more samples...for 2.6..

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2533 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-08-22 03:34:26 +00:00 · 2005-08-22 03:34:26 +00:00 · c6b6864834
commit c6b6864834
parent 756f156166
4 changed files with 495 additions and 339 deletions
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@ -1,32 +1,33 @@
 #	
 #	Shorewall 2.0 -- Sample Interface File For Three Interfaces
 #
-# 	/etc/shorewall/interfaces
+# Shorewall version 2.6 - Interfaces File
 #
 # /etc/shorewall/interfaces
 #
 #	You must add an entry in this file for each network interface on your
 #	firewall system.
 #
 # Columns are:
 #
-#	ZONE
+#	ZONE		Zone for this interface. Must match the short name
 #			Zone for this interface. Must match the short name
 #			of a zone defined in /etc/shorewall/zones.
 #
 #			If the interface serves multiple zones that will be
 #			defined in the /etc/shorewall/hosts file, you should
 #			place "-" in this column.
 #
-#	INTERFACE
+#	INTERFACE	Name of interface. Each interface may be listed only
 #			Name of interface. Each interface may be listed only
 #			once in this file. You may NOT specify the name of
 #			an alias (e.g., eth0:0) here; see
 #			http://www.shorewall.net/FAQ.htm#faq18
 #
-#			There is no need to define the loopback interface (lo)
+#			You may specify wildcards here. For example, if you
 #			want to make an entry that applies to all PPP
 #			interfaces, use 'ppp+'.
 #
 #			There is no need to define the loopback	interface (lo)
 #			in this file.
 #
-#	BROADCAST
+#	BROADCAST	The broadcast address for the subnetwork to which the
 #			The broadcast address for the subnetwork to which the
 #			interface belongs. For P-T-P interfaces, this
 #			column is left blank.If the interface has multiple
 #			addresses on multiple subnets then list the broadcast
@ -36,156 +37,207 @@
 #			will detect the broadcast address for you. If you
 #			select this option, the interface must be up before
 #			the firewall is started, you must have iproute
-#			installed and the interface must only be associated
+#			installed.
-#			with a single subnet.
+#
 #			
 #			If you don't want to give a value for this column but
 #			you want to enter a value in the OPTIONS column, enter
 #			"-" in this column.
 #
-#	OPTIONS
+#	OPTIONS		A comma-separated list of options including the
 #			A comma-separated list of options including the
 #			following:
 #
-#		dhcp
+#			dhcp	     - Specify this option when any of
-#				Interface is managed by DHCP or used by
+#				       the following are true:
-#				a DHCP server running on the firewall or
+#				       1. the interface gets its IP address
-#				you have a static IP but are on a LAN
+#					  via DHCP
-#				segment with lots of Laptop DHCP clients.
+#				       2. the interface is used by
-#		norfc1918
+#					  a DHCP server running on the firewall
-#				This interface should not receive
+#				       3. you have a static IP but are on a LAN
-#				any packets whose source is in one
+#					  segment with lots of Laptop DHCP
-#				of the ranges reserved by RFC 1918
+#					  clients.
-#				(i.e., private or "non-routable"
+#				       4. the interface is a bridge with
-#				addresses. If packet mangling is
+#					  a DHCP server on one port and DHCP
-#				enabled in shorewall.conf, packets
+#					  clients on another port.
 #				whose destination addresses are
 #				reserved by RFC 1918 are also rejected.
 #		nobogons
 #				This interface should not receive
 #				any packets whose source is in one
 #				of the ranges reserved by IANA (this
 #				option does not cover those ranges
 #				reserved by RFC 1918 -- see above).
 #
-#				I PERSONALLY RECOMMEND AGAINST USING
+#			norfc1918    - This interface should not receive
-#				THE 'nobogons' OPTION.
+#				       any packets whose source is in one
-#		routefilter
+#				       of the ranges reserved by RFC 1918
-#				Turn on kernel route filtering for this
+#				       (i.e., private or "non-routable"
-#				interface (anti-spoofing measure). This
+#				       addresses. If packet mangling or
-#				option can also be enabled globally in
+#				       connection-tracking match is enabled in
-#				the /etc/shorewall/shorewall.conf file.
+#				       your kernel, packets whose destination
-#		blacklist
+#				       addresses are reserved by RFC 1918 are
-#				Check packets arriving on this interface
+#				       also rejected.
-#				against the /etc/shorewall/blacklist
+#
-#				file.
+#			routefilter  - turn on kernel route filtering for this
-#		logmartians
+#				       interface (anti-spoofing measure). This
-#				Turn on kernel martian logging (logging
+#				       option can also be enabled globally in
-#				of packets with impossible source
+#				       the /etc/shorewall/shorewall.conf file.
-#				addresses. It is suggested that if you
+#
-#				set routefilter on an interface that
+#			logmartians  - turn on kernel martian logging (logging
-#				you also set logmartians. This option
+#				       of packets with impossible source
-#				may also be enabled globally in the
+#				       addresses. It is suggested that if you
-#				/etc/shorewall/shorewall.conf file.
+#				       set routefilter on an interface that
-#		maclist
+#				       you also set logmartians. This option
-#				Connection requests from this interface
+#				       may also be enabled globally in the
-#				are compared against the contents of
+#				       /etc/shorewall/shorewall.conf file.
-#				/etc/shorewall/maclist. If this option
+#
-#				is specified, the interface must be
+#			blacklist    - Check packets arriving on this interface
-#				an ethernet NIC and must be up before
+#				       against the /etc/shorewall/blacklist
-#				Shorewall is started.
+#				       file.
-#		tcpflags
+#
-#				Packets arriving on this interface are
+#			maclist	     - Connection requests from this interface
-#				checked for certain illegal combinations
+#				       are compared against the contents of
-#				of TCP flags. Packets found to have
+#				       /etc/shorewall/maclist. If this option
-#				such a combination of flags are handled
+#				       is specified, the interface must be
-#				according to the setting of
+#				       an ethernet NIC and must be up before
-#				TCP_FLAGS_DISPOSITION after having been
+#				       Shorewall is started.
-#				logged according to the setting of
+#
-#				TCP_FLAGS_LOG_LEVEL.
+#			tcpflags     - Packets arriving on this interface are
-#		proxyarp
+#				       checked for certain illegal combinations
-#				Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
+#				       of TCP flags. Packets found to have
 #				       such a combination of flags are handled
 #				       according to the setting of
 #				       TCP_FLAGS_DISPOSITION after having been
 #				       logged according to the setting of
 #				       TCP_FLAGS_LOG_LEVEL.
 #
 #			proxyarp     -
 #				Sets
 #				/proc/sys/net/ipv4/conf/<interface>/proxy_arp.
 #				Do NOT use this option if you are
 #				employing Proxy ARP through entries in
 #				/etc/shorewall/proxyarp. This option is
 #				intended soley for use with Proxy ARP
 #				sub-networking as described at:
 #				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
 #		netnotsyn	
 #				TCP packets that don't have the SYN flag set and
 #				which are not part of an established connection
 #				will be accepted from this interface, even if
 #				NEWNOTSYN=No has been specified in 
 #				/etc/shorewall/shorewall.conf. In other
 #				words, packets coming in on this interface
 #				are processed as if NEWNOTSYN=Yes had been
 #				specified in /etc/shorewall/shorewall.conf.
 #
-#				This option has no effect if NEWNOTSYN=Yes.
+#			newnotsyn    - TCP packets that don't have the SYN
 #				       flag set and which are not part of an
 #				       established connection will be accepted
 #				       from this interface, even if
 #				       NEWNOTSYN=No has been specified in
 #				       /etc/shorewall/shorewall.conf. In other
 #				       words, packets coming in on this
 #				       interface are processed as if
 #				       NEWNOTSYN=Yes had been specified in
 #					/etc/shorewall/shorewall.conf.
 #
-#				It is the opinion of the author that
+#				       This option has no effect if
-#				NEWNOTSYN=No creates more problems than
+#				       NEWNOTSYN=Yes.
 #				it solves and I recommend against using
 #				that setting in shorewall.conf (hence
 #				making the use of the 'newnotsyn'
 #				interface option unnecessary).
 #		routeback
 #				If specified, indicates that Shorewall
 #				should include rules that allow filtering
 #				traffic arriving on this interface back
 #				out that same interface.
 #		arp_filter
 #				If specified, this interface will only respond
 #				to ARP who-has requests for IP addresses
 #				configured on the interface. If not specified,
 #				the interface can respond to ARP who-has requests
 #				for IP addresses on any of the firewall's interface.
 #				The interface must be up when shorewall is started.
 #		nosmurfs
 #				Filter packets for smurfs (packets with a broadcast
 #				address as the source).
 #
-#				Smurfs will be optionally logged based on the setting
+#				       It is the opinion of the author that
-#				of SMURF_LOG_LEVEL in shorewall.conf. After logging, 
+#				       NEWNOTSYN=No creates more problems than
-#				the packets are dropped.
+#				       it solves and I recommend against using
-#		detectnets
+#				       that setting in shorewall.conf (hence
-#				Automatically taylors the zone named in the ZONE column
+#				       making the use of the 'newnotsyn'
-#				to include only those hosts routed through the interface.
+#				       interface option unnecessary).
 #
-#	WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE!
+#			routeback    - If specified, indicates that Shorewall
 #				       should include rules that allow
 #				       filtering traffic arriving on this
 #				       interface back out that same interface.
 #
-#		The order in which you list the options is not
+#			arp_filter   - If specified, this interface will only
-#		significant but the list should have no embedded white
+#				       respond to ARP who-has requests for IP
-#		space.
+#				       addresses configured on the interface.
 #				       If not specified, the interface can
 #				       respond to ARP who-has requests for
 #				       IP addresses on any of the firewall's
 #				       interface. The interface must be up
 #				       when Shorewall is started.
 #
-#	Example 1:
+#			arp_ignore[=<number>]
-#			Suppose you have eth0 connected to a DSL modem, 
+#				     - If specified, this interface will
-#			eth1 connected to your local network and eth2
+#				       respond to arp requests based on the
-#			connected to your dmz. Assuming that your local
+#				       value of <number>.
-#			subnet is 192.168.1.0/24 and your dmz subnet is
+#
-#			192.168.2.0/24 . The eth0 interface gets
+#				       1 - reply only if the target IP address
 #				       is local address configured on the
 #				       incoming interface
 #
 #				       2 - reply only if the target IP address
 #				       is local address configured on the
 #				       incoming interface and both with the
 #				       sender's IP address are part from same
 #				       subnet on this interface
 #
 #				       3 - do not reply for local addresses
 #				       configured with scope host, only
 #				       resolutions for global and link
 #				       addresses are replied
 #
 #				       4-7 - reserved
 #
 #				       8 - do not reply for all local
 #				       addresses
 #
 #				       If no <number> is given then the value
 #				       1 is assumed
 #
 #				       WARNING -- DO NOT SPECIFY arp_ignore
 #				       FOR ANY INTERFACE INVOLVED IN PROXY ARP.
 #
 #			nosmurfs     - Filter packets for smurfs
 #				       (packets with a broadcast
 #				       address as the source).
 #
 #				       Smurfs will be optionally logged based
 #				       on the setting of SMURF_LOG_LEVEL in
 #				       shorewall.conf. After logging, the
 #				       packets are dropped.
 #
 #			detectnets   - Automatically taylors the zone named
 #				       in the ZONE column to include only those
 #				       hosts routed through the interface.
 #
 #			upnp	     - Incoming requests from this interface
 #				       may be remapped via UPNP (upnpd).
 #			
 #			WARNING: DO NOT SET THE detectnets OPTION ON YOUR
 #				 INTERNET INTERFACE.
 #
 #			The order in which you list the options is not
 #			significant but the list should have no embedded white
 #			space.
 #
 #	GATEWAY		This column is only meaningful if the 'default' OPTION
 #			is given -- it is ignored otherwise. You may specify
 #			the default gateway IP address for this interface here
 #			and Shorewall will use that IP address rather than any
 #			that it finds in the main routing table.
 #
 #	Example 1:	Suppose you have eth0 connected to a DSL modem and
 #			eth1 connected to your local network and that your
 #			local subnet is 192.168.1.0/24. The interface gets
 #			it's IP address via DHCP from subnet
-#			206.191.149.192/27.
+#			206.191.149.192/27. You have a DMZ with subnet
 #			192.168.2.0/24 using eth2.
 #
 #			Your entries for this setup would look like:
 #
-#			#ZONE	INTERFACE	BROADCAST		OPTIONS
+#			net	eth0	206.191.149.223	dhcp
-#			net	eth0		206.191.149.223		dhcp
+#			local	eth1	192.168.1.255
-#			local	eth1		192.168.1.255						
+#			dmz	eth2	192.168.2.255
 #			dmz	eth2		192.168.2.255		
 #
-#	Example 2:
+#	Example 2:	The same configuration without specifying broadcast
 #			The same configuration without specifying broadcast
 #			addresses is:
 #
-#			#ZONE	INTERFACE	BROADCAST		OPTIONS
+#			net	eth0	detect		dhcp
-#			net	eth0		detect			dhcp
+#			loc	eth1	detect
-#			loc	eth1		detect			
+#			dmz	eth2	detect
 #			dmz	eth2		detect
 #
-##############################################################################
+#	Example 3:	You have a simple dial-in system with no ethernet
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+#			connections.
-net	eth0		detect		dhcp,routefilter,norfc1918
+#
-loc	eth1		detect
+#			net	ppp0	-
-dmz	eth2		detect
+#
 # For additional information, see
 # http://shorewall.net/Documentation.htm#Interfaces
 #
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS			GATEWAY
 net     eth0            detect          tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
 loc     eth1            detect          tcpflags,detectnets,nosmurfs
 dmz     eth2            detect          
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@ -1,12 +1,12 @@
 #	
 # 	Shorewall version 2.2 -- Sample Rules File For Three Interfaces
 #
-# 	/etc/shorewall/rules
+# Shorewall version 2.6 - Rules File
 #
 # /etc/shorewall/rules
 #
 #	Rules in this file govern connection establishment. Requests and
 #	responses are automatically allowed using connection tracking. For any
 #	particular (source,dest) pair of zones, the rules are evaluated in the
-#	order in which they appear in this file and the first mactch is the one
+#	order in which they appear in this file and the first match is the one
 #	that determines the disposition of the request.
 #
 #	In most places where an IP address or subnet is allowed, you
@ -14,75 +14,73 @@
 #	indicate that the rule matches all addresses except the address/subnet
 #	given. Notice that no white space is permitted between "!" and the
 #	address/subnet.
-#
+#------------------------------------------------------------------------------
-#	WARNING: If you masquerade or use SNAT from a local system to the internet.
