holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Update samples for 1.3

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@35 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-05-18 19:48:34 +00:00
parent 0dd0c4dac6
commit dc63a7960f
18 changed files with 534 additions and 322 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
Samples/one-interface/common
View File

@ -1,31 +1,7 @@
############################################################################
# Shorewall 1.2 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
# Include the standard common.def file
#
# Do not modify this file -- if you wish to change these rules, copy this
# file to /etc/shorewall/common and modify that file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# accept ACKs and RSTs that aren't related to any session so that the
# protocol stack can handle them
#
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j DROP
run_iptables -A common -p udp --dport 445 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
. common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies

32
Samples/one-interface/interfaces
View File

@ -1,21 +1,26 @@
#
# Shorewall 1.2 -- Interfaces File
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Much match the short name
# ZONE Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# $<variable-name> is not allowed in this column.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you may
# place "-" in this column.
#
# INTERFACE Name of interface
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.
#
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
@ -29,7 +34,8 @@
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - interface is managed by DHCP
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall.
# noping - icmp echo-request (ping) packets should
# be ignored on this interface
# routestopped - When the firewall is stopped, allow
@ -39,12 +45,22 @@
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses.
# addresses. If packet mangling is
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure).
# dropunclean - Logs and drops mangled/invalid packets
#
# logunclean - Logs mangled/invalid packets but does
# not drop them.
# . . blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
@ -66,7 +82,7 @@
# addresses is:
#
# net eth0 detect noping,dhcp
# local eth1 detect routestopped
# loc eth1 detect routestopped
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet

30
Samples/one-interface/policy
View File

@ -1,29 +1,37 @@
#
# Shorewall 1.2 -- Policy File
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file. For each
# client/server pair, the file is processed in order until a match is
# found ("all" will match any client or server).
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
# CLIENT Location of client. Must be the name of a zone defined
# in /etc/shorewall/zones, "fw" or "all".
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# SERVER Location of server. Must be the name of a zone defined
# in /etc/shorewall/zones, "fw" or "all"
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DENY", "REJECT"
# be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# If you don't want to log but need to specify the
# following column, place "_" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
@ -32,8 +40,8 @@
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#CLIENT SERVER POLICY LOG LEVEL
fw net ACCEPT
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
lfw net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

138
Samples/one-interface/rules
View File

@ -1,45 +1,67 @@
#
# Shorewall version 1.2 - Rules File
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
#
# RESULT ACCEPT, DROP or REJECT
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable packet.
#
# The line may NOT start with $<variable-name>
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# REDIRECT -- Redirect the request to a local
# port on the firewall.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# SOURCE Hosts permitted to be clients. May be a zone defined
# in /etc/shorewall/zones or "fw" to indicate the
# firewall itself.
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones or $FW to indicate the
# firewall itself. If the ACTION is DNAT or REDIRECT,
# sub-zones of the specified zone may be excluded from
# the rule by following the zone name with "!' and a
# comma-separated list of sub-zone names.
#
# Clients may be further restricted to a particular
# subnet or host by appending ":" and the subnet or host.
# Clients may be further restricted to a list of subnets
# and/or hosts by appending ":" and a comma-separated
# list of subnets and/or hosts. Hosts may be specified
# by IP or MAC address; mac addresses must begin with
# "~" and must use "-" as a separator.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" followed by the interface name. For
# example, loc:eth1 specifies a client that
# communicates with the firewall system through eth1.
#
# DESTINATION Location of Server. May be a zone defined in
# /etc/shorewall/zones or "fw" to indicate the firewall
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall
# itself.
#
# The server may be further restricted to a particular
@ -51,70 +73,82 @@
# ":". If omitted, the firewall will not modifiy the
# destination port.
#
# Example: loc:192.168.1.3:8080 specifies a local
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 8080. The port number MUST be specified as an integer
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the RESULT is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all" or "related". If "related", the remainder of the
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
#
# PORT(S) Destination Port. A comma-separated list of Port names
# (from /etc/services), port numbers or port ranges;
# if the protocol is "icmp", this column is interpreted as
# the destination icmp-type. If this column contains the
# value "none", the rule is ignored.
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable.
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# ADDRESS (0ptional) If included and different from the IP
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the SERVER column.
# specified in the DEST column.
#
# If the special value "all" is used, then requests from
# the client zone given in the CLIENT(s) column with the
# destination port given in PORT(s) will be forwarded to
# the IP address given in SERVER.
# The address may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# The address (or "all") may optionally be followed by
# a colon (":") an an IP address. This causes Shorewall
# to use the specified IP address as the source address
# in forwarded packets. See the Shorewall documentation
# for restrictions concerning this feature. If no source
# IP address is given, the original source address is not
# altered.
# Example: Accept SMTP requests from the DMZ to the internet
#
# Example: Forward all ssh and www connection requests from the internet to
# local system 192.168.1.3
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# #RESULT SOURCE DESTINATION PROTO PORT(S) CLIENT PORT(S) ADDRESS
# ACCEPT net loc:192.168.1.3 tcp ssh,www - all
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 8080 on the firewall (Squid running on the firewall
# system)
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #RESULT SOURCE DESTINATION PROTO PORTS(S) CLIENT PORT(S) ADDRESS
# ACCEPT loc fw::8080 tcp www - all
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#RESULT SOURCE DESTINATION PROTO PORT(S) CLIENT PORT(S) ADDRESS
#
# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above
#
REJECT net fw tcp 113
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

84
Samples/one-interface/shorewall.conf
View File

@ -1,15 +1,22 @@
##############################################################################
# /etc/shorewall/shorewall.conf V1.2 - Change the following variables to
#############################################################################
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999, 2000, 2001 - Tom Eastep (teastep@evergo.net)
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/firewall. On Debian, it
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set -this to "".
#
@ -20,7 +27,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
# it is running
#
STATEDIR=/var/lib/firewall
STATEDIR=/var/lib/shorewall
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
@ -47,12 +54,33 @@ MODULESDIR=""
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then the rate of logging will not be
# rate-limited.
# If BOTH variables are set empty then logging will not be rate-limited.
#
LOGRATE="10/hour"
LOGBURST=5
LOGRATE=""
LOGBURST=""
#
# This variable determines the level at which Mangled/Invalid packets are logged
# under the 'dropunclean' interface option. If you set this variable to an
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
# silently.
#
LOGUNCLEAN=info
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/FAQ.htm#faq6
LOGFILE="/var/log/messages"
#
# Enable nat support.
@ -60,14 +88,15 @@ LOGBURST=5
# You probally want yes here. Only gateways not doing NAT in any form, like
# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
#
NAT_ENABLED="No"
NAT_ENABLED="Yes"
#
# Enable mangle support.
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
# your firewall.
# your firewall. You must enable mangling if you want Traffic Shaping
# (see TC_ENABLED below).
#
MANGLE_ENABLED="Yes"
@ -84,7 +113,6 @@ MANGLE_ENABLED="Yes"
# enable nor disable packet forwarding.
#
IP_FORWARDING="Off"
#
# Automatically add IP Aliases
#
@ -137,6 +165,24 @@ BLACKLIST_LOGLEVEL=
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
# This option adds a `TCPMSS' target, which allows you to alter the
# MSS value of TCP SYN packets, to control the maximum size for that
# connection (usually limiting it to your outgoing interface's MTU
# minus 40).
#
# This is used to overcome criminally braindead ISPs or servers which
# block ICMP Fragmentation Needed packets. The symptoms of this
# problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large
# packets:
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
@ -146,8 +192,20 @@ CLAMPMSS="No"
# Route Filtering
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces.
# interfaces (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
ROUTE_FILTER="No"
#
# NAT before RULES
#
# Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to "No".
#
# If this variable is not set or is set to the empty value, "Yes" is assumed.
NAT_BEFORE_RULES="Yes"
#LAST LINE -- DO NOT REMOVE

4
Samples/one-interface/zones
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.2 /etc/shorewall/zones
# Shorewall 1.3 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
@ -7,8 +7,6 @@
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# $<variable-name> is not permitted in this file.
#
#ZONE DISPLAY COMMENTS
net Net Internet
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

28
Samples/three-interfaces/common
View File

@ -1,31 +1,7 @@
############################################################################
# Shorewall 1.2 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
# Include the standard common.def file
#
# Do not modify this file -- if you wish to change these rules, copy this
# file to /etc/shorewall/common and modify that file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# accept ACKs and RSTs that aren't related to any session so that the
# protocol stack can handle them
#
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j DROP
run_iptables -A common -p udp --dport 445 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
. common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies

34
Samples/three-interfaces/interfaces
View File

@ -1,21 +1,26 @@
#
# Shorewall 1.2 -- Interfaces File
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Much match the short name
# ZONE Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# $<variable-name> is not allowed in this column.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you may
# place "-" in this column.
#
# INTERFACE Name of interface
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.
#
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
@ -29,7 +34,8 @@
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - interface is managed by DHCP
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall.
# noping - icmp echo-request (ping) packets should
# be ignored on this interface
# routestopped - When the firewall is stopped, allow
@ -39,12 +45,22 @@
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses.
# addresses. If packet mangling is
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure).
# dropunclean - Logs and drops mangled/invalid packets
#
# logunclean - Logs mangled/invalid packets but does
# not drop them.
# . . blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
@ -66,7 +82,7 @@
# addresses is:
#
# net eth0 detect noping,dhcp
# local eth1 detect routestopped
# loc eth1 detect routestopped
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
@ -74,7 +90,7 @@
#
# net ppp0 - noping
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,norfc1918,dhcp
loc eth1 detect routestopped
dmz eth2 detect routestopped

35
Samples/three-interfaces/masq
View File

@ -1,9 +1,10 @@
#
# Shorewall 1.2 - Masquerade file
# Shorewall 1.3 - Masquerade file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading)
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
#
# Columns are:
#
@ -17,6 +18,27 @@
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
#
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
#
# Example: eth1!192.168.1.4,192.168.32.0/27
#
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
#
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary
# IP address for the interface in the INTERFACE
# column.
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
@ -47,8 +69,15 @@
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176.
#
# eth0 192.168.1.0/24 206.124.146.176
#
##############################################################################
#INTERFACE SUBNET
#INTERFACE SUBNET ADDRESS
eth0 eth1
eth0 eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

32
Samples/three-interfaces/policy
View File

@ -1,31 +1,37 @@
#
# Shorewall 1.2 -- Policy File
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/seafall/rules file. For each
# client/server pair, the file is processed in order until a match is
# found ("all" will match any client or server).
#
# $<variable-name> is only permitted in the fourth colunm (LOG LEVEL).
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
# SOURCE Location of client. Must be the name of a zone defined
# in /etc/shorewall/zones, "fw" or "all".
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DESTINATION Location of server. Must be the name of a zone defined
# in /etc/shorewall/zones, "fw" or "all"
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DENY", "REJECT"
# be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# If you don't want to log but need to specify the
# following column, place "_" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
@ -34,7 +40,7 @@
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE DESTINATION POLICY LOG LEVEL
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
#
# If you want open access to the internet from your firewall, uncomment the
@ -42,4 +48,4 @@ loc net ACCEPT
#fw net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE

137
Samples/three-interfaces/rules
View File

@ -1,45 +1,67 @@
#
# Shorewall version 1.2 - Rules File
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
#
# RESULT ACCEPT, DROP or REJECT
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable packet.
#
# The line may NOT start with $<variable-name>
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# REDIRECT -- Redirect the request to a local
# port on the firewall.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# SOURCE Hosts permitted to be clients. May be a zone defined
# in /etc/shorewall/zones or "fw" to indicate the
# firewall itself.
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones or $FW to indicate the
# firewall itself. If the ACTION is DNAT or REDIRECT,
# sub-zones of the specified zone may be excluded from
# the rule by following the zone name with "!' and a
# comma-separated list of sub-zone names.
#
# Clients may be further restricted to a particular
# subnet or host by appending ":" and the subnet or host.
# Clients may be further restricted to a list of subnets
# and/or hosts by appending ":" and a comma-separated
# list of subnets and/or hosts. Hosts may be specified
# by IP or MAC address; mac addresses must begin with
# "~" and must use "-" as a separator.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" followed by the interface name. For
# example, loc:eth1 specifies a client that
# communicates with the firewall system through eth1.
#
# DESTINATION Location of Server. May be a zone defined in
# /etc/shorewall/zones or "fw" to indicate the firewall
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall
# itself.
#
# The server may be further restricted to a particular
@ -51,77 +73,90 @@
# ":". If omitted, the firewall will not modifiy the
# destination port.
#
# Example: loc:192.168.1.3:8080 specifies a local
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 8080. The port number MUST be specified as an integer
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the RESULT is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all" or "related". If "related", the remainder of the
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
#
# PORT(S) Destination Port. A comma-separated list of Port names
# (from /etc/services), port numbers or port ranges;
# if the protocol is "icmp", this column is interpreted as
# the destination icmp-type. If this column contains the
# value "none", the rule is ignored.
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable.
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# ADDRESS (0ptional) If included and different from the IP
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the SERVER column.
# specified in the DEST column.
#
# If the special value "all" is used, then requests from
# the client zone given in the CLIENT(s) column with the
# destination port given in PORT(s) will be forwarded to
# the IP address given in SERVER.
# The address may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# The address (or "all") may optionally be followed by
# a colon (":") an an IP address. This causes Shorewall
# to use the specified IP address as the source address
# in forwarded packets. See the Shorewall documentation
# for restrictions concerning this feature. If no source
# IP address is given, the original source address is not
# altered.
# Example: Accept SMTP requests from the DMZ to the internet
#
# Example: Forward all ssh and www connection requests from the internet to
# local system 192.168.1.3
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
# ACCEPT net loc:192.168.1.3 tcp ssh,www - all
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 8080 on the firewall (Squid running on the firewall
# system)
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS
# ACCEPT loc fw::8080 tcp www - all
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#
# Accept outgoing DNS connections from the firewall
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# To avoid connection delays, reject AUTH
#
REJECT net fw tcp 113
#
# Accept SSH connections from the local network to the firewall and DMZ
#
ACCEPT loc fw tcp 22

2
Samples/three-interfaces/zones
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.2 /etc/shorewall/zones
# Shorewall 1.3 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#

28
Samples/two-interfaces/common
View File

@ -1,31 +1,7 @@
############################################################################
# Shorewall 1.2 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
# Include the standard common.def file
#
# Do not modify this file -- if you wish to change these rules, copy this
# file to /etc/shorewall/common and modify that file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# accept ACKs and RSTs that aren't related to any session so that the
# protocol stack can handle them
#
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j DROP
run_iptables -A common -p udp --dport 445 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
. common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies

36
Samples/two-interfaces/interfaces
View File

@ -1,27 +1,32 @@
#
# Shorewall 1.2 -- Interfaces File
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Much match the short name
# ZONE Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# $<variable-name> is not allowed in this column.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you may
# place "-" in this column.
#
# INTERFACE Name of interface
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.
#
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started and you must have iproute
# installed.
#
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
@ -29,7 +34,8 @@
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - interface is managed by DHCP
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall.
# noping - icmp echo-request (ping) packets should
# be ignored on this interface
# routestopped - When the firewall is stopped, allow
@ -39,12 +45,22 @@
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses.
# addresses. If packet mangling is
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure).
# dropunclean - Logs and drops mangled/invalid packets
#
# logunclean - Logs mangled/invalid packets but does
# not drop them.
# . . blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
@ -66,7 +82,7 @@
# addresses is:
#
# net eth0 detect noping,dhcp
# local eth1 detect routestopped
# loc eth1 detect routestopped
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
@ -74,7 +90,7 @@
#
# net ppp0 - noping
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

35
Samples/two-interfaces/masq
View File

@ -1,9 +1,10 @@
#
# Shorewall 1.2 - Masquerade file
# Shorewall 1.3 - Masquerade file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading)
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
#
# Columns are:
#
@ -17,6 +18,27 @@
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
#
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
#
# Example: eth1!192.168.1.4,192.168.32.0/27
#
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
#
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary
# IP address for the interface in the INTERFACE
# column.
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
@ -47,7 +69,14 @@
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176.
#
# eth0 192.168.1.0/24 206.124.146.176
#
##############################################################################
#INTERFACE SUBNET
#INTERFACE SUBNET ADDRESS
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

32
Samples/two-interfaces/policy
View File

@ -1,31 +1,37 @@
#
# Shorewall 1.2 -- Policy File
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/seafall/rules file. For each
# client/server pair, the file is processed in order until a match is
# found ("all" will match any client or server).
#
# $<variable-name> is only permitted in the fourth colunm (LOG LEVEL).
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
# SOURCE Location of client. Must be the name of a zone defined
# in /etc/shorewall/zones, "fw" or "all".
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DESTINATION Location of server. Must be the name of a zone defined
# in /etc/shorewall/zones, "fw" or "all"
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DENY", "REJECT"
# be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# If you don't want to log but need to specify the
# following column, place "_" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
@ -34,7 +40,7 @@
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE DESTINATION POLICY LOG LEVEL
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
#
# If you want open access to the internet from your firewall, uncomment the
@ -42,4 +48,4 @@ loc net ACCEPT
#fw net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE

139
Samples/two-interfaces/rules
View File

@ -1,45 +1,67 @@
#
# Shorewall version 1.2 - Rules File
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
#
# RESULT ACCEPT, DROP or REJECT
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable packet.
#
# The line may NOT start with $<variable-name>
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# REDIRECT -- Redirect the request to a local
# port on the firewall.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# CLIENT(S) Hosts permitted to be clients. May be a zone defined
# in /etc/shorewall/zones or "fw" to indicate the
# firewall itself.
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones or $FW to indicate the
# firewall itself. If the ACTION is DNAT or REDIRECT,
# sub-zones of the specified zone may be excluded from
# the rule by following the zone name with "!' and a
# comma-separated list of sub-zone names.
#
# Clients may be further restricted to a particular
# subnet or host by appending ":" and the subnet or host.
# Clients may be further restricted to a list of subnets
# and/or hosts by appending ":" and a comma-separated
# list of subnets and/or hosts. Hosts may be specified
# by IP or MAC address; mac addresses must begin with
# "~" and must use "-" as a separator.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" followed by the interface name. For
# example, loc:eth1 specifies a client that
# communicates with the firewall system through eth1.
#
# SERVER Location of Server. May be a zone defined in
# /etc/shorewall/zones or "fw" to indicate the firewall
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones or $FW to indicate the firewall
# itself.
#
# The server may be further restricted to a particular
@ -51,73 +73,84 @@
# ":". If omitted, the firewall will not modifiy the
# destination port.
#
# Example: loc:192.168.1.3:8080 specifies a local
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 8080. The port number MUST be specified as an integer
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the RESULT is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
# "all" or "related". If "related", the remainder of the
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
#
# PORT(S) Destination Port. A comma-separated list of Port names
# (from /etc/services), port numbers or port ranges;
# if the protocol is "icmp", this column is interpreted as
# the destination icmp-type. If this column contains the
# value "none", the rule is ignored.
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable.
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# ADDRESS (0ptional) If included and different from the IP
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the SERVER column.
# specified in the DEST column.
#
# If the special value "all" is used, then requests from
# the client zone given in the CLIENT(s) column with the
# destination port given in PORT(s) will be forwarded to
# the IP address given in SERVER.
# The address may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# The address (or "all") may optionally be followed by
# a colon (":") an an IP address. This causes Shorewall
# to use the specified IP address as the source address
# in forwarded packets. See the Shorewall documentation
# for restrictions concerning this feature. If no source
# IP address is given, the original source address is not
# altered.
# Example: Accept SMTP requests from the DMZ to the internet
#
# Example: Forward all ssh and www connection requests from the internet to
# local system 192.168.1.3
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
# ACCEPT net loc:192.168.1.3 tcp ssh,www - all
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 8080 on the firewall (Squid running on the firewall
# system)
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS
# ACCEPT loc fw::8080 tcp www - all
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
#
#
# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above
#
REJECT net fw tcp 113
#
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53

2
Samples/two-interfaces/zones
View File

@ -1,5 +1,5 @@
#
# Shorewall 1.2 /etc/shorewall/zones
# Shorewall 1.3 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#