Changes for 1.3.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@180 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2002-08-06 20:45:44 +00:00 · 2002-08-06 20:45:44 +00:00 · ede4e38db2
commit ede4e38db2
parent f8832018d2
9 changed files with 92 additions and 32 deletions
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@ -35,7 +35,9 @@
 #			following:
 #
 #			dhcp	     - interface is managed by DHCP or used by
-#                                      a DHCP server running on the firewall.
+#                                      a DHCP server running on the firewall or
+#				       you have a static IP but are on a LAN
+#				       segment with lots of Laptop DHCP clients.
 #			noping	     - icmp echo-request (ping) packets
 #				       addressed to the firewall should
 #				       be ignored on this interface
@ -65,7 +67,9 @@
 #				       addresses and you want to be able to
 #				       route between them.
 #			routefilter  - turn on kernel route filtering for this
-#				       interface (anti-spoofing measure).
+#				       interface (anti-spoofing measure). This
+#                                      option can also be enabled globally in
+#				       the /etc/shorewall/shorewall.conf file.
 #			dropunclean  - Logs and drops mangled/invalid packets
 #
 #			logunclean   - Logs mangled/invalid packets but does
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@ -35,7 +35,7 @@
 #	As shipped, the default policies are:
 #
 #	a) All connections from the local network to the internet are allowed
-#	b) All connections from the network are ignored but logged at syslog
+#	b) All connections from the internet are ignored but logged at syslog
 #	   level KERNEL.INFO.
 #	d) All other connection requests are rejected and logged at level
 #	   KERNEL.INFO.
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@ -9,26 +9,35 @@
 #  (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
 #
+# NAME OF THE FIREWALL ZONE
+#
 # Name of the firewall zone -- if not set or if set to an empty string, "fw"
 # is assumed.
 #
 FW=fw

-
+#
+# SUBSYSTEM LOCK FILE
+#
 # Set this to the name of the lock file expected by your init scripts. For
 # RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
 # should be /var/state/shorewall. If your init scripts don't use lock files,
-# set -this to "".
+# set this to "".
 #

 SUBSYSLOCK=/var/lock/subsys/shorewall

+#
+# SHOREWALL TEMPORARY STATE DIRECTORY
+#
 # This is the directory where the firewall maintains state information while
 # it is running
 #

 STATEDIR=/var/lib/shorewall

+#
+# ALLOW RELATED CONNECTIONS
 #
 # Set this to "yes" or "Yes" if you want to accept all connection requests
 # that are related to already established connections. For example, you want
@ -39,6 +48,8 @@ STATEDIR=/var/lib/shorewall

 ALLOWRELATED=yes

+#
+# KERNEL MODULE DIRECTORY
 #
 # If your netfilter kernel modules are in a directory other than
 # /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
@ -46,6 +57,8 @@ ALLOWRELATED=yes

 MODULESDIR=

+#
+# LOG RATE LIMITING
 #
 # The next two variables can be used to control the amount of log output
 # generated. LOGRATE is expressed as a number followed by an optional
@ -54,22 +67,35 @@ MODULESDIR=
 # maximum initial burst size that will be logged. If set empty, the default
 # value of 5 will be used.
 #
+# Example:
+#
+#	LOGRATE=10/minute
+#	LOGBURST=5
+#
 # If BOTH variables are set empty then logging will not be rate-limited.
 #

 LOGRATE=
 LOGBURST=

-
+#
+# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
 #
 # This variable determines the level at which Mangled/Invalid packets are logged
 # under the 'dropunclean' interface option. If you set this variable to an
 # empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
 # silently.
 #
+# The value of this variable also determines the level at which Mangled/Invalid
+# packets are logged under the 'logunclean' interface option. If the variable
+# is empty, these packets will still be logged at the 'info' level.
+#

 LOGUNCLEAN=info

+#
+# LOG FILE LOCATION
+#
 # This variable tells the /sbin/shorewall program where to look for Shorewall
 # log messages. If not set or set to an empty string (e.g., LOGFILE="") then
 # /var/log/messages is assumed.
@ -83,7 +109,7 @@ LOGUNCLEAN=info
 LOGFILE=/var/log/messages

 #
-# Enable nat support.
+# ENABLE NAT SUPPORT
 #
 # You probally want yes here. Only gateways not doing NAT in any form, like
 # SNAT,DNAT masquerading, port forwading etc. should say "no" here.
@ -91,7 +117,7 @@ LOGFILE=/var/log/messages
 NAT_ENABLED=Yes

 #
-# Enable mangle support.
+# ENABLE MANGLE SUPPORT
 #
 # If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
 # and will not initialize the mangle table when starting or stopping
@ -101,7 +127,7 @@ NAT_ENABLED=Yes
 MANGLE_ENABLED=Yes

 #
-# Enable IP Forwarding
+# ENABLE IP FORWARDING
 #
 # If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
 # say "Off" or "off", packet forwarding will be disabled. You would only want
@ -113,26 +139,27 @@ MANGLE_ENABLED=Yes
 # enable nor disable packet forwarding.
 #
 IP_FORWARDING=Off
+
 #
-# Automatically add IP Aliases
+# AUTOMATICALLY ADD NAT IP ADDRESSES
 #
-# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
 # for each NAT external address that you give in /etc/shorewall/nat. If you say
 # "No" or "no", you must add these aliases youself.
 #
 ADD_IP_ALIASES=Yes

 #
-# Automatically add SNAT Aliases
+# AUTOMATICALLY ADD SNAT IP ADDRESSES
 #
-# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
 # for each SNAT external address that you give in /etc/shorewall/masq. If you say
 # "No" or "no", you must add these aliases youself.
 #
 ADD_SNAT_ALIASES=No

 #
-# Enable Traffic Shaping
+# ENABLE TRAFFIC SHAPING
 #
 # If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
 # you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
@ -142,7 +169,7 @@ ADD_SNAT_ALIASES=No
 TC_ENABLED=No

 #
-# Blacklisting
+# BLACKLIST DISPOSITION
 #
 # Set this variable to the action that you want to perform on packets from
 # Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
@ -151,7 +178,7 @@ TC_ENABLED=No
 BLACKLIST_DISPOSITION=DROP

 #
-# Blacklist Logging
+# BLACKLIST LOG LEVEL
 #
 # Set this variable to the syslogd level that you want blacklist packets logged
 # (beward of DOS attacks resulting from such logging). If not set, no logging
@ -160,7 +187,7 @@ BLACKLIST_DISPOSITION=DROP
 BLACKLIST_LOGLEVEL=

 #
-# MSS Clamping
+# MSS CLAMPING
 #
 # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
 # option. This option is most commonly required when your internet
@ -189,17 +216,19 @@ BLACKLIST_LOGLEVEL=
 CLAMPMSS=No

 #
-# Route Filtering
+# ROUTE FILTERING
 #
 # Set this variable to "Yes" or "yes" if you want kernel route filtering on all
 # interfaces (anti-spoofing measure).
 #
 # If this variable is not set or is set to the empty value, "No" is assumed.
+# In that case, you can still enable route filtering on individual interfaces
+# in the /etc/shorewall/interfaces file.

 ROUTE_FILTER=No

 #
-# NAT before RULES
+# NAT BEFORE RULES
 #
 # Shorewall has traditionally processed static NAT rules before port forwarding
 # rules. If you would like to reverse the order, set this variable to "No".
@ -208,7 +237,7 @@ ROUTE_FILTER=No

 NAT_BEFORE_RULES=Yes

-# MULTIPORT
+# MULTIPORT support
 #
 # If your kernel includes the multiport match option
 # (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
@ -228,7 +257,7 @@ NAT_BEFORE_RULES=Yes

 MULTIPORT=No

-# DNAT IP Address Detection
+# DNAT IP ADDRESS DETECTION
 #
 # Normally when Shorewall encounters the following rule:
 #
@ -259,7 +288,8 @@ MULTIPORT=No

 DETECT_DNAT_IPADDRS=No

-# Merge Hosts File
+#
+# MERGE HOSTS FILE
 #
 # The traditional behavior of the /etc/shorewall/hosts file has been that
 # if that file has ANY entry for a zone then the zone must be defined 
@ -292,7 +322,7 @@ DETECT_DNAT_IPADDRS=No
 MERGE_HOSTS=Yes

 #
-# Mutex Timeout
+# MUTEX TIMEOUT
 #
 # The value of this variable determines the number of seconds that programs
 # will wait for exclusive access to the Shorewall lock file. After the number
@ -306,4 +336,17 @@ MERGE_HOSTS=Yes

