Update samples for 1.3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@35 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/one-interface/common

@@ -1,31 +1,7 @@
-############################################################################
-# Shorewall 1.2 -- /etc/shorewall/common.def
 #
-# This file defines the rules that are applied before a policy of 
+# Include the standard common.def file
-# DROP or REJECT is applied. In addition to the rules defined in this file,
-# the firewall will also define a DROP rule for each subnet broadcast
-# address defined in /etc/shorewall/interfaces (including "detect").
 #
-# Do not modify this file -- if you wish to change these rules, copy this
+. common.def
-# file to /etc/shorewall/common and modify that file.
-#
-run_iptables -A common -p icmp -j icmpdef
-############################################################################
-# accept ACKs and RSTs that aren't related to any session so that the 
-# protocol stack can handle them
-#
-run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
-run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
-############################################################################
-# NETBIOS chatter
-#
-run_iptables -A common -p udp --dport 137:139     -j DROP
-run_iptables -A common -p udp --dport 445         -j DROP
-############################################################################
-# BROADCASTS
-#
-run_iptables -A common -d 255.255.255.255 -j DROP
-run_iptables -A common -d 224.0.0.0/4     -j DROP
 #
 # The following rule is non-standard and compensates for tardy
 # DNS replies

Samples/one-interface/interfaces

@@ -1,14 +1,19 @@
 #
-# Shorewall 1.2 -- Interfaces File
+# Shorewall 1.3 -- Interfaces File
 #
 # /etc/shorewall/interfaces
 #
+#	You must add an entry in this file for each network interface on your
+#	firewall system.
+#
 # Columns are:
 #
-#	ZONE		Zone for this interface. Much match the short name
+#	ZONE		Zone for this interface. Must match the short name
 #			of a zone defined in /etc/shorewall/zones.
 #
-#			$<variable-name> is not allowed in this column.
+#			If the interface serves multiple zones that will be
+#			defined in the /etc/shorewall/hosts file, you may
+#			place "-" in this column.
 #	
 #	INTERFACE	Name of interface
 #
@@ -29,7 +34,8 @@
 #	OPTIONS		A comma-separated list of options including the
 #			following:
 #
-#			dhcp	     - interface is managed by DHCP
+#			dhcp	     - interface is managed by DHCP or used by
+#                                      a DHCP server running on the firewall.
 #			noping	     - icmp echo-request (ping) packets should
 #				       be ignored on this interface
 #			routestopped - When the firewall is stopped, allow
@@ -39,12 +45,22 @@
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
 #				       (i.e., private or "non-routable"
-#				       addresses.
+#				       addresses. If packet mangling is
+#				       enabled in shorewall.conf, packets
+#				       whose destination addresses are
+#				       reserved by RFC 1918 are also rejected.
 #			multi	     - This interface has multiple IP
 #				       addresses and you want to be able to
 #				       route between them.
 #			routefilter  - turn on kernel route filtering for this
 #				       interface (anti-spoofing measure).
+#			dropunclean  - Logs and drops mangled/invalid packets
+#
+#			logunclean   - Logs mangled/invalid packets but does
+#				       not drop them.
+#	.	.	blacklist    - Check packets arriving on this interface
+#				       against the /etc/shorewall/blacklist
+#				       file.
 #
 #	Example 1:	Suppose you have eth0 connected to a DSL modem and
 #			eth1 connected to your local network and that your
@@ -66,7 +82,7 @@
 #			addresses is:
 #
 #			net	eth0	detect		noping,dhcp
-#			local	eth1	detect		routestopped
+#			loc	eth1	detect		routestopped
 #			dmz	eth2	detect
 #
 #	Example 3:	You have a simple dial-in system with no ethernet

Samples/one-interface/policy

@@ -1,29 +1,37 @@
 #
-# Shorewall 1.2 -- Policy File
+# Shorewall 1.3 -- Policy File
 #
 # /etc/shorewall/policy
 #
 #	This file determines what to do with a new connection request if we
-#	don't get a match from the /etc/shorewall/rules file. For each
+#	don't get a match from the /etc/shorewall/rules file or from the
-#	client/server pair, the file is processed in order until a match is
+#	/etc/shorewall/common[.def] file. For each source/destination pair, the
-#	found ("all" will match any client or server).
+#	file is processed in order until a match is found ("all" will match
+#	any client or server).
 #
 # Columns are:
 #
-#	CLIENT		Location of client. Must be the name of a zone defined
+#	SOURCE		Source zone. Must be the name of a zone defined
-#			in /etc/shorewall/zones, "fw" or "all".
+#			in /etc/shorewall/zones, $FW or "all".
 #
-#	SERVER		Location of server. Must be the name of a zone defined
+#	DEST		Destination zone. Must be the name of a zone defined
-#			in /etc/shorewall/zones, "fw" or "all"
+#			in /etc/shorewall/zones, $FW or "all"
 #
 #	POLICY		Policy if no match from the rules file is found. Must
-#			be "ACCEPT", "DENY", "REJECT"
+#			be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
 #
 #	LOG LEVEL	If supplied, each connection handled under the default
 #			POLICY is logged at that level. If not supplied, no
 #			log message is generated. See syslog.conf(5) for a
 #			description of log levels.
 #
+#			If you don't want to log but need to specify the
+#			following column, place "_" here.
+#
+#	LIMIT:BURST	If passed, specifies the maximum TCP connection rate
+#			and the size of an acceptable burst. If not specified,
+#			TCP connections are not limited.
+#
 #	As shipped, the default policies are:
 #
 #	a) All connections from the local network to the internet are allowed
@@ -32,8 +40,8 @@
 #	d) All other connection requests are rejected and logged at level
 #	   KERNEL.INFO.
 ###############################################################################
-#CLIENT		SERVER		POLICY		LOG LEVEL
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
-fw		net		ACCEPT
+lfw		net		ACCEPT
 net		all		DROP		info
 all		all		REJECT		info
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/one-interface/rules

@@ -1,45 +1,67 @@
 #
-# Shorewall version 1.2 - Rules File
+# Shorewall version 1.3 - Rules File
 #
 # /etc/shorewall/rules
 #
 #	Rules in this file govern connection establishment. Requests and
 #	responses are automatically allowed using connection tracking.
 #
+#	In most places where an IP address or subnet is allowed, you
+#	can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
+#	indicate that the rule matches all addresses except the address/subnet
+#	given. Notice that no white space is permitted between "!" and the
+#	address/subnet.
+#
 # Columns are:
 #
 #
-#	RESULT		ACCEPT, DROP or REJECT
+#	ACTION		ACCEPT, DROP, REJECT, DNAT or REDIRECT
 #
 #				ACCEPT   -- allow the connection request
 #				DROP     -- ignore the request
 #				REJECT   -- disallow the request and return an
-#					  icmp-unreachable packet.
+#					    icmp-unreachable or an RST packet.
-#
+#				DNAT     -- Forward the request to another
-#			The line may NOT start with $<variable-name>
+#					    system (and optionally another
+#					    port).
+#				REDIRECT -- Redirect the request to a local
+#					    port on the firewall.
 #
 #			May optionally be followed by ":" and a syslog log
 #			level (e.g, REJECT:info). This causes the packet to be
 #			logged at the specified level.
 #
-#	SOURCE		Hosts permitted to be clients. May be a zone defined
+#	SOURCE		Source hosts to which the rule applies. May be a zone
-#			in /etc/shorewall/zones or "fw" to indicate the
+#                       defined in /etc/shorewall/zones or $FW to indicate the
-#			firewall itself.
+#			firewall itself. If the ACTION is DNAT or REDIRECT,
+#			sub-zones of the specified zone may be excluded from
+#			the rule by following the zone name with "!' and a
+#			comma-separated list of sub-zone names.
 #
-#			Clients may be further restricted to a particular
+#			Clients may be further restricted to a list of subnets
-#			subnet or host by appending ":" and the subnet or host.
+#			and/or hosts by appending ":" and a comma-separated
+#			list of subnets and/or hosts. Hosts may be specified
+#			by IP or MAC address; mac addresses must begin with
+#			"~" and must use "-" as a separator.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
+#
 #			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
 #						Internet
 #
+#			loc:192.168.1.1,192.168.1.2
+#						Hosts 192.168.1.1 and
+#						192.168.1.2 in the local zone.
+#			loc:~00-A0-C9-15-39-78  Host in the local zone with
+#                                               MAC address 00:A0:C9:15:39:78.
+#
 #			Alternatively, clients may be specified by interface
 #			by appending ":" followed by the interface name. For
 #			example, loc:eth1 specifies a client that
 #			communicates with the firewall system through eth1.
 #
-#	DESTINATION	Location of Server. May be a zone defined in
+#	DEST		Location of Server. May be a zone defined in
-#			/etc/shorewall/zones or "fw" to indicate the firewall
+#			/etc/shorewall/zones or $FW to indicate the firewall
 #			itself.
 #
 #			The server may be further restricted to a particular
@@ -51,70 +73,82 @@
 #			":". If omitted, the firewall will not modifiy the
 #			destination port.
 #
-#			Example: loc:192.168.1.3:8080 specifies a local
+#			Example: loc:192.168.1.3:3128 specifies a local
 #			server at IP address 192.168.1.3 and listening on port
-#			8080. The port number MUST be specified as an integer
+#			3128. The port number MUST be specified as an integer
 #			and not as a name from /etc/services.
 #
+#			if the RESULT is REDIRECT, this column needs only to
+#			contain the port number on the firewall that the
+#			request should be redirected to.
+#
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
 #			"all" or "related". If "related", the remainder of the
 #			entry must be omitted and connection requests that are
 #			related to existing requests will be accepted.
 #
-#	PORT(S)		Destination Port. A comma-separated list of Port names
+#	DEST PORT(S)    Destination Ports. A comma-separated list of Port
-#			(from /etc/services), port numbers or port ranges;
+#			names (from /etc/services), port numbers or port
-#			if the protocol is "icmp", this column is interpreted as
+#			ranges; if the protocol is "icmp", this column is
-#			the destination icmp-type. If this column contains the
+#			interpreted as the destination icmp-type(s).
-#			value "none", the rule is ignored.
 #
 #			This column is ignored if PROTOCOL = all but must be
-#			entered if any of the following fields are supplied.
+#			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
 #	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
-#			any source port is acceptable.
+#			any source port is acceptable. Specified as a comma-
+#			separated list of port names, port numbers or port
+#			ranges.
 #
 #			If you don't want to restrict client ports but need to
 #			specify an ADDRESS in the next column, then place "-"
 #			in this column.
 #
-#	ADDRESS		(0ptional) If included and different from the IP
+#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT or
+#                       REDIRECT) If included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to
 #			that address will be forwarded to the IP and port
-#			specified in the SERVER column.
+#			specified in the DEST column.
 #
-#			If the special value "all" is used, then requests from
+#			The address may optionally be followed by
-#			the client zone given in the CLIENT(s) column with the
+#			a colon (":") and a second IP address. This causes
-#			destination port given in PORT(s) will be forwarded to
+#			Shorewall to use the second IP address as the source
-#			the IP address given in SERVER.
+#			address in forwarded packets. See the Shorewall
+#			documentation for restrictions concerning this feature.
+#			If no source IP address is given, the original source
+#			address is not altered.
 #
-#			The address (or "all") may optionally be followed by
+#	Example: Accept SMTP requests from the DMZ to the internet
-#			a colon (":") an an IP address. This causes Shorewall
-#			to use the specified IP address as the source address
-#			in forwarded packets. See the Shorewall documentation
-#			for restrictions concerning this feature. If no source
-#			IP address is given, the original source address is not
-#			altered.
 #
-#	Example: Forward all ssh and www connection requests from the internet to
+#	#ACTION SOURCE	DEST PROTO	DEST    SOURCE	ORIGINAL
-#		 local system 192.168.1.3
+#	#                               PORT    PORT(S) DEST
+#	ACCEPT	dmz	net	  tcp	smtp
 #
-#	#RESULT SOURCE	DESTINATION	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#	Example: Forward all ssh and http connection requests from the internet
-#	ACCEPT	net	loc:192.168.1.3 tcp	ssh,www	-	       all
+#		 to local system 192.168.1.3
+#
+#	#ACTION SOURCE	DEST            PROTO	DEST    SOURCE	ORIGINAL
+#	#                                       PORT    PORT(S) DEST
+#	DNAT	net	loc:192.168.1.3 tcp	ssh,http
 #
 #	Example: Redirect all locally-originating www connection requests to
-#		 port 8080 on the firewall (Squid running on the firewall
+#		 port 3128 on the firewall (Squid running on the firewall
-#		 system)
+#		 system) except when the destination address is 192.168.2.2
 #
-#	#RESULT SOURCE	DESTINATION PROTO  PORTS(S) CLIENT PORT(S)     ADDRESS
+#	#ACTION  SOURCE	DEST      PROTO	DEST    SOURCE	ORIGINAL
-#	ACCEPT	loc	fw::8080     tcp   www	 -	       all
+#	#                               PORT    PORT(S) DEST
+#	REDIRECT loc	3128      tcp	www	 -	!192.168.2.2
+#
+#	Example: All http requests from the internet to address
+#                130.252.100.69 are to be forwarded to 192.168.1.3
+#
+#	#ACTION  SOURCE	DEST      	PROTO	DEST    SOURCE	ORIGINAL
+#	#                               	PORT    PORT(S) DEST
+#	DNAT      net	loc:192.168.1.3 tcp     80      -       130.252.100.69
 ##############################################################################
-#RESULT		SOURCE 	  DESTINATION	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL
-#
+#                       	        	PORT    PORT(S)    DEST
-# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above
-#
-REJECT		net	  fw		tcp	113
-
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Samples/one-interface/shorewall.conf

