forked from extern/shorewall_code
Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
7e87a0138b |
@@ -17,3 +17,4 @@
|
||||
###############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,tcpflags,logmartians,nosmurfs
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -16,6 +16,8 @@
|
||||
###############################################################################
|
||||
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
$FW net ACCEPT
|
||||
net $FW DROP info
|
||||
net all DROP info
|
||||
# The FOLLOWING POLICY MUST BE LAST
|
||||
all all REJECT info
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
#
|
||||
L#
|
||||
# Shorewall version 4.0 - Sample Rules File for one-interface configuration.
|
||||
# Copyright (C) 2006 by the Shorewall Team
|
||||
#
|
||||
@@ -19,8 +19,10 @@
|
||||
|
||||
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||
|
||||
Ping(DROP) net $FW
|
||||
Ping/DROP net $FW
|
||||
|
||||
# Permit all ICMP traffic FROM the firewall TO the net zone
|
||||
|
||||
ACCEPT $FW net icmp
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
###############################################################################
|
||||
#
|
||||
# Shorewall version 4.0 - Sample shorewall.conf for one-interface
|
||||
# configuration.
|
||||
# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
|
||||
# Copyright (C) 2006 by the Shorewall Team
|
||||
#
|
||||
# This library is free software; you can redistribute it and/or
|
||||
@@ -15,7 +14,6 @@
|
||||
#
|
||||
# The manpage is also online at
|
||||
# http://shorewall.net/manpages/shorewall.conf.html
|
||||
#
|
||||
###############################################################################
|
||||
# S T A R T U P E N A B L E D
|
||||
###############################################################################
|
||||
@@ -28,6 +26,13 @@ STARTUP_ENABLED=No
|
||||
|
||||
VERBOSITY=1
|
||||
|
||||
###############################################################################
|
||||
# C O M P I L E R
|
||||
# (setting this to 'perl' requires installation of Shorewall-perl)
|
||||
###############################################################################
|
||||
|
||||
SHOREWALL_COMPILER=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
@@ -54,6 +59,8 @@ MACLIST_LOG_LEVEL=info
|
||||
|
||||
TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
RFC1918_LOG_LEVEL=info
|
||||
|
||||
SMURF_LOG_LEVEL=info
|
||||
|
||||
LOG_MARTIANS=Yes
|
||||
@@ -64,12 +71,6 @@ LOG_MARTIANS=Yes
|
||||
|
||||
IPTABLES=
|
||||
|
||||
IP=
|
||||
|
||||
TC=
|
||||
|
||||
IPSET=
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
@@ -107,7 +108,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
|
||||
# F I R E W A L L O P T I O N S
|
||||
###############################################################################
|
||||
|
||||
IP_FORWARDING=Off
|
||||
IP_FORWARDING=On
|
||||
|
||||
ADD_IP_ALIASES=Yes
|
||||
|
||||
@@ -139,7 +140,7 @@ DELAYBLACKLISTLOAD=No
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
DISABLE_IPV6=No
|
||||
DISABLE_IPV6=Yes
|
||||
|
||||
BRIDGING=No
|
||||
|
||||
@@ -147,7 +148,7 @@ DYNAMIC_ZONES=No
|
||||
|
||||
PKTTYPE=Yes
|
||||
|
||||
NULL_ROUTE_RFC1918=No
|
||||
RFC1918_STRICT=No
|
||||
|
||||
MACLIST_TABLE=filter
|
||||
|
||||
@@ -169,7 +170,7 @@ OPTIMIZE=1
|
||||
|
||||
EXPORTPARAMS=No
|
||||
|
||||
EXPAND_POLICIES=Yes
|
||||
EXPAND_POLICIES=No
|
||||
|
||||
KEEP_RT_TABLES=No
|
||||
|
||||
@@ -183,14 +184,8 @@ AUTO_COMMENT=Yes
|
||||
|
||||
MANGLE_ENABLED=Yes
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
RESTORE_DEFAULT_ROUTE=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
WIDE_TC_MARKS=Yes
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
||||
@@ -18,3 +18,4 @@
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
||||
@@ -19,3 +19,4 @@
|
||||
net eth0 detect tcpflags,dhcp,nosmurfs,routefilter,logmartians
|
||||
loc eth1 detect tcpflags,nosmurfs,routefilter,logmartians
|
||||
dmz eth2 detect tcpflags,nosmurfs,routefilter,logmartians
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -15,7 +15,6 @@
|
||||
#
|
||||
##############################################################################
|
||||
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
|
||||
eth0 10.0.0.0/8,\
|
||||
169.254.0.0/16,\
|
||||
172.16.0.0/12,\
|
||||
192.168.0.0/16
|
||||
eth0 eth1
|
||||
eth0 eth2
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
@@ -16,7 +16,67 @@
|
||||
###############################################################################
|
||||
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
|
||||
#
|
||||
# Note about policies and logging:
|
||||
# This file contains an explicit policy for every combination of
|
||||
# zones defined in this sample. This is solely for the purpose of
|
||||
# providing more specific messages in the logs. This is not
|
||||
# necessary for correct operation of the firewall, but greatly
|
||||
# assists in diagnosing problems. The policies below are logically
|
||||
# equivalent to:
|
||||
#
|
||||
# loc net ACCEPT
|
||||
# net all DROP info
|
||||
# all all REJECT info
|
||||
#
|
||||
# The Shorewall-perl compiler will generate the individual policies
|
||||
# below from the above general policies if you set
|
||||
# EXPAND_POLICIES=Yes in shorewall.conf.
|
||||
#
|
||||
|
||||
#
|
||||
# Policies for traffic originating from the local LAN (loc)
|
||||
#
|
||||
# If you want to force clients to access the Internet via a proxy server
|
||||
# in your DMZ, change the following policy to REJECT info.
|
||||
loc net ACCEPT
|
||||
# If you want open access to DMZ from loc, change the following policy
|
||||
# to ACCEPT. (If you chose not to do this, you will need to add a rule
|
||||
# for each service in the rules file.)
|
||||
loc dmz REJECT info
|
||||
loc $FW REJECT info
|
||||
loc all REJECT info
|
||||
|
||||
#
|
||||
# Policies for traffic originating from the firewall ($FW)
|
||||
#
|
||||
# If you want open access to the Internet from your firewall, change the
|
||||
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
|
||||
$FW net REJECT info
|
||||
$FW dmz REJECT info
|
||||
$FW loc REJECT info
|
||||
$FW all REJECT info
|
||||
|
||||
#
|
||||
# Policies for traffic originating from the De-Militarized Zone (dmz)
|
||||
#
|
||||
# If you want open access from DMZ to the Internet change the following
|
||||
# policy to ACCEPT. This may be useful if you run a proxy server in
|
||||
# your DMZ.
|
||||
dmz net REJECT info
|
||||
dmz $FW REJECT info
|
||||
dmz loc REJECT info
|
||||
dmz all REJECT info
|
||||
|
||||
#
|
||||
# Policies for traffic originating from the Internet zone (net)
|
||||
#
|
||||
net dmz DROP info
|
||||
net $FW DROP info
|
||||
net loc DROP info
|
||||
net all DROP info
|
||||
|
||||
# THE FOLLOWING POLICY MUST BE LAST
|
||||
all all REJECT info
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
@@ -19,3 +19,4 @@
|
||||
#INTERFACE HOST(S)
|
||||
eth1 -
|
||||
eth2 -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -19,33 +19,33 @@
|
||||
#
|
||||
# Accept DNS connections from the firewall to the Internet
|
||||
#
|
||||
DNS(ACCEPT) $FW net
|
||||
DNS/ACCEPT $FW net
|
||||
#
|
||||
#
|
||||
# Accept SSH connections from the local network to the firewall and DMZ
|
||||
#
|
||||
SSH(ACCEPT) loc $FW
|
||||
SSH(ACCEPT) loc dmz
|
||||
SSH/ACCEPT loc $FW
|
||||
SSH/ACCEPT loc dmz
|
||||
#
|
||||
# DMZ DNS access to the Internet
|
||||
#
|
||||
DNS(ACCEPT) dmz net
|
||||
DNS/ACCEPT dmz net
|
||||
|
||||
|
||||
# Drop Ping from the "bad" net zone.
|
||||
|
||||
Ping(DROP) net $FW
|
||||
Ping/DROP net $FW
|
||||
|
||||
#
|
||||
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
|
||||
# (assumes that the loc-> net policy is ACCEPT).
|
||||
#
|
||||
|
||||
Ping(ACCEPT) loc $FW
|
||||
Ping(ACCEPT) dmz $FW
|
||||
Ping(ACCEPT) loc dmz
|
||||
Ping(ACCEPT) dmz loc
|
||||
Ping(ACCEPT) dmz net
|
||||
Ping/ACCEPT loc $FW
|
||||
Ping/ACCEPT dmz $FW
|
||||
Ping/ACCEPT loc dmz
|
||||
Ping/ACCEPT dmz loc
|
||||
Ping/ACCEPT dmz net
|
||||
|
||||
ACCEPT $FW net icmp
|
||||
ACCEPT $FW loc icmp
|
||||
@@ -54,5 +54,7 @@ ACCEPT $FW dmz icmp
|
||||
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
|
||||
# the net zone to the dmz and loc
|
||||
|
||||
#Ping(ACCEPT) net dmz
|
||||
#Ping(ACCEPT) net loc
|
||||
#Ping/ACCEPT net dmz
|
||||
#Ping/ACCEPT net loc
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
###############################################################################
|
||||
s###############################################################################
|
||||
#
|
||||
# Shorewall version 4.0 - Sample shorewall.conf for three-interface
|
||||
# configuration.
|
||||
@@ -28,6 +28,13 @@ STARTUP_ENABLED=No
|
||||
|
||||
VERBOSITY=1
|
||||
|
||||
###############################################################################
|
||||
# C O M P I L E R
|
||||
# (setting this to 'perl' requires installation of Shorewall-perl)
|
||||
###############################################################################
|
||||
|
||||
SHOREWALL_COMPILER=
|
||||
|
||||
###############################################################################
|
||||
# L O G G I N G
|
||||
###############################################################################
|
||||
@@ -54,6 +61,8 @@ MACLIST_LOG_LEVEL=info
|
||||
|
||||
TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
RFC1918_LOG_LEVEL=info
|
||||
|
||||
SMURF_LOG_LEVEL=info
|
||||
|
||||
LOG_MARTIANS=Yes
|
||||
@@ -64,12 +73,6 @@ LOG_MARTIANS=Yes
|
||||
|
||||
IPTABLES=
|
||||
|
||||
IP=
|
||||
|
||||
TC=
|
||||
|
||||
IPSET=
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
@@ -139,7 +142,7 @@ DELAYBLACKLISTLOAD=No
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
DISABLE_IPV6=No
|
||||
DISABLE_IPV6=Yes
|
||||
|
||||
BRIDGING=No
|
||||
|
||||
@@ -147,7 +150,7 @@ DYNAMIC_ZONES=No
|
||||
|
||||
PKTTYPE=Yes
|
||||
|
||||
NULL_ROUTE_RFC1918=No
|
||||
RFC1918_STRICT=No
|
||||
|
||||
MACLIST_TABLE=filter
|
||||
|
||||
@@ -169,7 +172,7 @@ OPTIMIZE=1
|
||||
|
||||
EXPORTPARAMS=No
|
||||
|
||||
EXPAND_POLICIES=Yes
|
||||
EXPAND_POLICIES=No
|
||||
|
||||
KEEP_RT_TABLES=No
|
||||
|
||||
@@ -183,14 +186,8 @@ AUTO_COMMENT=Yes
|
||||
|
||||
MANGLE_ENABLED=Yes
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
RESTORE_DEFAULT_ROUTE=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
WIDE_TC_MARKS=Yes
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
||||
@@ -20,3 +20,4 @@ fw firewall
|
||||
net ipv4
|
||||
loc ipv4
|
||||
dmz ipv4
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
||||
@@ -18,3 +18,4 @@
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
|
||||
loc eth1 detect tcpflags,nosmurfs,routefilter,logmartians
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -15,7 +15,5 @@
|
||||
#
|
||||
###############################################################################
|
||||
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
|
||||
eth0 10.0.0.0/8,\
|
||||
169.254.0.0/16,\
|
||||
172.16.0.0/12,\
|
||||
192.168.0.0/16
|
||||
eth0 eth1
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
@@ -16,8 +16,50 @@
|
||||
###############################################################################
|
||||
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
|
||||
#
|
||||
# Note about policies and logging:
|
||||
# This file contains an explicit policy for every combination of
|
||||
# zones defined in this sample. This is solely for the purpose of
|
||||
# providing more specific messages in the logs. This is not
|
||||
# necessary for correct operation of the firewall, but greatly
|
||||
# assists in diagnosing problems. The policies below are logically
|
||||
# equivalent to:
|
||||
#
|
||||
# loc net ACCEPT
|
||||
# net all DROP info
|
||||
# all all REJECT info
|
||||
#
|
||||
# The Shorewall-perl compiler will generate the individual policies
|
||||
# below from the above general policies if you set
|
||||
# EXPAND_POLICIES=Yes in shorewall.conf.
|
||||
#
|
||||
|
||||
# Policies for traffic originating from the local LAN (loc)
|
||||
#
|
||||
# If you want to force clients to access the Internet via a proxy server
|
||||
# on your firewall, change the loc to net policy to REJECT info.
|
||||
loc net ACCEPT
|
||||
loc $FW REJECT info
|
||||
loc all REJECT info
|
||||
|
||||
#
|
||||
# Policies for traffic originating from the firewall ($FW)
|
||||
#
|
||||
# If you want open access to the Internet from your firewall, change the
|
||||
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
|
||||
# This may be useful if you run a proxy server on the firewall.
|
||||
$FW net REJECT info
|
||||
$FW loc REJECT info
|
||||
$FW all REJECT info
|
||||
|
||||
#
|
||||
# Policies for traffic originating from the Internet zone (net)
|
||||
#
|
||||
net $FW DROP info
|
||||
net loc DROP info
|
||||
net all DROP info
|
||||
|
||||
# THE FOLLOWING POLICY MUST BE LAST
|
||||
all all REJECT info
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
@@ -18,3 +18,4 @@
|
||||
##############################################################################
|
||||
#INTERFACE HOST(S) OPTIONS
|
||||
eth1 -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -19,22 +19,24 @@
|
||||
#
|
||||
# Accept DNS connections from the firewall to the network
|
||||
#
|
||||
DNS(ACCEPT) $FW net
|
||||
DNS/ACCEPT $FW net
|
||||
#
|
||||
# Accept SSH connections from the local network for administration
|
||||
#
|
||||
SSH(ACCEPT) loc $FW
|
||||
SSH/ACCEPT loc $FW
|
||||
#
|
||||
# Allow Ping from the local network
|
||||
#
|
||||
Ping(ACCEPT) loc $FW
|
||||
Ping/ACCEPT loc $FW
|
||||
|
||||
#
|
||||
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||
#
|
||||
|
||||
Ping(DROP) net $FW
|
||||
Ping/DROP net $FW
|
||||
|
||||
ACCEPT $FW loc icmp
|
||||
ACCEPT $FW net icmp
|
||||
#
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
###############################################################################
|
||||
#
|
||||
# Shorewall version 4.0 - Sample shorewall.conf for two-interface
|
||||
# configuration.
|
||||
# Shorewall version 4.0 - Sample shorewall.conf for two-interface configuration.
|
||||
# Copyright (C) 2006,2007 by the Shorewall Team
|
||||
#
|
||||
# This library is free software; you can redistribute it and/or
|
||||
@@ -15,7 +14,6 @@
|
||||
#
|
||||
# The manpage is also online at
|
||||
# http://shorewall.net/manpages/shorewall.conf.html
|
||||
#
|
||||
###############################################################################
|
||||
# S T A R T U P E N A B L E D
|
||||
###############################################################################
|
||||
@@ -61,6 +59,8 @@ MACLIST_LOG_LEVEL=info
|
||||
|
||||
TCP_FLAGS_LOG_LEVEL=info
|
||||
|
||||
RFC1918_LOG_LEVEL=info
|
||||
|
||||
SMURF_LOG_LEVEL=info
|
||||
|
||||
LOG_MARTIANS=Yes
|
||||
@@ -71,12 +71,6 @@ LOG_MARTIANS=Yes
|
||||
|
||||
IPTABLES=
|
||||
|
||||
IP=
|
||||
|
||||
TC=
|
||||
|
||||
IPSET=
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
@@ -146,7 +140,7 @@ DELAYBLACKLISTLOAD=No
|
||||
|
||||
MODULE_SUFFIX=
|
||||
|
||||
DISABLE_IPV6=No
|
||||
DISABLE_IPV6=Yes
|
||||
|
||||
BRIDGING=No
|
||||
|
||||
@@ -154,7 +148,7 @@ DYNAMIC_ZONES=No
|
||||
|
||||
PKTTYPE=Yes
|
||||
|
||||
NULL_ROUTE_RFC1918=No
|
||||
RFC1918_STRICT=No
|
||||
|
||||
MACLIST_TABLE=filter
|
||||
|
||||
@@ -176,6 +170,8 @@ OPTIMIZE=1
|
||||
|
||||
EXPORTPARAMS=No
|
||||
|
||||
EXPAND_POLICIES=No
|
||||
|
||||
EXPAND_POLICIES=Yes
|
||||
|
||||
KEEP_RT_TABLES=No
|
||||
@@ -190,14 +186,8 @@ AUTO_COMMENT=Yes
|
||||
|
||||
MANGLE_ENABLED=Yes
|
||||
|
||||
USE_DEFAULT_RT=No
|
||||
|
||||
RESTORE_DEFAULT_ROUTE=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
WIDE_TC_MARKS=Yes
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
||||
@@ -19,3 +19,5 @@
|
||||
fw firewall
|
||||
net ipv4
|
||||
loc ipv4
|
||||
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
||||
@@ -13,3 +13,4 @@
|
||||
###############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect tcpflags
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -18,3 +18,4 @@ net $FW DROP info
|
||||
net all DROP info
|
||||
# The FOLLOWING POLICY MUST BE LAST
|
||||
all all REJECT info
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
@@ -16,9 +16,10 @@
|
||||
|
||||
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||
|
||||
Ping(DROP) net $FW
|
||||
Ping/DROP net $FW
|
||||
|
||||
# Permit all ICMP traffic FROM the firewall TO the net zone
|
||||
|
||||
ACCEPT $FW net ipv6-icmp
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -62,7 +62,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
|
||||
SUBSYSLOCK=
|
||||
SUBSYSLOCK=/var/lock/subsys/shorewall
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
@@ -137,8 +137,6 @@ MANGLE_ENABLED=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
WIDE_TC_MARKS=Yes
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
||||
@@ -15,3 +15,4 @@
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv6
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
||||
@@ -15,3 +15,4 @@
|
||||
net eth0 detect tcpflags
|
||||
loc eth1 detect tcpflags
|
||||
dmz eth2 detect
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -17,3 +17,4 @@ loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
@@ -18,3 +18,4 @@
|
||||
#INTERFACE HOST(S)
|
||||
eth1 -
|
||||
eth2 -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -16,33 +16,33 @@
|
||||
#
|
||||
# Accept DNS connections from the firewall to the Internet
|
||||
#
|
||||
DNS(ACCEPT) $FW net
|
||||
DNS/ACCEPT $FW net
|
||||
#
|
||||
#
|
||||
# Accept SSH connections from the local network to the firewall and DMZ
|
||||
#
|
||||
SSH(ACCEPT) loc $FW
|
||||
SSH(ACCEPT) loc dmz
|
||||
SSH/ACCEPT loc $FW
|
||||
SSH/ACCEPT loc dmz
|
||||
#
|
||||
# DMZ DNS access to the Internet
|
||||
#
|
||||
DNS(ACCEPT) dmz net
|
||||
DNS/ACCEPT dmz net
|
||||
|
||||
|
||||
# Drop Ping from the "bad" net zone.
|
||||
|
||||
Ping(DROP) net $FW
|
||||
Ping/DROP net $FW
|
||||
|
||||
#
|
||||
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
|
||||
# (assumes that the loc-> net policy is ACCEPT).
|
||||
#
|
||||
|
||||
Ping(ACCEPT) loc $FW
|
||||
Ping(ACCEPT) dmz $FW
|
||||
Ping(ACCEPT) loc dmz
|
||||
Ping(ACCEPT) dmz loc
|
||||
Ping(ACCEPT) dmz net
|
||||
Ping/ACCEPT loc $FW
|
||||
Ping/ACCEPT dmz $FW
|
||||
Ping/ACCEPT loc dmz
|
||||
Ping/ACCEPT dmz loc
|
||||
Ping/ACCEPT dmz net
|
||||
|
||||
ACCEPT $FW net ipv6-icmp
|
||||
ACCEPT $FW loc ipv6-icmp
|
||||
@@ -51,6 +51,7 @@ ACCEPT $FW dmz ipv6-icmp
|
||||
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
|
||||
# the net zone to the dmz and loc
|
||||
|
||||
#Ping(ACCEPT) net dmz
|
||||
#Ping(ACCEPT) net loc
|
||||
#Ping/ACCEPT net dmz
|
||||
#Ping/ACCEPT net loc
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -62,7 +62,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
|
||||
SUBSYSLOCK=
|
||||
SUBSYSLOCK=/var/lock/subsys/shorewall
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
@@ -137,8 +137,6 @@ MANGLE_ENABLED=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
WIDE_TC_MARKS=Yes
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
||||
@@ -18,3 +18,4 @@ fw firewall
|
||||
net ipv4
|
||||
loc ipv4
|
||||
dmz ipv4
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
||||
@@ -14,3 +14,4 @@
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect tcpflags
|
||||
loc eth1 detect tcpflags
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -17,3 +17,4 @@ loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
@@ -17,3 +17,4 @@
|
||||
##############################################################################
|
||||
#INTERFACE HOST(S) OPTIONS
|
||||
eth1 -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -16,22 +16,24 @@
|
||||
#
|
||||
# Accept DNS connections from the firewall to the network
|
||||
#
|
||||
DNS(ACCEPT) $FW net
|
||||
DNS/ACCEPT $FW net
|
||||
#
|
||||
# Accept SSH connections from the local network for administration
|
||||
#
|
||||
SSH(ACCEPT) loc $FW
|
||||
SSH/ACCEPT loc $FW
|
||||
#
|
||||
# Allow Ping from the local network
|
||||
#
|
||||
Ping(ACCEPT) loc $FW
|
||||
Ping/ACCEPT loc $FW
|
||||
|
||||
#
|
||||
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
|
||||
#
|
||||
|
||||
Ping(DROP) net $FW
|
||||
Ping/DROP net $FW
|
||||
|
||||
ACCEPT $FW loc ipv6-icmp
|
||||
ACCEPT $FW net ipv6-icmp
|
||||
#
|
||||
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -62,11 +62,11 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
SHOREWALL_SHELL=/bin/sh
|
||||
|
||||
SUBSYSLOCK=
|
||||
SUBSYSLOCK=/var/lock/subsys/shorewall
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall/
|
||||
CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shoreall/
|
||||
|
||||
RESTOREFILE=
|
||||
|
||||
@@ -137,8 +137,6 @@ MANGLE_ENABLED=Yes
|
||||
|
||||
AUTOMAKE=No
|
||||
|
||||
WIDE_TC_MARKS=Yes
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
||||
@@ -17,3 +17,4 @@ fw firewall
|
||||
net ipv6
|
||||
loc ipv6
|
||||
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
||||
|
||||
@@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=4.4.2.2
|
||||
VERSION=4.3.8
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
||||
@@ -19,10 +19,6 @@ SRWL_OPTS="-tvv"
|
||||
# keep logs of the firewall (not recommended)
|
||||
INITLOG=/var/log/shorewall-lite-init.log
|
||||
|
||||
[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
|
||||
|
||||
export SHOREWALL_INIT_SCRIPT
|
||||
|
||||
test -x $SRWL || exit 0
|
||||
test -x $WAIT_FOR_IFUP || exit 0
|
||||
test -n $INITLOG || {
|
||||
|
||||
@@ -67,8 +67,6 @@ elif [ -f /etc/default/shorewall ] ; then
|
||||
. /etc/default/shorewall
|
||||
fi
|
||||
|
||||
SHOREWALL_INIT_SCRIPT=1
|
||||
|
||||
################################################################################
|
||||
# E X E C U T I O N B E G I N S H E R E #
|
||||
################################################################################
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
#
|
||||
|
||||
VERSION=4.4.2.2
|
||||
VERSION=4.3.8
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
@@ -30,6 +30,7 @@ usage() # $1 = exit status
|
||||
echo "usage: $ME"
|
||||
echo " $ME -v"
|
||||
echo " $ME -h"
|
||||
echo " $ME -n"
|
||||
exit $1
|
||||
}
|
||||
|
||||
@@ -107,6 +108,14 @@ if [ -z "$RUNLEVELS" ] ; then
|
||||
RUNLEVELS=""
|
||||
fi
|
||||
|
||||
if [ -z "$OWNER" ] ; then
|
||||
OWNER=root
|
||||
fi
|
||||
|
||||
if [ -z "$GROUP" ] ; then
|
||||
GROUP=root
|
||||
fi
|
||||
|
||||
while [ $# -gt 0 ] ; do
|
||||
case "$1" in
|
||||
-h|help|?)
|
||||
@@ -130,34 +139,17 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
# Determine where to install the firewall script
|
||||
#
|
||||
DEBIAN=
|
||||
CYGWIN=
|
||||
|
||||
case $(uname) in
|
||||
CYGWIN*)
|
||||
if [ -z "$PREFIX" ]; then
|
||||
DEST=
|
||||
INIT=
|
||||
fi
|
||||
|
||||
OWNER=$(id -un)
|
||||
GROUP=$(id -gn)
|
||||
;;
|
||||
*)
|
||||
[ -z "$OWNER" ] && OWNER=root
|
||||
[ -z "$GROUP" ] && GROUP=root
|
||||
;;
|
||||
esac
|
||||
|
||||
OWNERSHIP="-o $OWNER -g $GROUP"
|
||||
|
||||
if [ -n "$PREFIX" ]; then
|
||||
if [ `id -u` != 0 ] ; then
|
||||
echo "Not setting file owner/group permissions, not running as root."
|
||||
OWNERSHIP=""
|
||||
fi
|
||||
|
||||
install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
|
||||
install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
|
||||
if [ `id -u` != 0 ] ; then
|
||||
echo "Not setting file owner/group permissions, not running as root."
|
||||
OWNERSHIP=""
|
||||
fi
|
||||
|
||||
install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
|
||||
install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
|
||||
elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
|
||||
DEBIAN=yes
|
||||
elif [ -f /etc/slackware-version ] ; then
|
||||
|
||||
@@ -515,7 +515,6 @@ if [ $# -eq 0 ]; then
|
||||
fi
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
export PATH
|
||||
MUTEX_TIMEOUT=
|
||||
|
||||
SHAREDIR=/usr/share/shorewall-lite
|
||||
@@ -625,7 +624,6 @@ case "$COMMAND" in
|
||||
;;
|
||||
status)
|
||||
[ $# -eq 1 ] || usage 1
|
||||
[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
|
||||
echo "Shorewall Lite $version Status at $HOSTNAME - $(date)"
|
||||
echo
|
||||
if shorewall_is_started ; then
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
%define name shorewall-lite
|
||||
%define version 4.4.2
|
||||
%define release 2
|
||||
%define version 4.3.8
|
||||
%define release 0base
|
||||
|
||||
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
|
||||
Name: %{name}
|
||||
@@ -98,40 +98,6 @@ fi
|
||||
%doc COPYING changelog.txt releasenotes.txt
|
||||
|
||||
%changelog
|
||||
* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.2-2
|
||||
* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.2-1
|
||||
* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.2-0base
|
||||
* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.2-0base
|
||||
* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.1-0base
|
||||
* Mon Aug 03 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.0-0base
|
||||
* Tue Jul 28 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.0-0RC2
|
||||
* Sun Jul 12 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.0-0RC1
|
||||
* Thu Jul 09 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.0-0Beta4
|
||||
* Sat Jun 27 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.0-0Beta3
|
||||
* Mon Jun 15 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.0-0Beta2
|
||||
* Fri Jun 12 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.4.0-0Beta1
|
||||
* Sun Jun 07 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.13-0base
|
||||
* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.12-0base
|
||||
* Sun May 10 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.11-0base
|
||||
* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.10-0base
|
||||
* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.9-0base
|
||||
* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
|
||||
- Updated to 4.3.8-0base
|
||||
* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
|
||||
|
||||
@@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Shorewall Firewall
|
||||
|
||||
VERSION=4.4.2.2
|
||||
VERSION=4.3.8
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
||||
17
Shorewall/Contrib/isusable
Normal file
17
Shorewall/Contrib/isusable
Normal file
@@ -0,0 +1,17 @@
|
||||
#
|
||||
# Shorewall version 4 - 'isusable' sample script
|
||||
#
|
||||
# /etc/shorewall/isusable
|
||||
#
|
||||
# This script is a companion to the 'swping' script described at
|
||||
# http://www.shorewall.net/MultiISP.html#swping.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
local status=0
|
||||
|
||||
[ -f /etc/shorewall/${1}.status ] && status=$(cat /etc/shorewall/${1}.status)
|
||||
|
||||
return $status
|
||||
@@ -39,33 +39,26 @@ if [ $FAMILY -eq 4 ]; then
|
||||
. /usr/share/shorewall-lite/lib.base
|
||||
[ -f /etc/shorewall-lite/params ] && . /etc/shorewall-lite/params
|
||||
[ -n "${COMMAND:="/sbin/shorewall-lite restart; /sbin/ip -4 route ls"}" ]
|
||||
CONFDIR=/etc/shorewall-lite
|
||||
VARDIR=/var/lib/shorewall-lite
|
||||
STATEDIR=/etc/shorewall-lite
|
||||
elif [ -f /usr/share/shorewall/lib.base ]; then
|
||||
. /usr/share/shorewall/lib.base
|
||||
[ -f /etc/shorewall/params ] && . /etc/shorewall/params
|
||||
[ -n "${COMMAND:="/sbin/shorewall restart -f; /sbin/ip -4 route ls"}" ]
|
||||
CONFDIR=/etc/shorewall
|
||||
VARDIR=/var/lib/shorewall
|
||||
STATEDIR=/etc/shorewall
|
||||
fi
|
||||
else
|
||||
if [ -f /usr/share/shorewall6-lite/lib.base ]; then
|
||||
. /usr/share/shorewall6-lite/lib.base
|
||||
[ -f /etc/shorewall6-lite/params ] && . /etc/shorewall6-lite/params
|
||||
[ -n "${COMMAND:="/sbin/shorewall6-lite restart; /sbin/ip -4 route ls"}" ]
|
||||
CONFDIR=/etc/shorewall6-lite
|
||||
VARDIR=/var/lib/shorewall6-lite
|
||||
STATEDIR=/etc/shorewall6-lite
|
||||
elif [ -f /usr/share/shorewall6/lib.base ]; then
|
||||
. /usr/share/shorewal6l/lib.base
|
||||
[ -f /etc/shorewall6/params ] && . /etc/shorewall6/params
|
||||
[ -n "${COMMAND:="/sbin/shorewall6 restart -f; /sbin/ip -4 route ls"}" ]
|
||||
CONFDIR=/etc/shorewall6
|
||||
VARDIR=/var/lib/shorewall6
|
||||
STATEDIR=/etc/shorewall6
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
|
||||
|
||||
#
|
||||
# Interfaces to monitor -- you may use shell variables from your params file
|
||||
#
|
||||
@@ -131,8 +124,8 @@ get_target() {
|
||||
#
|
||||
# Script starts here
|
||||
#
|
||||
rm -f $VARDIR/${IF1}.status
|
||||
rm -f $VARDIR/${IF2}.status
|
||||
rm -f $STATEDIR/${IF1}.status
|
||||
rm -f $STATEDIR/${IF2}.status
|
||||
|
||||
while : ; do
|
||||
target=$TARGET1
|
||||
@@ -223,8 +216,8 @@ while : ; do
|
||||
#
|
||||
# One of the interfaces changed state -- restart Shorewall
|
||||
#
|
||||
echo $if1_state > $VARDIR/${IF1}.status
|
||||
echo $if2_state > $VARDIR/${IF2}.status
|
||||
echo $if1_state > $STATEDIR/${IF1}.status
|
||||
echo $if2_state > $STATEDIR/${IF2}.status
|
||||
eval $COMMAND
|
||||
state_changed=
|
||||
fi
|
||||
|
||||
@@ -13,3 +13,4 @@ COMMENT Needed ICMP types
|
||||
|
||||
ACCEPT - - icmp fragmentation-needed
|
||||
ACCEPT - - icmp time-exceeded
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -18,3 +18,4 @@ PARAM - - udp 10080
|
||||
# systems which need to pass AMANDA traffic through netfilter.
|
||||
#PARAM - - tcp 50000:50100
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 113
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -1,11 +0,0 @@
|
||||
#
|
||||
# Shorewall version 4 - BGP Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.BGP
|
||||
#
|
||||
# This macro handles BGP4 traffic.
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 179 # BGP4
|
||||
@@ -16,3 +16,4 @@ PARAM - - tcp 6881:6889
|
||||
#
|
||||
PARAM - - udp 6881
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -14,3 +14,4 @@ PARAM - - tcp 6881:6999
|
||||
#
|
||||
PARAM - - udp 6881
|
||||
#
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 2401
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -1,13 +0,0 @@
|
||||
#
|
||||
# Shorewall version 4 - Citrix/ICA Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.Citrix
|
||||
#
|
||||
# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. ICA Session Reliability)
|
||||
#
|
||||
####################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 1494 # ICA
|
||||
PARAM - - udp 1604 # ICA Browser
|
||||
PARAM - - tcp 2598 # CGP Session Reliabilty
|
||||
@@ -11,3 +11,4 @@
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 3689
|
||||
PARAM - - udp 3689
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 6277
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - udp 53
|
||||
PARAM - - tcp 53
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 3632
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -50,3 +50,4 @@ dropNotSyn
|
||||
# the log.
|
||||
#
|
||||
DROP - - udp - 53
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -12,3 +12,4 @@
|
||||
COMMENT Late DNS Replies
|
||||
|
||||
DROP - - udp - 53
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -12,3 +12,4 @@
|
||||
COMMENT UPnP
|
||||
|
||||
DROP - - udp 1900
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -32,3 +32,4 @@
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 4662
|
||||
PARAM - - udp 4665
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 21
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 79
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -12,3 +12,4 @@ PARAM - - tcp 2086
|
||||
PARAM - - udp 2086
|
||||
PARAM - - tcp 1080
|
||||
PARAM - - udp 1080
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -11,3 +11,4 @@
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - 47 # GRE
|
||||
PARAM DEST SOURCE 47 # GRE
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 9418
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 6346
|
||||
PARAM - - udp 6346
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 80
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 443
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 5190
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 143
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 993
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - 94 # IPIP
|
||||
PARAM DEST SOURCE 94 # IPIP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 631
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -1,12 +0,0 @@
|
||||
#
|
||||
# Shorewall version 4 - IPP Broadcast Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.IPPbrd
|
||||
#
|
||||
# This macro handles Internet Printing Protocol (IPP) broadcasts.
|
||||
# If you also need to handle TCP 631 connections in the opposite
|
||||
# direction, use the IPPserver Macro
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - udp 631
|
||||
@@ -1,5 +1,5 @@
|
||||
#
|
||||
# Shorewall version 4 - IPPserver Macro
|
||||
# Shorewall version 3.2 - IPPserver Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.IPPserver
|
||||
#
|
||||
@@ -27,3 +27,4 @@
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM SOURCE DEST tcp 631
|
||||
PARAM DEST SOURCE udp 631
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -12,3 +12,4 @@ PARAM - - udp 500 500 # IKE
|
||||
PARAM - - 50 # ESP
|
||||
PARAM DEST SOURCE udp 500 500 # IKE
|
||||
PARAM DEST SOURCE 50 # ESP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -13,3 +13,4 @@ PARAM - - udp 500 500 # IKE
|
||||
PARAM - - 51 # AH
|
||||
PARAM DEST SOURCE udp 500 500 # IKE
|
||||
PARAM DEST SOURCE 51 # AH
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -14,3 +14,4 @@ PARAM - - 50 # ESP
|
||||
PARAM DEST SOURCE udp 500 # IKE
|
||||
PARAM DEST SOURCE udp 4500 # NAT-T
|
||||
PARAM DEST SOURCE 50 # ESP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 6667
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -15,3 +15,4 @@ PARAM - - tcp 6544 # HTTP port
|
||||
PARAM - - tcp 6543 # InfoService port
|
||||
HTTPS/PARAM
|
||||
SSH/PARAM
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 5222
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 5223
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 5269
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 9100
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -11,3 +11,4 @@
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - udp 1701 # L2TP
|
||||
PARAM DEST SOURCE udp 1701 # L2TP
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -14,3 +14,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 389
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -14,3 +14,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 636
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 3306
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 119
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 563
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - udp 123
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -1,12 +0,0 @@
|
||||
#
|
||||
# Shorewall version 4 - NTPbi Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.NTPbi
|
||||
#
|
||||
# This macro handles bi-directional NTP (for NTP peers)
|
||||
#
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - udp 123
|
||||
PARAM DEST SOURCE udp 123
|
||||
@@ -15,3 +15,4 @@
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - udp 123
|
||||
PARAM - - udp 1024: 123
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -1,11 +0,0 @@
|
||||
#
|
||||
# Shorewall version 4 - OSPF Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.OSPF
|
||||
#
|
||||
# This macro handles OSPF multicast traffic
|
||||
#
|
||||
#######################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP DEST
|
||||
PARAM - - 89 - # OSPF
|
||||
@@ -9,3 +9,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - udp 1194
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - udp 5632
|
||||
PARAM - - tcp 5631
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 110
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -10,3 +10,4 @@
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
# PORT(S) PORT(S) LIMIT GROUP
|
||||
PARAM - - tcp 995 # Secure POP3
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
@@ -11,3 +11,4 @@
|
||||
PARAM - - 47
|
||||
PARAM DEST SOURCE 47
|
||||
PARAM - - tcp 1723
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user