are: +# Use this file to define dynamic NAT (Masquerading) and to define +# Source NAT (SNAT). # -# INTERFACE -# Outgoing interface. This is usually your internet -# interface. If ADD_SNAT_ALIASES=Yes in -# /etc/shorewall/shorewall.conf, you may add ":" and -# a digit to indicate that you want the alias added with -# that name (e.g., eth0:0). This will allow the alias to -# be displayed with ifconfig. THAT IS THE ONLY USE FOR -# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER -# PLACE IN YOUR SHOREWALL CONFIGURATION. +# Columns are: # -# This may be qualified by adding the character -# ":" followed by a destination host or subnet. +# INTERFACE -- Outgoing interface. This is usually your internet +# interface. If ADD_SNAT_ALIASES=Yes in +# /etc/shorewall/shorewall.conf, you may add ":" and +# a digit to indicate that you want the alias added with +# that name (e.g., eth0:0). This will allow the alias to +# be displayed with ifconfig. THAT IS THE ONLY USE FOR +# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER +# PLACE IN YOUR SHOREWALL CONFIGURATION. # +# This may be qualified by adding the character +# ":" followed by a destination host or subnet. # -# If you wish to inhibit the action of ADD_SNAT_ALIASES -# for this entry then include the ":" but omit the digit: +# If you wish to inhibit the action of ADD_SNAT_ALIASES +# for this entry then include the ":" but omit the digit: # -# eth0: -# eth2::192.0.2.32/27 +# eth0: +# eth2::192.0.2.32/27 # -# Normally Masq/SNAT rules are evaluated after those for -# one-to-one NAT (/etc/shorewall/nat file). 
If you want -# the rule to be applied before one-to-one NAT rules, -# prefix the interface name with "+": +# Normally Masq/SNAT rules are evaluated after those for +# one-to-one NAT (/etc/shorewall/nat file). If you want +# the rule to be applied before one-to-one NAT rules, +# prefix the interface name with "+": # -# +eth0 -# +eth0:192.0.2.32/27 -# +eth0:2 +# +eth0 +# +eth0:192.0.2.32/27 +# +eth0:2 # -# This feature should only be required if you need to -# insert rules in this file that preempt entries in -# /etc/shorewall/nat. +# This feature should only be required if you need to +# insert rules in this file that preempt entries in +# /etc/shorewall/nat. # -# SUBNET -# Subnet that you wish to masquerade. You can specify this as -# a subnet or as an interface. If you give the name of an -# interface, you must have iproute installed and the interface -# must be up before you start the firewall. +# SUBNET -- Subnet that you wish to masquerade. You can specify this as +# a subnet or as an interface. If you give the name of an +# interface, you must have iproute installed and the interface +# must be up before you start the firewall. # -# In order to exclude a subset of the specified SUBNET, you -# may append "!" and a comma-separated list of IP addresses -# and/or subnets that you wish to exclude. +# In order to exclude a subset of the specified SUBNET, you +# may append "!" and a comma-separated list of IP addresses +# and/or subnets that you wish to exclude. # -# Example: eth1!192.168.1.4,192.168.32.0/27 +# Example: eth1!192.168.1.4,192.168.32.0/27 # -# In that example traffic from eth1 would be masqueraded unless -# it came from 192.168.1.4 or 196.168.32.0/27 +# In that example traffic from eth1 would be masqueraded unless +# it came from 192.168.1.4 or 196.168.32.0/27 # -# ADDRESS (Optional) -# If you specify an address here, SNAT will be -# used and this will be the source address. 
If -# ADD_SNAT_ALIASES is set to Yes or yes in -# /etc/shorewall/shorewall.conf then Shorewall -# will automatically add this address to the -# INTERFACE named in the first column. +# ADDRESS -- (Optional). If you specify an address here, SNAT will be +# used and this will be the source address. If +# ADD_SNAT_ALIASES is set to Yes or yes in +# /etc/shorewall/shorewall.conf then Shorewall +# will automatically add this address to the +# INTERFACE named in the first column. # -# You may also specify a range of up to 256 IP addresses -# if you want the SNAT address to be assigned from that -# range in a round-robin range by connection. The range is -# specified by -. +# You may also specify a range of up to 256 +# IP addresses if you want the SNAT address to +# be assigned from that range in a round-robin +# range by connection. The range is specified by +# -. # -# Example: 206.124.146.177-206.124.146.180 +# Example: 206.124.146.177-206.124.146.180 # -# This column may not contain a DNS Names. +# Finally, you may also specify a comma-separated +# list of ranges and/or addresses in this column. # -# Normally, Netfilter will attempt to retain -# the source port number. You may cause -# netfilter to remap the source port by following -# an address or range (if any) by ":" and -# a port range with the format - -# . If this is done, you must -# specify "tcp" or "udp" in the PROTO column. +# This column may not contain DNS Names. # -# Examples: +# Normally, Netfilter will attempt to retain +# the source port number. You may cause +# netfilter to remap the source port by following +# an address or range (if any) by ":" and +# a port range with the format - +# . If this is done, you must +# specify "tcp" or "udp" in the PROTO column. # -# 192.0.2.4:5000-6000 -# :4000-5000 +# Examples: # -# If you want to leave this column empty -# but you need to specify the next column then -# place a hyphen ("-") here. 
+# 192.0.2.4:5000-6000 +# :4000-5000 # -# PROTO -- (Optional) -# If you wish to restrict this entry to a -# particular protocol then enter the protocol -# name (from /etc/protocols) or number here. +# You can invoke the SAME target using the +# following in this column: # -# PORT(S) -- (Optional) -# If the PROTO column specifies TCP (protocol 6) -# or UDP (protocol 17) then you may list one -# or more port numbers (or names from -# /etc/services) separated by commas or you -# may list a single port range -# (:). +# SAME:[nodst:][,...] # -# Where a comma-separated list is given, your -# kernel and iptables must have multiport match -# support and a maximum of 15 ports may be listed. +# The may be single addresses. # -# IPSEC -- (Optional) -# If you specify a value other than "-" in this -# column, you must be running kernel 2.6 and -# your kernel and iptables must include policy -# match support. +# SAME works like SNAT with the exception that +# the same local IP address is assigned to each +# connection from a local address to a given +# remote address. # -# Comma-separated list of options from the following. -# Only packets that will be encrypted via an SA that -# matches these options will have their source address -# changed. +# If the 'nodst:' option is included, then the +# same source address is used for a given +# internal system regardless of which remote +# system is involved. # -# Yes or yes -- must be the only option listed -# and matches all outbound traffic that will be -# encrypted. +# If you want to leave this column empty +# but you need to specify the next column then +# place a hyphen ("-") here. # -# reqid= where is specified -# using setkey(8) using the 'unique: -# option for the SPD level. +# PROTO -- (Optional) If you wish to restrict this entry to a +# particular protocol then enter the protocol +# name (from /etc/protocols) or number here. # -# spi= where is the SPI of -# the SA. 
+# PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6) +# or UDP (protocol 17) then you may list one +# or more port numbers (or names from +# /etc/services) separated by commas or you +# may list a single port range +# (:). # -# proto=ah|esp|ipcomp +# Where a comma-separated list is given, your +# kernel and iptables must have multiport match +# support and a maximum of 15 ports may be +# listed. # -# mode=transport|tunnel +# IPSEC -- (Optional) If you specify a value other than "-" in this +# column, you must be running kernel 2.6 and +# your kernel and iptables must include policy +# match support. # -# tunnel-src=
[/] (only -# available with mode=tunnel) +# Comma-separated list of options from the +# following. Only packets that will be encrypted +# via an SA that matches these options will have +# their source address changed. # -# tunnel-dst=
[/] (only -# available with mode=tunnel) +# Yes or yes -- must be the only option +# listed and matches all outbound +# traffic that will be encrypted. # -# strict Means that packets must match all -# rules. +# reqid= where is +# specified using setkey(8) using the +# 'unique: option for the SPD +# level. # -# next Separates rules; can only be used -# with strict.. +# spi= where is the +# SPI of the SA. # -# Example 1: +# proto=ah|esp|ipcomp # -# You have a simple masquerading setup where eth0 connects to -# a DSL or cable modem and eth1 connects to your local network -# with subnet 192.168.0.0/24. +# mode=transport|tunnel # -# Your entry in the file can be either: +# tunnel-src=
[/] (only +# available with mode=tunnel) # -# #INTERFACE SUBNET ADDRESS -# eth0 eth1 +# tunnel-dst=
[/] (only +# available with mode=tunnel) # -# or +# strict Means that packets must match +# all rules. # -# #INTERFACE SUBNET ADDRESS -# eth0 192.168.0.0/24 +# next Separates rules; can only be +# used with strict.. # -# Example 2: +# Example 1: # -# You add a router to your local network to connect subnet -# 192.168.1.0/24 which you also want to masquerade. You then -# add a second entry for eth0 to this file: +# You have a simple masquerading setup where eth0 connects to +# a DSL or cable modem and eth1 connects to your local network +# with subnet 192.168.0.0/24. # -# #INTERFACE SUBNET ADDRESS -# eth0 192.168.1.0/24 +# Your entry in the file can be either: # -# Example 3: +# eth0 eth1 # -# You have an IPSEC tunnel through ipsec0 and you want to -# masquerade packets coming from 192.168.1.0/24 but only if -# these packets are destined for hosts in 10.1.1.0/24: +# or +# +# eth0 192.168.0.0/24 +# +# Example 2: +# +# You add a router to your local network to connect subnet +# 192.168.1.0/24 which you also want to masquerade. You then +# add a second entry for eth0 to this file: +# +# eth0 192.168.1.0/24 +# +# Example 3: +# +# You have an IPSEC tunnel through ipsec0 and you want to +# masquerade packets coming from 192.168.1.0/24 but only if +# these packets are destined for hosts in 10.1.1.0/24: # -# #INTERFACE SUBNET ADDRESS # ipsec0:10.1.1.0/24 196.168.1.0/24 # -# Example 4: +# Example 4: # -# You want all outgoing traffic from 192.168.1.0/24 through -# eth0 to use source address 206.124.146.176 which is NOT the -# primary address of eth0. You want 206.124.146.176 added to -# be added to eth0 with name eth0:0. +# You want all outgoing traffic from 192.168.1.0/24 through +# eth0 to use source address 206.124.146.176 which is NOT the +# primary address of eth0. You want 206.124.146.176 added to +# be added to eth0 with name eth0:0. 
# -# #INTERFACE SUBNET ADDRESS -# eth0:0 192.168.1.0/24 206.124.146.176 +# eth0:0 192.168.1.0/24 206.124.146.176 # -# Example 5: +# Example 5: # -# You want all outgoing SMTP traffic entering the firewall -# on eth1 to be sent from eth0 with source IP address -# 206.124.146.177. You want all other outgoing traffic -# from eth1 to be sent from eth0 with source IP address -# 206.124.146.176. +# You want all outgoing SMTP traffic entering the firewall +# on eth1 to be sent from eth0 with source IP address +# 206.124.146.177. You want all other outgoing traffic +# from eth1 to be sent from eth0 with source IP address +# 206.124.146.176. # -# INTERFACE SUBNET ADDRESS PROTO PORT(S) -# eth0 eth1 206.124.146.177 tcp smtp -# eth0 eth1 206.124.146.176 +# eth0 eth1 206.124.146.177 tcp smtp +# eth0 eth1 206.124.146.176 # -# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! +# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! +# +# For additional information, see http://shorewall.net/Documentation.htm#Masq # ############################################################################## #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC diff --git a/Samples/three-interfaces/policy b/Samples/three-interfaces/policy index fa5ea41d1..e66dbbb04 100644 --- a/Samples/three-interfaces/policy +++ b/Samples/three-interfaces/policy 
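Review bot: The rewritten SUBNET example in the masq header is internally inconsistent: the added example line excludes `192.168.32.0/27`, but the added explanation under it says traffic is masqueraded unless it came from `192.168.1.4 or 196.168.32.0/27` (196 for 192). The same slip survives as a context line in Example 3, whose text describes `192.168.1.0/24` while the entry reads `ipsec0:10.1.1.0/24 196.168.1.0/24`; a reader who copies that entry masquerades the wrong prefix and the intended hosts are not NATed. Suggested lines: `# it came from 192.168.1.4 or 192.168.32.0/27` and `# ipsec0:10.1.1.0/24 192.168.1.0/24`.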
@@ -1,15 +1,23 @@
-#
-# Shorewall 2.2 -- Sample Policy File For Three Interfaces
 #
-# /etc/shorewall/policy
+# Shorewall version 3.0 - Policy File
 #
-# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
+# /etc/shorewall/policy
+#
+# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
 #
 # This file determines what to do with a new connection request if we
-# don't get a match from the /etc/shorewall/rules file For each
-# source/destination pair, the file is processed in order until a
+# don't get a match from the /etc/shorewall/rules file . For each
+# source/destination pair, the file is processed in order until a
 # match is found ("all" will match any client or server).
 #
+# INTRA-ZONE POLICIES ARE PRE-DEFINED
+#
+# For $FW and for all of the zoned defined in /etc/shorewall/zones,
+# the POLICY for connections from the zone to itself is ACCEPT (with no
+# logging or TCP connection rate limiting but may be overridden by an
+# entry in this file. The overriding entry must be explicit (cannot use
+# "all" in the SOURCE or DEST).
+#
 # Columns are:
 #
 # SOURCE Source zone. Must be the name of a zone defined
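Review bot: The new INTRA-ZONE POLICIES paragraph has wording defects in a security-relevant statement: `zoned` should be `zones`, and the parenthesis opened at `(with no logging` is never closed, so the reader cannot tell where the exception ends and the override clause begins. The rewritten sentence above it also carries a stray space in `rules file . For each`. Suggested lines: `# For $FW and for all of the zones defined in /etc/shorewall/zones,`, `# logging or TCP connection rate limiting) but may be overridden by an`, and `# don't get a match from the /etc/shorewall/rules file. For each`. Because this paragraph documents an implicit ACCEPT that does not appear in the rule table below, it is worth keeping precise.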
@@ -18,42 +26,40 @@
 # DEST Destination zone. Must be the name of a zone defined
 # in /etc/shorewall/zones, $FW or "all"
 #
-# WARNING: Firewall->Firewall policies are not allowed; if
-# you have a policy where both SOURCE and DEST are $FW,
-# Shorewall will not start!
-#
 # POLICY Policy if no match from the rules file is found. Must
-# be "ACCEPT", "DROP", "REJECT", "CONTINUE" Or "NONE"
+# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
 #
-# ACCEPT
-# Accept the connection
-# DROP
-# Ignore the connection request.
-# REJECT
-# For TCP, send RST. For all other, send
-# "port unreachable" ICMP.
-# CONTINUE
-# Pass the connection request past
-# any other rules that it might also
-# match (where the source or destination
-# zone in those rules is a superset of
-# the SOURCE or DEST in this policy)
-# NONE
-# Assume that there will never be any
-# packets from this SOURCE to this
-# DEST. Shorewall will not set up any
-# infrastructure to handle such packets
-# and you may not have any rules with
-# this SOURCE and DEST in the /etc/shorewall/rules
-# file. If such a packet is received the result
-# is undefined. NONE may not be used if the
-# SOURCE or DEST Columns contain the firewall
-# zone ($FW) or "all".
+# ACCEPT - Accept the connection
+# DROP - Ignore the connection request
+# REJECT - For TCP, send RST. For all other,
+# send "port unreachable" ICMP.
+# QUEUE - Send the request to a user-space
+# application using the QUEUE target.
+# CONTINUE - Pass the connection request past
+# any other rules that it might also
+# match (where the source or
+# destination zone in those rules is
+# a superset of the SOURCE or DEST
+# in this policy).
+# NONE - Assume that there will never be any
+# packets from this SOURCE
+# to this DEST. Shorewall will not set
+# up any infrastructure to handle such
+# packets and you may not have any
+# rules with this SOURCE and DEST in
+# the /etc/shorewall/rules file. If
+# such a packet _is_ received, the
+# result is undefined. NONE may not be
+# used if the SOURCE or DEST columns
+# contain the firewall zone ($FW) or
+# "all".
 #
-# If This column contains ACCEPT, DROP or REJECT and a
-# corresponding common action is defined in /etc/shorewall/actions
-# (or /usr/share/shorewall/actions.std) then that action will be
-# invoked before the policy named in this column is inforced.
+# If this column contains ACCEPT, DROP or REJECT and a
+# corresponding common action is defined in
+# /etc/shorewall/actions (or
+# /usr/share/shorewall/actions.std) then that action
+# will be invoked before the policy named in this column
+# is enforced.
 #
 # LOG LEVEL If supplied, each connection handled under the default
 # POLICY is logged at that level. If not supplied, no
@@ -63,29 +69,25 @@
 # Beginning with Shorewall version 1.3.12, you may
 # also specify ULOG (must be in upper case). This will
 # log to the ULOG target and sent to a separate log
-# through use of ulogd (http://www.gnumonks.org/projects/ulogd).
+# through use of ulogd
+# (http://www.gnumonks.org/projects/ulogd).
 #
 # If you don't want to log but need to specify the
-# following column, place "_" here.
+# following column, place "-" here.
 #
 # LIMIT:BURST If passed, specifies the maximum TCP connection rate
 # and the size of an acceptable burst. If not specified,
 # TCP connections are not limited.
 #
-# As shipped, the default policies are:
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
 #
-# a) All connections from the local network to the Internet are allowed
-# b) All connections from the Internet are ignored but logged at syslog
-# level KERNEL.INFO.
-# d) All other connection requests are rejected and logged at level
-# KERNEL.INFO.
 ###############################################################################
 #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
 loc net ACCEPT
-# If you want open access to the Internet from your Firewall
+# If you want open access to the Internet from your Firewall
 # remove the comment from the following line.
 #$FW net ACCEPT
-# Also If You Wish To Open Up DMZ Access To The Internet
+# Also If You Wish To Open Up DMZ Access To The Internet
 # remove the comment from the following line.
 #dmz net ACCEPT
 net all DROP info
diff --git a/Samples/three-interfaces/routestopped b/Samples/three-interfaces/routestopped
index 6801b28c3..d4a5f4ffe 100644
--- a/Samples/three-interfaces/routestopped
+++ b/Samples/three-interfaces/routestopped
@@ -1,38 +1,64 @@
-##############################################################################
 #
-# Shorewall 2.2 -- Sample Routestopped File For Three Interfaces.
+# Shorewall version 3.0 - Routestopped File
 #
-# /etc/shorewall/routestopped
+# /etc/shorewall/routestopped
 #
 # This file is used to define the hosts that are accessible when the
-# firewall is stopped.
+# firewall is stopped or when it is in the process of being
+# [re]started.
 #
-# Columns must be separated by white space and are:
+# Columns are:
 #
-# INTERFACE
-# Interface through which host(s) communicate with
-# the firewall.
-# HOST(S)
-# (Optional) Comma-separated list of IP/subnet
-# addresses. If left empty or supplied as "-",
-# 0.0.0.0/0 is assumed.
+# INTERFACE - Interface through which host(s) communicate with
+# the firewall
+# HOST(S) - (Optional) Comma-separated list of IP/subnet
+# addresses. If your kernel and iptables include
+# iprange match support, IP address ranges are also
+# allowed.
 #
-# If your kernel and iptables include iprange match
-# support, IP address ranges are also allowed.
+# If left empty or supplied as "-",
+# 0.0.0.0/0 is assumed.
+# OPTIONS - (Optional) A comma-separated list of
+# options. The currently-supported options are:
 #
-# OPTIONS (Optional) A comma-separated list of
-# options. The currently-supported options are:
+# routeback - Set up a rule to ACCEPT traffic from
+# these hosts back to themselves.
 #
-# routeback - Set up a rule to ACCEPT traffic from
-# these hosts back to themselves.
+# source - Allow traffic from these hosts to ANY
+# destination. Without this option or the 'dest'
+# option, only traffic from this host to other
+# listed hosts (and the firewall) is allowed. If
+# 'source' is specified then 'routeback' is redundent.
+#
+# dest - Allow traffic to these hosts from ANY
+# source. Without this option or the 'source'
+# option, only traffic from this host to other
+# listed hosts (and the firewall) is allowed. If
+# 'dest' is specified then 'routeback' is redundent.
+#
+# critical - Allow traffic between the firewall and
+# these hosts throughout '[re]start', 'stop' and
+# 'clear'. Specifying 'critical' on one or more
+# entries will cause your firewall to be "totally
+# open" for a brief window during each of those
+# operations.
+#
+# NOTE: The 'source' and 'dest' options work best when used
+# in conjunction with ADMINISABSENTMINDED=Yes in
+# /etc/shorewall/shorewall.conf.
 #
 # Example:
 #
 # INTERFACE HOST(S) OPTIONS
-# eth1 -
-# eth1 192.168.1.0/24
-# eth1 192.0.2.44
+# eth2 192.168.1.0/24
+# eth0 192.0.2.44
 # br0 - routeback
+# eth3 - source
+#
+# See http://shorewall.net/Documentation.htm#Routestopped and
+# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
 ##############################################################################
 #INTERFACE HOST(S)
 eth1 -
diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules
index 5cfca7a15..23a9bc401 100755
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.6 - Rules File
+# Shorewall version 3.0 - Rules File
 #
 # /etc/shorewall/rules
 #
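Review bot: `redundent` should be `redundant` in both the 'source' and 'dest' option descriptions added to the routestopped header. The rewritten Example also stops matching this sample's own interface map (the interfaces file in this commit assigns net to eth0, loc to eth1 and dmz to eth2): `eth2 192.168.1.0/24` puts a private range on the dmz interface and `eth3 - source` names an interface the sample never defines, which invites copying an entry that opens the wrong interface while the firewall is stopped. If the example is meant to be generic (it looks copied from the distribution file), say so in a comment; otherwise `# eth1 192.168.1.0/24` would track the sample and the `eth3` line could be dropped.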
@@ -19,6 +19,45 @@
 # you cannot use an ACCEPT rule to allow traffic from the internet to
 # that system. You *must* use a DNAT rule instead.
 #------------------------------------------------------------------------------
+#
+# The rules file is divided into sections. Each section is introduced by
+# a "Section Header" which is a line beginning with SECTION followed by the
+# section name.
+#
+# Sections are as follows and must appear in the order listed:
+#
+# ESTABLISHED Packets in the ESTABLISHED state are processed
+# by rules in this section.
+#
+# The only ACTIONs allowed in this section are
+# ACCEPT, DROP, REJECT, LOG and QUEUE
+#
+# There is an implicit ACCEPT rule inserted
+# at the end of this section.
+#
+# RELATED Packets in the RELATED state are processed by
+# rules in this section.
+#
+# The only ACTIONs allowed in this section are
+# ACCEPT, DROP, REJECT, LOG and QUEUE
+#
+# There is an implicit ACCEPT rule inserted
+# at the end of this section.
+#
+# NEW Packets in the NEW and INVALID states are
+# processed by rules in this section.
+#
+# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
+# ESTABLISHED and RELATED sections must be empty.
+#
+# Note: If you are not familiar with Netfilter to the point where you are
+# comfortable with the differences between the various connection
+# tracking states, then I suggest that you omit the ESTABLISHED and
+# RELATED sections and place all of your rules in the NEW section.
+#
+# You may omit any section that you don't need. If no Section Headers appear
+# in the file then all rules are assumed to be in the NEW section.
+#
 # Columns are:
 #
 # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
@@ -77,6 +116,9 @@
 # /etc/shorewall/actions or in
 # /usr/share/shorewall/actions.std.
 #
+# -- The name of a macro defined in a
+# file named macro..
+#
 # The ACTION may optionally be followed
 # by ":" and a syslog log level (e.g, REJECT:info or
 # DNAT:debug). This causes the packet to be
@@ -219,14 +261,20 @@ # contain the port number on the firewall that the # request should be redirected to. # -# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or -# "all". +# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p", +# a number, or "all". "ipp2p" requires ipp2p match +# support in your kernel and iptables. # # DEST PORT(S) Destination Ports. A comma-separated list of Port # names (from /etc/services), port numbers or port # ranges; if the protocol is "icmp", this column is # interpreted as the destination icmp-type(s). # +# If the protocol is ipp2p, this column is interpreted +# as an ipp2p option without the leading "--" (example +# "bit" for bit-torrent). If no port is given, "ipp2p" is +# assumed. +# # A port range is expressed as :. # # This column is ignored if PROTOCOL = all but must be @@ -288,7 +336,7 @@ # # See http://shorewall.net/PortKnocking.html for an # example of using an entry in this column with a -# user-defined action rule. +# user-defined action rule. # # RATE LIMIT You may rate-limit the rule by placing a value in # this colume: @@ -305,7 +353,7 @@ # # USER/GROUP This column may only be non-empty if the SOURCE is # the firewall itself. -# +# # The column may contain: # # [!][][:][+] @@ -402,13 +450,13 @@ Ping/ACCEPT dmz loc Ping/ACCEPT dmz net ACCEPT $FW net icmp -ACCEPT $FW loc icmp -ACCEPT $FW dmz icmp +ACCEPT $FW loc icmp +ACCEPT $FW dmz icmp # Uncomment this if using Proxy ARP and static NAT and you want to allow ping from # the net zone to the dmz and loc -#Ping/ACCEPT net dmz +#Ping/ACCEPT net dmz #Ping/ACCEPT net loc #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples/three-interfaces/zones b/Samples/three-interfaces/zones index 9b51560dd..ba8e768b4 100644 --- a/Samples/three-interfaces/zones +++ b/Samples/three-interfaces/zones @@ -1,5 +1,5 @@ # -# Shorewall version 2.6 - Zones File +# Shorewall version 3.0 - Zones File # # /etc/shorewall/zones # 
@@ -38,9 +38,9 @@
 # Your kernel and iptables must include policy
 # match support.
 # firewall
-# - Designates the firewall itself. You must have
+# - Designates the firewall itself. You must have
 # exactly one 'firewall' zone. No options are
-# permitted with a 'firewall' zone. The name that you
+# permitted with a 'firewall' zone. The name that you
 # enter in the ZONE column will be stored in the shell
 # variable $FW which you may use in other configuration
 # files to designate the firewall zone.
@@ -82,10 +82,8 @@
 # If you wish to leave a column empty but need to make an entry
 # in a following column, use "-".
 #
-# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
-# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
 #
-# See http://www.shorewall.net/Documentation.htm#Nested
 ###############################################################################
 #ZONE TYPE OPTIONS IN OUT
 # OPTIONS OPTIONS
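Review bot: The second zones hunk drops the only explicit caution that entry order matters for nested or overlapping zones defined through /etc/shorewall/hosts, and replaces the #Nested link with a generic #Zones link. If zone ordering still decides which zone a host is matched to in 3.0 (this diff does not show either way), a misordered zones file silently changes which policy applies to a host, and the reader of the sample now has no hint of it. Suggest keeping the one-line caution beside the link: `# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR` / `# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.`, or, if ordering no longer matters, a line saying so.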