@@ -1,15 +1,22 @@
-##############################################################################
+#############################################################################
-#  /etc/shorewall/shorewall.conf V1.2 - Change the following variables to
+#  /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
 #  match your setup
 #
 #  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]         
 #
 #  This file should be placed in /etc/shorewall
 #
-#  (c) 1999, 2000, 2001 - Tom Eastep (teastep@evergo.net)  
+#  (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
+#
+# Name of the firewall zone -- if not set or if set to an empty string, "fw"
+# is assumed.
+#
+FW=fw
+
+
 # Set this to the name of the lock file expected by your init scripts. For
-# RedHat, this should be /var/lock/subsys/firewall. On Debian, it
+# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
 # should be /var/state/shorewall. If your init scripts don't use lock files,
 # set -this to "".
 #
@@ -20,7 +27,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
 # it is running
 #
 
-STATEDIR=/var/lib/firewall
+STATEDIR=/var/lib/shorewall
 
 #
 # Set this to "yes" or "Yes" if you want to accept all connection requests
@@ -47,12 +54,33 @@ MODULESDIR=""
 # maximum initial burst size that will be logged. If set empty, the default
 # value of 5 will be used.
 #
-# If BOTH variables are set empty then the rate of logging will not be
+# If BOTH variables are set empty then logging will not be rate-limited.
-# rate-limited.
 #
 
-LOGRATE="10/hour"
+LOGRATE=""
-LOGBURST=5
+LOGBURST=""
+
+
+#
+# This variable determines the level at which Mangled/Invalid packets are logged
+# under the 'dropunclean' interface option. If you set this variable to an
+# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
+# silently.
+#
+
+LOGUNCLEAN=info
+
+# This variable tells the /sbin/shorewall program where to look for Shorewall
+# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
+# /var/log/messages is assumed.
+#
+# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
+#          look for Shorewall messages.It does NOT control the destination for
+#          these messages. For information about how to do that, see
+#
+#              http://www.shorewall.net/FAQ.htm#faq6
+
+LOGFILE="/var/log/messages"
 
 #
 # Enable nat support.
@@ -60,14 +88,15 @@ LOGBURST=5
 # You probally want yes here. Only gateways not doing NAT in any form, like
 # SNAT,DNAT masquerading, port forwading etc. should say "no" here.
 #
-NAT_ENABLED="No"
+NAT_ENABLED="Yes"
 
 #
 # Enable mangle support.
 #
 # If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
 # and will not initialize the mangle table when starting or stopping
-# your firewall.
+# your firewall. You must enable mangling if you want Traffic Shaping
+# (see TC_ENABLED below).
 #
 MANGLE_ENABLED="Yes"
 
@@ -84,7 +113,6 @@ MANGLE_ENABLED="Yes"
 # enable nor disable packet forwarding.
 #
 IP_FORWARDING="Off"
-
 #
 # Automatically add IP Aliases
 #
@@ -137,6 +165,24 @@ BLACKLIST_LOGLEVEL=
 # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
 # option. This option is most commonly required when your internet
 # interface is some variant of PPP (PPTP or PPPoE). Your kernel must
+# have CONFIG_IP_NF_TARGET_TCPMSS set.
+#
+# [From the kernel help:
+#
+#    This option adds a `TCPMSS' target, which allows you to alter the
+#    MSS value of TCP SYN packets, to control the maximum size for that
+#    connection (usually limiting it to your outgoing interface's MTU
+#    minus 40).
+#
+#    This is used to overcome criminally braindead ISPs or servers which
+#    block ICMP Fragmentation Needed packets.  The symptoms of this
+#    problem are that everything works fine from your Linux
+#    firewall/router, but machines behind it can never exchange large
+#    packets:
+#        1) Web browsers connect, then hang with no data received.
+#	 2) Small mail works fine, but large emails hang.
+#	 3) ssh works fine, but scp hangs after initial handshaking.
+# ]
 #
 # If left blank, or set to "No" or "no", the option is not enabled.
 #
@@ -146,8 +192,20 @@ CLAMPMSS="No"
 # Route Filtering
 #
 # Set this variable to "Yes" or "yes" if you want kernel route filtering on all
-# interfaces.
+# interfaces (anti-spoofing measure).
 #
+# If this variable is not set or is set to the empty value, "No" is assumed.
+
 ROUTE_FILTER="No"
 
+#
+# NAT before RULES
+#
+# Shorewall has traditionally processed static NAT rules before port forwarding
+# rules. If you would like to reverse the order, set this variable to "No".
+#
+# If this variable is not set or is set to the empty value, "Yes" is assumed.
+
+NAT_BEFORE_RULES="Yes"
+
 #LAST LINE -- DO NOT REMOVE

Samples/one-interface/zones

@@ -1,5 +1,5 @@
 #
-# Shorewall 1.2 /etc/shorewall/zones
+# Shorewall 1.3 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #
@@ -7,8 +7,6 @@
 #	DISPLAY		Display name of the zone
 #	COMMENTS	Comments about the zone
 #
-# $<variable-name> is not permitted in this file.
-#
 #ZONE	DISPLAY		COMMENTS
 net	Net		Internet
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Samples/three-interfaces/common

