Update three-interface sample with latest 3.0 changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2718 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-09-21 16:26:16 +00:00
parent 76ba9e63ff
commit b0ba6f0c6d
6 changed files with 323 additions and 236 deletions


@ -1,5 +1,5 @@
# #
# Shorewall version 2.6 - Interfaces File # Shorewall version 3.0 - Interfaces File
# #
# /etc/shorewall/interfaces # /etc/shorewall/interfaces
# #
@ -8,8 +8,9 @@
# #
# Columns are: # Columns are:
# #
# ZONE Zone for this interface. Must match the short name # ZONE Zone for this interface. Must match the name of a
# of a zone defined in /etc/shorewall/zones. # zone defined in /etc/shorewall/zones. You may not
# list the firewall zone in this column.
# #
# If the interface serves multiple zones that will be # If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should # defined in the /etc/shorewall/hosts file, you should


@ -1,207 +1,219 @@
# #
# Shorewall 2.2 - Sample Masquerade file For Three Interfaces # Shorewall version 3.0 - Masq file
# #
# etc/shorewall/masq # /etc/shorewall/masq
# #
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT # Use this file to define dynamic NAT (Masquerading) and to define
# (SNAT). # Source NAT (SNAT).
# #
# Columns are: # Columns are:
# #
# INTERFACE # INTERFACE -- Outgoing interface. This is usually your internet
# Outgoing interface. This is usually your internet # interface. If ADD_SNAT_ALIASES=Yes in
# interface. If ADD_SNAT_ALIASES=Yes in # /etc/shorewall/shorewall.conf, you may add ":" and
# /etc/shorewall/shorewall.conf, you may add ":" and # a digit to indicate that you want the alias added with
# a digit to indicate that you want the alias added with # that name (e.g., eth0:0). This will allow the alias to
# that name (e.g., eth0:0). This will allow the alias to # be displayed with ifconfig. THAT IS THE ONLY USE FOR
# be displayed with ifconfig. THAT IS THE ONLY USE FOR # THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER # PLACE IN YOUR SHOREWALL CONFIGURATION.
# PLACE IN YOUR SHOREWALL CONFIGURATION.
# #
# This may be qualified by adding the character # This may be qualified by adding the character
# ":" followed by a destination host or subnet. # ":" followed by a destination host or subnet.
# #
# If you wish to inhibit the action of ADD_SNAT_ALIASES
# for this entry then include the ":" but omit the digit:
# #
# If you wish to inhibit the action of ADD_SNAT_ALIASES # eth0:
# for this entry then include the ":" but omit the digit: # eth2::192.0.2.32/27
# #
# eth0: # Normally Masq/SNAT rules are evaluated after those for
# eth2::192.0.2.32/27 # one-to-one NAT (/etc/shorewall/nat file). If you want
# the rule to be applied before one-to-one NAT rules,
# prefix the interface name with "+":
# #
# Normally Masq/SNAT rules are evaluated after those for # +eth0
# one-to-one NAT (/etc/shorewall/nat file). If you want # +eth0:192.0.2.32/27
# the rule to be applied before one-to-one NAT rules, # +eth0:2
# prefix the interface name with "+":
# #
# +eth0 # This feature should only be required if you need to
# +eth0:192.0.2.32/27 # insert rules in this file that preempt entries in
# +eth0:2 # /etc/shorewall/nat.
# #
# This feature should only be required if you need to # SUBNET -- Subnet that you wish to masquerade. You can specify this as
# insert rules in this file that preempt entries in # a subnet or as an interface. If you give the name of an
# /etc/shorewall/nat. # interface, you must have iproute installed and the interface
# must be up before you start the firewall.
# #
# SUBNET # In order to exclude a subset of the specified SUBNET, you
# Subnet that you wish to masquerade. You can specify this as # may append "!" and a comma-separated list of IP addresses
# a subnet or as an interface. If you give the name of an # and/or subnets that you wish to exclude.
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
# #
# In order to exclude a subset of the specified SUBNET, you # Example: eth1!192.168.1.4,192.168.32.0/27
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
# #
# Example: eth1!192.168.1.4,192.168.32.0/27 # In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
# #
# In that example traffic from eth1 would be masqueraded unless # ADDRESS -- (Optional). If you specify an address here, SNAT will be
# it came from 192.168.1.4 or 196.168.32.0/27 # used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
# #
# ADDRESS (Optional) # You may also specify a range of up to 256
# If you specify an address here, SNAT will be # IP addresses if you want the SNAT address to
# used and this will be the source address. If # be assigned from that range in a round-robin
# ADD_SNAT_ALIASES is set to Yes or yes in # range by connection. The range is specified by
# /etc/shorewall/shorewall.conf then Shorewall # <first ip in range>-<last ip in range>.
# will automatically add this address to the
# INTERFACE named in the first column.
# #
# You may also specify a range of up to 256 IP addresses # Example: 206.124.146.177-206.124.146.180
# if you want the SNAT address to be assigned from that
# range in a round-robin range by connection. The range is
# specified by <first ip in range>-<last ip in range>.
# #
# Example: 206.124.146.177-206.124.146.180 # Finally, you may also specify a comma-separated
# list of ranges and/or addresses in this column.
# #
# This column may not contain a DNS Names. # This column may not contain DNS Names.
# #
# Normally, Netfilter will attempt to retain # Normally, Netfilter will attempt to retain
# the source port number. You may cause # the source port number. You may cause
# netfilter to remap the source port by following # netfilter to remap the source port by following
# an address or range (if any) by ":" and # an address or range (if any) by ":" and
# a port range with the format <low port>- # a port range with the format <low port>-
# <high port>. If this is done, you must # <high port>. If this is done, you must
# specify "tcp" or "udp" in the PROTO column. # specify "tcp" or "udp" in the PROTO column.
# #
# Examples: # Examples:
# #
# 192.0.2.4:5000-6000 # 192.0.2.4:5000-6000
# :4000-5000 # :4000-5000
# #
# If you want to leave this column empty # You can invoke the SAME target using the
# but you need to specify the next column then # following in this column:
# place a hyphen ("-") here.
# #
# PROTO -- (Optional) # SAME:[nodst:]<address-range>[,<address-range>...]
# If you wish to restrict this entry to a
# particular protocol then enter the protocol
# name (from /etc/protocols) or number here.
# #
# PORT(S) -- (Optional) # The <address-ranges> may be single addresses.
# If the PROTO column specifies TCP (protocol 6)
# or UDP (protocol 17) then you may list one
# or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
# #
# Where a comma-separated list is given, your # SAME works like SNAT with the exception that
# kernel and iptables must have multiport match # the same local IP address is assigned to each
# support and a maximum of 15 ports may be listed. # connection from a local address to a given
# remote address.
# #
# IPSEC -- (Optional) # If the 'nodst:' option is included, then the
# If you specify a value other than "-" in this # same source address is used for a given
# column, you must be running kernel 2.6 and # internal system regardless of which remote
# your kernel and iptables must include policy # system is involved.
# match support.
# #
# Comma-separated list of options from the following. # If you want to leave this column empty
# Only packets that will be encrypted via an SA that # but you need to specify the next column then
# matches these options will have their source address # place a hyphen ("-") here.
# changed.
# #
# Yes or yes -- must be the only option listed # PROTO -- (Optional) If you wish to restrict this entry to a
# and matches all outbound traffic that will be # particular protocol then enter the protocol
# encrypted. # name (from /etc/protocols) or number here.
# #
# reqid=<number> where <number> is specified # PORT(S) -- (Optional) If the PROTO column specifies TCP (protocol 6)
# using setkey(8) using the 'unique:<number> # or UDP (protocol 17) then you may list one
# option for the SPD level. # or more port numbers (or names from
# /etc/services) separated by commas or you
# may list a single port range
# (<low port>:<high port>).
# #
# spi=<number> where <number> is the SPI of # Where a comma-separated list is given, your
# the SA. # kernel and iptables must have multiport match
# support and a maximum of 15 ports may be
# listed.
# #
# proto=ah|esp|ipcomp # IPSEC -- (Optional) If you specify a value other than "-" in this
# column, you must be running kernel 2.6 and
# your kernel and iptables must include policy
# match support.
# #
# mode=transport|tunnel # Comma-separated list of options from the
# following. Only packets that will be encrypted
# via an SA that matches these options will have
# their source address changed.
# #
# tunnel-src=<address>[/<mask>] (only # Yes or yes -- must be the only option
# available with mode=tunnel) # listed and matches all outbound
# traffic that will be encrypted.
# #
# tunnel-dst=<address>[/<mask>] (only # reqid=<number> where <number> is
# available with mode=tunnel) # specified using setkey(8) using the
# 'unique:<number> option for the SPD
# level.
# #
# strict Means that packets must match all # spi=<number> where <number> is the
# rules. # SPI of the SA.
# #
# next Separates rules; can only be used # proto=ah|esp|ipcomp
# with strict..
# #
# Example 1: # mode=transport|tunnel
# #
# You have a simple masquerading setup where eth0 connects to # tunnel-src=<address>[/<mask>] (only
# a DSL or cable modem and eth1 connects to your local network # available with mode=tunnel)
# with subnet 192.168.0.0/24.
# #
# Your entry in the file can be either: # tunnel-dst=<address>[/<mask>] (only
# available with mode=tunnel)
# #
# #INTERFACE SUBNET ADDRESS # strict Means that packets must match
# eth0 eth1 # all rules.
# #
# or # next Separates rules; can only be
# used with strict..
# #
# #INTERFACE SUBNET ADDRESS # Example 1:
# eth0 192.168.0.0/24
# #
# Example 2: # You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
# #
# You add a router to your local network to connect subnet # Your entry in the file can be either:
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
# #
# #INTERFACE SUBNET ADDRESS # eth0 eth1
# eth0 192.168.1.0/24
# #
# Example 3: # or
# #
# You have an IPSEC tunnel through ipsec0 and you want to # eth0 192.168.0.0/24
# masquerade packets coming from 192.168.1.0/24 but only if #
# these packets are destined for hosts in 10.1.1.0/24: # Example 2:
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
#
# eth0 192.168.1.0/24
#
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
# #
# #INTERFACE SUBNET ADDRESS
# ipsec0:10.1.1.0/24 196.168.1.0/24 # ipsec0:10.1.1.0/24 196.168.1.0/24
# #
# Example 4: # Example 4:
# #
# You want all outgoing traffic from 192.168.1.0/24 through # You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the # eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to # primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0. # be added to eth0 with name eth0:0.
# #
# #INTERFACE SUBNET ADDRESS # eth0:0 192.168.1.0/24 206.124.146.176
# eth0:0 192.168.1.0/24 206.124.146.176
# #
# Example 5: # Example 5:
# #
# You want all outgoing SMTP traffic entering the firewall # You want all outgoing SMTP traffic entering the firewall
# on eth1 to be sent from eth0 with source IP address # on eth1 to be sent from eth0 with source IP address
# 206.124.146.177. You want all other outgoing traffic # 206.124.146.177. You want all other outgoing traffic
# from eth1 to be sent from eth0 with source IP address # from eth1 to be sent from eth0 with source IP address
# 206.124.146.176. # 206.124.146.176.
# #
# INTERFACE SUBNET ADDRESS PROTO PORT(S) # eth0 eth1 206.124.146.177 tcp smtp
# eth0 eth1 206.124.146.177 tcp smtp # eth0 eth1 206.124.146.176
# eth0 eth1 206.124.146.176
# #
# THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!! # THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
# #
############################################################################## ##############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
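Review bot: The SUBNET exclusion example and its explanation disagree on the new side: the example line excludes `192.168.32.0/27`, but the sentence that follows says traffic is masqueraded unless it came from `196.168.32.0/27`, and Example 3 has the same slip (`ipsec0:10.1.1.0/24 196.168.1.0/24` while its prose talks about 192.168.1.0/24). Both lines are carried over unchanged, so the commit does not fix them. 196.168.0.0/16 is not private address space, so a copied example would name the wrong range; the two lines should read `192.168.32.0/27` and `ipsec0:10.1.1.0/24 192.168.1.0/24`. The new SAME-target paragraph could also say that `nodst:` changes the keying of the address choice only, not which addresses are eligible, if that is the intent — I can't confirm it from this hunk.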


@ -1,15 +1,23 @@
# #
# Shorewall 2.2 -- Sample Policy File For Three Interfaces # Shorewall version 3.0 - Policy File
# #
# /etc/shorewall/policy # /etc/shorewall/policy
# #
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT # THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
# #
# This file determines what to do with a new connection request if we # This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file For each # don't get a match from the /etc/shorewall/rules file . For each
# source/destination pair, the file is processed in order until a # source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server). # match is found ("all" will match any client or server).
# #
# INTRA-ZONE POLICIES ARE PRE-DEFINED
#
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
# the POLICY for connections from the zone to itself is ACCEPT (with no
# logging or TCP connection rate limiting but may be overridden by an
# entry in this file. The overriding entry must be explicit (cannot use
# "all" in the SOURCE or DEST).
#
# Columns are: # Columns are:
# #
# SOURCE Source zone. Must be the name of a zone defined # SOURCE Source zone. Must be the name of a zone defined
@ -18,42 +26,40 @@
# DEST Destination zone. Must be the name of a zone defined # DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all" # in /etc/shorewall/zones, $FW or "all"
# #
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must # POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" Or "NONE" # be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
# #
# ACCEPT # ACCEPT - Accept the connection
# Accept the connection # DROP - Ignore the connection request
# DROP # REJECT - For TCP, send RST. For all other,
# Ignore the connection request. # send "port unreachable" ICMP.
# REJECT # QUEUE - Send the request to a user-space
# For TCP, send RST. For all other, send # application using the QUEUE target.
# "port unreachable" ICMP. # CONTINUE - Pass the connection request past
# CONTINUE # any other rules that it might also
# Pass the connection request past # match (where the source or
# any other rules that it might also # destination zone in those rules is
# match (where the source or destination # a superset of the SOURCE or DEST
# zone in those rules is a superset of # in this policy).
# the SOURCE or DEST in this policy) # NONE - Assume that there will never be any
# NONE # packets from this SOURCE
# Assume that there will never be any # to this DEST. Shorewall will not set
# packets from this SOURCE to this # up any infrastructure to handle such
# DEST. Shorewall will not set up any # packets and you may not have any
# infrastructure to handle such packets # rules with this SOURCE and DEST in
# and you may not have any rules with # the /etc/shorewall/rules file. If
# this SOURCE and DEST in the /etc/shorewall/rules # such a packet _is_ received, the
# file. If such a packet is received the result # result is undefined. NONE may not be
# is undefined. NONE may not be used if the # used if the SOURCE or DEST columns
# SOURCE or DEST Columns contain the firewall # contain the firewall zone ($FW) or
# zone ($FW) or "all". # "all".
# #
# If This column contains ACCEPT, DROP or REJECT and a # If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in /etc/shorewall/actions # corresponding common action is defined in
# (or /usr/share/shorewall/actions.std) then that action will be # /etc/shorewall/actions (or
# invoked before the policy named in this column is inforced. # /usr/share/shorewall/actions.std) then that action
# will be invoked before the policy named in this column
# is enforced.
# #
# LOG LEVEL If supplied, each connection handled under the default # LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no # POLICY is logged at that level. If not supplied, no
@ -63,22 +69,18 @@
# Beginning with Shorewall version 1.3.12, you may # Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will # also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log # log to the ULOG target and sent to a separate log
# through use of ulogd (http://www.gnumonks.org/projects/ulogd). # through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
# #
# If you don't want to log but need to specify the # If you don't want to log but need to specify the
# following column, place "_" here. # following column, place "-" here.
# #
# LIMIT:BURST If passed, specifies the maximum TCP connection rate # LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified, # and the size of an acceptable burst. If not specified,
# TCP connections are not limited. # TCP connections are not limited.
# #
# As shipped, the default policies are: # See http://shorewall.net/Documentation.htm#Policy for additional information.
# #
# a) All connections from the local network to the Internet are allowed
# b) All connections from the Internet are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
############################################################################### ###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT loc net ACCEPT
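Review bot: The new INTRA-ZONE POLICIES paragraph has a typo and an unclosed parenthesis: `all of the zoned defined` should read `all of the zones defined`, and `(with no logging or TCP connection rate limiting but may be overridden` needs a `)` after `rate limiting`. Separately, the removed "As shipped, the default policies are" summary (connections from the Internet dropped and logged, everything else rejected and logged) is replaced only by a link, and the header no longer identifies the file as the three-interface sample; since the data lines below are what a reader copies, I'd keep a one-line summary of the shipped defaults next to the link, e.g. `# As shipped: loc->net ACCEPT; net->all DROP (logged); all->all REJECT (logged)`. The policy entries continue past `loc net ACCEPT`, outside this view, so I can't verify the summary against them here.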


@ -1,38 +1,64 @@
##############################################################################
# #
# Shorewall 2.2 -- Sample Routestopped File For Three Interfaces. # Shorewall version 3.0 - Routestopped File
# #
# /etc/shorewall/routestopped # /etc/shorewall/routestopped
# #
# This file is used to define the hosts that are accessible when the # This file is used to define the hosts that are accessible when the
# firewall is stopped. # firewall is stopped or when it is in the process of being
# [re]started.
# #
# Columns must be separated by white space and are: # Columns are:
# #
# INTERFACE # INTERFACE - Interface through which host(s) communicate with
# Interface through which host(s) communicate with # the firewall
# the firewall. # HOST(S) - (Optional) Comma-separated list of IP/subnet
# HOST(S) # addresses. If your kernel and iptables include
# (Optional) Comma-separated list of IP/subnet # iprange match support, IP address ranges are also
# addresses. If left empty or supplied as "-", # allowed.
# 0.0.0.0/0 is assumed.
# #
# If your kernel and iptables include iprange match # If left empty or supplied as "-",
# support, IP address ranges are also allowed. # 0.0.0.0/0 is assumed.
# OPTIONS - (Optional) A comma-separated list of
# options. The currently-supported options are:
# #
# OPTIONS (Optional) A comma-separated list of # routeback - Set up a rule to ACCEPT traffic from
# options. The currently-supported options are: # these hosts back to themselves.
# #
# routeback - Set up a rule to ACCEPT traffic from # source - Allow traffic from these hosts to ANY
# these hosts back to themselves. # destination. Without this option or the 'dest'
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'source' is specified then 'routeback' is redundent.
#
# dest - Allow traffic to these hosts from ANY
# source. Without this option or the 'source'
# option, only traffic from this host to other
# listed hosts (and the firewall) is allowed. If
# 'dest' is specified then 'routeback' is redundent.
#
# critical - Allow traffic between the firewall and
# these hosts throughout '[re]start', 'stop' and
# 'clear'. Specifying 'critical' on one or more
# entries will cause your firewall to be "totally
# open" for a brief window during each of those
# operations.
#
# NOTE: The 'source' and 'dest' options work best when used
# in conjunction with ADMINISABSENTMINDED=Yes in
# /etc/shorewall/shorewall.conf.
# #
# Example: # Example:
# #
# INTERFACE HOST(S) OPTIONS # INTERFACE HOST(S) OPTIONS
# eth1 - # eth2 192.168.1.0/24
# eth1 192.168.1.0/24 # eth0 192.0.2.44
# eth1 192.0.2.44
# br0 - routeback # br0 - routeback
# eth3 - source
#
# See http://shorewall.net/Documentation.htm#Routestopped and
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
############################################################################## ##############################################################################
#INTERFACE HOST(S) #INTERFACE HOST(S)
eth1 - eth1 -
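Review bot: The live column header on the last line is still `#INTERFACE HOST(S)` on both sides even though the text above now documents an OPTIONS column and the example uses it; it should read `#INTERFACE HOST(S) OPTIONS` so the header matches the entries that follow. The new example line `eth3 - source` combines `-` (which the text says means 0.0.0.0/0) with `source` (which the text says allows traffic from these hosts to ANY destination), so every host behind eth3 gets unrestricted forwarding while the firewall is stopped or restarting; either narrow HOST(S) in the example or add a comment stating that effect so the line is not copied verbatim. The `source` and `dest` paragraphs both spell `redundent`; it should be `redundant`.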


@ -1,5 +1,5 @@
# #
# Shorewall version 2.6 - Rules File # Shorewall version 3.0 - Rules File
# #
# /etc/shorewall/rules # /etc/shorewall/rules
# #
@ -19,6 +19,45 @@
# you cannot use an ACCEPT rule to allow traffic from the internet to # you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead. # that system. You *must* use a DNAT rule instead.
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
#
# The rules file is divided into sections. Each section is introduced by
# a "Section Header" which is a line beginning with SECTION followed by the
# section name.
#
# Sections are as follows and must appear in the order listed:
#
# ESTABLISHED Packets in the ESTABLISHED state are processed
# by rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# RELATED Packets in the RELATED state are processed by
# rules in this section.
#
# The only ACTIONs allowed in this section are
# ACCEPT, DROP, REJECT, LOG and QUEUE
#
# There is an implicit ACCEPT rule inserted
# at the end of this section.
#
# NEW Packets in the NEW and INVALID states are
# processed by rules in this section.
#
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
# ESTABLISHED and RELATED sections must be empty.
#
# Note: If you are not familiar with Netfilter to the point where you are
# comfortable with the differences between the various connection
# tracking states, then I suggest that you omit the ESTABLISHED and
# RELATED sections and place all of your rules in the NEW section.
#
# You may omit any section that you don't need. If no Section Headers appear
# in the file then all rules are assumed to be in the NEW section.
#
# Columns are: # Columns are:
# #
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
@ -77,6 +116,9 @@
# /etc/shorewall/actions or in # /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std. # /usr/share/shorewall/actions.std.
# #
# <macro> -- The name of a macro defined in a
# file named macro.<macro-name>.
#
# The ACTION may optionally be followed # The ACTION may optionally be followed
# by ":" and a syslog log level (e.g, REJECT:info or # by ":" and a syslog log level (e.g, REJECT:info or
# DNAT:debug). This causes the packet to be # DNAT:debug). This causes the packet to be
@ -219,14 +261,20 @@
# contain the port number on the firewall that the # contain the port number on the firewall that the
# request should be redirected to. # request should be redirected to.
# #
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or # PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# "all". # a number, or "all". "ipp2p" requires ipp2p match
# support in your kernel and iptables.
# #
# DEST PORT(S) Destination Ports. A comma-separated list of Port # DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port # names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is # ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s). # interpreted as the destination icmp-type(s).
# #
# If the protocol is ipp2p, this column is interpreted
# as an ipp2p option without the leading "--" (example
# "bit" for bit-torrent). If no port is given, "ipp2p" is
# assumed.
#
# A port range is expressed as <low port>:<high port>. # A port range is expressed as <low port>:<high port>.
# #
# This column is ignored if PROTOCOL = all but must be # This column is ignored if PROTOCOL = all but must be
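Review bot: The new section description says packets in the NEW and INVALID states are processed by rules in the NEW section, but it does not say what happens to an INVALID packet — whether an ACCEPT rule in that section also accepts INVALID packets or whether they are handled elsewhere; one sentence making that explicit would help, since readers writing ACCEPT rules will assume they only match NEW. The new `<macro>` entry says the macro lives in a file named macro.<macro-name> but gives no directory, while the neighbouring action entry names /etc/shorewall/actions and /usr/share/shorewall/actions.std; presumably macros use the same search locations — state it if so. Both points are in the first and second hunks of this file.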


@ -1,5 +1,5 @@
# #
# Shorewall version 2.6 - Zones File # Shorewall version 3.0 - Zones File
# #
# /etc/shorewall/zones # /etc/shorewall/zones
# #
@ -82,10 +82,8 @@
# If you wish to leave a column empty but need to make an entry # If you wish to leave a column empty but need to make an entry
# in a following column, use "-". # in a following column, use "-".
# #
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR # For more information, see http://www.shorewall.net/Documentation.htm#Zones
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
# #
# See http://www.shorewall.net/Documentation.htm#Nested
############################################################################### ###############################################################################
#ZONE TYPE OPTIONS IN OUT #ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS # OPTIONS OPTIONS
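Review bot: The warning that entry order matters when nested or overlapping zones are defined through /etc/shorewall/hosts is dropped and replaced by a documentation link only. If ordering still matters in 3.0 (I can't tell from this hunk), the one-line caveat should stay in the file, since someone editing the sample is unlikely to follow the link first; suggested wording: `# THE ORDER OF ENTRIES IS IMPORTANT IF YOU HAVE NESTED OR OVERLAPPING ZONES; see http://www.shorewall.net/Documentation.htm#Zones`. The zone entries below the header are outside this view.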