 MUTEX_TIMEOUT=60

+#
+# LOGGING 'New not SYN' rejects
+#
+# When a TCP packet that does not have the SYN flag set and the ACK and RST
+# flags clear then unless the packet is part of an established connection,
+# it will be rejected by the firewall. If you want these rejects logged, 
+# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
+#
+# Example: LOGNEWNOTSYN=debug
+
+
+LOGNEWNOTSYN=
+
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@ -35,7 +35,9 @@
 #			following:
 #
 #			dhcp	     - interface is managed by DHCP or used by
-#                                      a DHCP server running on the firewall.
+#                                      a DHCP server running on the firewall or
+#				       you have a static IP but are on a LAN
+#				       segment with lots of Laptop DHCP clients.
 #			noping	     - icmp echo-request (ping) packets
 #				       addressed to the firewall should
 #				       be ignored on this interface
@ -65,7 +67,9 @@
 #				       addresses and you want to be able to
 #				       route between them.
 #			routefilter  - turn on kernel route filtering for this
-#				       interface (anti-spoofing measure).
+#				       interface (anti-spoofing measure). This
+#                                      option can also be enabled globally in
+#				       the /etc/shorewall/shorewall.conf file.
 #			dropunclean  - Logs and drops mangled/invalid packets
 #
 #			logunclean   - Logs mangled/invalid packets but does
--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@ -57,7 +57,7 @@
 #
 #		  You add a router to your local network to connect subnet
 #		  192.168.1.0/24 which you also want to masquerade. You then
-#		  add the following entry to this file:
+#		  add a second entry for eth0 to this file:
 #
 #			eth0	192.168.1.0/24
 #
@ -76,6 +76,9 @@
 #
 #			eth0	192.168.1.0/24	206.124.146.176
 #
+#		  This would normally be done when you have a static external
+#		  IP address since it makes the processing of outgoing 
+#		  packets somewhat faster.
 ##############################################################################
 #INTERFACE	        SUBNET		ADDRESS
 eth0			eth1
--- a/Samples/three-interfaces/policy
+++ b/Samples/three-interfaces/policy
@ -35,7 +35,7 @@
 #	As shipped, the default policies are:
 #
 #	a) All connections from the local network to the internet are allowed
-#	b) All connections from the network are ignored but logged at syslog
+#	b) All connections from the internet are ignored but logged at syslog
 #	   level KERNEL.INFO.
 #	d) All other connection requests are rejected and logged at level
 #	   KERNEL.INFO.
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@ -35,7 +35,9 @@
 #			following:
 #
 #			dhcp	     - interface is managed by DHCP or used by
-#                                      a DHCP server running on the firewall.
+#                                      a DHCP server running on the firewall or
+#				       you have a static IP but are on a LAN
+#				       segment with lots of Laptop DHCP clients.
 #			noping	     - icmp echo-request (ping) packets
 #				       addressed to the firewall should
 #				       be ignored on this interface
@ -65,7 +67,9 @@
 #				       addresses and you want to be able to
 #				       route between them.
 #			routefilter  - turn on kernel route filtering for this
-#				       interface (anti-spoofing measure).
+#				       interface (anti-spoofing measure). This
+#                                      option can also be enabled globally in
+#				       the /etc/shorewall/shorewall.conf file.
 #			dropunclean  - Logs and drops mangled/invalid packets
 #
 #			logunclean   - Logs mangled/invalid packets but does
@ -116,6 +120,5 @@
 #			net	ppp0	-		noping
 ##############################################################################
 #ZONE	 INTERFACE	BROADCAST	OPTIONS
-net     eth0		detect		dhcp,routefilter,norfc1918
 loc	eth1		detect		routestopped
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@ -57,7 +57,7 @@
 #
 #		  You add a router to your local network to connect subnet
 #		  192.168.1.0/24 which you also want to masquerade. You then
-#		  add the following entry to this file:
+#		  add a second entry for eth0 to this file:
 #
 #			eth0	192.168.1.0/24
 #
@ -76,6 +76,9 @@
 #
 #			eth0	192.168.1.0/24	206.124.146.176
 #
+#		  This would normally be done when you have a static external
+#		  IP address since it makes the processing of outgoing 
+#		  packets somewhat faster.
 ##############################################################################
 #INTERFACE	        SUBNET		ADDRESS
 eth0			eth1
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
@ -35,7 +35,7 @@
 #	As shipped, the default policies are:
 #
 #	a) All connections from the local network to the internet are allowed
-#	b) All connections from the network are ignored but logged at syslog
+#	b) All connections from the internet are ignored but logged at syslog
 #	   level KERNEL.INFO.
 #	d) All other connection requests are rejected and logged at level
 #	   KERNEL.INFO.