From db26ed00d2e3ec1e895bbf2249f33d3d8216af36 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 14 May 2002 19:39:11 +0000
Subject: [PATCH] Initial revision

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@21 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Lrp/etc/shorewall/masq | 81 ++++++++++++++++++++++++++++++++++++++
 Lrp/etc/shorewall/modules | 14 +++++++
 Lrp/etc/shorewall/nat | 30 ++++++++++++++
 Lrp/etc/shorewall/params | 43 ++++++++++++++++++++
 Lrp/etc/shorewall/proxyarp | 30 ++++++++++++++
 Lrp/etc/shorewall/tcrules | 47 ++++++++++++++++++++++
 Lrp/etc/shorewall/tos | 52 ++++++++++++++++++++++++
 Lrp/etc/shorewall/tunnels | 51 ++++++++++++++++++++++++
 8 files changed, 348 insertions(+)
 create mode 100644 Lrp/etc/shorewall/masq
 create mode 100644 Lrp/etc/shorewall/modules
 create mode 100644 Lrp/etc/shorewall/nat
 create mode 100644 Lrp/etc/shorewall/params
 create mode 100644 Lrp/etc/shorewall/proxyarp
 create mode 100644 Lrp/etc/shorewall/tcrules
 create mode 100644 Lrp/etc/shorewall/tos
 create mode 100644 Lrp/etc/shorewall/tunnels

diff --git a/Lrp/etc/shorewall/masq b/Lrp/etc/shorewall/masq
new file mode 100644
index 000000000..b6cb59c64
--- /dev/null
+++ b/Lrp/etc/shorewall/masq
@@ -0,0 +1,81 @@
+#
+# Shorewall 1.3 - Masquerade file
+#
+# /etc/shorewall/masq
+#
+# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
+# (SNAT).
+#
+# Columns are:
+#
+# INTERFACE -- Outgoing interface. This is usually your internet
+# interface. This may be qualified by adding the character
+# ":" followed by a destination host or subnet.
+#
+#
+# SUBNET -- Subnet that you wish to masquerade. You can specify this as
+# a subnet or as an interface. If you give the name of an
+# interface, you must have iproute installed and the interface
+# must be up before you start the firewall.
+#
+# In order to exclude a subset of the specified SUBNET, you
+# may append "!" and a comma-separated list of IP addresses
+# and/or subnets that you wish to exclude.
+#
+# Example: eth1!192.168.1.4,192.168.32.0/27
+#
+# In that example traffic from eth1 would be masqueraded unless
+# it came from 192.168.1.4 or 196.168.32.0/27
+#
+# ADDRESS -- (Optional). If you specify an address here, SNAT will be
+# used and this will be the source address. If
+# ADD_SNAT_ALIASES is set to Yes or yes in
+# /etc/shorewall/shorewall.conf then Shorewall
+# will automatically add this address to the
+# INTERFACE named in the first column.
+#
+# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
+# the address given in this column is the primary
+# IP address for the interface in the INTERFACE
+# column.
+#
+# Example 1:
+#
+# You have a simple masquerading setup where eth0 connects to
+# a DSL or cable modem and eth1 connects to your local network
+# with subnet 192.168.0.0/24.
+#
+# Your entry in the file can be either:
+#
+# eth0 eth1
+#
+# or
+#
+# eth0 192.168.0.0/24
+#
+# Example 2:
+#
+# You add a router to your local network to connect subnet
+# 192.168.1.0/24 which you also want to masquerade. You then
+# add the following entry to this file:
+#
+# eth0 192.168.1.0/24
+#
+# Example 3:
+#
+# You have an IPSEC tunnel through ipsec0 and you want to
+# masquerade packets coming from 192.168.1.0/24 but only if
+# these packets are destined for hosts in 10.1.1.0/24:
+#
+# ipsec0:10.1.1.0/24 196.168.1.0/24
+#
+# Example 4:
+#
+# You want all outgoing traffic from 192.168.1.0/24 through
+# eth0 to use source address 206.124.146.176.
+#
+# eth0 192.168.1.0/24 206.124.146.176
+#
+##############################################################################
+#INTERFACE SUBNET ADDRESS
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/modules b/Lrp/etc/shorewall/modules
new file mode 100644
index 000000000..5bc6278dd
--- /dev/null
+++ b/Lrp/etc/shorewall/modules
@@ -0,0 +1,14 @@
+##############################################################################
+# Shorewall 1.3 /etc/shorewall/modules
+#
+# This file loads the modules needed by the firewall.
+
+ loadmodule ip_tables
+ loadmodule iptable_filter
+ loadmodule ip_conntrack
+ loadmodule ip_conntrack_ftp
+ loadmodule ip_conntrack_irc
+ loadmodule iptable_nat
+ loadmodule ip_nat_ftp
+ loadmodule ip_nat_irc
+
diff --git a/Lrp/etc/shorewall/nat b/Lrp/etc/shorewall/nat
new file mode 100644
index 000000000..db85e4114
--- /dev/null
+++ b/Lrp/etc/shorewall/nat
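Review bot: The header's own examples contradict their prose in two places: the exclusion example reads `eth1!192.168.1.4,192.168.32.0/27` but the explanation below it says `196.168.32.0/27`, and Example 3 describes masquerading `192.168.1.0/24` while the entry shown is `ipsec0:10.1.1.0/24 196.168.1.0/24`. 196.168.0.0/16 is not private address space, so an administrator who copies the entry as written would masquerade a public subnet instead of the intended one. Change both to `192.168.32.0/27` and `ipsec0:10.1.1.0/24 192.168.1.0/24` so the examples and their descriptions agree.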
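Review bot: The FTP and IRC helper modules (`ip_conntrack_ftp`, `ip_conntrack_irc`, `ip_nat_ftp`, `ip_nat_irc`) are loaded unconditionally with no comment explaining why they are needed. Connection-tracking helpers inspect application payload and open expected connections through the firewall, so a site that uses neither active FTP nor IRC DCC carries that exposure for nothing; I would add a comment above the helper lines such as `# Application helpers: comment out the ftp/irc pairs if the protocol is not in use` and consider shipping the IRC pair commented out. The loadmodule lines also carry leading whitespace while the comment block does not; presumably the loader tolerates it, but that is worth confirming rather than relying on.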
@@ -0,0 +1,30 @@
+##############################################################################
+#
+# Shorewall 1.3 -- Network Address Translation Table
+#
+# /etc/shorewall/nat
+#
+# This file is used to define static Network Address Translation (NAT).
+#
+# WARNING: If all you want to do is simple port forwarding, do NOT use this
+# file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
+# cases, Proxy ARP is a better solution that static NAT.
+#
+# Columns must be separated by white space and are:
+#
+# EXTERNAL External IP Address - this should NOT be the primary
+# IP address of the interface named in the next
+# column.
+# INTERFACE Interface that we want to EXTERNAL address to appear
+# on
+# INTERNAL Internal Address
+# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
+# from all hosts. If No or no then NAT will be effective
+# only through the interface named in the INTERFACE
+# column
+# LOCAL If Yes or yes and the ALL INTERFACES column contains
+# Yes or yes, NAT will be effective from the firewall
+# system
+##############################################################################
+#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/params b/Lrp/etc/shorewall/params
new file mode 100644
index 000000000..fbea82388
--- /dev/null
+++ b/Lrp/etc/shorewall/params
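Review bot: Two wording slips in the column descriptions change their meaning: `Proxy ARP is a better solution that static NAT` should read `than static NAT`, and `Interface that we want to EXTERNAL address to appear on` should read `Interface that we want the EXTERNAL address to appear on`. The EXTERNAL description also tells the reader the address must NOT be the interface's primary address but gives no reason, which is exactly the case an administrator short on addresses will be tempted to try; one sentence on the consequence of doing so would make the warning stick. The ALL INTERFACES default (`left empty` means Yes) is the permissive choice and deserves to be called out on the `#EXTERNAL ...` header line rather than buried mid-paragraph.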
@@ -0,0 +1,43 @@
+#
+# Shorewall 1.3 /etc/shorewall/params
+#
+# Assign any variables that you need here.
+#
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall programs
+#
+# Example:
+#
+# NET_IF=eth0
+# NET_BCAST=130.252.100.255
+# NET_OPTIONS=noping,norfc1918
+#
+# Example (/etc/shorewall/interfaces record):
+#
+# net $NET_IF $NET_BCAST $NET_OPTIONS
+#
+# The result will be the same as if the record had been written
+#
+# net eth0 130.252.100.255 noping,norfc1918
+#
+# Variables can be used in the following places in the other configuration
+# files:
+#
+# /etc/shorewall/interfaces:
+# /etc/shorewall/hosts
+#
+# All except the first column.
+#
+# /etc/shorewall/rules
+#
+# First column after ":".
+# All remaining columns
+#
+# /etc/shorewall/tunnels
+# /etc/shorewall/proxyarp
+# /etc/shorewall/nat
+#
+# All columns
+##############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/proxyarp b/Lrp/etc/shorewall/proxyarp
new file mode 100644
index 000000000..f7261543a
--- /dev/null
+++ b/Lrp/etc/shorewall/proxyarp
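Review bot: The header never says how this file is consumed; the `NET_IF=eth0` examples are shell assignment syntax, so presumably the firewall script sources it and anything written here runs with the firewall's privileges — confirm against the code. If that is the case the file should say so, e.g. `# This file is sourced as shell by the firewall: keep it to simple VAR=value lines and writable by root only`, because an administrator treating it as an inert key/value file will not think about its ownership. Separately, `/etc/shorewall/interfaces:` carries a stray colon, and the closing marker uses single `-` where every sibling file in this commit uses `--`.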
@@ -0,0 +1,30 @@
+##############################################################################
+#
+# Shorewall 1.3 -- Proxy ARP
+#
+# /etc/shorewall/proxyarp
+#
+# This file is used to define Proxy ARP.
+#
+# Columns must be separated by white space and are:
+#
+# ADDRESS IP Address
+# INTERFACE Local interface where system is connected. If the
+# local interface is obvious from the subnetting,
+# you may enter "-" in this column.
+# EXTERNAL External Interface to be used to access this system
+#
+# HAVEROUTE If there is already a route from the firewall to
+# the host whose address is given, enter "Yes" or "yes"
+# in this column. Otherwise, entry "no", "No" or leave
+# the column empty.
+#
+# Example: Host with IP 155.186.235.6 is connected to
+# interface eth1 and we want hosts attached via eth0
+# to be able to access it using that address.
+#
+# #ADDRESS INTERFACE EXTERNAL HAVEROUTE
+# 155.186.235.6 eth1 eth0 No
+##############################################################################
+#ADDRESS INTERFACE EXTERNAL HAVEROUTE
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/tcrules b/Lrp/etc/shorewall/tcrules
new file mode 100644
index 000000000..b36d01091
--- /dev/null
+++ b/Lrp/etc/shorewall/tcrules
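Review bot: `Otherwise, entry "no", "No" or leave the column empty` in the HAVEROUTE description should read `Otherwise, enter "no", "No" or leave the column empty`. The ADDRESS column is documented only as `IP Address` while the example uses a single host; stating whether a bare host address is required or whether a subnet is also accepted would remove a guess, since a proxy-ARP entry that is wider than intended answers ARP for addresses the administrator did not mean to expose. The INTERFACE text also does not say what happens when `-` is given and the subnetting is not in fact unambiguous; if the firewall refuses the entry, say so here.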
@@ -0,0 +1,47 @@
+#
+# Shorewall version 1.3 - Traffic Control Rules File
+#
+# /etc/shorewall/tcrules
+#
+# Entries in this file cause packets to be marked as a means of
+# classifying them for traffic control.
+#
+# Columns are:
+#
+#
+# MARK The mark value which is an
+# integer in the range 1-255
+#
+# SOURCE Source of the packet. A comma-separated list of
+# interface names, IP addresses, MAC addresses
+# and/or subnets. Use $FW if the packet originates on
+# the firewall.
+#
+# MAC addresses must be prefixed with "~" and use
+# "-" as a separator.
+#
+# Example: ~00-A0-C9-15-39-78
+#
+# DEST Destination of the packet. Comma separated list of
+# IP addresses and/or subnets.
+#
+# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
+# or "all".
+#
+# PORT(S) Destination Ports. A comma-separated list of Port
+# names (from /etc/services), port numbers or port
+# ranges; if the protocol is "icmp", this column is
+# interpreted as the destination icmp-type(s).
+#
+# This column is ignored if PROTOCOL = all but must be
+# entered if any of the following field is supplied.
+# In that case, it is suggested that this field contain
+# "-"
+#
+# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
+# any source port is acceptable. Specified as a comma-
+# separated list of port names, port numbers or port
+# ranges.
+##############################################################################
+#MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S)
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/tos b/Lrp/etc/shorewall/tos
new file mode 100644
index 000000000..0254fcdff
--- /dev/null
+++ b/Lrp/etc/shorewall/tos
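Review bot: The PORT(S) description refers to `PROTOCOL = all` while the column itself is named PROTO, and `if any of the following field is supplied` should read `fields`; the sentence should say `This column is ignored if PROTO is "all" but must be entered if any of the following fields is supplied`. MARK is documented as `an integer in the range 1-255` without saying whether the range is enforced; if the parser rejects larger values, state it, otherwise a reader may assume the full mark width is usable. Note also that MAC-address matching in SOURCE is only meaningful for hosts on a directly attached segment, which is worth a short clause so nobody expects `~00-A0-C9-15-39-78` to classify traffic arriving through a router.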
@@ -0,0 +1,52 @@
+#
+# Shorewall 1.3 -- /etc/shorewall/tos
+#
+# This file defines rules for setting Type Of Service (TOS)
+#
+# Columns are:
+#
+# SOURCE Name of a zone declared in /etc/shorewall/zones, "all"
+# or $FW.
+#
+# If not "all" or $FW, may optionally be followed by
+# ":" and an IP address, a MAC address, a subnet
+# specification or the name of an interface.
+#
+# Example: loc:192.168.2.3
+#
+# MAC addresses must be prefixed with "~" and use
+# "-" as a separator.
+#
+# Example: ~00-A0-C9-15-39-78
+#
+# DEST Name of a zone declared in /etc/shorewall/zones, "all"
+# or $FW.
+#
+# If not "all" or $FW, may optionally be followed by
+# ":" and an IP address or a subnet specification
+#
+# Example: loc:192.168.2.3
+#
+# PROTOCOL Protocol.
+#
+# SOURCE PORTS Source port or port range. If all ports, use "-".
+#
+# DEST PORTS Destination port or port range. If all ports, use "-"
+#
+# TOS Type of service. Must be one of the following:
+#
+# Minimize-Delay (16)
+# Maximize-Throughput (8)
+# Maximize-Reliability (4)
+# Minimize-Cost (2)
+# Normal-Service (0)
+#
+##############################################################################
+#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
+all all tcp - ssh 16
+all all tcp ssh - 16
+all all tcp - ftp 16
+all all tcp ftp - 16
+all all tcp ftp-data - 8
+all all tcp - ftp-data 8
+#LAST LINE -- Add your entries above -- DO NOT REMOVE
diff --git a/Lrp/etc/shorewall/tunnels b/Lrp/etc/shorewall/tunnels
new file mode 100644
index 000000000..1e841e814
--- /dev/null
+++ b/Lrp/etc/shorewall/tunnels
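Review bot: The six shipped rules use service names (`ssh`, `ftp`, `ftp-data`) in SOURCE PORTS and DEST PORTS, but those columns are documented only as `port or port range`; the tcrules file in this same commit spells out that names from /etc/services are accepted, and the same sentence belongs here so the defaults are explained by the header above them. PROTOCOL is documented as just `Protocol.`, with no list of accepted values, while tcrules gives one. Because the defaults are `all all`, they apply to every zone pair including traffic arriving from outside; that is presumably intended, but a one-line comment above the rules such as `# Default rules below apply in every direction between all zones` would save the administrator a question. The TOS column gives names and numbers but the rules use only the numbers; saying whether the names are accepted too would avoid a trial-and-error edit.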
@@ -0,0 +1,51 @@
+#
+# Shorewall 1.3 - /etc/shorewall/tunnels
+#
+# This file defines IPSEC, GRE and IPIP tunnels.
+#
+# IPIP and GRE tunnels must be configured on the firewall/gateway itself.
+# IPSEC endpoints may be defined on the firewall/gateway or on an
+# internal system.
+#
+# The columns are:
+#
+# TYPE -- must start in column 1 and be "ipsec", "ip" or "gre"
+#
+# ZONE -- The zone of the physical interface through which
+# tunnel traffic passes. This is normally your internet
+# zone.
+#
+# GATEWAY -- The IP address of the remote tunnel gateway. If the
+# remote getway has no fixed address (Road Warrior)
+# then specify the gateway as 0.0.0.0/0.
+#
+# GATEWAY ZONE-- Optional. If the gateway system specified in the third
+# column is a standalone host then this column should
+# contain the name of the zone that the host is in. This
+# column only applies to IPSEC tunnels.
+#
+# Example 1:
+#
+# IPSec tunnel. The remote gateway is 4.33.99.124 and
+# the remote subnet is 192.168.9.0/24
+#
+# ipsec net 4.33.99.124
+#
+# Example 2:
+#
+# Road Warrior (LapTop that may connect from anywhere)
+# where the "gw" zone is used to represent the remote
+# LapTop.
+#
+# ipsec net 0.0.0.0/0 gw
+#
+# Example 3:
+#
+# Host 4.33.99.124 is a standalone system connected
+# via an ipsec tunnel to the firewall system. The host
+# is in zone gw.
+#
+# ipsec net 4.33.99.124 gw
+#
+# TYPE ZONE GATEWAY GATEWAY ZONE
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
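Review bot: `remote getway has no fixed address` should read `remote gateway`, and Example 1 mentions a remote subnet of 192.168.9.0/24 that appears in no column of the entry `ipsec net 4.33.99.124`, which leaves the reader wondering where that subnet is supposed to go. The GATEWAY text presents `0.0.0.0/0` for Road Warriors without saying what it implies; a clause like `this admits tunnel traffic from any source address, so the tunnel's own authentication is the only check` would make the trade-off explicit — hedged, since this file shows the column value but not the rules generated from it. The trailing header line `# TYPE ZONE GATEWAY GATEWAY ZONE` uses `# ` where every other file in the commit writes the column header as `#TYPE` without a space.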