holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Changes for 1.3.7

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@208 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
2002-08-22 21:33:54 +00:00
parent 72f67478b2
commit f158c11a41
97 changed files with 6516 additions and 5133 deletions
Download Patch File Download Diff File Expand all files Collapse all files

121
STABLE/documentation/configuration_file_basics.htm
View File

@ -6,55 +6,60 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Configuration Files<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Configuration Files</font></h1>
</td>
</tr>
</table>
<p><b><font color="#FF0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a href="http://www.megaloman.com/~hany/software/hd2u/">
dos2unix</a> before you use them with Shorewall.</b></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Files<!--mstheme--></font></h2>
<h2>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/shorewall.conf - used to set several firewall
parameters.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/policy - establishes firewall high-level policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/interfaces - describes the interfaces on the
firewall system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/masq - directs the firewall where to use many-to-one
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) Network Address Translation (a.k.a. Masquerading) and Source
Network Address Translation (SNAT).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/modules - directs the firewall to load kernel modules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/nat - defines static NAT rules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/proxyarp - defines use of Proxy ARP.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping or policy routing.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on
the firewall system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Comments<!--mstheme--></font></h2>
Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
@ -65,8 +70,8 @@
<p>Examples:</p>
<!--mstheme--></font><pre># This is a comment</pre><!--mstheme--><font face="arial, Arial, Helvetica"><!--mstheme--></font><pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Line Continuation<!--mstheme--></font></h2>
<pre># This is a comment</pre><pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash (&quot;\&quot;) followed
@ -76,41 +81,41 @@
<p>Example:</p>
<!--mstheme--></font><pre>ACCEPT net fw tcp \
smtp,www,pop3,imap #Services running on the firewall</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Complementing an Address or Subnet<!--mstheme--></font></h2>
<pre>ACCEPT net fw tcp \
smtp,www,pop3,imap #Services running on the firewall</pre>
<h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with &quot;!&quot; to specify the complement of the item. For
example, !192.168.1.4 means &quot;any host but 192.168.1.4&quot;.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Comma-separated Lists<!--mstheme--></font></h2>
<h2>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Must not have any embedded white space.<br>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,&nbsp;&nbsp;&nbsp;&nbsp; dhcp,&nbsp;&nbsp;&nbsp;&nbsp;
norfc1818<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you use line continuation to break a comma-separated list, the
norfc1818</li>
<li>If you use line continuation to break a comma-separated list, the
continuation line(s) must begin in column 1 (or there would be embedded
white space)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Entries in a comma-separated list may appear in any order.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
</ul>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Numbers/Service Names<!--mstheme--></font></h2>
<h2>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Ranges<!--mstheme--></font></h2>
<h2>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Using Shell Variables<!--mstheme--></font></h2>
<h2>Using Shell Variables</h2>
<p>You may use the file /etc/shorewall/params
file to set shell variables that you can then use in some of the other
@ -123,9 +128,9 @@ Shorewall programs</p>
<p>Example:</p>
<blockquote>
<p>NET_IF=eth0<br>
NET_BCAST=130.252.100.255<br>
NET_OPTIONS=noping,norfc1918</p>
<pre>NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=noping,norfc1918</pre>
</blockquote>
<p><br>
@ -134,7 +139,7 @@ Shorewall programs</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<p><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></p>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
@ -144,7 +149,7 @@ Shorewall programs</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<p>net eth0 130.252.100.255 noping,norfc1918</p>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote>
</font>
@ -152,7 +157,7 @@ Shorewall programs</p>
<p>Variables may be used anywhere in the
other configuration files.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Using MAC Addresses<!--mstheme--></font></h2>
<h2>Using MAC Addresses</h2>
<p>Media Access Control (MAC)
addresses can be used to specify packet source in several of the
@ -184,7 +189,7 @@ Shorewall programs</p>
hyphens. In Shorewall, the MAC address in the example above would be
written &quot;~02-00-08-E3-FA-55&quot;.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Configurations<!--mstheme--></font></h2>
<h2>Shorewall Configurations</h2>
<p>
Shorewall allows you to have configuration
directories other than /etc/shorewall. The <a href="#Starting">shorewall start
@ -223,6 +228,6 @@ Eastep</a>
<!--mstheme--></font></body>
</body>
</html>