+# WARNING: If you masquerade or use SNAT from a local system to the internet,
-#		 you cannot use an ACCEPT rule to allow traffic from the internet to
+#	   you cannot use an ACCEPT rule to allow traffic from the internet to
-#		 that system. You "must" use a DNAT rule instead.
+#	   that system. You *must* use a DNAT rule instead.
-#
+#------------------------------------------------------------------------------
 # Columns are:
 #
 #	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
 #			LOG, QUEUE or an <action>.
 #
-#	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
+#				ACCEPT	 -- allow the connection request
-#				REDIRECT-, CONTINUE, LOG, QUEUE or an <action>.
+#				ACCEPT+	 -- like ACCEPT but also excludes the
-#
+#					    connection from any subsequent
-#				ACCEPT
+#					    DNAT[-] or REDIRECT[-] rules
-#						Allow the connection request.
+#				NONAT	 -- Excludes the connection from any
-#				ACCEPT+
+#					    subsequent DNAT[-] or REDIRECT[-]
-#						Like ACCEPT but also excludes the
+#					    rules but doesn't generate a rule
-#						connection from any subsequent
+#					    to accept the traffic.
-#						DNAT[-] or REDIRECT[-] rules
+#				DROP	 -- ignore the request
-#				NONAT
+#				REJECT	 -- disallow the request and return an
-#						Excludes the connection from any
+#					    icmp-unreachable or an RST packet.
-#						subsequent DNAT[-] or REDIRECT[-]
+#				DNAT	 -- Forward the request to another
-#						rules but doesn't generate a rule
+#					    system (and optionally another
-#						to accept the traffic.
+#					    port).
-#				DROP
+#				DNAT-	 -- Advanced users only.
-#						Ignore the request.
+#					    Like DNAT but only generates the
-#				REJECT
+#					    DNAT iptables rule and not
-#						Disallow the request and return an
+#					    the companion ACCEPT rule.
-#						icmp-unreachable or an RST packet.
+#				SAME	 -- Similar to DNAT except that the
-#				DNAT
+#					    port may not be remapped and when
-#						Forward the request to another
+#					    multiple server addresses are
-#						system (and optionally another
+#					    listed, all requests from a given
-#						port).
+#					    remote system go to the same
-#				DNAT-
+#					    server.
-#						Advanced users only.
+#				SAME-	 -- Advanced users only.
-#						Like DNAT but only generates the
+#					    Like SAME but only generates the
-#						DNAT iptables rule and not
+#					    NAT iptables rule and not
-#						the companion ACCEPT rule.
+#					    the companion ACCEPT rule.
-#				REDIRECT
+#				REDIRECT -- Redirect the request to a local
-#						Redirect the request to a local
+#					    port on the firewall.
 #					    	port on the firewall.
 #				REDIRECT-
-#						Advanced users only.
+#					 -- Advanced users only.
-#						Like REDIRECT but only generates the
+#					    Like REDIRET but only generates the
-#						REDIRECT iptables rules and not the
+#					    REDIRECT iptables rule and not
-#						companion ACCEPT rule.
+#					    the companion ACCEPT rule.
 #				CONTINUE
 #						(For experts only). Do Not Process
 #						any of the following rules for this
 #						(source zone,destination zone). If
 #						the source and/or destination IP
 #						address falls into a zone defined
 #						later in /etc/shorewall/zones, this
 #						connection request will be passed
 #						to the rules defined for that
 #						(those) zones(s).
 #				LOG		
 #						Simply log the packet and continue.
 #				QUEUE
 #						Queue the packet to a user-space
 #						application such as ftwall.
 #						(http://p2pwall.sf.net).
 #				<action>
 #						The name of an action defined in
 #						/etc/shorewall/actions or in
 #						/usr/share/shorewall/actions.std.
 #
-#			The ACTION may optionally be followed by ":" and a syslog log
+#				CONTINUE -- (For experts only). Do not process
-#			level (e.g, REJECT:info or DNAT:debug). This causes the packet
+#					    any of the following rules for this
-#			to be logged at the specified level.
+#					    (source zone,destination zone). If
 #					    The source and/or destination IP
 #					    address falls into a zone defined
 #					    later in /etc/shorewall/zones, this
 #					    connection request will be passed
 #					    to the rules defined for that
 #					    (those) zone(s).
 #				LOG	 -- Simply log the packet and continue.
 #				QUEUE	 -- Queue the packet to a user-space
 #					    application such as ftwall
 #					    (http://p2pwall.sf.net).
 #				<action> -- The name of an action defined in
 #					    /etc/shorewall/actions or in
 #					    /usr/share/shorewall/actions.std.
 #
 #			The ACTION may optionally be followed
 #			by ":" and a syslog log level (e.g, REJECT:info or
 #			DNAT:debug). This causes the packet to be
 #			logged at the specified level.
 #
 #			If the ACTION names an action defined in
 #			/etc/shorewall/actions or in
@ -98,9 +96,9 @@
 #			- The special log level 'none!' suppresses logging
 #			  by the action.
 #
-#			You may also specify ULOG (must be in upper case) as a 
+#			You may also specify ULOG (must be in upper case) as a
-#			log level. This will log to the ULOG target for routing
+#			log level.This will log to the ULOG target for routing
-#			to a separate log through use of ulogd.
+#			to a separate log through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #			Actions specifying logging may be followed by a
@ -114,17 +112,21 @@
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #			defined in /etc/shorewall/zones, $FW to indicate the
-#			firewall itself, or "all" If the ACTION is DNAT or
+#			firewall itself, "all", "all+" or "none" If the ACTION
-#			REDIRECT, sub-zones of the specified zone may be
+#			is DNAT	or REDIRECT, sub-zones of the specified zone
-#			excluded from the rule by following the zone name with
+#			may be excluded from the rule by following the zone
-#			"!' and a comma-separated list of sub-zone names.
+#			name with "!' and a comma-separated list of sub-zone
 #			names.
 #
 #			When "none" is used either in the SOURCE or DEST
 #			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
-#			intra-zone traffic is not affected. You must add
+#			intra-zone traffic is not affected. When "all+" is
-#			separate rules to handle that traffic.
+#			used, intra-zone traffic is affected.
 #
-#			Except when "all" is specified, clients may be further
+#			Except when "all[+]" is specified, clients may be
-#			restricted to a list of subnets and/or hosts by
+#			further restricted to a list of subnets and/or hosts by
 #			appending ":" and a comma-separated list of subnets
 #			and/or hosts. Hosts may be specified by IP or MAC
 #			address; mac addresses must begin with "~" and must use
@ -133,22 +135,22 @@
 #			Hosts may be specified as an IP address range using the
 #			syntax <low address>-<high address>. This requires that
 #			your kernel and iptables contain iprange match support.
 #			If you kernel and iptables have ipset match support
 #			then you may give the name of an ipset prefaced by "+".
 #			The ipset name may be optionally followed by a number
 #			from 1 to 6 enclosed in square brackets ([]) to
 #			indicate the number of levels of source bindings to be
 #			matched.
 #
-#		Some Examples:
+#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
-#			net:155.186.235.1
+#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
-#						Host 155.186.235.1 on the Internet
+#						Internet
 #
-#			loc:192.168.1.0/24
+#			loc:192.168.1.1,192.168.1.2
-#						Subnet 192.168.1.0/24 on the
+#						Hosts 192.168.1.1 and
-#						Local Network
+#						192.168.1.2 in the local zone.
-#
+#			loc:~00-A0-C9-15-39-78	Host in the local zone with
 #			net:155.186.235.1,155.186.235.2
 #						Hosts 155.186.235.1 and
 #						155.186.235.2 on the Internet.
 #
 #			loc:~00-A0-C9-15-39-78
 #						Host on the Local Network with
 #						MAC address 00:A0:C9:15:39:78.
 #
 #			net:192.0.2.11-192.0.2.17
@ -157,69 +159,78 @@
 #
 #			Alternatively, clients may be specified by interface
 #			by appending ":" to the zone name followed by the
-#			interface name. For example, net:eth0 specifies a
+#			interface name. For example, loc:eth1 specifies a
 #			client that communicates with the firewall system
-#			through eth0. This may be optionally followed by
+#			through eth1. This may be optionally followed by
 #			another colon (":") and an IP/MAC/subnet address
-#			as described above (e.g., net:eth0:192.168.1.5).
+#			as described above (e.g., loc:eth1:192.168.1.5).
 #
 #	DEST		Location of Server. May be a zone defined in
 #			/etc/shorewall/zones, $FW to indicate the firewall
-#			itself or "all"
+#			itself, "all". "all+" or "none".
 #
-#			Except when "all" is specified, the server may be
+#			When "none" is used either in the SOURCE or DEST
 #			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. When "all+" is
 #			used, intra-zone traffic is affected.
 #
 #			Except when "all[+]" is specified, the server may be
 #			further restricted to a particular subnet, host or
 #			interface by appending ":" and the subnet, host or
 #			interface. See above.
 #
-#		Restrictions:
+#				Restrictions:
 #
-#			1.	MAC addresses are not allowed.
+#				1. MAC addresses are not allowed.
-#			2. 	In DNAT rules, only IP addresses are
+#				2. In DNAT rules, only IP addresses are
-#				allowed; no FQDNs or subnet addresses
+#				   allowed; no FQDNs or subnet addresses
-#				are permitted.
+#				   are permitted.
-#			3.	You may not specify both an interface and
+#				3. You may not specify both an interface and
-#				an address.
+#				   an address.
 #
-#			Unlike in the SOURCE column, you may specify a range of
+#			Like in the SOURCE column, you may specify a range of
 #			up to 256 IP addresses using the syntax
 #			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
 #			the connections will be assigned to addresses in the
 #			range in a round-robin fashion.
 #
 #			If you kernel and iptables have ipset match support
 #			then you may give the name of an ipset prefaced by "+".
 #			The ipset name may be optionally followed by a number
 #			from 1 to 6 enclosed in square brackets ([]) to
 #			indicate the number of levels of destination bindings
 #			to be matched. Only one of the SOURCE and DEST columns
 #			may specify an ipset name.
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the
 #			destination port. A destination port may only be
 #			included if the ACTION is DNAT or REDIRECT.
 #
-#			Example: net:155.186.235.1:25 specifies a Internet
+#			Example: loc:192.168.1.3:3128 specifies a local
-#			server at IP address 155.186.235.1 and listening on port
+#			server at IP address 192.168.1.3 and listening on port
-#			25. The port number MUST be specified as an integer
+#			3128. The port number MUST be specified as an integer
 #			and not as a name from /etc/services.
 #
-#			If the ACTION is REDIRECT, this column needs only to
+#			if the ACTION is REDIRECT, this column needs only to
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
-#			a number, or "all". "ipp2p" requires ipp2p match
+#			"all".
 #			support in your kernel and iptables.
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
 #			If the protocol is ipp2p, this column is interpreted
 #			as an ipp2p option without the leading "--" (example "bit"
 #			for bit-torrent). If no port is given, "ipp2p" is
 #			assumed.
 #
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
-#			entered if any of the following fields are supplied.
+#			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
@ -237,8 +248,8 @@
 #			ranges.
 #
 #			If you don't want to restrict client ports but need to
-#			specify an ORIGINAL DEST in the next column, then place
+#			specify an ORIGINAL DEST in the next column, then
-#			"-" in this column.
+#			place "-" in this column.
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
@ -248,122 +259,156 @@
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
-#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT[-] or 
+#	ORIGINAL DEST	(0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
-#			REDIRECT[-]) If included and different from the IP
+#			then if included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to
 #			that address will be forwarded to the IP and port
 #			specified in the DEST column.
 #
-#			A comma separated list of addresses may also be used.
+#			A comma-separated list of addresses may also be used.
 #			This is usually most useful with the REDIRECT target
 #			where you want to redirect traffic destined for
-#			a particular set of hosts.
+#			particular set of hosts.
 #
-#			Finally, if the list of addresses begines with "!" then
+#			Finally, if the list of addresses begins with "!" then
 #			the rule will be followed only if the original
 #			destination address in the connection request does not
 #			match any of the addresses listed.
 #
-#	RATE LIMIT	You may rate-limit the rule by placing a value in this column:
+#			For other actions, this column may be included and may
 #			contain one or more addresses (host or network)
 #			separated by commas. Address ranges are not allowed.
 #			When this column is supplied, rules are generated
 #			that require that the original destination address
 #			matches one of the listed addresses. This feature is
 #			most useful when you want to generate a filter rule
 #			that corresponds to a DNAT- or REDIRECT- rule. In this
 #			usage, the list of addresses should not begin with "!".
 #
 #			See http://shorewall.net/PortKnocking.html for an
 #			example of using an entry in this column with a
 #			user-defined action rule.		
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
 #			this colume:
 #
 #				<rate>/<interval>[:<burst>]
 #
-#			Where <rate> is the number of connections per <interval> ("sec"
+#			where <rate> is the number of connections per
-#			or "min") and <burst> is the largest burst permitted. If no
+#			<interval> ("sec" or "min") and <burst> is the
-#			<burst> is given, a value of 5 is assummed. There may be no
+#			largest burst permitted. If no <burst> is given,
-#			whitespace embedded in the specification.
+#			a value of 5 is assumed. There may be no
 #			no whitespace embedded in the specification.
 #
-#		Example:
+#				Example: 10/sec:20
 #				10/sec:20
 #
 #			If you place a rate limit in this column, you may not place
 #			a similiar limit in the ACTION column.
 #	
 #	USER/GROUP
 #			This column may only be non-empty if the SOURCE is the firewall itself.
 #
 #	USER/GROUP	This column may only be non-empty if the SOURCE is
 #			the firewall itself.
 #			
 #			The column may contain:
 #	
 #			[!][<user name or number>][:<group name or number>]
 #
-#			When this column is non-empty, the rule applies only if the program
+#	[!][<user name or number>][:<group name or number>][+<program name>]
 #			generating the output is running under the effective <user> and/or
 #			<group> specified (or is NOT running under that id if "!" is given).
 #
-#		Examples:
+#			When this column is non-empty, the rule applies only
-#			joe	# program must be run by joe.
+#			if the program generating the output is running under
-#			:kids	# program must be run by a member of the 'kids' group.
+#			the effective <user> and/or <group> specified (or is
-#			!:kids	# program must not be run by a member of the 'kids' group.
+#			NOT running under that id if "!" is given).
 #
-#	Also by default all outbound loc -> net communications are allowed.
+#			Examples:
 #	You can change this behavior in the sample policy file.
 #
-#	Example:	Accept www requests to the firewall.
+#				joe	#program must be run by joe
 #				:kids	#program must be run by a member of
 #					#the 'kids' group
 #				!:kids	#program must not be run by a member
 #					#of the 'kids' group
 #				+upnpd	#program named 'upnpd'
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	Example: Accept SMTP requests from the DMZ to the internet
 #	#							PORT	PORT(S)	DEST		LIMIT	GROUP
 #	ACCEPT		net		fw		tcp	http
 #
-#	Example:	Accept SMTP requests from the Local Network to the Internet
+#	#ACTION SOURCE	DEST PROTO	DEST	SOURCE	ORIGINAL
 #	#				PORT	PORT(S) DEST
 #	ACCEPT	dmz	net	  tcp	smtp
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	Example: Forward all ssh and http connection requests from the
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#		 internet to local system 192.168.1.3
 #	ACCEPT		loc		net		tcp	smtp
 #
-#	Example:	Forward all ssh and http connection requests from the Internet
+#	#ACTION SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
-#			to dmz system 192.168.2.3
+#	#					PORT	PORT(S) DEST
 #	DNAT	net	loc:192.168.1.3 tcp	ssh,http
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	Example: Forward all http connection requests from the internet
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#		 to local system 192.168.1.3 with a limit of 3 per second and
-#	DNAT		net		dmz:192.168.2.3	tcp	ssh,http
+#		 a maximum burst of 10
 #
-#	Example:	Redirect all locally-originating www connection requests to
+#	#ACTION SOURCE DEST	       PROTO  DEST  SOURCE  ORIGINAL RATE
-#			port 3128 on the firewall (Squid running on the firewall
+#	#				      PORT  PORT(S) DEST     LIMIT
-#			system) except when the destination address is 192.168.2.2
+#	DNAT	net    loc:192.168.1.3 tcp    http  -	    -	     3/sec:10
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	Example: Redirect all locally-originating www connection requests to
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#		 port 3128 on the firewall (Squid running on the firewall
-#	REDIRECT	loc		3128		tcp	www	-	!192.168.2.2
+#		 system) except when the destination address is 192.168.2.2
 #
-#	Example:	All http requests from the Internet to address
+#	#ACTION	 SOURCE	DEST	  PROTO	DEST	SOURCE	ORIGINAL
-#			130.252.100.69 are to be forwarded to 192.168.1.3
+#	#				PORT	PORT(S) DEST
 #	REDIRECT loc	3128	  tcp	www	 -	!192.168.2.2
 #
-#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	Example: All http requests from the internet to address
-#	#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#		 130.252.100.69 are to be forwarded to 192.168.1.3
-#	DNAT		net		loc:192.168.1.3	tcp	80	-	130.252.100.69
+#
-##############################################################################
+#	#ACTION	 SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	#					PORT	PORT(S) DEST
-#							PORT	PORT(S)	DEST		LIMIT	GROUP
+#	DNAT	  net	loc:192.168.1.3 tcp	80	-	130.252.100.69
 #
 #	Example: You want to accept SSH connections to your firewall only
 #		 from internet IP addresses 130.252.100.69 and 130.252.100.70
 #
 #	#ACTION	 SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
 #	#					PORT	PORT(S) DEST
 #	ACCEPT	 net:130.252.100.69,130.252.100.70 fw \
 #					tcp	22
 #############################################################################################################
 #ACTION	SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
 #						PORT	PORT(S)		DEST		LIMIT		GROUP
 #
 #	Accept DNS connections from the firewall to the Internet
 #
-ACCEPT		fw		net		tcp	53
+DNS/ACCEPT	fw		net
 ACCEPT		fw		net		udp	53
 #
 #
 #	Accept SSH connections from the local network to the firewall and DMZ
 #
-ACCEPT		loc		fw		tcp	22
+SSH/ACCEPT      loc             fw
-ACCEPT		loc		dmz		tcp	22
+SSH/ACCEPT      loc             dmz
 #
 #	DMZ DNS access to the Internet
 #
-ACCEPT		dmz		net		tcp	53
+DNS/ACCEPT	dmz		net
-ACCEPT		dmz		net		udp	53
+
 # Reject Ping from the "bad" net zone.
 Ping/REJECT:none!     net               fw
 #
-#	Make ping work bi-directionally between the dmz, net, Firewall and local zone
+#       Make ping work bi-directionally between the dmz, net, Firewall and local zone
-#	(assumes that the loc-> net policy is ACCEPT).
+#       (assumes that the loc-> net policy is ACCEPT).
 #
-ACCEPT		net		fw		icmp	8
+
-ACCEPT		loc		fw		icmp	8
+Ping/ACCEPT     loc             fw
-ACCEPT		dmz		fw		icmp	8
+Ping/ACCEPT     dmz             fw
-ACCEPT		loc		dmz		icmp	8
+Ping/ACCEPT     loc             dmz
-ACCEPT		dmz		loc		icmp	8
+Ping/ACCEPT     dmz             loc
-ACCEPT		dmz		net		icmp	8
+Ping/ACCEPT     dmz             net
 ACCEPT		fw		net		icmp
 ACCEPT		fw		loc		icmp	
 ACCEPT		fw		dmz		icmp	
-ACCEPT		net		dmz		icmp	8	# Only with Proxy ARP and
+
-ACCEPT		net		loc		icmp	8 	# static NAT
+# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
 # the net zone to the dmz and loc
 #Ping/ACCEPT    net             dmz	
 #Ping/ACCEPT    net             loc
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Samples/three-interfaces/zones
+++ b/Samples/three-interfaces/zones
@ -1,20 +1,79 @@
 #
-# 	Shorewall 2.2 -- Sample Zone File For Two Interfaces
+# Shorewall version 2.6 - Zones File
 # 	/etc/shorewall/zones
 #
-# This file determines your network zones. Columns are:
+# /etc/shorewall/zones
 #
-#	ZONE		Short name of the zone (5 Characters or less in length).
+#	This file determines your network zones.
-#	DISPLAY		Display name of the zone
+#
-#	COMMENTS	Comments about the zone
+# Columns are:
 #
 #	ZONE	Short name of the zone (5 Characters or less in length).
 #		The names "all" and "none" are reserved and may not be
 #		used as zone names.
 #
 #	IPSEC	Yes --	Communication with all zone hosts is encrypted
 #	ONLY		Your kernel and iptables must include policy
 #			match support.
 #		No  --	Communication with some zone hosts may be encrypted.
 #			Encrypted hosts are designated using the 'ipsec'
 #			option in /etc/shorewall/hosts.
 #
 #	OPTIONS,	A comma-separated list of options as follows:
 #	IN OPTIONS,
 #	OUT OPTIONS	reqid=<number> where <number> is specified
 #			using setkey(8) using the 'unique:<number>
 #			option for the SPD level.
 #
 #			spi=<number> where <number> is the SPI of
 #			the SA used to encrypt/decrypt packets.
 #
 #			proto=ah|esp|ipcomp
 #
 #			mss=<number> (sets the MSS field in TCP packets)
 #
 #			mode=transport|tunnel
 #
 #			tunnel-src=<address>[/<mask>] (only
 #			available with mode=tunnel)
 #
 #			tunnel-dst=<address>[/<mask>] (only
 #			available with mode=tunnel)
 #
 #			strict	Means that packets must match all rules.
 #
 #			next	Separates rules; can only be used with
 #				strict..
 #
 #		Example:
 #			mode=transport,reqid=44
 #
 #	The options in the OPTIONS column are applied to both incoming
 #	and outgoing traffic. The IN OPTIONS are applied to incoming
 #	traffic (in addition to OPTIONS) and the OUT OPTIONS are
 #	applied to outgoing traffic.
 #
 #	If you wish to leave a column empty but need to make an entry
 #	in a following column, use "-".
 #
 # THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
-# See http://www.shorewall.net/Documentation.html#Nested
+# See http://www.shorewall.net/Documentation.htm#Nested
 #------------------------------------------------------------------------------
 # Example zones:
 #
-#ZONE	DISPLAY		COMMENTS
+#	You have a three interface firewall with internet, local and DMZ
-net	Net		Internet
+#	interfaces.
-loc	Local		Local Networks
+#
-dmz	DMZ		Demilitarized Zone
+#	#ZONE	IPSEC	OPTIONS		IN			OUT	
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+#	net	
 #	loc
 #	dmz
 #
 ###############################################################################
 #ZONE	IPSEC	OPTIONS			IN			OUT
 #	ONLY				OPTIONS			OPTIONS
 net
 loc
 dmz
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@ -238,5 +238,5 @@
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS			GATEWAY
 net     eth0            detect          dhcp,tcpflags,norfc1918,routefilter,nosmurfs,logmartians
-loc     eth1            detect          tcpflags,detectnets
+loc     eth1            detect          tcpflags,detectnets,nosmurfs
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE