Update two-interface sample with latest 3.0 changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2719 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
b0ba6f0c6d
commit
b6041f5526
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall version 2.6 - Interfaces File
|
# Shorewall version 3.0 - Interfaces File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/interfaces
|
# /etc/shorewall/interfaces
|
||||||
#
|
#
|
||||||
@ -8,8 +8,9 @@
|
|||||||
#
|
#
|
||||||
# Columns are:
|
# Columns are:
|
||||||
#
|
#
|
||||||
# ZONE Zone for this interface. Must match the short name
|
# ZONE Zone for this interface. Must match the name of a
|
||||||
# of a zone defined in /etc/shorewall/zones.
|
# zone defined in /etc/shorewall/zones. You may not
|
||||||
|
# list the firewall zone in this column.
|
||||||
#
|
#
|
||||||
# If the interface serves multiple zones that will be
|
# If the interface serves multiple zones that will be
|
||||||
# defined in the /etc/shorewall/hosts file, you should
|
# defined in the /etc/shorewall/hosts file, you should
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall version 2.6 - Masq file
|
# Shorewall version 3.0 - Masq file
|
||||||
#
|
#
|
||||||
# /etc/shorewall/masq
|
# /etc/shorewall/masq
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall 2.2 -- Sample Policy File For Two Interfaces
|
# Shorewall version 3.0 - Policy File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/policy
|
# /etc/shorewall/policy
|
||||||
#
|
#
|
||||||
@ -10,6 +10,14 @@
|
|||||||
# source/destination pair, the file is processed in order until a
|
# source/destination pair, the file is processed in order until a
|
||||||
# match is found ("all" will match any client or server).
|
# match is found ("all" will match any client or server).
|
||||||
#
|
#
|
||||||
|
# INTRA-ZONE POLICIES ARE PRE-DEFINED
|
||||||
|
#
|
||||||
|
# For $FW and for all of the zoned defined in /etc/shorewall/zones,
|
||||||
|
# the POLICY for connections from the zone to itself is ACCEPT (with no
|
||||||
|
# logging or TCP connection rate limiting but may be overridden by an
|
||||||
|
# entry in this file. The overriding entry must be explicit (cannot use
|
||||||
|
# "all" in the SOURCE or DEST).
|
||||||
|
#
|
||||||
# Columns are:
|
# Columns are:
|
||||||
#
|
#
|
||||||
# SOURCE Source zone. Must be the name of a zone defined
|
# SOURCE Source zone. Must be the name of a zone defined
|
||||||
@ -18,42 +26,40 @@
|
|||||||
# DEST Destination zone. Must be the name of a zone defined
|
# DEST Destination zone. Must be the name of a zone defined
|
||||||
# in /etc/shorewall/zones, $FW or "all"
|
# in /etc/shorewall/zones, $FW or "all"
|
||||||
#
|
#
|
||||||
# WARNING: Firewall->Firewall policies are not allowed; if
|
|
||||||
# you have a policy where both SOURCE and DEST are $FW,
|
|
||||||
# Shorewall will not start!
|
|
||||||
#
|
|
||||||
# POLICY Policy if no match from the rules file is found. Must
|
# POLICY Policy if no match from the rules file is found. Must
|
||||||
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" Or "NONE"
|
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
|
||||||
#
|
#
|
||||||
# ACCEPT
|
# ACCEPT - Accept the connection
|
||||||
# Accept the connection
|
# DROP - Ignore the connection request
|
||||||
# DROP
|
# REJECT - For TCP, send RST. For all other,
|
||||||
# Ignore the connection request.
|
# send "port unreachable" ICMP.
|
||||||
# REJECT
|
# QUEUE - Send the request to a user-space
|
||||||
# For TCP, send RST. For all other, send
|
# application using the QUEUE target.
|
||||||
# "port unreachable" ICMP.
|
# CONTINUE - Pass the connection request past
|
||||||
# CONTINUE
|
|
||||||
# Pass the connection request past
|
|
||||||
# any other rules that it might also
|
# any other rules that it might also
|
||||||
# match (where the source or destination
|
# match (where the source or
|
||||||
# zone in those rules is a superset of
|
# destination zone in those rules is
|
||||||
# the SOURCE or DEST in this policy)
|
# a superset of the SOURCE or DEST
|
||||||
# NONE
|
# in this policy).
|
||||||
# Assume that there will never be any
|
# NONE - Assume that there will never be any
|
||||||
# packets from this SOURCE to this
|
# packets from this SOURCE
|
||||||
# DEST. Shorewall will not set up any
|
# to this DEST. Shorewall will not set
|
||||||
# infrastructure to handle such packets
|
# up any infrastructure to handle such
|
||||||
# and you may not have any rules with
|
# packets and you may not have any
|
||||||
# this SOURCE and DEST in the /etc/shorewall/rules
|
# rules with this SOURCE and DEST in
|
||||||
# file. If such a packet is received the result
|
# the /etc/shorewall/rules file. If
|
||||||
# is undefined. None may not be used if the SOURCE
|
# such a packet _is_ received, the
|
||||||
# or DEST columns contain the firewall zone ($FW)
|
# result is undefined. NONE may not be
|
||||||
# or "all"
|
# used if the SOURCE or DEST columns
|
||||||
|
# contain the firewall zone ($FW) or
|
||||||
|
# "all".
|
||||||
#
|
#
|
||||||
# If this column contains ACCEPT, DROP or REJECT and a
|
# If this column contains ACCEPT, DROP or REJECT and a
|
||||||
# corresponding common action is define in /etc/shorewall/actions
|
# corresponding common action is defined in
|
||||||
# (or /usr/share/shorewall/actions.std) then that column will be
|
# /etc/shorewall/actions (or
|
||||||
# invoked before the policy named in this column is inforced.
|
# /usr/share/shorewall/actions.std) then that action
|
||||||
|
# will be invoked before the policy named in this column
|
||||||
|
# is enforced.
|
||||||
#
|
#
|
||||||
# LOG LEVEL If supplied, each connection handled under the default
|
# LOG LEVEL If supplied, each connection handled under the default
|
||||||
# POLICY is logged at that level. If not supplied, no
|
# POLICY is logged at that level. If not supplied, no
|
||||||
@ -63,22 +69,18 @@
|
|||||||
# Beginning with Shorewall version 1.3.12, you may
|
# Beginning with Shorewall version 1.3.12, you may
|
||||||
# also specify ULOG (must be in upper case). This will
|
# also specify ULOG (must be in upper case). This will
|
||||||
# log to the ULOG target and sent to a separate log
|
# log to the ULOG target and sent to a separate log
|
||||||
# through use of ulogd (http://www.gnumonks.org/projects/ulogd).
|
# through use of ulogd
|
||||||
|
# (http://www.gnumonks.org/projects/ulogd).
|
||||||
#
|
#
|
||||||
# If you don't want to log but need to specify the
|
# If you don't want to log but need to specify the
|
||||||
# following column, place "_" here.
|
# following column, place "-" here.
|
||||||
#
|
#
|
||||||
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
|
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
|
||||||
# and the size of an acceptable burst. If not specified,
|
# and the size of an acceptable burst. If not specified,
|
||||||
# TCP connections are not limited.
|
# TCP connections are not limited.
|
||||||
#
|
#
|
||||||
# As shipped, the default policies are:
|
# See http://shorewall.net/Documentation.htm#Policy for additional information.
|
||||||
#
|
#
|
||||||
# a) All connections from the local network to the Internet are allowed
|
|
||||||
# b) All connections from the Internet are ignored but logged at syslog
|
|
||||||
# level KERNEL.INFO.
|
|
||||||
# d) All other connection requests are rejected and logged at level
|
|
||||||
# KERNEL.INFO.
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
|
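Review bot: The rewritten POLICY column text still lists only `# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".`, yet the new bullet list right below it documents `# QUEUE - Send the request to a user-space application using the QUEUE target.`; the summary line should include QUEUE as well, e.g. `# be "ACCEPT", "DROP", "REJECT", "QUEUE", "CONTINUE" or "NONE".` (third hunk of this file). The paragraph added in the second hunk has a typo, `zoned` for `zones`, in `# For $FW and for all of the zoned defined in /etc/shorewall/zones,`. That same paragraph states that intra-zone connections now default to ACCEPT with no logging unless overridden explicitly; since the fourth hunk drops the "As shipped, the default policies are" summary, a one-line reminder of that default near the `#SOURCE DEST POLICY` header would keep the shipped sample self-describing.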
@ -1,39 +1,65 @@
|
|||||||
##############################################################################
|
|
||||||
#
|
#
|
||||||
# Shorewall 2.2 -- Sample Routestopped file for two interfaces.
|
# Shorewall version 3.0 - Routestopped File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/routestopped
|
# /etc/shorewall/routestopped
|
||||||
#
|
#
|
||||||
# This file is used to define the hosts that are accessible when the
|
# This file is used to define the hosts that are accessible when the
|
||||||
# firewall is stopped.
|
# firewall is stopped or when it is in the process of being
|
||||||
|
# [re]started.
|
||||||
#
|
#
|
||||||
# Columns must be separated by white space and are:
|
# Columns are:
|
||||||
#
|
#
|
||||||
# INTERFACE
|
# INTERFACE - Interface through which host(s) communicate with
|
||||||
# Interface through which host(s) communicate with
|
# the firewall
|
||||||
# the firewall.
|
# HOST(S) - (Optional) Comma-separated list of IP/subnet
|
||||||
# HOST(S)
|
# addresses. If your kernel and iptables include
|
||||||
# (Optional) Comma-separated list of IP/subnet
|
# iprange match support, IP address ranges are also
|
||||||
# addresses. If left empty or supplied as "-",
|
# allowed.
|
||||||
|
#
|
||||||
|
# If left empty or supplied as "-",
|
||||||
# 0.0.0.0/0 is assumed.
|
# 0.0.0.0/0 is assumed.
|
||||||
#
|
# OPTIONS - (Optional) A comma-separated list of
|
||||||
# If your kernel and iptables include iprange match
|
|
||||||
# support, IP address ranges are also allowed.
|
|
||||||
#
|
|
||||||
# OPTIONS (Optional) A comma-separated list of
|
|
||||||
# options. The currently-supported options are:
|
# options. The currently-supported options are:
|
||||||
#
|
#
|
||||||
# routeback - Set up a rule to ACCEPT traffic from
|
# routeback - Set up a rule to ACCEPT traffic from
|
||||||
# these hosts back to themselves.
|
# these hosts back to themselves.
|
||||||
#
|
#
|
||||||
|
# source - Allow traffic from these hosts to ANY
|
||||||
|
# destination. Without this option or the 'dest'
|
||||||
|
# option, only traffic from this host to other
|
||||||
|
# listed hosts (and the firewall) is allowed. If
|
||||||
|
# 'source' is specified then 'routeback' is redundent.
|
||||||
|
#
|
||||||
|
# dest - Allow traffic to these hosts from ANY
|
||||||
|
# source. Without this option or the 'source'
|
||||||
|
# option, only traffic from this host to other
|
||||||
|
# listed hosts (and the firewall) is allowed. If
|
||||||
|
# 'dest' is specified then 'routeback' is redundent.
|
||||||
|
#
|
||||||
|
# critical - Allow traffic between the firewall and
|
||||||
|
# these hosts throughout '[re]start', 'stop' and
|
||||||
|
# 'clear'. Specifying 'critical' on one or more
|
||||||
|
# entries will cause your firewall to be "totally
|
||||||
|
# open" for a brief window during each of those
|
||||||
|
# operations.
|
||||||
|
#
|
||||||
|
# NOTE: The 'source' and 'dest' options work best when used
|
||||||
|
# in conjunction with ADMINISABSENTMINDED=Yes in
|
||||||
|
# /etc/shorewall/shorewall.conf.
|
||||||
|
#
|
||||||
# Example:
|
# Example:
|
||||||
#
|
#
|
||||||
# INTERFACE HOST(S) OPTIONS
|
# INTERFACE HOST(S) OPTIONS
|
||||||
# eth1 -
|
# eth2 192.168.1.0/24
|
||||||
# eth1 192.168.1.0/24
|
# eth0 192.0.2.44
|
||||||
# eth1 192.0.2.44
|
|
||||||
# br0 - routeback
|
# br0 - routeback
|
||||||
|
# eth3 - source
|
||||||
|
#
|
||||||
|
# See http://shorewall.net/Documentation.htm#Routestopped and
|
||||||
|
# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
|
||||||
|
# information.
|
||||||
|
#
|
||||||
##############################################################################
|
##############################################################################
|
||||||
#INTERFACE HOST(S)
|
#INTERFACE HOST(S) OPTIONS
|
||||||
eth1 -
|
eth1 -
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
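Review bot: The new `source` and `dest` option descriptions both misspell "redundant" as `redundent` (`# 'source' is specified then 'routeback' is redundent.` and the matching `dest` line). The added example `# eth3 - source` combines an empty HOST(S) column, which the file says means 0.0.0.0/0, with `source`, which the file says allows traffic from those hosts to ANY destination, so while the firewall is stopped every host on eth3 may reach anywhere; a short comment above the example such as `# (any host on eth3 may reach any destination while stopped)` would make that consequence explicit to someone copying it. The live entry `eth1 -` is unchanged by this commit.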
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall version 2.6 - Rules File
|
# Shorewall version 3.0 - Rules File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/rules
|
# /etc/shorewall/rules
|
||||||
#
|
#
|
||||||
@ -19,6 +19,45 @@
|
|||||||
# you cannot use an ACCEPT rule to allow traffic from the internet to
|
# you cannot use an ACCEPT rule to allow traffic from the internet to
|
||||||
# that system. You *must* use a DNAT rule instead.
|
# that system. You *must* use a DNAT rule instead.
|
||||||
#------------------------------------------------------------------------------
|
#------------------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# The rules file is divided into sections. Each section is introduced by
|
||||||
|
# a "Section Header" which is a line beginning with SECTION followed by the
|
||||||
|
# section name.
|
||||||
|
#
|
||||||
|
# Sections are as follows and must appear in the order listed:
|
||||||
|
#
|
||||||
|
# ESTABLISHED Packets in the ESTABLISHED state are processed
|
||||||
|
# by rules in this section.
|
||||||
|
#
|
||||||
|
# The only ACTIONs allowed in this section are
|
||||||
|
# ACCEPT, DROP, REJECT, LOG and QUEUE
|
||||||
|
#
|
||||||
|
# There is an implicit ACCEPT rule inserted
|
||||||
|
# at the end of this section.
|
||||||
|
#
|
||||||
|
# RELATED Packets in the RELATED state are processed by
|
||||||
|
# rules in this section.
|
||||||
|
#
|
||||||
|
# The only ACTIONs allowed in this section are
|
||||||
|
# ACCEPT, DROP, REJECT, LOG and QUEUE
|
||||||
|
#
|
||||||
|
# There is an implicit ACCEPT rule inserted
|
||||||
|
# at the end of this section.
|
||||||
|
#
|
||||||
|
# NEW Packets in the NEW and INVALID states are
|
||||||
|
# processed by rules in this section.
|
||||||
|
#
|
||||||
|
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
|
||||||
|
# ESTABLISHED and RELATED sections must be empty.
|
||||||
|
#
|
||||||
|
# Note: If you are not familiar with Netfilter to the point where you are
|
||||||
|
# comfortable with the differences between the various connection
|
||||||
|
# tracking states, then I suggest that you omit the ESTABLISHED and
|
||||||
|
# RELATED sections and place all of your rules in the NEW section.
|
||||||
|
#
|
||||||
|
# You may omit any section that you don't need. If no Section Headers appear
|
||||||
|
# in the file then all rules are assumed to be in the NEW section.
|
||||||
|
#
|
||||||
# Columns are:
|
# Columns are:
|
||||||
#
|
#
|
||||||
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
|
||||||
@ -77,6 +116,9 @@
|
|||||||
# /etc/shorewall/actions or in
|
# /etc/shorewall/actions or in
|
||||||
# /usr/share/shorewall/actions.std.
|
# /usr/share/shorewall/actions.std.
|
||||||
#
|
#
|
||||||
|
# <macro> -- The name of a macro defined in a
|
||||||
|
# file named macro.<macro-name>.
|
||||||
|
#
|
||||||
# The ACTION may optionally be followed
|
# The ACTION may optionally be followed
|
||||||
# by ":" and a syslog log level (e.g, REJECT:info or
|
# by ":" and a syslog log level (e.g, REJECT:info or
|
||||||
# DNAT:debug). This causes the packet to be
|
# DNAT:debug). This causes the packet to be
|
||||||
@ -219,14 +261,20 @@
|
|||||||
# contain the port number on the firewall that the
|
# contain the port number on the firewall that the
|
||||||
# request should be redirected to.
|
# request should be redirected to.
|
||||||
#
|
#
|
||||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||||
# "all".
|
# a number, or "all". "ipp2p" requires ipp2p match
|
||||||
|
# support in your kernel and iptables.
|
||||||
#
|
#
|
||||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||||
# names (from /etc/services), port numbers or port
|
# names (from /etc/services), port numbers or port
|
||||||
# ranges; if the protocol is "icmp", this column is
|
# ranges; if the protocol is "icmp", this column is
|
||||||
# interpreted as the destination icmp-type(s).
|
# interpreted as the destination icmp-type(s).
|
||||||
#
|
#
|
||||||
|
# If the protocol is ipp2p, this column is interpreted
|
||||||
|
# as an ipp2p option without the leading "--" (example
|
||||||
|
# "bit" for bit-torrent). If no port is given, "ipp2p" is
|
||||||
|
# assumed.
|
||||||
|
#
|
||||||
# A port range is expressed as <low port>:<high port>.
|
# A port range is expressed as <low port>:<high port>.
|
||||||
#
|
#
|
||||||
# This column is ignored if PROTOCOL = all but must be
|
# This column is ignored if PROTOCOL = all but must be
|
||||||
|
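Review bot: The `<macro>` ACTION added in the second hunk says only `# file named macro.<macro-name>.`, while the action description immediately above it names both `/etc/shorewall/actions` and `/usr/share/shorewall/actions.std`; the macro note should likewise state where macro files are looked up (or say that the same locations apply, if that is the case), since a reader otherwise cannot tell which directory a stray `macro.*` file would be picked up from. In the first hunk the ESTABLISHED and RELATED descriptions repeat the same four lines on allowed ACTIONs and the implicit ACCEPT; a single shared sentence such as `# In both sections only ACCEPT, DROP, REJECT, LOG and QUEUE are allowed, and an implicit ACCEPT ends the section.` would read more easily.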
@ -1,5 +1,5 @@
|
|||||||
#
|
#
|
||||||
# Shorewall version 2.6 - Zones File
|
# Shorewall version 3.0 - Zones File
|
||||||
#
|
#
|
||||||
# /etc/shorewall/zones
|
# /etc/shorewall/zones
|
||||||
#
|
#
|
||||||
@ -82,10 +82,8 @@
|
|||||||
# If you wish to leave a column empty but need to make an entry
|
# If you wish to leave a column empty but need to make an entry
|
||||||
# in a following column, use "-".
|
# in a following column, use "-".
|
||||||
#
|
#
|
||||||
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
|
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
|
||||||
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
|
|
||||||
#
|
#
|
||||||
# See http://www.shorewall.net/Documentation.htm#Nested
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#ZONE TYPE OPTIONS IN OUT
|
#ZONE TYPE OPTIONS IN OUT
|
||||||
# OPTIONS OPTIONS
|
# OPTIONS OPTIONS
|
||||||
|