From b2b099de05b3d55238a06abc97e04ef456ef71f4 Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 21 Jun 2002 00:44:49 +0000
Subject: [PATCH] Initial revision
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@86 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Lrp/etc/shorewall/shorewall.conf | 231 +++++++++++++++++++++++++++++++
 Lrp/var/lib/lrpkg/shorwall.list | 5 +
 2 files changed, 236 insertions(+)
 create mode 100644 Lrp/etc/shorewall/shorewall.conf
 create mode 100644 Lrp/var/lib/lrpkg/shorwall.list
diff --git a/Lrp/etc/shorewall/shorewall.conf b/Lrp/etc/shorewall/shorewall.conf
new file mode 100644
index 000000000..b224edd31
--- /dev/null
+++ b/Lrp/etc/shorewall/shorewall.conf
@@ -0,0 +1,231 @@
+##############################################################################
+# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
+# match your setup
+#
+# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
+#
+# This file should be placed in /etc/shorewall
+#
+# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
+##############################################################################
+#
+# Name of the firewall zone -- if not set or if set to an empty string, "fw"
+# is assumed.
+#
+FW=fw
+
+
+# Set this to the name of the lock file expected by your init scripts. For
+# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
+# should be /var/state/shorewall. If your init scripts don't use lock files,
+# set -this to "".
+#
+
+SUBSYSLOCK=/var/run/shorewall
+
+# This is the directory where the firewall maintains state information while
+# it is running
+#
+
+STATEDIR=/tmp/shorewall
+
+#
+# Set this to "yes" or "Yes" if you want to accept all connection requests
+# that are related to already established connections. For example, you want
+# to accept FTP data connections. If you say "no" here, then to accept
+# these connections between particular zones or hosts, you must include
+# explicit "related" rules in /etc/shorewall/rules.
+#
+
+ALLOWRELATED=yes
+
+#
+# If your netfilter kernel modules are in a directory other than
+# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
+# directory in this variable. Example: MODULESDIR=/etc/modules.
+
+MODULESDIR=
+
+#
+# The next two variables can be used to control the amount of log output
+# generated. LOGRATE is expressed as a number followed by an optional
+# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
+# rate at which a particular message will occur. LOGBURST determines the
+# maximum initial burst size that will be logged. If set empty, the default
+# value of 5 will be used.
+#
+# If BOTH variables are set empty then logging will not be rate-limited.
+#
+
+LOGRATE=
+LOGBURST=
+
+
+#
+# This variable determines the level at which Mangled/Invalid packets are logged
+# under the 'dropunclean' interface option. If you set this variable to an
+# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
+# silently.
+#
+
+LOGUNCLEAN=info
+
+# This variable tells the /sbin/shorewall program where to look for Shorewall
+# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
+# /var/log/messages is assumed.
+#
+# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
+# look for Shorewall messages.It does NOT control the destination for
+# these messages. For information about how to do that, see
+#
+# http://www.shorewall.net/FAQ.htm#faq6
+
+LOGFILE=/var/log/messages
+
+#
+# Enable nat support.
+#
+# You probally want yes here. Only gateways not doing NAT in any form, like
+# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
+#
+NAT_ENABLED=Yes
+
+#
+# Enable mangle support.
+#
+# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
+# and will not initialize the mangle table when starting or stopping
+# your firewall. You must enable mangling if you want Traffic Shaping
+# (see TC_ENABLED below).
+#
+MANGLE_ENABLED=Yes
+
+#
+# Enable IP Forwarding
+#
+# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
+# say "Off" or "off", packet forwarding will be disabled. You would only want
+# to disable packet forwarding if you are installing Shorewall on a
+# standalone system or if you want all traffic through the Shorewall system
+# to be handled by proxies.
+#
+# If you set this variable to "Keep" or "keep", Shorewall will neither
+# enable nor disable packet forwarding.
+#
+IP_FORWARDING=On
+#
+# Automatically add IP Aliases
+#
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
+# for each NAT external address that you give in /etc/shorewall/nat. If you say
+# "No" or "no", you must add these aliases youself.
+#
+ADD_IP_ALIASES=Yes
+
+#
+# Automatically add SNAT Aliases
+#
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
+# for each SNAT external address that you give in /etc/shorewall/masq. If you say
+# "No" or "no", you must add these aliases youself.
+#
+ADD_SNAT_ALIASES=No
+
+#
+# Enable Traffic Shaping
+#
+# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
+# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
+# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
+# you must enable packet mangling above.
+#
+TC_ENABLED=No
+
+#
+# Blacklisting
+#
+# Set this variable to the action that you want to perform on packets from
+# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
+# DROP is assumed.
+#
+BLACKLIST_DISPOSITION=DROP
+
+#
+# Blacklist Logging
+#
+# Set this variable to the syslogd level that you want blacklist packets logged
+# (beward of DOS attacks resulting from such logging). If not set, no logging
+# of blacklist packets occurs.
+#
+BLACKLIST_LOGLEVEL=
+
+#
+# MSS Clamping
+#
+# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
+# option. This option is most commonly required when your internet
+# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
+# have CONFIG_IP_NF_TARGET_TCPMSS set.
+#
+# [From the kernel help:
+#
+# This option adds a `TCPMSS' target, which allows you to alter the
+# MSS value of TCP SYN packets, to control the maximum size for that
+# connection (usually limiting it to your outgoing interface's MTU
+# minus 40).
+#
+# This is used to overcome criminally braindead ISPs or servers which
+# block ICMP Fragmentation Needed packets. The symptoms of this
+# problem are that everything works fine from your Linux
+# firewall/router, but machines behind it can never exchange large
+# packets:
+# 1) Web browsers connect, then hang with no data received.
+# 2) Small mail works fine, but large emails hang.
+# 3) ssh works fine, but scp hangs after initial handshaking.
+# ]
+#
+# If left blank, or set to "No" or "no", the option is not enabled.
+#
+CLAMPMSS=No
+
+#
+# Route Filtering
+#
+# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
+# interfaces (anti-spoofing measure).
+#
+# If this variable is not set or is set to the empty value, "No" is assumed.
+
+ROUTE_FILTER=No
+
+#
+# NAT before RULES
+#
+# Shorewall has traditionally processed static NAT rules before port forwarding
+# rules. If you would like to reverse the order, set this variable to "No".
+#
+# If this variable is not set or is set to the empty value, "Yes" is assumed.
+
+NAT_BEFORE_RULES=Yes
+
+# MULTIPORT
+#
+# If your kernel includes the multiport match option
+# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
+# option is enabled by setting it's value to "Yes" or "yes":
+#
+# 1) If you list more that 15 ports in a comma-seperated list in
+# /etc/shorewall/rules, Shorewall will not use the multiport option
+# but will generate a separate rule for each element of each port
+# list.
+# 2) If you include a port range (:) in the
+# rule, Shorewall will not use the multiport option but will generate
+# a separate rule for each element of each port list.
+#
+# See the /etc/shorewall/rules file for additional information on this option.
+#
+# if this variable is not set or is set to the empty value, "No" is assumed.
+
+MULTIPORT=No
+
+#LAST LINE -- DO NOT REMOVE
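Review bot: `STATEDIR=/tmp/shorewall` keeps the firewall's runtime state in a world-writable, tmp-cleaned directory, so on a system with local users that path can be pre-created before the firewall starts, and a tmp cleaner can remove it while the firewall is running. The shorwall.list added in the same commit already packages `var/lib/shorewall`, so a root-owned `STATEDIR=/var/lib/shorewall` would avoid both issues; if /tmp is deliberate for the LRP RAM-disk layout (unverified), a comment above the line should say so. `ROUTE_FILTER=No` also leaves the kernel anti-spoofing filter off by default, which deserves a note beside the existing comment such as `# Left off by default; consider "Yes" on gateways exposed to spoofed source addresses`. Minor: the SUBSYSLOCK comment reads `set -this to ""` (stray hyphen).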
diff --git a/Lrp/var/lib/lrpkg/shorwall.list b/Lrp/var/lib/lrpkg/shorwall.list
new file mode 100644
index 000000000..c1cafd880
--- /dev/null
+++ b/Lrp/var/lib/lrpkg/shorwall.list
@@ -0,0 +1,5 @@
+etc/init.d/shorewall
+etc/shorewall
+sbin/shorewall
+var/lib/shorewall
+var/lib/lrpkg/shorwall.*