Baseline 2.0 Sample Files Revision 1.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1187 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
frannie 2004-03-14 18:16:35 +00:00
parent 699a4cf567
commit c5f747624b
16 changed files with 223 additions and 196 deletions


@ -1,5 +1,5 @@
#
# Shorewall 1.4.8a -- Sample Interface File For One Interface
# Shorewall 2.0 -- Sample Interface File For One Interface
#
# /etc/shorewall/interfaces
#
@ -24,7 +24,8 @@
# want to make a entry that applies to all PPP
# interfaces, use 'ppp+'
#
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
# There is no need to define the loopback interface (lo)
# in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
@ -65,11 +66,6 @@
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
# dropunclean
# Logs and drops mangled/invalid packets
# logunclean
# Logs mangled/invalid packets but does
# not drop them.
# blacklist
# Check packets arriving on this interface
# against the /etc/shorewall/blacklist
@ -118,6 +114,15 @@
# the interface can respond to ARP who-has requests
# for IP addresses on any of the firewall's interface.
# The interface must be up when shorewall is started.
# nosmurfs
# Filter packers for smurfs (Packets with a broadcast
# address as the source).
# detectnets
# Automatically taylors the zone named in the ZONE
# column to include only those hosts routed through
# the interface.
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE!
#
# The order in which you list the options is not
# significant but the list should have no embedded white
@ -147,5 +152,5 @@
# net ppp0 -
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918,routefilter,dhcp
net eth0 detect norfc1918,routefilter,dhcp,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
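Review bot: The sample entry `net eth0 detect norfc1918,routefilter,dhcp,tcpflags` gains `tcpflags` but not the `nosmurfs` option this same commit documents a few lines above, so a reader who copies the sample still gets no filtering of broadcast-sourced packets on the Internet-facing interface; if that protection is meant to be on by default the entry should read `net eth0 detect norfc1918,routefilter,dhcp,tcpflags,nosmurfs`. The `nosmurfs` description in this file also omits the sentence the two- and three-interface samples carry about logging being controlled by `SMURF_LOG_LEVEL` in shorewall.conf and the packets being dropped after logging, which is the part an operator needs when reading the log. Minor: `Filter packers for smurfs` should be `Filter packets`, and `Automatically taylors the zone` should be `tailors`.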


@ -1,13 +1,14 @@
#
# Shorewall 1.4.8a -- Sample Policy File For One Interface
# Shorewall 2.0 -- Sample Policy File For One Interface
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRYS IN THIS FILE IS IMPORTANT!
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
# don't get a match from the /etc/shorewall/rules file For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# Columns are:
#
@ -17,10 +18,6 @@
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE"
#
@ -45,7 +42,15 @@
# and you may not have any rules with
# this SOURCE and DEST in the /etc/shorewall/rules
# file. If such a packet is received the result
# is undefined.
# is undefined. NONE may not be used if the
# SOURCE or DEST columns contain the firewall
# zone ($FW) or "all".
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresonding common action is defined in
# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
# then that action will be invoked before the policy named in
# this column is inforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
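Review bot: The newly added header line `THE ORDER OF ENTRYS IN THIS FILE IS IMPORTANT!` misspells ENTRIES; the two- and three-interface samples read `THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT`, so this one should match. In the same hunk the rewritten sentence `don't get a match from the /etc/shorewall/rules file For each` lost the period before `For each` that the two-interface sample keeps. The common-action paragraph has `corresonding` for `corresponding` and `inforced` for `enforced`, and since it only says the action is `invoked before the policy`, it should state whether that action can itself accept or drop the connection so the reader knows the policy is not applied unconditionally. The old warning that a policy with both SOURCE and DEST set to $FW stops Shorewall from starting is dropped without replacement; if that restriction still holds in 2.0 it should stay, because the NONE caveat added below does not cover it.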


@ -1,10 +1,13 @@
#
# Shorewall version 1.4.8a - Sample Rules File For One Interface
# Shorewall version 2.0 - Sample Rules File For One Interface
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
# For any particular (source,dest) pair of zones, the rules are evaluated
# in the order in which they appear in this file and the first match is
# the one that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
@ -12,11 +15,14 @@
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# WARNING: If you masquerade or use SNAT from a local system to the internet
# you cannot use a ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
# REDIRECT-, CONTINUE, LOG or QUEUE.
# REDIRECT-, CONTINUE, LOG, QUEUE or an <action>.
#
# ACCEPT
# Allow the connection request
@ -56,34 +62,21 @@
# Simply log the packet and continue.
# QUEUE
# Queue the packet to a user-space
# application such as p2pwall.
# application such as ftwall.
# (http://p2pwall.sf.net).
# <action>
# The name of an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
#
# You may rate-limit the rule by optionally following
# ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# Where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the largest
# burst permitted. If no <burst> is given, a value of 5
# is assumed. There may be no whitespace embedded in the
# specification.
#
# Example:
# ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed by ":"
# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
# This causes the packet to be logged at the specified level.
#
# NOTE: For those of you who prefer to place the rate limit in a separate column,
# see the RATE LIMIT column below. If you specify a value in that column you must include
# a rate limit in the action column.
#
# You may also specify ULOG (must be in upper case) as a
# log level. This will log to the ULOG target for routing
# to a separate log through use of ulogd.
# (http://www.gnumonks.org/projects/ulogd).
# The ACTION may optionally be followed by ":" and a syslog
# log level (e.g, REJECT:info or DNAT:debug). This causes the
# packet to be logged at the specified level.
#
# You may also specify ULOG (Must be in upper case) as a log
# level. This will log to the ULOG target for routing to a
# seperate log through the use of ulogd.
# (http://www.gnumonks.org/projects/ulogd).
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
@ -243,20 +236,21 @@
# If you place a rate limit in this column, you may not place
# a similiar limit in the ACTION column.
#
# USER SET This Column may only be non-empty if the SOURCE is the firewall
# itself and the ACTION is ACCEPT, DROP or REJECT.
# USER/GROUP
# This column may only be non-empty if the SOURCE is the firewall itself.
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
# This column may contain:
#
# [<user name or number>]:[<group name or number>]
# [!][<user name or number>][:<group name or number>]
#
# When this column is non-empty, the rule applies only if the
# program generating the output is running under the effective
# <user>(s) and/or <group>(s) specified. When a user set name is
# given, a log level may not be present in the ACTION column;
# logging for such rules is controlled by user set's entry in
# /etc/shorewall/usersets.
# When this column is non-empty, the rule applies only if the program
# generating the output is running under the effective <user> and/or
# <group> specified (or is NOT running under that id if "!' is given).
#
# Examples:
# joe # program must be run by joe
# :kids # program must be run by a member of the 'kids' group.
# !:kids # program must not be run by a member of the 'kids' group.
#
# Note: Most one interface rules are of the type ACCEPT, REDIRECT or REJECT.
# DNAT, DNAT-, CONTINUE rules are for multiple interface firewall.
@ -265,18 +259,18 @@
#
# Example: Accept www requests to the one interface server.
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# ACCEPT net fw tcp http
#
# Example: Redirect port 88 Internet traffic to fw port 80
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# REDIRECT net 80 tcp 88
#
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT SET
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net fw icmp 8
ACCEPT fw net icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
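Review bot: The RATE LIMIT column text retained here, `If you place a rate limit in this column, you may not place a similiar limit in the ACTION column`, now refers to a form the file no longer documents, because this commit removes the `ACCEPT<10/sec:20>` syntax and the NOTE that required an ACTION-column limit; it should become something like `Rate limits are specified only in this column.` (and `similiar` fixed). The WARNING added before `Columns are:` about masquerade/SNAT and needing DNAT instead of ACCEPT describes a multi-interface setup that this one-interface sample does not configure, and the file's own note says DNAT rules are for multiple-interface firewalls, so either drop it here or prefix it with a clause such as `if you also masquerade`; it is also missing the `#` separator line before `Columns are:` and `a ACCEPT` should be `an ACCEPT`. In the USER/GROUP paragraph the quotes around the negation are mismatched (`"!'`), and `application such as ftwall.` is still followed by the p2pwall URL, so the link no longer matches the name.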


@ -1,5 +1,5 @@
#
# Shorewall 1.4.8a -- Sample Zone File For One Interface
# Shorewall 2.0 -- Sample Zone File For One Interface
# /etc/shorewall/zones
#
# This file determines your network zones. Columns are:


@ -1,5 +1,5 @@
#
# Shorewall 1.4.8a -- Sample Interface File For Three Interfaces
# Shorewall 2.0 -- Sample Interface File For Three Interfaces
#
# /etc/shorewall/interfaces
#
@ -22,7 +22,8 @@
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
# There is no need to define the loopback interface (lo)
# in this file.
#
# BROADCAST
# The broadcast address for the subnetwork to which the
@ -65,11 +66,6 @@
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
# dropunclean
# Logs and drops mangled/invalid packets
# logunclean
# Logs mangled/invalid packets but does
# not drop them.
# blacklist
# Check packets arriving on this interface
# against the /etc/shorewall/blacklist
@ -118,6 +114,18 @@
# the interface can respond to ARP who-has requests
# for IP addresses on any of the firewall's interface.
# The interface must be up when shorewall is started.
# nosmurfs
# Filter packets for smurfs (packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based on the setting
# of SMURF_LOG_LEVEL in shorewall.conf. After logging,
# the packets are dropped.
# detectnets
# Automatically taylors the zone named in the ZONE column
# to include only those hosts routed through the interface.
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE!
#
# The order in which you list the options is not
# significant but the list should have no embedded white
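Review bot: No hunk in this file touches the sample entries, so unless they already carry it the three-interface sample does not gain the `tcpflags` option this commit adds to the `net` entries of the one- and two-interface samples; the entries are outside the shown hunks, so please check them so the three samples stay consistent. `Automatically taylors the zone named in the ZONE column` should read `tailors`. The capitalised `WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE!` gives no reason; a single clause explaining what goes wrong on an interface that carries the default route would let a reader judge other cases, for example `(the zone would be tailored to whatever the routing table sends through that interface)` if that is the mechanism.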


@ -1,5 +1,5 @@
#
# Shorewall 1.4.8a - Sample Masquerade file For Three Interfaces
# Shorewall 2.0 - Sample Masquerade file For Three Interfaces
#
# etc/shorewall/masq
#


@ -1,13 +1,14 @@
#
# Shorewall 1.4.8a -- Sample Policy File For Three Interfaces
# Shorewall 2.0 -- Sample Policy File For Three Interfaces
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
# don't get a match from the /etc/shorewall/rules file For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# Columns are:
#
@ -45,7 +46,14 @@
# and you may not have any rules with
# this SOURCE and DEST in the /etc/shorewall/rules
# file. If such a packet is received the result
# is undefined.
# is undefined. NONE may not be used if the
# SOURCE or DEST Columns contain the firewall
# zone ($FW) or "all".
#
# If This column contains ACCEPT, DROP or REJECT and a
# corresponding common action is defined in /etc/shorewall/actions
# (or /usr/share/shorewall/actions.std) then that action will be
# invoked before the policy named in this column is inforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
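Review bot: The added common-action paragraph has `If This column` with a stray capital and `inforced` for `enforced`, and the rewritten sentence `don't get a match from the /etc/shorewall/rules file For each` lost its period, which the two-interface sample keeps. Since the paragraph only says the common action is `invoked before the policy named in this column is inforced`, it should also state whether that action can itself accept or drop the connection, so a reader does not assume a DROP or REJECT policy is applied unconditionally.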


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.4.8a -- Sample Routestopped File For Three Interfaces.
# Shorewall 2.0 -- Sample Routestopped File For Three Interfaces.
#
# /etc/shorewall/routestopped
#


@ -1,10 +1,13 @@
#
# Shorewall version 1.4.8a -- Sample Rules File For Three Interfaces
# Shorewall version 2.0 -- Sample Rules File For Three Interfaces
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in this file and the first mactch is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
@ -12,11 +15,15 @@
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# WARNING: If you masquerade or use SNAT from a local system to the internet.
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You "must" use a DNAT rule instead.
#
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
# REDIRECT-, CONTINUE, LOG Or QUEUE.
# REDIRECT-, CONTINUE, LOG, QUEUE or an <action>.
#
# ACCEPT
# Allow the connection request.
@ -56,29 +63,16 @@
# Simply log the packet and continue.
# QUEUE
# Queue the packet to a user-space
# application such as p2pwall.
# application such as ftwall.
# (http://p2pwall.sf.net).
# <action>
# The name of an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
#
# You may rate-limit the rule by optionally following
# ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# Where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the largest
# burst permitted. If no <burst> is given, a value of 5
# is assumed. There may be no whitespace embedded in the
# specification.
#
# Example:
# ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed by ":"
# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
# This causes the packet to be logged at the specified level.
#
# NOTE: For those of you who prefer to place the rate limit in a separate column,
# see the RATE LIMIT column below. If you specify a value in that column you must include
# a rate limit in the action column.
# The ACTION may optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info or DNAT:debug). This causes the packet
# to be logged at the specified level.
#
# You may also specify ULOG (must be in upper case) as a
# log level. This will log to the ULOG target for routing
@ -242,61 +236,62 @@
#
# If you place a rate limit in this column, you may not place
# a similiar limit in the ACTION column.
#
# USER/GROUP
# This column may only be non-empty if the SOURCE is the firewall itself.
#
# USER SET This Column may only be non-empty if the SOURCE is the firewall
# itself and the ACTION is ACCEPT, DROP or REJECT.
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
# When this column is non-empty, the rule applies only if the program
# generating the output is running under the effective <user> and/or
# <group> specified (or is NOT running under that id if "!" is given).
#
# [<user name or number>]:[<group name or number>]
#
# When this column is non-empty, the rule applies only if the
# program generating the output is running under the effective
# <user>(s) and/or <group>(s) specified. When a user set name is
# given, a log level may not be present in the ACTION column;
# logging for such rules is controlled by user set's entry in
# /etc/shorewall/usersets.
# Examples:
# joe # program must be run by joe.
# :kids # program must be run by a member of the 'kids' group.
# !:kids # program must not be run by a member of the 'kids' group.
#
# Also by default all outbound loc -> net communications are allowed.
# You can change this behavior in the sample policy file.
#
# Example: Accept www requests to the firewall.
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# ACCEPT net fw tcp http
#
# Example: Accept SMTP requests from the Local Network to the Internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# ACCEPT loc net tcp smtp
#
# Example: Forward all ssh and http connection requests from the Internet
# to dmz system 192.168.2.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# DNAT net dmz:192.168.2.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the Internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT SET
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the Internet
#
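Review bot: The RATE LIMIT column sentence kept in this section, `you may not place a similiar limit in the ACTION column`, is now stale: the commit removes the `ACCEPT<10/sec:20>` syntax and the NOTE that required a rate limit in the ACTION column, so there is no longer an ACTION-column limit to conflict with; suggest `Rate limits are given only in this column.` (and `similiar` → `similar`). In the file header `the first mactch is the one` should be `match`, and `application such as ftwall.` is still followed by `(http://p2pwall.sf.net)`, so the link no longer matches the name. The sample's active rules begin past the last hunk shown, so they are outside this diff.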


@ -1,5 +1,5 @@
#
# Shorewall 1.4.8a -- Sample Zone File For Two Interfaces
# Shorewall 2.0 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
#
# This file determines your network zones. Columns are:


@ -1,5 +1,5 @@
#
# Shorewall 1.4.8a -- Sample Interface File For Two Interfaces
# Shorewall 2.0 -- Sample Interface File For Two Interfaces
#
# /etc/shorewall/interfaces
#
@ -26,7 +26,8 @@
# want to make a entry that applies to all PPP
# interfaces, use 'ppp+'.
#
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
# There is no need to defiane the loopback interface
# (lo) in this file.
#
# BROADCAST
# The broadcast address for the subnetwork to which the
@ -69,11 +70,6 @@
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
# dropunclean
# Logs and drops mangled/invalid packets
# logunclean
# Logs mangled/invalid packets but does
# not drop them.
# blacklist
# Check packets arriving on this interface
# against the /etc/shorewall/blacklist
@ -124,6 +120,20 @@
# the interface can respond to ARP who-has requests
# for IP addresses on any of the firewall's interface.
# The interface must be up when shorewall is started.
# nosmurfs
# Filter packets for smurfs (Packets with a broadcast
# address as the source).
#
# Smurfs will be optionally logged based on the setting
# of SMURF_LOG_LEVEL in shorewall.conf. After logging
# the packets are dropped.
#
# detectnets
# Automatically taylors the zone named in the ZONE column
# to include only those hosts routed through the interface.
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE!
#
#
# The order in which you list the options is not
# significant but the list should have no embedded white
@ -151,6 +161,6 @@
#
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect
net eth0 detect dhcp,routefilter,norfc1918,tcpflags
loc eth1 detect tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
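Review bot: The sample entries now enable `tcpflags` on both `net` and `loc`, but the `net` entry does not enable the `nosmurfs` option documented in the same commit, so the Internet-facing interface in the sample still passes broadcast-sourced packets; if that protection is meant to be on by default the entry should be `net eth0 detect dhcp,routefilter,norfc1918,tcpflags,nosmurfs`. Enabling `tcpflags` on the internal `loc` interface, where the one-interface sample enables it only on `net`, is reasonable but deserves a one-line `#` comment saying why, since sample files are what users copy. Minor: `There is no need to defiane the loopback interface` should read `define`, `taylors` should be `tailors`, and there is a doubled `#` separator line after the detectnets WARNING.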


@ -1,5 +1,5 @@
#
# Shorewall 1.4.8a - Sample Masquerade file For Two Interfaces
# Shorewall 2.0 - Sample Masquerade file For Two Interfaces
#
# etc/shorewall/masq
#


@ -1,13 +1,14 @@
#
# Shorewall 1.4.8a -- Sample Policy File For Two Interfaces
# Shorewall 2.0 -- Sample Policy File For Two Interfaces
#
# /etc/shorewall/policy
#
# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
# don't get a match from the /etc/shorewall/rules file. For each
# source/destination pair, the file is processed in order until a
# match is found ("all" will match any client or server).
#
# Columns are:
#
@ -45,7 +46,14 @@
# and you may not have any rules with
# this SOURCE and DEST in the /etc/shorewall/rules
# file. If such a packet is received the result
# is undefined.
# is undefined. None may not be used if the SOURCE
# or DEST columns contain the firewall zone ($FW)
# or "all"
#
# If this column contains ACCEPT, DROP or REJECT and a
# corresponding common action is define in /etc/shorewall/actions
# (or /usr/share/shorewall/actions.std) then that column will be
# invoked before the policy named in this column is inforced.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
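Review bot: The added common-action paragraph says `then that column will be invoked`, which should be `then that action will be invoked` as in the one- and three-interface samples; `is define in` should be `is defined in` and `inforced` should be `enforced`. The NONE caveat is written `None may not be used` here but `NONE` in the other two samples; the value is the literal keyword, so keep it upper case. As in the other samples, stating whether a common action can itself accept or drop the connection before the policy applies would make the paragraph actionable rather than just descriptive.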


@ -1,6 +1,6 @@
##############################################################################
#
# Shorewall 1.4.8a -- Sample Routestopped file for two interfaces.
# Shorewall 2.0 -- Sample Routestopped file for two interfaces.
#
# /etc/shorewall/routestopped
#


@ -1,10 +1,13 @@
#
# Shorewall version 1.4.8 - Sample Rules File For Two Interfaces
# Shorewall version 2.0 - Sample Rules File For Two Interfaces
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
# responses are automatically allowed using connection tracking. For any
# particular (source,dest) pair of zones, the rules are evaluated in the
# order in which they appear in the file and the first match is the one
# that determines the disposition of the request.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
@ -12,11 +15,15 @@
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# WARNING: If you masquerade or use SNAT from a local system to the internet
# you cannot use a ACCEPT rule to allow traffic from the internet to
# that system. You "must" use a DNAT rule instead.
#
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
# REDIRECT-, CONTINUE, LOG Or QUEUE.
# REDIRECT-, CONTINUE, LOG, QUEUE or an <action>.
#
# ACCEPT
# Allow the connection request
@ -56,29 +63,16 @@
# Simply log the packet and continue.
# QUEUE
# Queue the packet to a user-space
# application such as p2pwall.
# application such as ftwall.
# (http://p2pwall.sf.net).
# <action>
# The name of an action defined in
# /etc/shorewall/actions or in
# /usr/share/shorewall/actions.std.
#
# You may rate-limit the rule by optionally following
# ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# Where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the largest
# burst permitted. If no <burst> is given, a value of 5
# is assumed. There may be no whitespace embedded in the
# specification.
#
# Example:
# ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed by ":"
# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
# This causes the packet to be logged at the specified level.
#
# NOTE: For those of you who prefer to place the rate limit in a separate column,
# see the RATE LIMIT column below. If you specify a value in that column you must include
# a rate limit in the action column.
# The ACTION may optionally be followed by ":" and a syslog
# log level (e.g, REJECT:info or DNAT:debug). This causes the
# packet to be logged at the specified level.
#
# You may also specify ULOG (must be in upper case) as a
# log level. This will log to the ULOG target for routing
@ -243,60 +237,60 @@
# If you place a rate limit in this column, you may not place
# a similiar limit in the ACTION column.
#
# USER SET This Column may only be non-empty if the SOURCE is the firewall
# itself and the ACTION is ACCEPT, DROP or REJECT.
# USER/GROUP This column may only be non-empty if the SOURCE is the firewall itself.
#
# The column may contain:
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
# [!][<user name or number>][:<group name or number>]
#
# [<user name or number>]:[<group name or number>]
# When this column is non-empty, the rule applies only if the program
# generating the output is running under the effective <user> and/or <group>
# specified (or is NOT running under that id if "!" is given).
#
# When this column is non-empty, the rule applies only if the
# program generating the output is running under the effective
# <user>(s) and/or <group>(s) specified. When a user set name is
# given, a log level may not be present in the ACTION column;
# logging for such rules is controlled by user set's entry in
# /etc/shorewall/usersets.
# Examples:
# joe # program must be run by joe
# :kids # program must be run by a member of the 'kids' group.
# !:kids # program must not be run by a member of the 'kids' group.
#
# Also by default all outbound loc -> net communications are allowed.
# You can change this behavior in the sample policy file.
#
# Example: Accept www requests to the firewall.
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# ACCEPT net fw tcp http
#
# Example: Accept SMTP requests from the Local Network to the Internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# ACCEPT loc net tcp smtp
#
# Example: Forward all ssh and http connection requests from the Internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the Internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# # PORT PORT(S) DEST LIMIT GROUP
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT SET
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
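Review bot: The RATE LIMIT column sentence kept in this section, `If you place a rate limit in this column, you may not place a similiar limit in the ACTION column`, refers to the ACTION-column rate-limit syntax this commit removes, so it should be rewritten to say this column is now the only place a rate limit goes (and `similiar` fixed). The USER/GROUP heading carries its whole first sentence on the heading line, unlike the one- and three-interface samples which wrap it under the column name; wrapping it keeps the column layout consistent across the samples. `application such as ftwall.` is still followed by the p2pwall URL. The sample's active rules begin past the last hunk shown, so they are outside this diff.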


@ -1,5 +1,5 @@
#
# Shorewall 1.4.8a -- Sample Zone File For Two Interfaces
# Shorewall 2.0 -- Sample Zone File For Two Interfaces
# /etc/shorewall/zones
#
# This file determines your network zones. Columns are: