more samples...for 2.6..

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2533 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/three-interfaces/interfaces

@@ -1,5 +1,5 @@
 #
-#	Shorewall 2.0 -- Sample Interface File For Three Interfaces
+# Shorewall version 2.6 - Interfaces File
 #
 # /etc/shorewall/interfaces
 #
@@ -8,25 +8,26 @@
 #
 # Columns are:
 #
-#	ZONE
+#	ZONE		Zone for this interface. Must match the short name
-#			Zone for this interface. Must match the short name
 #			of a zone defined in /etc/shorewall/zones.
 #
 #			If the interface serves multiple zones that will be
 #			defined in the /etc/shorewall/hosts file, you should
 #			place "-" in this column.
 #
-#	INTERFACE
+#	INTERFACE	Name of interface. Each interface may be listed only
-#			Name of interface. Each interface may be listed only
 #			once in this file. You may NOT specify the name of
 #			an alias (e.g., eth0:0) here; see
 #			http://www.shorewall.net/FAQ.htm#faq18
 #
+#			You may specify wildcards here. For example, if you
+#			want to make an entry that applies to all PPP
+#			interfaces, use 'ppp+'.
+#
 #			There is no need to define the loopback	interface (lo)
 #			in this file.
 #
-#	BROADCAST
+#	BROADCAST	The broadcast address for the subnetwork to which the
-#			The broadcast address for the subnetwork to which the
 #			interface belongs. For P-T-P interfaces, this
 #			column is left blank.If the interface has multiple
 #			addresses on multiple subnets then list the broadcast
@@ -36,66 +37,63 @@
 #			will detect the broadcast address for you. If you
 #			select this option, the interface must be up before
 #			the firewall is started, you must have iproute
-#			installed and the interface must only be associated
+#			installed.
-#			with a single subnet.
 #
 #			If you don't want to give a value for this column but
 #			you want to enter a value in the OPTIONS column, enter
 #			"-" in this column.
 #
-#	OPTIONS
+#	OPTIONS		A comma-separated list of options including the
-#			A comma-separated list of options including the
 #			following:
 #
-#		dhcp
+#			dhcp	     - Specify this option when any of
-#				Interface is managed by DHCP or used by
+#				       the following are true:
-#				a DHCP server running on the firewall or
+#				       1. the interface gets its IP address
-#				you have a static IP but are on a LAN
+#					  via DHCP
-#				segment with lots of Laptop DHCP clients.
+#				       2. the interface is used by
-#		norfc1918
+#					  a DHCP server running on the firewall
-#				This interface should not receive
+#				       3. you have a static IP but are on a LAN
+#					  segment with lots of Laptop DHCP
+#					  clients.
+#				       4. the interface is a bridge with
+#					  a DHCP server on one port and DHCP
+#					  clients on another port.
+#
+#			norfc1918    - This interface should not receive
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
 #				       (i.e., private or "non-routable"
-#				addresses. If packet mangling is
+#				       addresses. If packet mangling or
-#				enabled in shorewall.conf, packets
+#				       connection-tracking match is enabled in
-#				whose destination addresses are
+#				       your kernel, packets whose destination
-#				reserved by RFC 1918 are also rejected.
+#				       addresses are reserved by RFC 1918 are
-#		nobogons
+#				       also rejected.
-#				This interface should not receive
-#				any packets whose source is in one
-#				of the ranges reserved by IANA (this
-#				option does not cover those ranges
-#				reserved by RFC 1918 -- see above).
 #
-#				I PERSONALLY RECOMMEND AGAINST USING
+#			routefilter  - turn on kernel route filtering for this
-#				THE 'nobogons' OPTION.
-#		routefilter
-#				Turn on kernel route filtering for this
 #				       interface (anti-spoofing measure). This
 #				       option can also be enabled globally in
 #				       the /etc/shorewall/shorewall.conf file.
-#		blacklist
+#
-#				Check packets arriving on this interface
+#			logmartians  - turn on kernel martian logging (logging
-#				against the /etc/shorewall/blacklist
-#				file.
-#		logmartians
-#				Turn on kernel martian logging (logging
 #				       of packets with impossible source
 #				       addresses. It is suggested that if you
 #				       set routefilter on an interface that
 #				       you also set logmartians. This option
 #				       may also be enabled globally in the
 #				       /etc/shorewall/shorewall.conf file.
-#		maclist
+#
-#				Connection requests from this interface
+#			blacklist    - Check packets arriving on this interface
+#				       against the /etc/shorewall/blacklist
+#				       file.
+#
+#			maclist	     - Connection requests from this interface
 #				       are compared against the contents of
 #				       /etc/shorewall/maclist. If this option
 #				       is specified, the interface must be
 #				       an ethernet NIC and must be up before
 #				       Shorewall is started.
-#		tcpflags
+#
-#				Packets arriving on this interface are
+#			tcpflags     - Packets arriving on this interface are
 #				       checked for certain illegal combinations
 #				       of TCP flags. Packets found to have
 #				       such a combination of flags are handled
@@ -103,25 +101,30 @@
 #				       TCP_FLAGS_DISPOSITION after having been
 #				       logged according to the setting of
 #				       TCP_FLAGS_LOG_LEVEL.
-#		proxyarp
+#
-#				Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
+#			proxyarp     -
+#				Sets
+#				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
 #				Do NOT use this option if you are
 #				employing Proxy ARP through entries in
 #				/etc/shorewall/proxyarp. This option is
 #				intended soley for use with Proxy ARP
 #				sub-networking as described at:
 #				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
-#		netnotsyn	
+#
-#				TCP packets that don't have the SYN flag set and
+#			newnotsyn    - TCP packets that don't have the SYN
-#				which are not part of an established connection
+#				       flag set and which are not part of an
-#				will be accepted from this interface, even if
+#				       established connection will be accepted
+#				       from this interface, even if
 #				       NEWNOTSYN=No has been specified in
 #				       /etc/shorewall/shorewall.conf. In other
-#				words, packets coming in on this interface
+#				       words, packets coming in on this
-#				are processed as if NEWNOTSYN=Yes had been
+#				       interface are processed as if
-#				specified in /etc/shorewall/shorewall.conf.
+#				       NEWNOTSYN=Yes had been specified in
+#					/etc/shorewall/shorewall.conf.
 #
-#				This option has no effect if NEWNOTSYN=Yes.
+#				       This option has no effect if
+#				       NEWNOTSYN=Yes.
 #
 #				       It is the opinion of the author that
 #				       NEWNOTSYN=No creates more problems than
@@ -129,63 +132,112 @@
 #				       that setting in shorewall.conf (hence
 #				       making the use of the 'newnotsyn'
 #				       interface option unnecessary).
-#		routeback
+#
-#				If specified, indicates that Shorewall
+#			routeback    - If specified, indicates that Shorewall
-#				should include rules that allow filtering
+#				       should include rules that allow
-#				traffic arriving on this interface back
+#				       filtering traffic arriving on this
-#				out that same interface.
+#				       interface back out that same interface.
-#		arp_filter
+#
-#				If specified, this interface will only respond
+#			arp_filter   - If specified, this interface will only
-#				to ARP who-has requests for IP addresses
+#				       respond to ARP who-has requests for IP
-#				configured on the interface. If not specified,
+#				       addresses configured on the interface.
-#				the interface can respond to ARP who-has requests
+#				       If not specified, the interface can
-#				for IP addresses on any of the firewall's interface.
+#				       respond to ARP who-has requests for
-#				The interface must be up when shorewall is started.
+#				       IP addresses on any of the firewall's
-#		nosmurfs
+#				       interface. The interface must be up
-#				Filter packets for smurfs (packets with a broadcast
+#				       when Shorewall is started.
+#
+#			arp_ignore[=<number>]
+#				     - If specified, this interface will
+#				       respond to arp requests based on the
+#				       value of <number>.
+#
+#				       1 - reply only if the target IP address
+#				       is local address configured on the
+#				       incoming interface
+#
+#				       2 - reply only if the target IP address
+#				       is local address configured on the
+#				       incoming interface and both with the
+#				       sender's IP address are part from same
+#				       subnet on this interface
+#
+#				       3 - do not reply for local addresses
+#				       configured with scope host, only
+#				       resolutions for global and link
+#				       addresses are replied
+#
+#				       4-7 - reserved
+#
+#				       8 - do not reply for all local
+#				       addresses
+#
+#				       If no <number> is given then the value
+#				       1 is assumed
+#
+#				       WARNING -- DO NOT SPECIFY arp_ignore
+#				       FOR ANY INTERFACE INVOLVED IN PROXY ARP.
+#
+#			nosmurfs     - Filter packets for smurfs
+#				       (packets with a broadcast
 #				       address as the source).
 #
-#				Smurfs will be optionally logged based on the setting
+#				       Smurfs will be optionally logged based
-#				of SMURF_LOG_LEVEL in shorewall.conf. After logging, 
+#				       on the setting of SMURF_LOG_LEVEL in
-#				the packets are dropped.
+#				       shorewall.conf. After logging, the
-#		detectnets
+#				       packets are dropped.
-#				Automatically taylors the zone named in the ZONE column
-#				to include only those hosts routed through the interface.
 #
-#	WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE!
+#			detectnets   - Automatically taylors the zone named
+#				       in the ZONE column to include only those
+#				       hosts routed through the interface.
+#
+#			upnp	     - Incoming requests from this interface
+#				       may be remapped via UPNP (upnpd).
+#			
+#			WARNING: DO NOT SET THE detectnets OPTION ON YOUR
+#				 INTERNET INTERFACE.
 #
 #			The order in which you list the options is not
 #			significant but the list should have no embedded white
 #			space.
 #
-#	Example 1:
+#	GATEWAY		This column is only meaningful if the 'default' OPTION
-#			Suppose you have eth0 connected to a DSL modem, 
+#			is given -- it is ignored otherwise. You may specify
-#			eth1 connected to your local network and eth2
+#			the default gateway IP address for this interface here
-#			connected to your dmz. Assuming that your local
+#			and Shorewall will use that IP address rather than any
-#			subnet is 192.168.1.0/24 and your dmz subnet is
+#			that it finds in the main routing table.
-#			192.168.2.0/24 . The eth0 interface gets
+#
+#	Example 1:	Suppose you have eth0 connected to a DSL modem and
+#			eth1 connected to your local network and that your
+#			local subnet is 192.168.1.0/24. The interface gets
 #			it's IP address via DHCP from subnet
-#			206.191.149.192/27.
+#			206.191.149.192/27. You have a DMZ with subnet
+#			192.168.2.0/24 using eth2.
 #
 #			Your entries for this setup would look like:
 #
-#			#ZONE	INTERFACE	BROADCAST		OPTIONS
 #			net	eth0	206.191.149.223	dhcp
 #			local	eth1	192.168.1.255
 #			dmz	eth2	192.168.2.255
 #
-#	Example 2:
+#	Example 2:	The same configuration without specifying broadcast
-#			The same configuration without specifying broadcast
 #			addresses is:
 #
-#			#ZONE	INTERFACE	BROADCAST		OPTIONS
 #			net	eth0	detect		dhcp
 #			loc	eth1	detect
 #			dmz	eth2	detect
 #
-##############################################################################
+#	Example 3:	You have a simple dial-in system with no ethernet
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+#			connections.
-net	eth0		detect		dhcp,routefilter,norfc1918
+#
-loc	eth1		detect
+#			net	ppp0	-
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
+###############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS			GATEWAY
+net     eth0            detect          tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
+loc     eth1            detect          tcpflags,detectnets,nosmurfs
 dmz     eth2            detect          
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/three-interfaces/rules

@@ -1,12 +1,12 @@
 #
-# 	Shorewall version 2.2 -- Sample Rules File For Three Interfaces
+# Shorewall version 2.6 - Rules File
 #
 # /etc/shorewall/rules
 #
 #	Rules in this file govern connection establishment. Requests and
 #	responses are automatically allowed using connection tracking. For any
 #	particular (source,dest) pair of zones, the rules are evaluated in the
-#	order in which they appear in this file and the first mactch is the one
+#	order in which they appear in this file and the first match is the one
 #	that determines the disposition of the request.
 #
 #	In most places where an IP address or subnet is allowed, you
@@ -14,75 +14,73 @@
 #	indicate that the rule matches all addresses except the address/subnet
 #	given. Notice that no white space is permitted between "!" and the
 #	address/subnet.
-#
+#------------------------------------------------------------------------------
-#	WARNING: If you masquerade or use SNAT from a local system to the internet.
+# WARNING: If you masquerade or use SNAT from a local system to the internet,
 #	   you cannot use an ACCEPT rule to allow traffic from the internet to
-#		 that system. You "must" use a DNAT rule instead.
+#	   that system. You *must* use a DNAT rule instead.
-#
+#------------------------------------------------------------------------------
 # Columns are:
 #
+#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
+#			LOG, QUEUE or an <action>.
 #
-#	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
+#				ACCEPT	 -- allow the connection request
-#				REDIRECT-, CONTINUE, LOG, QUEUE or an <action>.
+#				ACCEPT+	 -- like ACCEPT but also excludes the
-#
-#				ACCEPT
-#						Allow the connection request.
-#				ACCEPT+
-#						Like ACCEPT but also excludes the
 #					    connection from any subsequent
 #					    DNAT[-] or REDIRECT[-] rules
-#				NONAT
+#				NONAT	 -- Excludes the connection from any
-#						Excludes the connection from any
 #					    subsequent DNAT[-] or REDIRECT[-]
 #					    rules but doesn't generate a rule
 #					    to accept the traffic.
-#				DROP
+#				DROP	 -- ignore the request
-#						Ignore the request.
+#				REJECT	 -- disallow the request and return an
-#				REJECT
-#						Disallow the request and return an
 #					    icmp-unreachable or an RST packet.
-#				DNAT
+#				DNAT	 -- Forward the request to another
-#						Forward the request to another
 #					    system (and optionally another
 #					    port).
-#				DNAT-
+#				DNAT-	 -- Advanced users only.
-#						Advanced users only.
 #					    Like DNAT but only generates the
 #					    DNAT iptables rule and not
 #					    the companion ACCEPT rule.
-#				REDIRECT
+#				SAME	 -- Similar to DNAT except that the
-#						Redirect the request to a local
+#					    port may not be remapped and when
+#					    multiple server addresses are
+#					    listed, all requests from a given
+#					    remote system go to the same
+#					    server.
+#				SAME-	 -- Advanced users only.
+#					    Like SAME but only generates the
+#					    NAT iptables rule and not
+#					    the companion ACCEPT rule.
+#				REDIRECT -- Redirect the request to a local
 #					    port on the firewall.
 #				REDIRECT-
-#						Advanced users only.
+#					 -- Advanced users only.
-#						Like REDIRECT but only generates the
+#					    Like REDIRET but only generates the
-#						REDIRECT iptables rules and not the
+#					    REDIRECT iptables rule and not
-#						companion ACCEPT rule.
+#					    the companion ACCEPT rule.
-#				CONTINUE
+#
-#						(For experts only). Do Not Process
+#				CONTINUE -- (For experts only). Do not process
 #					    any of the following rules for this
 #					    (source zone,destination zone). If
-#						the source and/or destination IP
+#					    The source and/or destination IP
 #					    address falls into a zone defined
 #					    later in /etc/shorewall/zones, this
 #					    connection request will be passed
 #					    to the rules defined for that
-#						(those) zones(s).
+#					    (those) zone(s).
-#				LOG		
+#				LOG	 -- Simply log the packet and continue.
-#						Simply log the packet and continue.
+#				QUEUE	 -- Queue the packet to a user-space
-#				QUEUE
+#					    application such as ftwall
-#						Queue the packet to a user-space
-#						application such as ftwall.
 #					    (http://p2pwall.sf.net).
-#				<action>
+#				<action> -- The name of an action defined in
-#						The name of an action defined in
 #					    /etc/shorewall/actions or in
 #					    /usr/share/shorewall/actions.std.
 #
-#			The ACTION may optionally be followed by ":" and a syslog log
+#			The ACTION may optionally be followed
-#			level (e.g, REJECT:info or DNAT:debug). This causes the packet
+#			by ":" and a syslog log level (e.g, REJECT:info or
-#			to be logged at the specified level.
+#			DNAT:debug). This causes the packet to be
-#
+#			logged at the specified level.
 #
 #			If the ACTION names an action defined in
 #			/etc/shorewall/actions or in
@@ -100,7 +98,7 @@
 #
 #			You may also specify ULOG (must be in upper case) as a
 #			log level.This will log to the ULOG target for routing
-#			to a separate log through use of ulogd.
+#			to a separate log through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #			Actions specifying logging may be followed by a
@@ -114,17 +112,21 @@
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #			defined in /etc/shorewall/zones, $FW to indicate the
-#			firewall itself, or "all" If the ACTION is DNAT or
+#			firewall itself, "all", "all+" or "none" If the ACTION
-#			REDIRECT, sub-zones of the specified zone may be
+#			is DNAT	or REDIRECT, sub-zones of the specified zone
-#			excluded from the rule by following the zone name with
+#			may be excluded from the rule by following the zone
-#			"!' and a comma-separated list of sub-zone names.
+#			name with "!' and a comma-separated list of sub-zone
+#			names.
+#
+#			When "none" is used either in the SOURCE or DEST
+#			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
-#			intra-zone traffic is not affected. You must add
+#			intra-zone traffic is not affected. When "all+" is
-#			separate rules to handle that traffic.
+#			used, intra-zone traffic is affected.
 #
-#			Except when "all" is specified, clients may be further
+#			Except when "all[+]" is specified, clients may be
-#			restricted to a list of subnets and/or hosts by
+#			further restricted to a list of subnets and/or hosts by
 #			appending ":" and a comma-separated list of subnets
 #			and/or hosts. Hosts may be specified by IP or MAC
 #			address; mac addresses must begin with "~" and must use
@@ -133,22 +135,22 @@
 #			Hosts may be specified as an IP address range using the
 #			syntax <low address>-<high address>. This requires that
 #			your kernel and iptables contain iprange match support.
+#			If you kernel and iptables have ipset match support
+#			then you may give the name of an ipset prefaced by "+".
+#			The ipset name may be optionally followed by a number
+#			from 1 to 6 enclosed in square brackets ([]) to
+#			indicate the number of levels of source bindings to be
+#			matched.
 #
-#		Some Examples:
+#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
-#			net:155.186.235.1
+#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
-#						Host 155.186.235.1 on the Internet
+#						Internet
 #
-#			loc:192.168.1.0/24
+#			loc:192.168.1.1,192.168.1.2
-#						Subnet 192.168.1.0/24 on the
+#						Hosts 192.168.1.1 and
-#						Local Network
+#						192.168.1.2 in the local zone.
-#
+#			loc:~00-A0-C9-15-39-78	Host in the local zone with
-#			net:155.186.235.1,155.186.235.2
-#						Hosts 155.186.235.1 and
-#						155.186.235.2 on the Internet.
-#
-#			loc:~00-A0-C9-15-39-78
-#						Host on the Local Network with
 #						MAC address 00:A0:C9:15:39:78.
 #
 #			net:192.0.2.11-192.0.2.17
@@ -157,17 +159,24 @@
 #
 #			Alternatively, clients may be specified by interface
 #			by appending ":" to the zone name followed by the
-#			interface name. For example, net:eth0 specifies a
+#			interface name. For example, loc:eth1 specifies a
 #			client that communicates with the firewall system
-#			through eth0. This may be optionally followed by
+#			through eth1. This may be optionally followed by
 #			another colon (":") and an IP/MAC/subnet address
-#			as described above (e.g., net:eth0:192.168.1.5).
+#			as described above (e.g., loc:eth1:192.168.1.5).
 #
 #	DEST		Location of Server. May be a zone defined in
 #			/etc/shorewall/zones, $FW to indicate the firewall
-#			itself or "all"
+#			itself, "all". "all+" or "none".
 #
-#			Except when "all" is specified, the server may be
+#			When "none" is used either in the SOURCE or DEST
+#			column, the rule is ignored.
+#
+#			When "all" is used either in the SOURCE or DEST column
+#			intra-zone traffic is not affected. When "all+" is
+#			used, intra-zone traffic is affected.
+#
+#			Except when "all[+]" is specified, the server may be
 #			further restricted to a particular subnet, host or
 #			interface by appending ":" and the subnet, host or
 #			interface. See above.
@@ -181,45 +190,47 @@
 #				3. You may not specify both an interface and
 #				   an address.
 #
-#			Unlike in the SOURCE column, you may specify a range of
+#			Like in the SOURCE column, you may specify a range of
 #			up to 256 IP addresses using the syntax
 #			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
 #			the connections will be assigned to addresses in the
 #			range in a round-robin fashion.
 #
+#			If you kernel and iptables have ipset match support
+#			then you may give the name of an ipset prefaced by "+".
+#			The ipset name may be optionally followed by a number
+#			from 1 to 6 enclosed in square brackets ([]) to
+#			indicate the number of levels of destination bindings
+#			to be matched. Only one of the SOURCE and DEST columns
+#			may specify an ipset name.
+#
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the
 #			destination port. A destination port may only be
 #			included if the ACTION is DNAT or REDIRECT.
 #
-#			Example: net:155.186.235.1:25 specifies a Internet
+#			Example: loc:192.168.1.3:3128 specifies a local
-#			server at IP address 155.186.235.1 and listening on port
+#			server at IP address 192.168.1.3 and listening on port
-#			25. The port number MUST be specified as an integer
+#			3128. The port number MUST be specified as an integer
 #			and not as a name from /etc/services.
 #
-#			If the ACTION is REDIRECT, this column needs only to
+#			if the ACTION is REDIRECT, this column needs only to
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
-#			a number, or "all". "ipp2p" requires ipp2p match
+#			"all".
-#			support in your kernel and iptables.
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
-#			If the protocol is ipp2p, this column is interpreted
-#			as an ipp2p option without the leading "--" (example "bit"
-#			for bit-torrent). If no port is given, "ipp2p" is
-#			assumed.
-#
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
-#			entered if any of the following fields are supplied.
+#			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
@@ -237,8 +248,8 @@
 #			ranges.
 #
 #			If you don't want to restrict client ports but need to
-#			specify an ORIGINAL DEST in the next column, then place
+#			specify an ORIGINAL DEST in the next column, then
-#			"-" in this column.
+#			place "-" in this column.
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
@@ -248,122 +259,156 @@
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
-#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT[-] or 
+#	ORIGINAL DEST	(0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
-#			REDIRECT[-]) If included and different from the IP
+#			then if included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to
 #			that address will be forwarded to the IP and port
 #			specified in the DEST column.
 #
-#			A comma separated list of addresses may also be used.
+#			A comma-separated list of addresses may also be used.
 #			This is usually most useful with the REDIRECT target
 #			where you want to redirect traffic destined for
-#			a particular set of hosts.
+#			particular set of hosts.
 #
-#			Finally, if the list of addresses begines with "!" then
+#			Finally, if the list of addresses begins with "!" then
 #			the rule will be followed only if the original
 #			destination address in the connection request does not
 #			match any of the addresses listed.
 #
-#	RATE LIMIT	You may rate-limit the rule by placing a value in this column:
+#			For other actions, this column may be included and may
+#			contain one or more addresses (host or network)
+#			separated by commas. Address ranges are not allowed.
+#			When this column is supplied, rules are generated
+#			that require that the original destination address
+#			matches one of the listed addresses. This feature is
+#			most useful when you want to generate a filter rule
+#			that corresponds to a DNAT- or REDIRECT- rule. In this
+#			usage, the list of addresses should not begin with "!".
+#
+#			See http://shorewall.net/PortKnocking.html for an
+#			example of using an entry in this column with a
+#			user-defined action rule.		
+#
+#	RATE LIMIT	You may rate-limit the rule by placing a value in
+#			this colume:
 #
 #				<rate>/<interval>[:<burst>]
 #
-#			Where <rate> is the number of connections per <interval> ("sec"
+#			where <rate> is the number of connections per
-#			or "min") and <burst> is the largest burst permitted. If no
+#			<interval> ("sec" or "min") and <burst> is the
-#			<burst> is given, a value of 5 is assummed. There may be no
+#			largest burst permitted. If no <burst> is given,
-#			whitespace embedded in the specification.
+#			a value of 5 is assumed. There may be no
+#			no whitespace embedded in the specification.
 #
-#		Example:
+#				Example: 10/sec:20
-#				10/sec:20
 #
-#			If you place a rate limit in this column, you may not place
+#	USER/GROUP	This column may only be non-empty if the SOURCE is
-#			a similiar limit in the ACTION column.
+#			the firewall itself.
-#	
-#	USER/GROUP
-#			This column may only be non-empty if the SOURCE is the firewall itself.
 #			
 #			The column may contain:
 #
-#			[!][<user name or number>][:<group name or number>]
+#	[!][<user name or number>][:<group name or number>][+<program name>]
 #
-#			When this column is non-empty, the rule applies only if the program
+#			When this column is non-empty, the rule applies only
-#			generating the output is running under the effective <user> and/or
+#			if the program generating the output is running under
-#			<group> specified (or is NOT running under that id if "!" is given).
+#			the effective <user> and/or <group> specified (or is
+#			NOT running under that id if "!" is given).
 #
 #			Examples:
-#			joe	# program must be run by joe.
-#			:kids	# program must be run by a member of the 'kids' group.
-#			!:kids	# program must not be run by a member of the 'kids' group.
 #
-#	Also by default all outbound loc -> net communications are allowed.
+#				joe	#program must be run by joe
-#	You can change this behavior in the sample policy file.
+#				:kids	#program must be run by a member of
+#					#the 'kids' group
+#				!:kids	#program must not be run by a member
+#					#of the 'kids' group
+#				+upnpd	#program named 'upnpd'
 #
-#	Example:	Accept www requests to the firewall.
+#	Example: Accept SMTP requests from the DMZ to the internet
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	#ACTION SOURCE	DEST PROTO	DEST	SOURCE	ORIGINAL
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#	#				PORT	PORT(S) DEST
-#	ACCEPT		net		fw		tcp	http
+#	ACCEPT	dmz	net	  tcp	smtp
 #
-#	Example:	Accept SMTP requests from the Local Network to the Internet
+#	Example: Forward all ssh and http connection requests from the
+#		 internet to local system 192.168.1.3
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	#ACTION SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#	#					PORT	PORT(S) DEST
-#	ACCEPT		loc		net		tcp	smtp
+#	DNAT	net	loc:192.168.1.3 tcp	ssh,http
 #
-#	Example:	Forward all ssh and http connection requests from the Internet
+#	Example: Forward all http connection requests from the internet
-#			to dmz system 192.168.2.3
+#		 to local system 192.168.1.3 with a limit of 3 per second and
+#		 a maximum burst of 10
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	#ACTION SOURCE DEST	       PROTO  DEST  SOURCE  ORIGINAL RATE
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#	#				      PORT  PORT(S) DEST     LIMIT
-#	DNAT		net		dmz:192.168.2.3	tcp	ssh,http
+#	DNAT	net    loc:192.168.1.3 tcp    http  -	    -	     3/sec:10
 #
 #	Example: Redirect all locally-originating www connection requests to
 #		 port 3128 on the firewall (Squid running on the firewall
 #		 system) except when the destination address is 192.168.2.2
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	#ACTION	 SOURCE	DEST	  PROTO	DEST	SOURCE	ORIGINAL
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#	#				PORT	PORT(S) DEST
 #	REDIRECT loc	3128	  tcp	www	 -	!192.168.2.2
 #
-#	Example:	All http requests from the Internet to address
+#	Example: All http requests from the internet to address
 #		 130.252.100.69 are to be forwarded to 192.168.1.3
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	#ACTION	 SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#	#					PORT	PORT(S) DEST
 #	DNAT	  net	loc:192.168.1.3 tcp	80	-	130.252.100.69
-##############################################################################
+#
+#	Example: You want to accept SSH connections to your firewall only
+#		 from internet IP addresses 130.252.100.69 and 130.252.100.70
+#
+#	#ACTION	 SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
+#	#					PORT	PORT(S) DEST
+#	ACCEPT	 net:130.252.100.69,130.252.100.70 fw \
+#					tcp	22
+#############################################################################################################
 #ACTION	SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
 #						PORT	PORT(S)		DEST		LIMIT		GROUP
 #
 #	Accept DNS connections from the firewall to the Internet
 #
-ACCEPT		fw		net		tcp	53
+DNS/ACCEPT	fw		net
-ACCEPT		fw		net		udp	53
 #
 #
 #	Accept SSH connections from the local network to the firewall and DMZ
 #
-ACCEPT		loc		fw		tcp	22
+SSH/ACCEPT      loc             fw
-ACCEPT		loc		dmz		tcp	22
+SSH/ACCEPT      loc             dmz
 #
 #	DMZ DNS access to the Internet
 #
-ACCEPT		dmz		net		tcp	53
+DNS/ACCEPT	dmz		net
-ACCEPT		dmz		net		udp	53
+
+
+# Reject Ping from the "bad" net zone.