@@ -1,31 +1,7 @@
-############################################################################
-# Shorewall 1.2 -- /etc/shorewall/common.def
 #
-# This file defines the rules that are applied before a policy of 
+# Include the standard common.def file
-# DROP or REJECT is applied. In addition to the rules defined in this file,
-# the firewall will also define a DROP rule for each subnet broadcast
-# address defined in /etc/shorewall/interfaces (including "detect").
 #
-# Do not modify this file -- if you wish to change these rules, copy this
+. common.def
-# file to /etc/shorewall/common and modify that file.
-#
-run_iptables -A common -p icmp -j icmpdef
-############################################################################
-# accept ACKs and RSTs that aren't related to any session so that the 
-# protocol stack can handle them
-#
-run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
-run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
-############################################################################
-# NETBIOS chatter
-#
-run_iptables -A common -p udp --dport 137:139     -j DROP
-run_iptables -A common -p udp --dport 445         -j DROP
-############################################################################
-# BROADCASTS
-#
-run_iptables -A common -d 255.255.255.255 -j DROP
-run_iptables -A common -d 224.0.0.0/4     -j DROP
 #
 # The following rule is non-standard and compensates for tardy
 # DNS replies

Samples/three-interfaces/interfaces

@@ -1,14 +1,19 @@
 #
-# Shorewall 1.2 -- Interfaces File
+# Shorewall 1.3 -- Interfaces File
 #
 # /etc/shorewall/interfaces
 #
+#	You must add an entry in this file for each network interface on your
+#	firewall system.
+#
 # Columns are:
 #
-#	ZONE		Zone for this interface. Much match the short name
+#	ZONE		Zone for this interface. Must match the short name
 #			of a zone defined in /etc/shorewall/zones.
 #
-#			$<variable-name> is not allowed in this column.
+#			If the interface serves multiple zones that will be
+#			defined in the /etc/shorewall/hosts file, you may
+#			place "-" in this column.
 #	
 #	INTERFACE	Name of interface
 #
@@ -29,7 +34,8 @@
 #	OPTIONS		A comma-separated list of options including the
 #			following:
 #
-#			dhcp	     - interface is managed by DHCP
+#			dhcp	     - interface is managed by DHCP or used by
+#                                      a DHCP server running on the firewall.
 #			noping	     - icmp echo-request (ping) packets should
 #				       be ignored on this interface
 #			routestopped - When the firewall is stopped, allow
@@ -39,12 +45,22 @@
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
 #				       (i.e., private or "non-routable"
-#				       addresses.
+#				       addresses. If packet mangling is
+#				       enabled in shorewall.conf, packets
+#				       whose destination addresses are
+#				       reserved by RFC 1918 are also rejected.
 #			multi	     - This interface has multiple IP
 #				       addresses and you want to be able to
 #				       route between them.
 #			routefilter  - turn on kernel route filtering for this
 #				       interface (anti-spoofing measure).
+#			dropunclean  - Logs and drops mangled/invalid packets
+#
+#			logunclean   - Logs mangled/invalid packets but does
+#				       not drop them.
+#	.	.	blacklist    - Check packets arriving on this interface
+#				       against the /etc/shorewall/blacklist
+#				       file.
 #
 #	Example 1:	Suppose you have eth0 connected to a DSL modem and
 #			eth1 connected to your local network and that your
@@ -66,7 +82,7 @@
 #			addresses is:
 #
 #			net	eth0	detect		noping,dhcp
-#			local	eth1	detect		routestopped
+#			loc	eth1	detect		routestopped
 #			dmz	eth2	detect
 #
 #	Example 3:	You have a simple dial-in system with no ethernet

Samples/three-interfaces/masq

@@ -1,9 +1,10 @@
 #
-# Shorewall 1.2 - Masquerade file
+# Shorewall 1.3 - Masquerade file
 #
 # /etc/shorewall/masq
 #
-# Use this file to define dynamic NAT (Masquerading)
+# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
+# (SNAT).
 #
 # Columns are:
 #
@@ -17,6 +18,27 @@
 #		  interface, you must have iproute installed and the interface
 #		  must be up before you start the firewall.
 #
+#		  In order to exclude a subset of the specified SUBNET, you
+#		  may append "!" and a comma-separated list of IP addresses
+#		  and/or subnets that you wish to exclude.
+#
+#		  Example: eth1!192.168.1.4,192.168.32.0/27
+#
+#		  In that example traffic from eth1 would be masqueraded unless
+#		  it came from 192.168.1.4 or 196.168.32.0/27
+#
+#	ADDRESS -- (Optional).  If you specify an address here, SNAT will be
+#				used and this will be the source address. If
+#				ADD_SNAT_ALIASES is set to Yes or yes in
+#				/etc/shorewall/shorewall.conf then Shorewall
+#				will automatically add this address to the
+#				INTERFACE named in the first column.
+#
+#				WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
+#				the address given in this column is the primary
+#				IP address for the interface in the INTERFACE
+#				column.
+#
 #	Example 1:
 #
 #		  You have a simple masquerading setup where eth0 connects to
@@ -47,8 +69,15 @@
 #
 #                       ipsec0:10.1.1.0/24      196.168.1.0/24
 #
+#	Example 4:
+#
+#		  You want all outgoing traffic from 192.168.1.0/24 through
+#		  eth0 to use source address 206.124.146.176.
+#
+#			eth0	192.168.1.0/24	206.124.146.176
+#
 ##############################################################################
-#INTERFACE	        SUBNET
+#INTERFACE	        SUBNET		ADDRESS
 eth0			eth1
 eth0			eth2
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/three-interfaces/policy

@@ -1,31 +1,37 @@
 #
-# Shorewall 1.2 -- Policy File
+# Shorewall 1.3 -- Policy File
 #
 # /etc/shorewall/policy
 #
 #	This file determines what to do with a new connection request if we
-#	don't get a match from the /etc/seafall/rules file. For each
+#	don't get a match from the /etc/shorewall/rules file or from the
-#	client/server pair, the file is processed in order until a match is
+#	/etc/shorewall/common[.def] file. For each source/destination pair, the
-#	found ("all" will match any client or server).
+#	file is processed in order until a match is found ("all" will match
-#
+#	any client or server).
-#	$<variable-name> is only permitted in the fourth colunm (LOG LEVEL).
 #
 # Columns are:
 #
-#	SOURCE		Location of client. Must be the name of a zone defined
+#	SOURCE		Source zone. Must be the name of a zone defined
-#			in /etc/shorewall/zones, "fw" or "all".
+#			in /etc/shorewall/zones, $FW or "all".
 #
-#	DESTINATION	Location of server. Must be the name of a zone defined
+#	DEST		Destination zone. Must be the name of a zone defined
-#			in /etc/shorewall/zones, "fw" or "all"
+#			in /etc/shorewall/zones, $FW or "all"
 #
 #	POLICY		Policy if no match from the rules file is found. Must
-#			be "ACCEPT", "DENY", "REJECT"
+#			be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
 #
 #	LOG LEVEL	If supplied, each connection handled under the default
 #			POLICY is logged at that level. If not supplied, no
 #			log message is generated. See syslog.conf(5) for a
 #			description of log levels.
 #
+#			If you don't want to log but need to specify the
+#			following column, place "_" here.
+#
+#	LIMIT:BURST	If passed, specifies the maximum TCP connection rate
+#			and the size of an acceptable burst. If not specified,
+#			TCP connections are not limited.
+#
 #	As shipped, the default policies are:
 #
 #	a) All connections from the local network to the internet are allowed
@@ -34,7 +40,7 @@
 #	d) All other connection requests are rejected and logged at level
 #	   KERNEL.INFO.
 ###############################################################################
-#SOURCE		DESTINATION	POLICY		LOG LEVEL
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 loc		net		ACCEPT
 #
 # If you want open access to the internet from your firewall, uncomment the

Samples/three-interfaces/rules

@@ -1,45 +1,67 @@
 #
-# Shorewall version 1.2 - Rules File
+# Shorewall version 1.3 - Rules File
 #
 # /etc/shorewall/rules
 #
 #	Rules in this file govern connection establishment. Requests and
 #	responses are automatically allowed using connection tracking.
 #
+#	In most places where an IP address or subnet is allowed, you
+#	can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
+#	indicate that the rule matches all addresses except the address/subnet
+#	given. Notice that no white space is permitted between "!" and the
+#	address/subnet.
+#
 # Columns are:
 #
 #
-#	RESULT		ACCEPT, DROP or REJECT
+#	ACTION		ACCEPT, DROP, REJECT, DNAT or REDIRECT
 #
 #				ACCEPT   -- allow the connection request
 #				DROP     -- ignore the request
 #				REJECT   -- disallow the request and return an
-#					  icmp-unreachable packet.
+#					    icmp-unreachable or an RST packet.
-#
+#				DNAT     -- Forward the request to another
-#			The line may NOT start with $<variable-name>
+#					    system (and optionally another
+#					    port).
+#				REDIRECT -- Redirect the request to a local
+#					    port on the firewall.
 #
 #			May optionally be followed by ":" and a syslog log
 #			level (e.g, REJECT:info). This causes the packet to be
 #			logged at the specified level.
 #
-#	SOURCE		Hosts permitted to be clients. May be a zone defined
+#	SOURCE		Source hosts to which the rule applies. May be a zone
-#			in /etc/shorewall/zones or "fw" to indicate the
+#                       defined in /etc/shorewall/zones or $FW to indicate the
-#			firewall itself.
+#			firewall itself. If the ACTION is DNAT or REDIRECT,
+#			sub-zones of the specified zone may be excluded from
+#			the rule by following the zone name with "!' and a
+#			comma-separated list of sub-zone names.
 #
-#			Clients may be further restricted to a particular
+#			Clients may be further restricted to a list of subnets
-#			subnet or host by appending ":" and the subnet or host.
+#			and/or hosts by appending ":" and a comma-separated
+#			list of subnets and/or hosts. Hosts may be specified
+#			by IP or MAC address; mac addresses must begin with
+#			"~" and must use "-" as a separator.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
+#
 #			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
 #						Internet
 #
+#			loc:192.168.1.1,192.168.1.2
+#						Hosts 192.168.1.1 and
+#						192.168.1.2 in the local zone.
+#			loc:~00-A0-C9-15-39-78  Host in the local zone with
+#                                               MAC address 00:A0:C9:15:39:78.
+#
 #			Alternatively, clients may be specified by interface
 #			by appending ":" followed by the interface name. For
 #			example, loc:eth1 specifies a client that
 #			communicates with the firewall system through eth1.
 #
-#	DESTINATION	Location of Server. May be a zone defined in
+#	DEST		Location of Server. May be a zone defined in
-#			/etc/shorewall/zones or "fw" to indicate the firewall
+#			/etc/shorewall/zones or $FW to indicate the firewall
 #			itself.
 #
 #			The server may be further restricted to a particular
@@ -51,77 +73,90 @@
 #			":". If omitted, the firewall will not modifiy the
 #			destination port.
 #
-#			Example: loc:192.168.1.3:8080 specifies a local
+#			Example: loc:192.168.1.3:3128 specifies a local
 #			server at IP address 192.168.1.3 and listening on port
-#			8080. The port number MUST be specified as an integer
+#			3128. The port number MUST be specified as an integer
 #			and not as a name from /etc/services.
 #
+#			if the RESULT is REDIRECT, this column needs only to
+#			contain the port number on the firewall that the
+#			request should be redirected to.
+#
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
 #			"all" or "related". If "related", the remainder of the
 #			entry must be omitted and connection requests that are
 #			related to existing requests will be accepted.
 #
-#	PORT(S)		Destination Port. A comma-separated list of Port names
+#	DEST PORT(S)    Destination Ports. A comma-separated list of Port
-#			(from /etc/services), port numbers or port ranges;
+#			names (from /etc/services), port numbers or port
-#			if the protocol is "icmp", this column is interpreted as
+#			ranges; if the protocol is "icmp", this column is
-#			the destination icmp-type. If this column contains the
+#			interpreted as the destination icmp-type(s).
-#			value "none", the rule is ignored.
 #
 #			This column is ignored if PROTOCOL = all but must be
-#			entered if any of the following fields are supplied.
+#			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
 #	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
-#			any source port is acceptable.
+#			any source port is acceptable. Specified as a comma-
+#			separated list of port names, port numbers or port
+#			ranges.
 #
 #			If you don't want to restrict client ports but need to
 #			specify an ADDRESS in the next column, then place "-"
 #			in this column.
 #
-#	ADDRESS		(0ptional) If included and different from the IP
+#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT or
+#                       REDIRECT) If included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to
 #			that address will be forwarded to the IP and port
-#			specified in the SERVER column.
+#			specified in the DEST column.
 #
-#			If the special value "all" is used, then requests from
+#			The address may optionally be followed by
-#			the client zone given in the CLIENT(s) column with the
+#			a colon (":") and a second IP address. This causes
-#			destination port given in PORT(s) will be forwarded to
+#			Shorewall to use the second IP address as the source
-#			the IP address given in SERVER.
+#			address in forwarded packets. See the Shorewall
+#			documentation for restrictions concerning this feature.
+#			If no source IP address is given, the original source
+#			address is not altered.
 #
-#			The address (or "all") may optionally be followed by
+#	Example: Accept SMTP requests from the DMZ to the internet
-#			a colon (":") an an IP address. This causes Shorewall
-#			to use the specified IP address as the source address
-#			in forwarded packets. See the Shorewall documentation
-#			for restrictions concerning this feature. If no source
-#			IP address is given, the original source address is not
-#			altered.
 #
-#	Example: Forward all ssh and www connection requests from the internet to
+#	#ACTION SOURCE	DEST PROTO	DEST    SOURCE	ORIGINAL
-#		 local system 192.168.1.3
+#	#                               PORT    PORT(S) DEST
+#	ACCEPT	dmz	net	  tcp	smtp
 #
-#	#RESULT CLIENTS	SERVER(S)	  PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#	Example: Forward all ssh and http connection requests from the internet
-#	ACCEPT	net	loc:192.168.1.3 tcp	ssh,www	-	       all
+#		 to local system 192.168.1.3
+#
+#	#ACTION SOURCE	DEST            PROTO	DEST    SOURCE	ORIGINAL
+#	#                                       PORT    PORT(S) DEST
+#	DNAT	net	loc:192.168.1.3 tcp	ssh,http
 #
 #	Example: Redirect all locally-originating www connection requests to
-#		 port 8080 on the firewall (Squid running on the firewall
+#		 port 3128 on the firewall (Squid running on the firewall
-#		 system)
+#		 system) except when the destination address is 192.168.2.2
 #
-#	#RESULT CLIENTS	SERVER(S) PROTO	PORTS(S) CLIENT PORT(S)	ADDRESS
+#	#ACTION  SOURCE	DEST      PROTO	DEST    SOURCE	ORIGINAL
-#	ACCEPT	loc	fw::8080  tcp	www	 -		all
+#	#                               PORT    PORT(S) DEST
+#	REDIRECT loc	3128      tcp	www	 -	!192.168.2.2
+#
+#	Example: All http requests from the internet to address
+#                130.252.100.69 are to be forwarded to 192.168.1.3
+#
+#	#ACTION  SOURCE	DEST      	PROTO	DEST    SOURCE	ORIGINAL
+#	#                               	PORT    PORT(S) DEST
+#	DNAT      net	loc:192.168.1.3 tcp     80      -       130.252.100.69
 ##############################################################################
-#RESULT	CLIENT(S) SERVER(S)		PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL
+#                       	        	PORT    PORT(S)    DEST
 #
 # Accept outgoing DNS connections from the firewall
 #
 ACCEPT	fw	  net			tcp	53
 ACCEPT	fw	  net			udp	53
 #
-# To avoid connection delays, reject AUTH
-#
-REJECT		net	  fw		tcp	113
-#
 # Accept SSH connections from the local network to the firewall and DMZ
 #
 ACCEPT	loc	  fw			tcp	22

Samples/three-interfaces/zones

@@ -1,5 +1,5 @@
 #
-# Shorewall 1.2 /etc/shorewall/zones
+# Shorewall 1.3 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #

Samples/two-interfaces/common

@@ -1,31 +1,7 @@
-############################################################################
-# Shorewall 1.2 -- /etc/shorewall/common.def
 #
-# This file defines the rules that are applied before a policy of 
+# Include the standard common.def file
-# DROP or REJECT is applied. In addition to the rules defined in this file,
-# the firewall will also define a DROP rule for each subnet broadcast
-# address defined in /etc/shorewall/interfaces (including "detect").
 #
-# Do not modify this file -- if you wish to change these rules, copy this
+. common.def
-# file to /etc/shorewall/common and modify that file.
-#
-run_iptables -A common -p icmp -j icmpdef
-############################################################################
-# accept ACKs and RSTs that aren't related to any session so that the 
-# protocol stack can handle them
-#
-run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
-run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
-############################################################################
-# NETBIOS chatter
-#
-run_iptables -A common -p udp --dport 137:139     -j DROP
-run_iptables -A common -p udp --dport 445         -j DROP
-############################################################################
-# BROADCASTS
-#
-run_iptables -A common -d 255.255.255.255 -j DROP
-run_iptables -A common -d 224.0.0.0/4     -j DROP
 #
 # The following rule is non-standard and compensates for tardy
 # DNS replies

Samples/two-interfaces/interfaces

@@ -1,14 +1,19 @@
 #
-# Shorewall 1.2 -- Interfaces File
+# Shorewall 1.3 -- Interfaces File
 #
 # /etc/shorewall/interfaces
 #
+#	You must add an entry in this file for each network interface on your
+#	firewall system.
+#
 # Columns are:
 #
-#	ZONE		Zone for this interface. Much match the short name
+#	ZONE		Zone for this interface. Must match the short name
 #			of a zone defined in /etc/shorewall/zones.
 #
-#			$<variable-name> is not allowed in this column.
+#			If the interface serves multiple zones that will be
+#			defined in the /etc/shorewall/hosts file, you may
+#			place "-" in this column.
 #	
 #	INTERFACE	Name of interface
 #
@@ -29,7 +34,8 @@
 #	OPTIONS		A comma-separated list of options including the
 #			following:
 #
-#			dhcp	     - interface is managed by DHCP
+#			dhcp	     - interface is managed by DHCP or used by
+#                                      a DHCP server running on the firewall.
 #			noping	     - icmp echo-request (ping) packets should
 #				       be ignored on this interface
 #			routestopped - When the firewall is stopped, allow
@@ -39,12 +45,22 @@
 #				       any packets whose source is in one
 #				       of the ranges reserved by RFC 1918
 #				       (i.e., private or "non-routable"
-#				       addresses.
+#				       addresses. If packet mangling is
+#				       enabled in shorewall.conf, packets
+#				       whose destination addresses are
+#				       reserved by RFC 1918 are also rejected.
 #			multi	     - This interface has multiple IP
 #				       addresses and you want to be able to
 #				       route between them.
 #			routefilter  - turn on kernel route filtering for this
 #				       interface (anti-spoofing measure).
+#			dropunclean  - Logs and drops mangled/invalid packets
+#
+#			logunclean   - Logs mangled/invalid packets but does
+#				       not drop them.
+#	.	.	blacklist    - Check packets arriving on this interface
+#				       against the /etc/shorewall/blacklist
+#				       file.
 #
 #	Example 1:	Suppose you have eth0 connected to a DSL modem and
 #			eth1 connected to your local network and that your
@@ -66,7 +82,7 @@
 #			addresses is:
 #
 #			net	eth0	detect		noping,dhcp
-#			local	eth1	detect		routestopped
+#			loc	eth1	detect		routestopped
 #			dmz	eth2	detect
 #
 #	Example 3:	You have a simple dial-in system with no ethernet

Samples/two-interfaces/masq

@@ -1,9 +1,10 @@
 #
-# Shorewall 1.2 - Masquerade file
+# Shorewall 1.3 - Masquerade file
 #
 # /etc/shorewall/masq
 #
-# Use this file to define dynamic NAT (Masquerading)
+# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
+# (SNAT).
 #
 # Columns are:
 #
@@ -17,6 +18,27 @@
 #		  interface, you must have iproute installed and the interface
 #		  must be up before you start the firewall.
 #
+#		  In order to exclude a subset of the specified SUBNET, you
+#		  may append "!" and a comma-separated list of IP addresses
+#		  and/or subnets that you wish to exclude.
+#
+#		  Example: eth1!192.168.1.4,192.168.32.0/27
+#
+#		  In that example traffic from eth1 would be masqueraded unless
+#		  it came from 192.168.1.4 or 196.168.32.0/27
+#
+#	ADDRESS -- (Optional).  If you specify an address here, SNAT will be
+#				used and this will be the source address. If
+#				ADD_SNAT_ALIASES is set to Yes or yes in
+#				/etc/shorewall/shorewall.conf then Shorewall
+#				will automatically add this address to the
+#				INTERFACE named in the first column.
+#
+#				WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
+#				the address given in this column is the primary
+#				IP address for the interface in the INTERFACE
+#				column.
+#
 #	Example 1:
 #
 #		  You have a simple masquerading setup where eth0 connects to
@@ -47,7 +69,14 @@
 #
 #                       ipsec0:10.1.1.0/24      196.168.1.0/24
 #
+#	Example 4:
+#
+#		  You want all outgoing traffic from 192.168.1.0/24 through
+#		  eth0 to use source address 206.124.146.176.
+#
+#			eth0	192.168.1.0/24	206.124.146.176
+#
 ##############################################################################
-#INTERFACE	        SUBNET
+#INTERFACE	        SUBNET		ADDRESS
 eth0			eth1
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Samples/two-interfaces/policy

@@ -1,31 +1,37 @@
 #
-# Shorewall 1.2 -- Policy File
+# Shorewall 1.3 -- Policy File
 #
 # /etc/shorewall/policy
 #
 #	This file determines what to do with a new connection request if we
-#	don't get a match from the /etc/seafall/rules file. For each
+#	don't get a match from the /etc/shorewall/rules file or from the
-#	client/server pair, the file is processed in order until a match is
+#	/etc/shorewall/common[.def] file. For each source/destination pair, the
-#	found ("all" will match any client or server).
+#	file is processed in order until a match is found ("all" will match
-#
+#	any client or server).
-#	$<variable-name> is only permitted in the fourth colunm (LOG LEVEL).
 #
 # Columns are:
 #
-#	SOURCE		Location of client. Must be the name of a zone defined
+#	SOURCE		Source zone. Must be the name of a zone defined
-#			in /etc/shorewall/zones, "fw" or "all".
+#			in /etc/shorewall/zones, $FW or "all".
 #
-#	DESTINATION	Location of server. Must be the name of a zone defined
+#	DEST		Destination zone. Must be the name of a zone defined
-#			in /etc/shorewall/zones, "fw" or "all"
+#			in /etc/shorewall/zones, $FW or "all"
 #
 #	POLICY		Policy if no match from the rules file is found. Must
-#			be "ACCEPT", "DENY", "REJECT"
+#			be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
 #
 #	LOG LEVEL	If supplied, each connection handled under the default
 #			POLICY is logged at that level. If not supplied, no
 #			log message is generated. See syslog.conf(5) for a
 #			description of log levels.
 #
+#			If you don't want to log but need to specify the
+#			following column, place "_" here.
+#
+#	LIMIT:BURST	If passed, specifies the maximum TCP connection rate
+#			and the size of an acceptable burst. If not specified,
+#			TCP connections are not limited.
+#
 #	As shipped, the default policies are:
 #
 #	a) All connections from the local network to the internet are allowed
@@ -34,7 +40,7 @@
 #	d) All other connection requests are rejected and logged at level
 #	   KERNEL.INFO.
 ###############################################################################
-#SOURCE		DESTINATION	POLICY		LOG LEVEL
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 loc		net		ACCEPT
 #
 # If you want open access to the internet from your firewall, uncomment the

Samples/two-interfaces/rules

@@ -1,45 +1,67 @@
 #
-# Shorewall version 1.2 - Rules File
+# Shorewall version 1.3 - Rules File
 #
 # /etc/shorewall/rules
 #
 #	Rules in this file govern connection establishment. Requests and
 #	responses are automatically allowed using connection tracking.
 #
+#	In most places where an IP address or subnet is allowed, you
+#	can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
+#	indicate that the rule matches all addresses except the address/subnet
+#	given. Notice that no white space is permitted between "!" and the
+#	address/subnet.
+#
 # Columns are:
 #
 #
-#	RESULT		ACCEPT, DROP or REJECT
+#	ACTION		ACCEPT, DROP, REJECT, DNAT or REDIRECT
 #
 #				ACCEPT   -- allow the connection request
 #				DROP     -- ignore the request
 #				REJECT   -- disallow the request and return an
-#					  icmp-unreachable packet.
+#					    icmp-unreachable or an RST packet.
-#
+#				DNAT     -- Forward the request to another
-#			The line may NOT start with $<variable-name>
+#					    system (and optionally another
+#					    port).
+#				REDIRECT -- Redirect the request to a local
+#					    port on the firewall.
 #
 #			May optionally be followed by ":" and a syslog log
 #			level (e.g, REJECT:info). This causes the packet to be
 #			logged at the specified level.
 #
-#	CLIENT(S)	Hosts permitted to be clients. May be a zone defined
+#	SOURCE		Source hosts to which the rule applies. May be a zone
-#			in /etc/shorewall/zones or "fw" to indicate the
+#                       defined in /etc/shorewall/zones or $FW to indicate the
-#			firewall itself.
+#			firewall itself. If the ACTION is DNAT or REDIRECT,
+#			sub-zones of the specified zone may be excluded from
+#			the rule by following the zone name with "!' and a
+#			comma-separated list of sub-zone names.
 #
-#			Clients may be further restricted to a particular
+#			Clients may be further restricted to a list of subnets
-#			subnet or host by appending ":" and the subnet or host.
+#			and/or hosts by appending ":" and a comma-separated
+#			list of subnets and/or hosts. Hosts may be specified
+#			by IP or MAC address; mac addresses must begin with
+#			"~" and must use "-" as a separator.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
+#
 #			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
 #						Internet
 #
+#			loc:192.168.1.1,192.168.1.2
+#						Hosts 192.168.1.1 and
+#						192.168.1.2 in the local zone.
+#			loc:~00-A0-C9-15-39-78  Host in the local zone with
+#                                               MAC address 00:A0:C9:15:39:78.
+#
 #			Alternatively, clients may be specified by interface
 #			by appending ":" followed by the interface name. For
 #			example, loc:eth1 specifies a client that
 #			communicates with the firewall system through eth1.
 #
-#	SERVER		Location of Server. May be a zone defined in
+#	DEST		Location of Server. May be a zone defined in
-#			/etc/shorewall/zones or "fw" to indicate the firewall
+#			/etc/shorewall/zones or $FW to indicate the firewall
 #			itself.
 #
 #			The server may be further restricted to a particular
@@ -51,73 +73,84 @@
 #			":". If omitted, the firewall will not modifiy the
 #			destination port.
 #
-#			Example: loc:192.168.1.3:8080 specifies a local
+#			Example: loc:192.168.1.3:3128 specifies a local
 #			server at IP address 192.168.1.3 and listening on port
-#			8080. The port number MUST be specified as an integer
+#			3128. The port number MUST be specified as an integer
 #			and not as a name from /etc/services.
 #
+#			if the RESULT is REDIRECT, this column needs only to
+#			contain the port number on the firewall that the
+#			request should be redirected to.
+#
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
 #			"all" or "related". If "related", the remainder of the
 #			entry must be omitted and connection requests that are
 #			related to existing requests will be accepted.
 #
-#	PORT(S)		Destination Port. A comma-separated list of Port names
+#	DEST PORT(S)    Destination Ports. A comma-separated list of Port
-#			(from /etc/services), port numbers or port ranges;
+#			names (from /etc/services), port numbers or port
-#			if the protocol is "icmp", this column is interpreted as
+#			ranges; if the protocol is "icmp", this column is
-#			the destination icmp-type. If this column contains the
+#			interpreted as the destination icmp-type(s).
-#			value "none", the rule is ignored.
 #
 #			This column is ignored if PROTOCOL = all but must be
-#			entered if any of the following fields are supplied.
+#			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
 #	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
-#			any source port is acceptable.
+#			any source port is acceptable. Specified as a comma-
+#			separated list of port names, port numbers or port
+#			ranges.
 #
 #			If you don't want to restrict client ports but need to
 #			specify an ADDRESS in the next column, then place "-"
 #			in this column.
 #
-#	ADDRESS		(0ptional) If included and different from the IP
+#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT or
+#                       REDIRECT) If included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to
 #			that address will be forwarded to the IP and port
-#			specified in the SERVER column.
+#			specified in the DEST column.
 #
-#			If the special value "all" is used, then requests from
+#			The address may optionally be followed by
-#			the client zone given in the CLIENT(s) column with the
+#			a colon (":") and a second IP address. This causes
-#			destination port given in PORT(s) will be forwarded to
+#			Shorewall to use the second IP address as the source
-#			the IP address given in SERVER.
+#			address in forwarded packets. See the Shorewall
+#			documentation for restrictions concerning this feature.
+#			If no source IP address is given, the original source
+#			address is not altered.
 #
-#			The address (or "all") may optionally be followed by
+#	Example: Accept SMTP requests from the DMZ to the internet
-#			a colon (":") an an IP address. This causes Shorewall
-#			to use the specified IP address as the source address
-#			in forwarded packets. See the Shorewall documentation
-#			for restrictions concerning this feature. If no source
-#			IP address is given, the original source address is not
-#			altered.
 #
-#	Example: Forward all ssh and www connection requests from the internet to
+#	#ACTION SOURCE	DEST PROTO	DEST    SOURCE	ORIGINAL
-#		 local system 192.168.1.3
+#	#                               PORT    PORT(S) DEST
+#	ACCEPT	dmz	net	  tcp	smtp
 #
-#	#RESULT CLIENTS	SERVER(S)	  PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#	Example: Forward all ssh and http connection requests from the internet
-#	ACCEPT	net	loc:192.168.1.3 tcp	ssh,www	-	       all
+#		 to local system 192.168.1.3
+#
+#	#ACTION SOURCE	DEST            PROTO	DEST    SOURCE	ORIGINAL
+#	#                                       PORT    PORT(S) DEST
+#	DNAT	net	loc:192.168.1.3 tcp	ssh,http
 #
 #	Example: Redirect all locally-originating www connection requests to
-#		 port 8080 on the firewall (Squid running on the firewall
+#		 port 3128 on the firewall (Squid running on the firewall
-#		 system)
+#		 system) except when the destination address is 192.168.2.2
 #
-#	#RESULT CLIENTS	SERVER(S) PROTO	PORTS(S) CLIENT PORT(S)	ADDRESS
+#	#ACTION  SOURCE	DEST      PROTO	DEST    SOURCE	ORIGINAL
-#	ACCEPT	loc	fw::8080  tcp	www	 -		all
+#	#                               PORT    PORT(S) DEST
+#	REDIRECT loc	3128      tcp	www	 -	!192.168.2.2
+#
+#	Example: All http requests from the internet to address
+#                130.252.100.69 are to be forwarded to 192.168.1.3
+#
+#	#ACTION  SOURCE	DEST      	PROTO	DEST    SOURCE	ORIGINAL
+#	#                               	PORT    PORT(S) DEST
+#	DNAT      net	loc:192.168.1.3 tcp     80      -       130.252.100.69
 ##############################################################################
-#RESULT		CLIENT(S) SERVER(S)	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+#ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL
-#
+#                       	        	PORT    PORT(S)    DEST
-#
-# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above
-#
-REJECT		net	  fw		tcp	113
-#
 # Accept DNS connections from the firewall to the network
 #
 ACCEPT		fw	  net		tcp	53

Samples/two-interfaces/zones

@@ -1,5 +1,5 @@
 #
-# Shorewall 1.2 /etc/shorewall/zones
+# Shorewall 1.3 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #