diff --git a/Samples/one-interface/common b/Samples/one-interface/common
index be16fc23c..4002e3371 100644
--- a/Samples/one-interface/common
+++ b/Samples/one-interface/common
@@ -1,31 +1,7 @@
-############################################################################
-# Shorewall 1.2 -- /etc/shorewall/common.def
 #
-# This file defines the rules that are applied before a policy of
-# DROP or REJECT is applied. In addition to the rules defined in this file,
-# the firewall will also define a DROP rule for each subnet broadcast
-# address defined in /etc/shorewall/interfaces (including "detect").
+# Include the standard common.def file
 #
-# Do not modify this file -- if you wish to change these rules, copy this
-# file to /etc/shorewall/common and modify that file.
-#
-run_iptables -A common -p icmp -j icmpdef
-############################################################################
-# accept ACKs and RSTs that aren't related to any session so that the
-# protocol stack can handle them
-#
-run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
-run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
-############################################################################
-# NETBIOS chatter
-#
-run_iptables -A common -p udp --dport 137:139 -j DROP
-run_iptables -A common -p udp --dport 445 -j DROP
-############################################################################
-# BROADCASTS
-#
-run_iptables -A common -d 255.255.255.255 -j DROP
-run_iptables -A common -d 224.0.0.0/4 -j DROP
+. common.def
 #
 # The following rule is non-standard and compensates for tardy
 # DNS replies
diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces
index 831d61e90..99d326937 100755
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
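Review bot: `. common.def` sources the include by bare filename, so the shell resolves it through PATH (and, for bash outside POSIX mode, the current directory) rather than from the firewall's configuration directory; which `common.def` a root-run firewall script ends up executing then depends on the invoking environment. The header this hunk removes names the file as `/etc/shorewall/common.def`, so the added line should be `. /etc/shorewall/common.def` unless the firewall script is known to pin PATH and cwd before sourcing this file, which the diff does not show. The same bare-name include is added to Samples/three-interfaces/common further down.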
@@ -1,21 +1,26 @@ # -# Shorewall 1.2 -- Interfaces File +# Shorewall 1.3 -- Interfaces File # # /etc/shorewall/interfaces # +# You must add an entry in this file for each network interface on your +# firewall system. +# # Columns are: # -# ZONE Zone for this interface. Much match the short name +# ZONE Zone for this interface. Must match the short name # of a zone defined in /etc/shorewall/zones. # -# $ is not allowed in this column. -# +# If the interface serves multiple zones that will be +# defined in the /etc/shorewall/hosts file, you may +# place "-" in this column. +# # INTERFACE Name of interface # # BROADCAST The broadcast address for the subnetwork to which the # interface belongs. For P-T-P interfaces, this # column is left black. -# +# # If you use the special value "detect", the firewall # will detect the broadcast address for you. If you # select this option, the interface must be up before @@ -29,7 +34,8 @@ # OPTIONS A comma-separated list of options including the # following: # -# dhcp - interface is managed by DHCP +# dhcp - interface is managed by DHCP or used by +# a DHCP server running on the firewall. # noping - icmp echo-request (ping) packets should # be ignored on this interface # routestopped - When the firewall is stopped, allow 
@@ -39,12 +45,22 @@ # any packets whose source is in one # of the ranges reserved by RFC 1918 # (i.e., private or "non-routable" -# addresses. +# addresses. If packet mangling is +# enabled in shorewall.conf, packets +# whose destination addresses are +# reserved by RFC 1918 are also rejected. # multi - This interface has multiple IP # addresses and you want to be able to # route between them. # routefilter - turn on kernel route filtering for this # interface (anti-spoofing measure). +# dropunclean - Logs and drops mangled/invalid packets +# +# logunclean - Logs mangled/invalid packets but does +# not drop them. +# . . blacklist - Check packets arriving on this interface +# against the /etc/shorewall/blacklist +# file. # # Example 1: Suppose you have eth0 connected to a DSL modem and # eth1 connected to your local network and that your @@ -66,7 +82,7 @@ # addresses is: # # net eth0 detect noping,dhcp -# local eth1 detect routestopped +# loc eth1 detect routestopped # dmz eth2 detect # # Example 3: You have a simple dial-in system with no ethernet diff --git a/Samples/one-interface/policy b/Samples/one-interface/policy index dcb2a36a9..a60b52ff3 100644 --- a/Samples/one-interface/policy +++ b/Samples/one-interface/policy 
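Review bot: The new option entry `# . . blacklist - Check packets arriving on this interface` carries a stray `. .` before the option name that the neighbouring `dropunclean` and `logunclean` entries do not have; if that is in the file rather than a rendering artifact, it should read `# blacklist - Check packets arriving on this interface` so the option list stays uniform. The same line is added in the Samples/three-interfaces/interfaces hunk.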
@@ -1,29 +1,37 @@ # -# Shorewall 1.2 -- Policy File +# Shorewall 1.3 -- Policy File # # /etc/shorewall/policy # # This file determines what to do with a new connection request if we -# don't get a match from the /etc/shorewall/rules file. For each -# client/server pair, the file is processed in order until a match is -# found ("all" will match any client or server). +# don't get a match from the /etc/shorewall/rules file or from the +# /etc/shorewall/common[.def] file. For each source/destination pair, the +# file is processed in order until a match is found ("all" will match +# any client or server). # # Columns are: # -# CLIENT Location of client. Must be the name of a zone defined -# in /etc/shorewall/zones, "fw" or "all". +# SOURCE Source zone. Must be the name of a zone defined +# in /etc/shorewall/zones, $FW or "all". # -# SERVER Location of server. Must be the name of a zone defined -# in /etc/shorewall/zones, "fw" or "all" +# DEST Destination zone. Must be the name of a zone defined +# in /etc/shorewall/zones, $FW or "all" # # POLICY Policy if no match from the rules file is found. Must -# be "ACCEPT", "DENY", "REJECT" +# be "ACCEPT", "DENY", "REJECT" or "CONTINUE" # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no # log message is generated. See syslog.conf(5) for a # description of log levels. # +# If you don't want to log but need to specify the +# following column, place "_" here. +# +# LIMIT:BURST If passed, specifies the maximum TCP connection rate +# and the size of an acceptable burst. If not specified, +# TCP connections are not limited. +# # As shipped, the default policies are: # # a) All connections from the local network to the internet are allowed 
@@ -32,8 +40,8 @@
 # d) All other connection requests are rejected and logged at level
 # KERNEL.INFO.
 ###############################################################################
-#CLIENT SERVER POLICY LOG LEVEL
-fw net ACCEPT
+#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+lfw net ACCEPT
 net all DROP info
 all all REJECT info
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules
index f53e77678..e46c3b7af 100755
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
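Review bot: `lfw net ACCEPT` names a zone `lfw` that nothing in the sample defines — the firewall zone is `fw` (the line being replaced was `fw net ACCEPT`, and the shorewall.conf hunk below adds `FW=fw`), so the one-interface sample either fails on an undefined zone at start-up or, at best, never grants the firewall itself the outbound access this line is meant to give. The line should be `fw net ACCEPT`.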
@@ -1,45 +1,67 @@ # -# Shorewall version 1.2 - Rules File +# Shorewall version 1.3 - Rules File # -# /etc/shorewall/rules +# /etc/shorewall/rules # # Rules in this file govern connection establishment. Requests and # responses are automatically allowed using connection tracking. # +# In most places where an IP address or subnet is allowed, you +# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to +# indicate that the rule matches all addresses except the address/subnet +# given. Notice that no white space is permitted between "!" and the +# address/subnet. +# # Columns are: # # -# RESULT ACCEPT, DROP or REJECT +# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT # -# ACCEPT -- allow the connection request -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable packet. -# -# The line may NOT start with $ +# ACCEPT -- allow the connection request +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# DNAT -- Forward the request to another +# system (and optionally another +# port). +# REDIRECT -- Redirect the request to a local +# port on the firewall. # # May optionally be followed by ":" and a syslog log # level (e.g, REJECT:info). This causes the packet to be # logged at the specified level. # -# SOURCE Hosts permitted to be clients. May be a zone defined -# in /etc/shorewall/zones or "fw" to indicate the -# firewall itself. +# SOURCE Source hosts to which the rule applies. May be a zone +# defined in /etc/shorewall/zones or $FW to indicate the +# firewall itself. If the ACTION is DNAT or REDIRECT, +# sub-zones of the specified zone may be excluded from +# the rule by following the zone name with "!' and a +# comma-separated list of sub-zone names. # -# Clients may be further restricted to a particular -# subnet or host by appending ":" and the subnet or host. 
+# Clients may be further restricted to a list of subnets +# and/or hosts by appending ":" and a comma-separated +# list of subnets and/or hosts. Hosts may be specified +# by IP or MAC address; mac addresses must begin with +# "~" and must use "-" as a separator. # # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ +# # net:155.186.235.0/24 Subnet 155.186.235.0/24 on the # Internet # +# loc:192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2 in the local zone. +# loc:~00-A0-C9-15-39-78 Host in the local zone with +# MAC address 00:A0:C9:15:39:78. +# # Alternatively, clients may be specified by interface # by appending ":" followed by the interface name. For # example, loc:eth1 specifies a client that # communicates with the firewall system through eth1. # -# DESTINATION Location of Server. May be a zone defined in -# /etc/shorewall/zones or "fw" to indicate the firewall +# DEST Location of Server. May be a zone defined in +# /etc/shorewall/zones or $FW to indicate the firewall # itself. # # The server may be further restricted to a particular 
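Review bot: The new SOURCE description has mismatched quotes in `the rule by following the zone name with "!' and a`; it should be `"!"` to match the `"~"` and `"-"` conventions used in the same paragraph. `preceed` in the new paragraph near the top of the hunk should be `precede`. Both slips are repeated in the Samples/three-interfaces/rules hunk.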
@@ -51,70 +73,82 @@ # ":". If omitted, the firewall will not modifiy the # destination port. # -# Example: loc:192.168.1.3:8080 specifies a local +# Example: loc:192.168.1.3:3128 specifies a local # server at IP address 192.168.1.3 and listening on port -# 8080. The port number MUST be specified as an integer +# 3128. The port number MUST be specified as an integer # and not as a name from /etc/services. # +# if the RESULT is REDIRECT, this column needs only to +# contain the port number on the firewall that the +# request should be redirected to. +# # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # "all" or "related". If "related", the remainder of the # entry must be omitted and connection requests that are # related to existing requests will be accepted. # -# PORT(S) Destination Port. A comma-separated list of Port names -# (from /etc/services), port numbers or port ranges; -# if the protocol is "icmp", this column is interpreted as -# the destination icmp-type. If this column contains the -# value "none", the rule is ignored. +# DEST PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). # # This column is ignored if PROTOCOL = all but must be -# entered if any of the following fields are supplied. +# entered if any of the following ields are supplied. # In that case, it is suggested that this field contain # "-" # # CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, -# any source port is acceptable. +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. # # If you don't want to restrict client ports but need to # specify an ADDRESS in the next column, then place "-" # in this column. 
# -# ADDRESS (0ptional) If included and different from the IP +# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or +# REDIRECT) If included and different from the IP # address given in the SERVER column, this is an address # on some interface on the firewall and connections to # that address will be forwarded to the IP and port -# specified in the SERVER column. +# specified in the DEST column. # -# If the special value "all" is used, then requests from -# the client zone given in the CLIENT(s) column with the -# destination port given in PORT(s) will be forwarded to -# the IP address given in SERVER. +# The address may optionally be followed by +# a colon (":") and a second IP address. This causes +# Shorewall to use the second IP address as the source +# address in forwarded packets. See the Shorewall +# documentation for restrictions concerning this feature. +# If no source IP address is given, the original source +# address is not altered. # -# The address (or "all") may optionally be followed by -# a colon (":") an an IP address. This causes Shorewall -# to use the specified IP address as the source address -# in forwarded packets. See the Shorewall documentation -# for restrictions concerning this feature. If no source -# IP address is given, the original source address is not -# altered. 
+# Example: Accept SMTP requests from the DMZ to the internet # -# Example: Forward all ssh and www connection requests from the internet to -# local system 192.168.1.3 +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT dmz net tcp smtp # -# #RESULT SOURCE DESTINATION PROTO PORT(S) CLIENT PORT(S) ADDRESS -# ACCEPT net loc:192.168.1.3 tcp ssh,www - all +# Example: Forward all ssh and http connection requests from the internet +# to local system 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp ssh,http # # Example: Redirect all locally-originating www connection requests to -# port 8080 on the firewall (Squid running on the firewall -# system) +# port 3128 on the firewall (Squid running on the firewall +# system) except when the destination address is 192.168.2.2 # -# #RESULT SOURCE DESTINATION PROTO PORTS(S) CLIENT PORT(S) ADDRESS -# ACCEPT loc fw::8080 tcp www - all +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# REDIRECT loc 3128 tcp www - !192.168.2.2 +# +# Example: All http requests from the internet to address +# 130.252.100.69 are to be forwarded to 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 ############################################################################## -#RESULT SOURCE DESTINATION PROTO PORT(S) CLIENT PORT(S) ADDRESS -# -# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above -# -REJECT net fw tcp 113 - +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# PORT PORT(S) DEST #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf index a2b24786a..2a209bbf6 100644 --- a/Samples/one-interface/shorewall.conf +++ b/Samples/one-interface/shorewall.conf 
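Review bot: Dropping `REJECT net fw tcp 113 -` and its comment means ident/AUTH probes from the net now fall through to the sample policy's `net all DROP info`: remote mail and IRC servers wait for the ident timeout instead of receiving an immediate reject, which is precisely the connection delay the removed comment guarded against, and every probe now produces an info-level log line. Unless the 1.3 common.def that the sample now includes handles port 113 itself — the diff does not show it — the rule should be carried over in the new column layout as `REJECT net fw tcp 113`. Separately, the new line `entered if any of the following ields are supplied.` loses the f of `fields` that the old line had, and `if the RESULT is REDIRECT` still uses the pre-rename column name where the file now says ACTION; both also appear in the Samples/three-interfaces/rules hunk.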
@@ -1,15 +1,22 @@ -############################################################################## -# /etc/shorewall/shorewall.conf V1.2 - Change the following variables to +############################################################################# +# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to # match your setup # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # This file should be placed in /etc/shorewall # -# (c) 1999, 2000, 2001 - Tom Eastep (teastep@evergo.net) +# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net) ############################################################################## +# +# Name of the firewall zone -- if not set or if set to an empty string, "fw" +# is assumed. +# +FW=fw + + # Set this to the name of the lock file expected by your init scripts. For -# RedHat, this should be /var/lock/subsys/firewall. On Debian, it +# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it # should be /var/state/shorewall. If your init scripts don't use lock files, # set -this to "". # @@ -20,7 +27,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall # it is running # -STATEDIR=/var/lib/firewall +STATEDIR=/var/lib/shorewall # # Set this to "yes" or "Yes" if you want to accept all connection requests 
@@ -47,12 +54,33 @@ MODULESDIR="" # maximum initial burst size that will be logged. If set empty, the default # value of 5 will be used. # -# If BOTH variables are set empty then the rate of logging will not be -# rate-limited. +# If BOTH variables are set empty then logging will not be rate-limited. # -LOGRATE="10/hour" -LOGBURST=5 +LOGRATE="" +LOGBURST="" + + +# +# This variable determines the level at which Mangled/Invalid packets are logged +# under the 'dropunclean' interface option. If you set this variable to an +# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped +# silently. +# + +LOGUNCLEAN=info + +# This variable tells the /sbin/shorewall program where to look for Shorewall +# log messages. If not set or set to an empty string (e.g., LOGFILE="") then +# /var/log/messages is assumed. +# +# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to +# look for Shorewall messages.It does NOT control the destination for +# these messages. For information about how to do that, see +# +# http://www.shorewall.net/FAQ.htm#faq6 + +LOGFILE="/var/log/messages" # # Enable nat support. @@ -60,14 +88,15 @@ LOGBURST=5 # You probally want yes here. Only gateways not doing NAT in any form, like # SNAT,DNAT masquerading, port forwading etc. should say "no" here. # -NAT_ENABLED="No" +NAT_ENABLED="Yes" # # Enable mangle support. # # If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file # and will not initialize the mangle table when starting or stopping -# your firewall. +# your firewall. You must enable mangling if you want Traffic Shaping +# (see TC_ENABLED below). # MANGLE_ENABLED="Yes" @@ -84,7 +113,6 @@ MANGLE_ENABLED="Yes" # enable nor disable packet forwarding. # IP_FORWARDING="Off" - # # Automatically add IP Aliases # 
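Review bot: `LOGRATE=""` and `LOGBURST=""` replace `10/hour` and `5`, and the comment directly above states that with both empty logging is not rate-limited; combined with the sample policy's `net all DROP info`, every unsolicited packet from the internet now yields a log line, so an unattended host can have the LOGFILE this hunk points at (/var/log/messages) and its disk filled from outside. Keeping a bound such as `LOGRATE="10/hour"` and `LOGBURST=5` in the shipped sample, or a comment stating why unlimited logging is the intended default here, would avoid that. If the empty values are meant to demonstrate the 1.3 defaults, the comment should say so explicitly.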
@@ -137,6 +165,24 @@ BLACKLIST_LOGLEVEL= # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU" # option. This option is most commonly required when your internet # interface is some variant of PPP (PPTP or PPPoE). Your kernel must +# have CONFIG_IP_NF_TARGET_TCPMSS set. +# +# [From the kernel help: +# +# This option adds a `TCPMSS' target, which allows you to alter the +# MSS value of TCP SYN packets, to control the maximum size for that +# connection (usually limiting it to your outgoing interface's MTU +# minus 40). +# +# This is used to overcome criminally braindead ISPs or servers which +# block ICMP Fragmentation Needed packets. The symptoms of this +# problem are that everything works fine from your Linux +# firewall/router, but machines behind it can never exchange large +# packets: +# 1) Web browsers connect, then hang with no data received. +# 2) Small mail works fine, but large emails hang. +# 3) ssh works fine, but scp hangs after initial handshaking. +# ] # # If left blank, or set to "No" or "no", the option is not enabled. # @@ -146,8 +192,20 @@ CLAMPMSS="No" # Route Filtering # # Set this variable to "Yes" or "yes" if you want kernel route filtering on all -# interfaces. +# interfaces (anti-spoofing measure). # +# If this variable is not set or is set to the empty value, "No" is assumed. + ROUTE_FILTER="No" +# +# NAT before RULES +# +# Shorewall has traditionally processed static NAT rules before port forwarding +# rules. If you would like to reverse the order, set this variable to "No". +# +# If this variable is not set or is set to the empty value, "Yes" is assumed. + +NAT_BEFORE_RULES="Yes" + #LAST LINE -- DO NOT REMOVE diff --git a/Samples/one-interface/zones b/Samples/one-interface/zones index 7b73eca2f..fd27087f9 100644 --- a/Samples/one-interface/zones +++ b/Samples/one-interface/zones 
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.2 /etc/shorewall/zones
+# Shorewall 1.3 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #
@@ -7,8 +7,6 @@
 # DISPLAY Display name of the zone
 # COMMENTS Comments about the zone
 #
-# $ is not permitted in this file.
-#
 #ZONE DISPLAY COMMENTS
 net Net Internet
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/Samples/three-interfaces/common b/Samples/three-interfaces/common
index be16fc23c..4002e3371 100644
--- a/Samples/three-interfaces/common
+++ b/Samples/three-interfaces/common
@@ -1,31 +1,7 @@
-############################################################################
-# Shorewall 1.2 -- /etc/shorewall/common.def
 #
-# This file defines the rules that are applied before a policy of
-# DROP or REJECT is applied. In addition to the rules defined in this file,
-# the firewall will also define a DROP rule for each subnet broadcast
-# address defined in /etc/shorewall/interfaces (including "detect").
+# Include the standard common.def file
 #
-# Do not modify this file -- if you wish to change these rules, copy this
-# file to /etc/shorewall/common and modify that file.
-#
-run_iptables -A common -p icmp -j icmpdef
-############################################################################
-# accept ACKs and RSTs that aren't related to any session so that the
-# protocol stack can handle them
-#
-run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
-run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
-############################################################################
-# NETBIOS chatter
-#
-run_iptables -A common -p udp --dport 137:139 -j DROP
-run_iptables -A common -p udp --dport 445 -j DROP
-############################################################################
-# BROADCASTS
-#
-run_iptables -A common -d 255.255.255.255 -j DROP
-run_iptables -A common -d 224.0.0.0/4 -j DROP
+. common.def
 #
 # The following rule is non-standard and compensates for tardy
 # DNS replies
diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces
index e333be514..1194fea6c 100755
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@@ -1,21 +1,26 @@ # -# Shorewall 1.2 -- Interfaces File +# Shorewall 1.3 -- Interfaces File # # /etc/shorewall/interfaces # +# You must add an entry in this file for each network interface on your +# firewall system. +# # Columns are: # -# ZONE Zone for this interface. Much match the short name +# ZONE Zone for this interface. Must match the short name # of a zone defined in /etc/shorewall/zones. # -# $ is not allowed in this column. -# +# If the interface serves multiple zones that will be +# defined in the /etc/shorewall/hosts file, you may +# place "-" in this column. +# # INTERFACE Name of interface # # BROADCAST The broadcast address for the subnetwork to which the # interface belongs. For P-T-P interfaces, this # column is left black. -# +# # If you use the special value "detect", the firewall # will detect the broadcast address for you. If you # select this option, the interface must be up before @@ -29,7 +34,8 @@ # OPTIONS A comma-separated list of options including the # following: # -# dhcp - interface is managed by DHCP +# dhcp - interface is managed by DHCP or used by +# a DHCP server running on the firewall. # noping - icmp echo-request (ping) packets should # be ignored on this interface # routestopped - When the firewall is stopped, allow 
@@ -39,12 +45,22 @@ # any packets whose source is in one # of the ranges reserved by RFC 1918 # (i.e., private or "non-routable" -# addresses. +# addresses. If packet mangling is +# enabled in shorewall.conf, packets +# whose destination addresses are +# reserved by RFC 1918 are also rejected. # multi - This interface has multiple IP # addresses and you want to be able to # route between them. # routefilter - turn on kernel route filtering for this # interface (anti-spoofing measure). +# dropunclean - Logs and drops mangled/invalid packets +# +# logunclean - Logs mangled/invalid packets but does +# not drop them. +# . . blacklist - Check packets arriving on this interface +# against the /etc/shorewall/blacklist +# file. # # Example 1: Suppose you have eth0 connected to a DSL modem and # eth1 connected to your local network and that your @@ -66,7 +82,7 @@ # addresses is: # # net eth0 detect noping,dhcp -# local eth1 detect routestopped +# loc eth1 detect routestopped # dmz eth2 detect # # Example 3: You have a simple dial-in system with no ethernet @@ -74,7 +90,7 @@ # # net ppp0 - noping ############################################################################## -#ZONE INTERFACE BROADCAST OPTIONS +#ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp,norfc1918,dhcp loc eth1 detect routestopped dmz eth2 detect routestopped diff --git a/Samples/three-interfaces/masq b/Samples/three-interfaces/masq index 37050cc44..2cc0317b1 100755 --- a/Samples/three-interfaces/masq +++ b/Samples/three-interfaces/masq @@ -1,9 +1,10 @@ # -# Shorewall 1.2 - Masquerade file +# Shorewall 1.3 - Masquerade file # # /etc/shorewall/masq # -# Use this file to define dynamic NAT (Masquerading) +# Use this file to define dynamic NAT (Masquerading) and to define Source NAT +# (SNAT). # # Columns are: # 
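Review bot: The context line directly under the rewritten `#ZONE INTERFACE BROADCAST OPTIONS` header, `net eth0 detect dhcp,norfc1918,dhcp`, lists `dhcp` twice; the duplicate is at best redundant and reads as an editing slip in a shipped sample, and since the header line is already being touched the entry can be corrected to `net eth0 detect dhcp,norfc1918` in the same change.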
@@ -17,6 +18,27 @@ # interface, you must have iproute installed and the interface # must be up before you start the firewall. # +# In order to exclude a subset of the specified SUBNET, you +# may append "!" and a comma-separated list of IP addresses +# and/or subnets that you wish to exclude. +# +# Example: eth1!192.168.1.4,192.168.32.0/27 +# +# In that example traffic from eth1 would be masqueraded unless +# it came from 192.168.1.4 or 196.168.32.0/27 +# +# ADDRESS -- (Optional). If you specify an address here, SNAT will be +# used and this will be the source address. If +# ADD_SNAT_ALIASES is set to Yes or yes in +# /etc/shorewall/shorewall.conf then Shorewall +# will automatically add this address to the +# INTERFACE named in the first column. +# +# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if +# the address given in this column is the primary +# IP address for the interface in the INTERFACE +# column. +# # Example 1: # # You have a simple masquerading setup where eth0 connects to @@ -47,8 +69,15 @@ # # ipsec0:10.1.1.0/24 196.168.1.0/24 # +# Example 4: +# +# You want all outgoing traffic from 192.168.1.0/24 through +# eth0 to use source address 206.124.146.176. +# +# eth0 192.168.1.0/24 206.124.146.176 +# ############################################################################## -#INTERFACE SUBNET +#INTERFACE SUBNET ADDRESS eth0 eth1 eth0 eth2 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Samples/three-interfaces/policy b/Samples/three-interfaces/policy index c185cdf64..b121bdbfc 100644 --- a/Samples/three-interfaces/policy +++ b/Samples/three-interfaces/policy 
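Review bot: The new explanation of the exclusion example reads `it came from 192.168.1.4 or 196.168.32.0/27`, but the example line it describes is `eth1!192.168.1.4,192.168.32.0/27`; the text should say `192.168.32.0/27` so it matches the example. The pre-existing Example 3 context line `ipsec0:10.1.1.0/24 196.168.1.0/24` looks like the same transposition and could be corrected alongside.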
@@ -1,31 +1,37 @@ # -# Shorewall 1.2 -- Policy File +# Shorewall 1.3 -- Policy File # # /etc/shorewall/policy # # This file determines what to do with a new connection request if we -# don't get a match from the /etc/seafall/rules file. For each -# client/server pair, the file is processed in order until a match is -# found ("all" will match any client or server). -# -# $ is only permitted in the fourth colunm (LOG LEVEL). +# don't get a match from the /etc/shorewall/rules file or from the +# /etc/shorewall/common[.def] file. For each source/destination pair, the +# file is processed in order until a match is found ("all" will match +# any client or server). # # Columns are: # -# SOURCE Location of client. Must be the name of a zone defined -# in /etc/shorewall/zones, "fw" or "all". +# SOURCE Source zone. Must be the name of a zone defined +# in /etc/shorewall/zones, $FW or "all". # -# DESTINATION Location of server. Must be the name of a zone defined -# in /etc/shorewall/zones, "fw" or "all" +# DEST Destination zone. Must be the name of a zone defined +# in /etc/shorewall/zones, $FW or "all" # # POLICY Policy if no match from the rules file is found. Must -# be "ACCEPT", "DENY", "REJECT" +# be "ACCEPT", "DENY", "REJECT" or "CONTINUE" # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no # log message is generated. See syslog.conf(5) for a # description of log levels. # +# If you don't want to log but need to specify the +# following column, place "_" here. +# +# LIMIT:BURST If passed, specifies the maximum TCP connection rate +# and the size of an acceptable burst. If not specified, +# TCP connections are not limited. +# # As shipped, the default policies are: # # a) All connections from the local network to the internet are allowed 
@@ -34,7 +40,7 @@
 # d) All other connection requests are rejected and logged at level
 # KERNEL.INFO.
 ###############################################################################
-#SOURCE DESTINATION POLICY LOG LEVEL
+#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
 loc net ACCEPT
 #
 # If you want open access to the internet from your firewall, uncomment the
@@ -42,4 +48,4 @@ loc net ACCEPT
 #fw net ACCEPT
 net all DROP info
 all all REJECT info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules
index e3c0c782a..297568345 100755
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
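Review bot: The rewritten sentinel `#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE` keeps the typo of the line it replaces; since the line is being rewritten anyway it should read `DO NOT REMOVE`, matching the one-interface policy file and the other sample files in this commit.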
@@ -1,45 +1,67 @@ # -# Shorewall version 1.2 - Rules File +# Shorewall version 1.3 - Rules File # -# /etc/shorewall/rules +# /etc/shorewall/rules # # Rules in this file govern connection establishment. Requests and # responses are automatically allowed using connection tracking. # +# In most places where an IP address or subnet is allowed, you +# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to +# indicate that the rule matches all addresses except the address/subnet +# given. Notice that no white space is permitted between "!" and the +# address/subnet. +# # Columns are: # # -# RESULT ACCEPT, DROP or REJECT +# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT # -# ACCEPT -- allow the connection request -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable packet. -# -# The line may NOT start with $ +# ACCEPT -- allow the connection request +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# DNAT -- Forward the request to another +# system (and optionally another +# port). +# REDIRECT -- Redirect the request to a local +# port on the firewall. # # May optionally be followed by ":" and a syslog log # level (e.g, REJECT:info). This causes the packet to be # logged at the specified level. # -# SOURCE Hosts permitted to be clients. May be a zone defined -# in /etc/shorewall/zones or "fw" to indicate the -# firewall itself. +# SOURCE Source hosts to which the rule applies. May be a zone +# defined in /etc/shorewall/zones or $FW to indicate the +# firewall itself. If the ACTION is DNAT or REDIRECT, +# sub-zones of the specified zone may be excluded from +# the rule by following the zone name with "!' and a +# comma-separated list of sub-zone names. # -# Clients may be further restricted to a particular -# subnet or host by appending ":" and the subnet or host. 
+# Clients may be further restricted to a list of subnets +# and/or hosts by appending ":" and a comma-separated +# list of subnets and/or hosts. Hosts may be specified +# by IP or MAC address; mac addresses must begin with +# "~" and must use "-" as a separator. # # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ +# # net:155.186.235.0/24 Subnet 155.186.235.0/24 on the # Internet # +# loc:192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2 in the local zone. +# loc:~00-A0-C9-15-39-78 Host in the local zone with +# MAC address 00:A0:C9:15:39:78. +# # Alternatively, clients may be specified by interface # by appending ":" followed by the interface name. For # example, loc:eth1 specifies a client that # communicates with the firewall system through eth1. # -# DESTINATION Location of Server. May be a zone defined in -# /etc/shorewall/zones or "fw" to indicate the firewall +# DEST Location of Server. May be a zone defined in +# /etc/shorewall/zones or $FW to indicate the firewall # itself. # # The server may be further restricted to a particular 
@@ -51,77 +73,90 @@ # ":". If omitted, the firewall will not modifiy the # destination port. # -# Example: loc:192.168.1.3:8080 specifies a local +# Example: loc:192.168.1.3:3128 specifies a local # server at IP address 192.168.1.3 and listening on port -# 8080. The port number MUST be specified as an integer +# 3128. The port number MUST be specified as an integer # and not as a name from /etc/services. # +# if the RESULT is REDIRECT, this column needs only to +# contain the port number on the firewall that the +# request should be redirected to. +# # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # "all" or "related". If "related", the remainder of the # entry must be omitted and connection requests that are # related to existing requests will be accepted. # -# PORT(S) Destination Port. A comma-separated list of Port names -# (from /etc/services), port numbers or port ranges; -# if the protocol is "icmp", this column is interpreted as -# the destination icmp-type. If this column contains the -# value "none", the rule is ignored. +# DEST PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). # # This column is ignored if PROTOCOL = all but must be -# entered if any of the following fields are supplied. +# entered if any of the following ields are supplied. # In that case, it is suggested that this field contain # "-" # # CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, -# any source port is acceptable. +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. # # If you don't want to restrict client ports but need to # specify an ADDRESS in the next column, then place "-" # in this column. 
# -# ADDRESS (0ptional) If included and different from the IP +# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or +# REDIRECT) If included and different from the IP # address given in the SERVER column, this is an address # on some interface on the firewall and connections to # that address will be forwarded to the IP and port -# specified in the SERVER column. +# specified in the DEST column. # -# If the special value "all" is used, then requests from -# the client zone given in the CLIENT(s) column with the -# destination port given in PORT(s) will be forwarded to -# the IP address given in SERVER. +# The address may optionally be followed by +# a colon (":") and a second IP address. This causes +# Shorewall to use the second IP address as the source +# address in forwarded packets. See the Shorewall +# documentation for restrictions concerning this feature. +# If no source IP address is given, the original source +# address is not altered. # -# The address (or "all") may optionally be followed by -# a colon (":") an an IP address. This causes Shorewall -# to use the specified IP address as the source address -# in forwarded packets. See the Shorewall documentation -# for restrictions concerning this feature. If no source -# IP address is given, the original source address is not -# altered. 
+# Example: Accept SMTP requests from the DMZ to the internet # -# Example: Forward all ssh and www connection requests from the internet to -# local system 192.168.1.3 +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT dmz net tcp smtp # -# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS -# ACCEPT net loc:192.168.1.3 tcp ssh,www - all +# Example: Forward all ssh and http connection requests from the internet +# to local system 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp ssh,http # # Example: Redirect all locally-originating www connection requests to -# port 8080 on the firewall (Squid running on the firewall -# system) +# port 3128 on the firewall (Squid running on the firewall +# system) except when the destination address is 192.168.2.2 # -# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS -# ACCEPT loc fw::8080 tcp www - all +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# REDIRECT loc 3128 tcp www - !192.168.2.2 +# +# Example: All http requests from the internet to address +# 130.252.100.69 are to be forwarded to 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 ############################################################################## -#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# PORT PORT(S) DEST # # Accept outgoing DNS connections from the firewall # ACCEPT fw net tcp 53 ACCEPT fw net udp 53 # -# To avoid connection delays, reject AUTH -# -REJECT net fw tcp 113 -# # Accept SSH connections from the local network to the firewall and DMZ # ACCEPT loc fw tcp 22 diff --git a/Samples/three-interfaces/zones b/Samples/three-interfaces/zones index b593aef5a..a12cdbba8 100644 --- a/Samples/three-interfaces/zones 
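Review bot: Removing the `REJECT net fw tcp 113` entry and its 'avoid connection delays' comment changes how ident probes from remote mail and IRC servers are answered: unless the 1.3 common.def that the sample `common` file now sources rejects port 113 itself (not visible here), those probes fall through to whatever net policy this sample sets — presumably DROP with logging, as in the two-interfaces sample — so every probe is logged and the remote side waits out a timeout, which is exactly the delay the removed comment guarded against. If common.def covers it, a one-line comment saying so would stop admins re-adding the rule; if not, the rule should stay. Separately, the ORIGINAL DEST paragraph still says `if the RESULT is REDIRECT` although the column was renamed ACTION, and the re-emitted lines keep the `0ptional` (zero) and `ields` typos. The rules entries continue past the end of the hunk.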
+++ b/Samples/three-interfaces/zones
@@ -1,5 +1,5 @@
 #
-# Shorewall 1.2 /etc/shorewall/zones
+# Shorewall 1.3 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #
diff --git a/Samples/two-interfaces/common
index be16fc23c..4002e3371 100644
--- a/Samples/two-interfaces/common
+++ b/Samples/two-interfaces/common
@@ -1,31 +1,7 @@
-############################################################################
-# Shorewall 1.2 -- /etc/shorewall/common.def
 #
-# This file defines the rules that are applied before a policy of
-# DROP or REJECT is applied. In addition to the rules defined in this file,
-# the firewall will also define a DROP rule for each subnet broadcast
-# address defined in /etc/shorewall/interfaces (including "detect").
+# Include the standard common.def file
 #
-# Do not modify this file -- if you wish to change these rules, copy this
-# file to /etc/shorewall/common and modify that file.
-#
-run_iptables -A common -p icmp -j icmpdef
-############################################################################
-# accept ACKs and RSTs that aren't related to any session so that the
-# protocol stack can handle them
-#
-run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
-run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
-############################################################################
-# NETBIOS chatter
-#
-run_iptables -A common -p udp --dport 137:139 -j DROP
-run_iptables -A common -p udp --dport 445 -j DROP
-############################################################################
-# BROADCASTS
-#
-run_iptables -A common -d 255.255.255.255 -j DROP
-run_iptables -A common -d 224.0.0.0/4 -j DROP
+. common.def
 #
 # The following rule is non-standard and compensates for tardy
 # DNS replies
diff --git a/Samples/two-interfaces/interfaces
index 9a1232049..2272392ee 100755
--- a/Samples/two-interfaces/interfaces
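Review bot: `. common.def` sources the shared file by a bare name, and the POSIX `.` builtin resolves a slash-less operand through $PATH rather than the current directory, so unless the firewall script changes into /etc/shorewall before sourcing this file (not visible here) the include either aborts the start or, worse, picks up a same-named file found earlier on PATH; `. /etc/shorewall/common.def` removes the ambiguity. The switch also changes upgrade semantics — the 1.2 sample carried a private copy of the NETBIOS, broadcast and ACK/RST handling, whereas the include now tracks whatever the installed common.def contains — which deserves a comment such as `# common.def is maintained by Shorewall; put local additions below this line.` The 'tardy DNS replies' rule that follows lies outside the hunk.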
+++ b/Samples/two-interfaces/interfaces
@@ -1,27 +1,32 @@
 #
-# Shorewall 1.2 -- Interfaces File
+# Shorewall 1.3 -- Interfaces File
 #
 # /etc/shorewall/interfaces
 #
+# You must add an entry in this file for each network interface on your
+# firewall system.
+#
 # Columns are:
 #
-# ZONE Zone for this interface. Much match the short name
+# ZONE Zone for this interface. Must match the short name
 # of a zone defined in /etc/shorewall/zones.
 #
-# $ is not allowed in this column.
-#
+# If the interface serves multiple zones that will be
+# defined in the /etc/shorewall/hosts file, you may
+# place "-" in this column.
+#
 # INTERFACE Name of interface
 #
 # BROADCAST The broadcast address for the subnetwork to which the
 # interface belongs. For P-T-P interfaces, this
 # column is left black.
-#
+#
 # If you use the special value "detect", the firewall
 # will detect the broadcast address for you. If you
 # select this option, the interface must be up before
 # the firewall is started and you must have iproute
 # installed.
-#
+#
 # If you don't want to give a value for this column but
 # you want to enter a value in the OPTIONS column, enter
 # "-" in this column.
@@ -29,7 +34,8 @@
 # OPTIONS A comma-separated list of options including the
 # following:
 #
-# dhcp - interface is managed by DHCP
+# dhcp - interface is managed by DHCP or used by
+# a DHCP server running on the firewall.
 # noping - icmp echo-request (ping) packets should
 # be ignored on this interface
 # routestopped - When the firewall is stopped, allow
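Review bot: The expanded `dhcp` entry now says when to set the option but still not what it does to the filter, which is the thing an admin needs before enabling it on the internet-facing interface (the sample's `net eth0` line further down combines it with `norfc1918`). If the option admits DHCP traffic (presumably UDP 67/68) ahead of the zone policies, as its name suggests — confirm against the firewall script — the entry should say so, e.g. `# a DHCP server running on the firewall; DHCP traffic is then allowed on the interface regardless of policy.` In the first hunk, `column is left black` should read `blank`.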
@@ -39,12 +45,22 @@
 # any packets whose source is in one
 # of the ranges reserved by RFC 1918
 # (i.e., private or "non-routable"
-# addresses.
+# addresses. If packet mangling is
+# enabled in shorewall.conf, packets
+# whose destination addresses are
+# reserved by RFC 1918 are also rejected.
 # multi - This interface has multiple IP
 # addresses and you want to be able to
 # route between them.
 # routefilter - turn on kernel route filtering for this
 # interface (anti-spoofing measure).
+# dropunclean - Logs and drops mangled/invalid packets
+#
+# logunclean - Logs mangled/invalid packets but does
+# not drop them.
+# . . blacklist - Check packets arriving on this interface
+# against the /etc/shorewall/blacklist
+# file.
 #
 # Example 1: Suppose you have eth0 connected to a DSL modem and
 # eth1 connected to your local network and that your
@@ -66,7 +82,7 @@
 # addresses is:
 #
 # net eth0 detect noping,dhcp
-# local eth1 detect routestopped
+# loc eth1 detect routestopped
 # dmz eth2 detect
 #
 # Example 3: You have a simple dial-in system with no ethernet
@@ -74,7 +90,7 @@
 #
 # net ppp0 - noping
 ##############################################################################
-#ZONE INTERFACE BROADCAST OPTIONS
+#ZONE INTERFACE BROADCAST OPTIONS
 net eth0 detect dhcp,routefilter,norfc1918
 loc eth1 detect routestopped
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Samples/two-interfaces/masq
index 2fa4e4ccd..a1e7258d6 100755
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@@ -1,9 +1,10 @@
 #
-# Shorewall 1.2 - Masquerade file
+# Shorewall 1.3 - Masquerade file
 #
 # /etc/shorewall/masq
 #
-# Use this file to define dynamic NAT (Masquerading)
+# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
+# (SNAT).
 #
 # Columns are:
 #
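Review bot: The new `blacklist` option is emitted as `+# . . blacklist - Check packets arriving on this interface`, with a stray `. .` where the other option names start, which breaks the option list for anyone scanning or grepping it; it should read `# blacklist - Check packets arriving on this interface`. The `norfc1918` addendum refers to 'packet mangling ... enabled in shorewall.conf' without naming the setting, and the `dropunclean`/`logunclean` pair would be clearer with one line stating that `logunclean` is detection-only (the packet is still delivered). The option list begins before this hunk.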
@@ -17,6 +18,27 @@
 # interface, you must have iproute installed and the interface
 # must be up before you start the firewall.
 #
+# In order to exclude a subset of the specified SUBNET, you
+# may append "!" and a comma-separated list of IP addresses
+# and/or subnets that you wish to exclude.
+#
+# Example: eth1!192.168.1.4,192.168.32.0/27
+#
+# In that example traffic from eth1 would be masqueraded unless
+# it came from 192.168.1.4 or 196.168.32.0/27
+#
+# ADDRESS -- (Optional). If you specify an address here, SNAT will be
+# used and this will be the source address. If
+# ADD_SNAT_ALIASES is set to Yes or yes in
+# /etc/shorewall/shorewall.conf then Shorewall
+# will automatically add this address to the
+# INTERFACE named in the first column.
+#
+# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
+# the address given in this column is the primary
+# IP address for the interface in the INTERFACE
+# column.
+#
 # Example 1:
 #
 # You have a simple masquerading setup where eth0 connects to
@@ -47,7 +69,14 @@
 #
 # ipsec0:10.1.1.0/24 196.168.1.0/24
 #
+# Example 4:
+#
+# You want all outgoing traffic from 192.168.1.0/24 through
+# eth0 to use source address 206.124.146.176.
+#
+# eth0 192.168.1.0/24 206.124.146.176
+#
 ##############################################################################
-#INTERFACE SUBNET
+#INTERFACE SUBNET ADDRESS
 eth0 eth1
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
diff --git a/Samples/two-interfaces/policy
index c185cdf64..b121bdbfc 100644
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
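Review bot: The exclusion example contradicts its own explanation: the entry reads `eth1!192.168.1.4,192.168.32.0/27` while the sentence two lines below says traffic from `196.168.32.0/27` is excluded, so one of them is wrong (192.168.32.0/27 is the private range the example implies). The ADDRESS paragraph would also benefit from saying that the SNAT address has to be one the upstream network routes to this firewall, because `ADD_SNAT_ALIASES` adds whatever is written there to the interface without checking; `# The address must be routed to this firewall by the upstream network.` is enough. The pre-existing `196.168.1.0/24` in Example 3 sits in the following hunk's context.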
@@ -1,31 +1,37 @@
 #
-# Shorewall 1.2 -- Policy File
+# Shorewall 1.3 -- Policy File
 #
 # /etc/shorewall/policy
 #
 # This file determines what to do with a new connection request if we
-# don't get a match from the /etc/seafall/rules file. For each
-# client/server pair, the file is processed in order until a match is
-# found ("all" will match any client or server).
-#
-# $ is only permitted in the fourth colunm (LOG LEVEL).
+# don't get a match from the /etc/shorewall/rules file or from the
+# /etc/shorewall/common[.def] file. For each source/destination pair, the
+# file is processed in order until a match is found ("all" will match
+# any client or server).
 #
 # Columns are:
 #
-# SOURCE Location of client. Must be the name of a zone defined
-# in /etc/shorewall/zones, "fw" or "all".
+# SOURCE Source zone. Must be the name of a zone defined
+# in /etc/shorewall/zones, $FW or "all".
 #
-# DESTINATION Location of server. Must be the name of a zone defined
-# in /etc/shorewall/zones, "fw" or "all"
+# DEST Destination zone. Must be the name of a zone defined
+# in /etc/shorewall/zones, $FW or "all"
 #
 # POLICY Policy if no match from the rules file is found. Must
-# be "ACCEPT", "DENY", "REJECT"
+# be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
 #
 # LOG LEVEL If supplied, each connection handled under the default
 # POLICY is logged at that level. If not supplied, no
 # log message is generated. See syslog.conf(5) for a
 # description of log levels.
 #
+# If you don't want to log but need to specify the
+# following column, place "_" here.
+#
+# LIMIT:BURST If passed, specifies the maximum TCP connection rate
+# and the size of an acceptable burst. If not specified,
+# TCP connections are not limited.
+#
 # As shipped, the default policies are:
 #
 # a) All connections from the local network to the internet are allowed
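Review bot: The new LOG LEVEL placeholder, `place "_" here`, disagrees with every other file in this change, which uses `-` for an empty column (the interfaces and rules files both say `"-" in this column`), so `_` reads as a typo that will lead users to write a token the parser may not recognise; it should be `place "-" here`. LIMIT:BURST is introduced without its syntax — the name suggests a rate and a burst size, but the unit of the rate and the separator are not stated, and a worked value would let an admin actually use the new column. `CONTINUE` is added to the POLICY list with no description, unlike the other three values. The hunk ends inside the 'As shipped' list.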
@@ -34,7 +40,7 @@
 # d) All other connection requests are rejected and logged at level
 # KERNEL.INFO.
 ###############################################################################
-#SOURCE DESTINATION POLICY LOG LEVEL
+#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
 loc net ACCEPT
 #
 # If you want open access to the internet from your firewall, uncomment the
@@ -42,4 +48,4 @@ loc net ACCEPT
 #fw net ACCEPT
 net all DROP info
 all all REJECT info
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
diff --git a/Samples/two-interfaces/rules
index e619928c7..1f2a99a62 100755
--- a/Samples/two-interfaces/rules
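Review bot: The header gains a LIMIT:BURST column but no policy below uses it, so the sample gives nothing to copy for the one new feature; a commented entry under `loc net ACCEPT` showing a rate-limited policy (format to be confirmed against the parser) would make it discoverable. The whitespace-only rewrite of the file's last line in the following hunk also keeps the long-standing typo `DO NOT REMOTE`; since the line is touched anyway, make it `DO NOT REMOVE`.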
@@ -1,45 +1,67 @@ # -# Shorewall version 1.2 - Rules File +# Shorewall version 1.3 - Rules File # -# /etc/shorewall/rules +# /etc/shorewall/rules # # Rules in this file govern connection establishment. Requests and # responses are automatically allowed using connection tracking. # +# In most places where an IP address or subnet is allowed, you +# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to +# indicate that the rule matches all addresses except the address/subnet +# given. Notice that no white space is permitted between "!" and the +# address/subnet. +# # Columns are: # # -# RESULT ACCEPT, DROP or REJECT +# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT # -# ACCEPT -- allow the connection request -# DROP -- ignore the request -# REJECT -- disallow the request and return an -# icmp-unreachable packet. -# -# The line may NOT start with $ +# ACCEPT -- allow the connection request +# DROP -- ignore the request +# REJECT -- disallow the request and return an +# icmp-unreachable or an RST packet. +# DNAT -- Forward the request to another +# system (and optionally another +# port). +# REDIRECT -- Redirect the request to a local +# port on the firewall. # # May optionally be followed by ":" and a syslog log # level (e.g, REJECT:info). This causes the packet to be # logged at the specified level. # -# CLIENT(S) Hosts permitted to be clients. May be a zone defined -# in /etc/shorewall/zones or "fw" to indicate the -# firewall itself. +# SOURCE Source hosts to which the rule applies. May be a zone +# defined in /etc/shorewall/zones or $FW to indicate the +# firewall itself. If the ACTION is DNAT or REDIRECT, +# sub-zones of the specified zone may be excluded from +# the rule by following the zone name with "!' and a +# comma-separated list of sub-zone names. # -# Clients may be further restricted to a particular -# subnet or host by appending ":" and the subnet or host. 
+# Clients may be further restricted to a list of subnets +# and/or hosts by appending ":" and a comma-separated +# list of subnets and/or hosts. Hosts may be specified +# by IP or MAC address; mac addresses must begin with +# "~" and must use "-" as a separator. # # dmz:192.168.2.2 Host 192.168.2.2 in the DMZ +# # net:155.186.235.0/24 Subnet 155.186.235.0/24 on the # Internet # +# loc:192.168.1.1,192.168.1.2 +# Hosts 192.168.1.1 and +# 192.168.1.2 in the local zone. +# loc:~00-A0-C9-15-39-78 Host in the local zone with +# MAC address 00:A0:C9:15:39:78. +# # Alternatively, clients may be specified by interface # by appending ":" followed by the interface name. For # example, loc:eth1 specifies a client that # communicates with the firewall system through eth1. # -# SERVER Location of Server. May be a zone defined in -# /etc/shorewall/zones or "fw" to indicate the firewall +# DEST Location of Server. May be a zone defined in +# /etc/shorewall/zones or $FW to indicate the firewall # itself. # # The server may be further restricted to a particular 
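Review bot: The MAC-address form of SOURCE (`loc:~00-A0-C9-15-39-78`) is documented without the two facts that make it safe to use: it only matches hosts on the segment directly attached to the firewall, and a MAC address is spoofable by any host on that segment, so it must not be treated as an identity check. A note beneath the example, `# MAC matching works only for directly-attached hosts and is not a security boundary.`, would prevent that misuse. The added text also carries mismatched quotes in `with "!' and a` (should be `"!" and a`) and the misspelling `preceed`. The column descriptions continue in the next hunk.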
@@ -51,73 +73,84 @@ # ":". If omitted, the firewall will not modifiy the # destination port. # -# Example: loc:192.168.1.3:8080 specifies a local +# Example: loc:192.168.1.3:3128 specifies a local # server at IP address 192.168.1.3 and listening on port -# 8080. The port number MUST be specified as an integer +# 3128. The port number MUST be specified as an integer # and not as a name from /etc/services. # +# if the RESULT is REDIRECT, this column needs only to +# contain the port number on the firewall that the +# request should be redirected to. +# # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, # "all" or "related". If "related", the remainder of the # entry must be omitted and connection requests that are # related to existing requests will be accepted. # -# PORT(S) Destination Port. A comma-separated list of Port names -# (from /etc/services), port numbers or port ranges; -# if the protocol is "icmp", this column is interpreted as -# the destination icmp-type. If this column contains the -# value "none", the rule is ignored. +# DEST PORT(S) Destination Ports. A comma-separated list of Port +# names (from /etc/services), port numbers or port +# ranges; if the protocol is "icmp", this column is +# interpreted as the destination icmp-type(s). # # This column is ignored if PROTOCOL = all but must be -# entered if any of the following fields are supplied. +# entered if any of the following ields are supplied. # In that case, it is suggested that this field contain # "-" # # CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, -# any source port is acceptable. +# any source port is acceptable. Specified as a comma- +# separated list of port names, port numbers or port +# ranges. # # If you don't want to restrict client ports but need to # specify an ADDRESS in the next column, then place "-" # in this column. 
# -# ADDRESS (0ptional) If included and different from the IP +# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or +# REDIRECT) If included and different from the IP # address given in the SERVER column, this is an address # on some interface on the firewall and connections to # that address will be forwarded to the IP and port -# specified in the SERVER column. +# specified in the DEST column. # -# If the special value "all" is used, then requests from -# the client zone given in the CLIENT(s) column with the -# destination port given in PORT(s) will be forwarded to -# the IP address given in SERVER. +# The address may optionally be followed by +# a colon (":") and a second IP address. This causes +# Shorewall to use the second IP address as the source +# address in forwarded packets. See the Shorewall +# documentation for restrictions concerning this feature. +# If no source IP address is given, the original source +# address is not altered. # -# The address (or "all") may optionally be followed by -# a colon (":") an an IP address. This causes Shorewall -# to use the specified IP address as the source address -# in forwarded packets. See the Shorewall documentation -# for restrictions concerning this feature. If no source -# IP address is given, the original source address is not -# altered. 
+# Example: Accept SMTP requests from the DMZ to the internet # -# Example: Forward all ssh and www connection requests from the internet to -# local system 192.168.1.3 +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# ACCEPT dmz net tcp smtp # -# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS -# ACCEPT net loc:192.168.1.3 tcp ssh,www - all +# Example: Forward all ssh and http connection requests from the internet +# to local system 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp ssh,http # # Example: Redirect all locally-originating www connection requests to -# port 8080 on the firewall (Squid running on the firewall -# system) +# port 3128 on the firewall (Squid running on the firewall +# system) except when the destination address is 192.168.2.2 # -# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS -# ACCEPT loc fw::8080 tcp www - all +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# REDIRECT loc 3128 tcp www - !192.168.2.2 +# +# Example: All http requests from the internet to address +# 130.252.100.69 are to be forwarded to 192.168.1.3 +# +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# # PORT PORT(S) DEST +# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 ############################################################################## -#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS -# -# -# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above -# -REJECT net fw tcp 113 -# +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# PORT PORT(S) DEST # Accept DNS connections from the firewall to the network # ACCEPT fw net tcp 53 diff --git a/Samples/two-interfaces/zones b/Samples/two-interfaces/zones index 862456ba7..64eb03eec 100644 --- a/Samples/two-interfaces/zones +++ b/Samples/two-interfaces/zones 
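Review bot: Dropping `REJECT net fw tcp 113` together with its comment ('reject AUTH if the user hasn't ACCEPTED it above') means ident probes now land on the `net all DROP info` policy shown in this sample's policy file, so each probe is logged and the remote MTA or IRC server waits for a timeout — the connection delay the rule existed to prevent — unless the sourced 1.3 common.def rejects port 113 itself, which cannot be confirmed from here. Either keep the rule or add a comment noting that common.def handles it. The rewritten header block also lost the blank `#` separator before `# Accept DNS connections`, and the ORIGINAL DEST text still says `if the RESULT is REDIRECT` after the column was renamed ACTION. The entries continue beyond the hunk.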
@@ -1,5 +1,5 @@ # -# Shorewall 1.2 /etc/shorewall/zones +# Shorewall 1.3 /etc/shorewall/zones # # This file determines your network zones. Columns are: #