+
+Ping/REJECT:none!     net               fw
+
 #
 #       Make ping work bi-directionally between the dmz, net, Firewall and local zone
 #       (assumes that the loc-> net policy is ACCEPT).
 #
-ACCEPT		net		fw		icmp	8
+
-ACCEPT		loc		fw		icmp	8
+Ping/ACCEPT     loc             fw
-ACCEPT		dmz		fw		icmp	8
+Ping/ACCEPT     dmz             fw
-ACCEPT		loc		dmz		icmp	8
+Ping/ACCEPT     loc             dmz
-ACCEPT		dmz		loc		icmp	8
+Ping/ACCEPT     dmz             loc
-ACCEPT		dmz		net		icmp	8
+Ping/ACCEPT     dmz             net
+
 ACCEPT		fw		net		icmp
 ACCEPT		fw		loc		icmp	
 ACCEPT		fw		dmz		icmp	
-ACCEPT		net		dmz		icmp	8	# Only with Proxy ARP and
+
-ACCEPT		net		loc		icmp	8 	# static NAT
+# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
+# the net zone to the dmz and loc
+
+#Ping/ACCEPT    net             dmz	
+#Ping/ACCEPT    net             loc
+
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/three-interfaces/zones

@@ -1,20 +1,79 @@
 #
-# 	Shorewall 2.2 -- Sample Zone File For Two Interfaces
+# Shorewall version 2.6 - Zones File
+#
 # /etc/shorewall/zones
 #
-# This file determines your network zones. Columns are:
+#	This file determines your network zones.
+#
+# Columns are:
 #
 #	ZONE	Short name of the zone (5 Characters or less in length).
-#	DISPLAY		Display name of the zone
+#		The names "all" and "none" are reserved and may not be
-#	COMMENTS	Comments about the zone
+#		used as zone names.
+#
+#	IPSEC	Yes --	Communication with all zone hosts is encrypted
+#	ONLY		Your kernel and iptables must include policy
+#			match support.
+#		No  --	Communication with some zone hosts may be encrypted.
+#			Encrypted hosts are designated using the 'ipsec'
+#			option in /etc/shorewall/hosts.
+#
+#	OPTIONS,	A comma-separated list of options as follows:
+#	IN OPTIONS,
+#	OUT OPTIONS	reqid=<number> where <number> is specified
+#			using setkey(8) using the 'unique:<number>
+#			option for the SPD level.
+#
+#			spi=<number> where <number> is the SPI of
+#			the SA used to encrypt/decrypt packets.
+#
+#			proto=ah|esp|ipcomp
+#
+#			mss=<number> (sets the MSS field in TCP packets)
+#
+#			mode=transport|tunnel
+#
+#			tunnel-src=<address>[/<mask>] (only
+#			available with mode=tunnel)
+#
+#			tunnel-dst=<address>[/<mask>] (only
+#			available with mode=tunnel)
+#
+#			strict	Means that packets must match all rules.
+#
+#			next	Separates rules; can only be used with
+#				strict..
+#
+#		Example:
+#			mode=transport,reqid=44
+#
+#	The options in the OPTIONS column are applied to both incoming
+#	and outgoing traffic. The IN OPTIONS are applied to incoming
+#	traffic (in addition to OPTIONS) and the OUT OPTIONS are
+#	applied to outgoing traffic.
+#
+#	If you wish to leave a column empty but need to make an entry
+#	in a following column, use "-".
 #
 # THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
-# See http://www.shorewall.net/Documentation.html#Nested
+# See http://www.shorewall.net/Documentation.htm#Nested
+#------------------------------------------------------------------------------
+# Example zones:
 #
-#ZONE	DISPLAY		COMMENTS
+#	You have a three interface firewall with internet, local and DMZ
-net	Net		Internet
+#	interfaces.
-loc	Local		Local Networks
+#
-dmz	DMZ		Demilitarized Zone
+#	#ZONE	IPSEC	OPTIONS		IN			OUT	
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+#	net	
+#	loc
+#	dmz
+#
+###############################################################################
+#ZONE	IPSEC	OPTIONS			IN			OUT
+#	ONLY				OPTIONS			OPTIONS
+net
+loc
+dmz
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Samples/two-interfaces/interfaces

@@ -238,5 +238,5 @@
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS			GATEWAY
 net     eth0            detect          dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
-loc     eth1            detect          tcpflags,detectnets
+loc     eth1            detect          tcpflags,detectnets,nosmurfs
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE