forked from extern/shorewall_code
Compare commits
8 Commits

| Author | SHA1 | Date |
|---|---|---|
| | e021285199 | |
| | 4dad6d2bb9 | |
| | b537fab05d | |
| | fbfb688346 | |
| | b6ea20e7df | |
| | 0f55863076 | |
| | 9f9d9fd8d1 | |
| | ec4fc4ee8f | |
Shorewall/Macros/macro.AMQP (new normal file, 14 lines added)
@@ -0,0 +1,14 @@
|
||||
#
|
||||
# Shorewall version 4 - AMQP Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.AMQP
|
||||
#
|
||||
# This macro handles AMQP traffic.
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
PARAM - - tcp 5672
|
||||
PARAM - - udp 5672
|
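Review bot: the second entry, `PARAM - - udp 5672`, opens a UDP port that AMQP brokers (RabbitMQ, Qpid, ActiveMQ) do not listen on; AMQP is carried over TCP only, and IANA's 5672/udp registration is unused in practice, so drop that line rather than leave an extra open port in every rule that applies this macro. The header comment `# This macro handles AMQP traffic.` should also say whether AMQPS (TLS on 5671) is in scope, since as written it suggests all AMQP traffic while only 5672 is listed.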
Shorewall/Macros/macro.IPMI (new normal file, 19 lines added)
@@ -0,0 +1,19 @@
|
||||
#
|
||||
# Shorewall version 4 - IPMI Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.IPMI
|
||||
#
|
||||
# This macro handles IPMI used by Asus, Dell, MSI, and Supermicro.
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
PARAM - - tcp 623 # RMCP
|
||||
PARAM - - tcp 5900,5901 # Remote Console
|
||||
PARAM - - tcp 8889 # WS-MAN
|
||||
PARAM - - udp 623 # RMCP
|
||||
SSH
|
||||
HTTP
|
||||
HTTPS
|
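Review bot: the macro ends by invoking the `SSH`, `HTTP` and `HTTPS` macros, so a rule such as IPMI(ACCEPT) admits 22, 80 and 443 together with VNC (5900,5901) and RMCP; the header comment `# This macro handles IPMI used by Asus, Dell, MSI, and Supermicro.` should enumerate that, because readers will assume it covers only port 623. IPMI-over-LAN (RMCP/RMCP+) also runs over UDP 623, so `PARAM - - tcp 623 # RMCP` matches an IANA registration that BMCs do not listen on and can be dropped, keeping a management-plane macro as narrow as the traffic it actually needs.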
Shorewall/Macros/macro.MongoDB (new normal file, 13 lines added)
@@ -0,0 +1,13 @@
|
||||
#
|
||||
# Shorewall version 4 - MongoDB Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.MongoDB
|
||||
#
|
||||
# This macro handles MongoDB Daemon/Router traffic.
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
PARAM - - tcp 27017
|
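Review bot: the header says `Daemon/Router traffic`, and 27017 is indeed the default for both mongod and mongos, but shard servers (`--shardsvr`, 27018) and config servers (`--configsvr`, 27019) are not covered by the single `PARAM - - tcp 27017` entry; either add them or state in the comment that only the default client port is handled.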
Shorewall/Macros/macro.Redis (new normal file, 13 lines added)
@@ -0,0 +1,13 @@
|
||||
#
|
||||
# Shorewall version 4 - Redis Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.Redis
|
||||
#
|
||||
# This macro handles Redis traffic.
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
PARAM - - tcp 6379
|
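Review bot: `# This macro handles Redis traffic.` overstates what the single `PARAM - - tcp 6379` entry covers: Sentinel (26379) and the cluster bus (16379) are not included. Narrow the comment to the client port, or add the extra ports with their own trailing comments the way macro.IPMI does.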
Shorewall/Macros/macro.Sieve (new normal file, 13 lines added)
@@ -0,0 +1,13 @@
|
||||
#
|
||||
# Shorewall version 4 - Sieve Macro
|
||||
#
|
||||
# /usr/share/shorewall/macro.Sieve
|
||||
#
|
||||
# This macro handles sieve aka ManageSieve protocol.
|
||||
#
|
||||
###############################################################################
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
|
||||
# PORT(S) PORT(S) DEST LIMIT GROUP
|
||||
PARAM - - tcp 4190
|
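Review bot: the comment `# This macro handles sieve aka ManageSieve protocol.` reads awkwardly; suggest `# This macro handles the ManageSieve protocol (RFC 5804).` It is worth adding that 4190 is the IANA-assigned port and that older Cyrus timsieved deployments listened on 2000, so anyone running a legacy server knows why `PARAM - - tcp 4190` does not match their traffic.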
@@ -991,7 +991,10 @@
|
||||
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
||||
role="bold">DNAT</emphasis> or <emphasis
|
||||
role="bold">DNAT-</emphasis>, the connections will be assigned to
|
||||
addresses in the range in a round-robin fashion.</para>
|
||||
addresses in the range in a round-robin fashion. <emphasis
|
||||
role="bold">DNAT</emphasis> and <emphasis
|
||||
role="bold">DNAT-</emphasis> do not allow a list of addresses and/or
|
||||
ranges.</para>
|
||||
|
||||
<para>If you kernel and iptables have ipset match support then you
|
||||
may give the name of an ipset prefaced by "+". The ipset name may be
|
||||
|
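Review bot: the context line `<para>If you kernel and iptables have ipset match support then you` has a typo ('you' for 'your'); since the paragraph directly above it is being edited, fix it in the same change. The new sentence `DNAT and DNAT- do not allow a list of addresses and/or ranges.` documents a useful restriction, but `and/or` is redundant here; `a list of addresses or ranges` says the same thing.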
@@ -934,6 +934,17 @@
|
||||
<para>Restriction: MAC addresses are not allowed (this is a
|
||||
Netfilter restriction).</para>
|
||||
|
||||
<para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
|
||||
you may specify a range of IP addresses using the syntax
|
||||
<emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
|
||||
When the <emphasis role="bold">ACTION</emphasis> is <emphasis
|
||||
role="bold">DNAT</emphasis> or <emphasis
|
||||
role="bold">DNAT-</emphasis>, the connections will be assigned to
|
||||
addresses in the range in a round-robin fashion. <emphasis
|
||||
role="bold">DNAT</emphasis> and <emphasis
|
||||
role="bold">DNAT-</emphasis> do not allow a list of addresses and/or
|
||||
ranges.</para>
|
||||
|
||||
<para>If you kernel and ip6tables have ipset match support then you
|
||||
may give the name of an ipset prefaced by "+". The ipset name may be
|
||||
optionally followed by a number from 1 to 6 enclosed in square
|
||||
|
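Review bot: same typo as the IPv4 counterpart: `<para>If you kernel and ip6tables have ipset match support then you` should read 'your kernel'; correct it while the surrounding paragraph is being rewritten.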
@@ -49,8 +49,7 @@
|
||||
support is based on <ulink
|
||||
url="http://ipset.netfilter.org/">ipset</ulink>. Most current
|
||||
distributions have ipset, but you may need to install the <ulink
|
||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.
|
||||
</para>
|
||||
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section id="xtables-addons">
|
||||
@@ -211,9 +210,9 @@
|
||||
net ipv4
|
||||
rsyncok:loc ipv4 <emphasis role="bold">dynamic_shared</emphasis></programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth0 - …
|
||||
loc eth1 - …</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth0 …
|
||||
loc eth1 …</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
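Review bot: dropping the BROADCAST column from the `<programlisting>#ZONE INTERFACE OPTIONS` example assumes a format-2 interfaces file without saying so. In a format-1 file the third column is still BROADCAST, so a reader who copies `loc eth0 …` into an unconverted file has the options read as a broadcast address. Either show the `?FORMAT 2` directive above the header (as the new macro files in this same change do) or add one sentence stating the format/version requirement; the same applies to every interfaces listing converted in this series.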
@@ -308,9 +307,8 @@ rsyncok:
|
||||
loc ipv4
|
||||
webok:loc ipv4</programlisting><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth0 - …
|
||||
</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth0 …</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
||||
|
docs/FAQ.xml (12 lines)
@@ -516,8 +516,8 @@ DNAT net net:66.249.93.111:993 tcp 80 - 2
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>, specify the
|
||||
<emphasis role="bold">routeback</emphasis> option on
|
||||
eth0:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect <emphasis role="bold">routeback</emphasis></programlisting></para>
|
||||
eth0:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 <emphasis role="bold">routeback</emphasis></programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT
|
||||
eth0:66.249.93.111 0.0.0.0/0 206.124.146.176 tcp 993</programlisting></para>
|
||||
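Review bot: the context line `<para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT` uses a semicolon after the filename where the other FAQ entries use a colon; fix it while this entry is being touched.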
@@ -700,8 +700,8 @@ DNAT net net:192.168.4.22 tcp 80,443 - <
|
||||
<listitem>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 detect <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
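Review bot: the new line `loc eth1 <emphasis role="bold">routeback</emphasis> </programlisting>` keeps a trailing space before `</programlisting>`, which renders as trailing whitespace inside the listing; trim it here and in the matching dmz and loc listings later in the series.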
@@ -821,8 +821,8 @@ DNAT loc loc:192.168.1.5 tcp www - <emph
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
dmz eth2 192.168.2.255 <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
dmz eth2 <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/masq</filename>:</para>
|
||||
|
||||
|
@@ -86,8 +86,8 @@ vpn ipv4</programlisting>
|
||||
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
|
||||
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn tun0 10.255.255.255</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
vpn tun0</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
|
||||
|
||||
@@ -99,8 +99,8 @@ generic:47 net 134.28.54.2</programlisting>
|
||||
TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will
|
||||
be accepted to/from the remote gateway.</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn tun0 192.168.1.255</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
vpn tun0</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system B, we have:</para>
|
||||
|
||||
|
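Review bot: the context line `TCP port 1071 and the Generalized Routing Encapsulation Protocol (47) will` misnames protocol 47; GRE is Generic Routing Encapsulation (RFC 2784). Correct it while this example is being updated.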
@@ -103,8 +103,8 @@ vpn ipv4</programlisting>
|
||||
<para>On system A, the 10.0.0.0/8 will comprise the <emphasis
|
||||
role="bold">vpn</emphasis> zone. In /etc/shorewall/interfaces:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
vpn tosysb 10.255.255.255</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
vpn tosysb</programlisting>
|
||||
|
||||
<para>In /etc/shorewall/tunnels on system A, we need the following:</para>
|
||||
|
||||
|
@@ -238,7 +238,7 @@
|
||||
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
|
||||
<graphic fileref="images/TwoNets1.png"/>
|
||||
<graphic fileref="images/TwoNets1.png" />
|
||||
|
||||
<para>We want systems in the 192.168.1.0/24 sub-network to be able to
|
||||
communicate with systems in the 10.0.0.0/8 network. We assume that on both
|
||||
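Review bot: this hunk only inserts a space before `/>` in `<graphic fileref="images/TwoNets1.png" />`; it is editor churn with no content change and is better kept out of a documentation-format commit, or at least squashed with the other whitespace-only hunks.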
@@ -481,7 +481,7 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
|
||||
when you travel and you want to be able to establish a secure connection
|
||||
back to your local network.</para>
|
||||
|
||||
<graphic fileref="images/Mobile.png"/>
|
||||
<graphic fileref="images/Mobile.png" />
|
||||
|
||||
<example id="roadWarrior">
|
||||
<title>Road Warrior VPN</title>
|
||||
@@ -734,9 +734,9 @@ loc ipv4
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect routefilter
|
||||
loc eth1 192.168.1.255
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 routefilter
|
||||
loc eth1 -
|
||||
l2tp ppp+ -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
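Review bot: the converted listing writes an empty OPTIONS column as `-` (`loc eth1 -`, `l2tp ppp+ -`) while the three-interface example elsewhere in this series leaves it blank (`loc eth1`). Both parse, but the documentation should pick one convention; `-` is the clearer choice because it shows the column is deliberately empty.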
@@ -827,9 +827,9 @@ HTTPS(ACCEPT) l2tp $FW
|
||||
hosts in that network. In that case, IPSEC transport mode is an
|
||||
appropriate solution.</para>
|
||||
|
||||
<para><graphic fileref="images/TransportMode.png"/>Here's an example using
|
||||
the ipsec-tools package. The files shown are from host 192.168.20.10; the
|
||||
configuration of the other nodes is similar.</para>
|
||||
<para><graphic fileref="images/TransportMode.png" />Here's an example
|
||||
using the ipsec-tools package. The files shown are from host
|
||||
192.168.20.10; the configuration of the other nodes is similar.</para>
|
||||
|
||||
<blockquote>
|
||||
<para><filename>/etc/racoon/racoon.conf</filename>:</para>
|
||||
@@ -889,8 +889,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.
|
||||
<blockquote>
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect routefilter,dhcp,tcpflags
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 routefilter,dhcp,tcpflags
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
@@ -200,12 +200,12 @@ vpn eth0:192.168.1.0/24</programlisting>
|
||||
|
||||
<para>/etc/shorewall/masq - System A</para>
|
||||
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS
|
||||
eth0:!10.0.0.0/8 192.168.1.0/24</programlisting>
|
||||
|
||||
<para>/etc/shorewall/masq - System B</para>
|
||||
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS
|
||||
<programlisting>#INTERFACE SOURCE ADDRESS
|
||||
eth0:!192.168.1.0/24 10.0.0.0/8</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -425,8 +425,8 @@ ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3</programlisting>
|
||||
Shorewall will issue warnings to that effect. These warnings may be safely
|
||||
ignored. FreeS/Wan may now be configured to have three different Road
|
||||
Warrior connections with the choice of connection being based on X-509
|
||||
certificates or some other means. Each of these connections will utilize
|
||||
a different updown script that adds the remote station to the appropriate
|
||||
certificates or some other means. Each of these connections will utilize a
|
||||
different updown script that adds the remote station to the appropriate
|
||||
zone when the connection comes up and that deletes the remote station when
|
||||
the connection comes down. For example, when 134.28.54.2 connects for the
|
||||
vpn2 zone the <quote>up</quote> part of the script will issue the
|
||||
|
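Review bot: the reflowed paragraph keeps `Warrior connections with the choice of connection being based on X-509` in its context; the standard is X.509 (ITU-T), not X-509. Since the paragraph is being rewrapped anyway, correct the name.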
@@ -181,10 +181,10 @@ dmz ipv4</programlisting>
|
||||
file. In the three-interface sample, the three zones are defined using
|
||||
that file as follows:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,routefilter
|
||||
loc eth1 detect
|
||||
dmz eth2 detect</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 dhcp,routefilter
|
||||
loc eth1
|
||||
dmz eth2</programlisting>
|
||||
|
||||
<para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
|
||||
hosts interfacing to the firewall through eth0, the
|
||||
@@ -201,10 +201,10 @@ dmz eth2 detect</programlisting>
|
||||
file or you may use the nets= option in
|
||||
<filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,routefilter,nets=(!192.168.0.0/23)
|
||||
loc eth1 detect nets=(192.168.0.0/24)
|
||||
dmz eth2 detect nets=(192.168.1.0/24)</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 dhcp,routefilter,nets=(!192.168.0.0/23)
|
||||
loc eth1 nets=(192.168.0.0/24)
|
||||
dmz eth2 nets=(192.168.1.0/24)</programlisting>
|
||||
|
||||
<para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
|
||||
hosts interfacing to the firewall through eth0 <emphasis>except</emphasis>
|
||||
|
@@ -68,10 +68,10 @@
|
||||
optional interfaces for the 'net' zone in
|
||||
<filename>/etc/shorewall/interfaces</filename>.</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect optional,…
|
||||
net wlan0 detect optional,…
|
||||
net ppp0 - optional,…</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 optional,…
|
||||
net wlan0 optional,…
|
||||
net ppp0 optional,…</programlisting>
|
||||
|
||||
<para>With this configuration, access to the 'net' zone is possible
|
||||
regardless of which of the interfaces is being used.</para>
|
||||
|
@@ -172,12 +172,12 @@ MACLIST_LOG_LEVEL=info</programlisting>
|
||||
|
||||
<para>/etc/shorewall/interfaces:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $EXT_IF 206.124.146.255 dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
|
||||
loc $INT_IF 192.168.1.255 dhcp
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net $EXT_IF dhcp,routefilter,logmartians,blacklist,tcpflags,nosmurfs
|
||||
loc $INT_IF dhcp
|
||||
dmz $DMZ_IF -
|
||||
vpn tun+ -
|
||||
Wifi $WIFI_IF - maclist,dhcp
|
||||
Wifi $WIFI_IF maclist,dhcp
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>/etc/shorewall/maclist:</para>
|
||||
|
@@ -832,9 +832,9 @@ ISP2 2 2 main eth1 130.252.99.254 track,ba
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect …
|
||||
net eth1 detect …</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 …
|
||||
net eth1 …</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||
|
||||
@@ -1991,9 +1991,9 @@ ComcastC 2 - - eth0 detect loose,fallback,load=0.33
|
||||
<para>You specify the <option>optional</option> option in
|
||||
<filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect <emphasis role="bold">optional</emphasis>
|
||||
net eth1 detect <emphasis role="bold">optional</emphasis></programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 <emphasis role="bold">optional</emphasis>
|
||||
net eth1 <emphasis role="bold">optional</emphasis></programlisting>
|
||||
|
||||
<section id="lsm">
|
||||
<title>Link Status Monitor (LSM)</title>
|
||||
@@ -2562,11 +2562,11 @@ kvm all ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting></para>
|
||||
|
||||
<para>interfaces:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
|
||||
<para>interfaces:<programlisting>#ZONE INTERFACE PTIONS GATEWAY
|
||||
#
|
||||
net eth0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
|
||||
net wlan0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional
|
||||
kvm br0 detect routeback #Virtual Machines</programlisting><note>
|
||||
net eth0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
|
||||
net wlan0 dhcp,tcpflags,routefilter,blacklist,logmartians,optional
|
||||
kvm br0 routeback #Virtual Machines</programlisting><note>
|
||||
<para><filename class="devicefile">wlan0</filename> is the wireless
|
||||
adapter in the notebook. Used when the laptop is in our home but not
|
||||
connected to the wired network.</para>
|
||||
|
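Review bot: the new header line `<para>interfaces:<programlisting>#ZONE INTERFACE PTIONS GATEWAY` has lost the O of OPTIONS; it should read `#ZONE INTERFACE OPTIONS GATEWAY`. The GATEWAY heading also has no matching value in any entry below it (`net eth0 dhcp,tcpflags,...`), and shorewall-interfaces has no such column; drop it unless a value is intended.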
@@ -209,7 +209,7 @@ loc1:loc ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 -</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||
@@ -247,8 +247,8 @@ loc2 ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
- eth1 192.168.1.255
|
||||
<programlisting>#ZONE INTERFACE
|
||||
- eth1
|
||||
</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename></para>
|
||||
@@ -287,8 +287,8 @@ loc1:loc ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST
|
||||
loc eth1 -</programlisting>
|
||||
<programlisting>#ZONE INTERFACE
|
||||
loc eth1</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE HOSTS OPTIONS
|
||||
loc1 eth1:192.168.1.8/29 broadcast</programlisting></para>
|
||||
|
@@ -130,7 +130,7 @@ vpn ipv4</programlisting>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
||||
A:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
vpn tun0</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -198,7 +198,7 @@ verb 5</programlisting>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
||||
B:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
vpn tun0 </programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -269,7 +269,7 @@ road ipv4</programlisting>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
||||
A:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
road tun+</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -355,7 +355,7 @@ home ipv4</programlisting>
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename> on system
|
||||
B:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
home tun0</programlisting>
|
||||
</blockquote>
|
||||
|
||||
@@ -586,14 +586,14 @@ net ipv4 #Internet
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc INT_IF detect dhcp,logmartians=1,routefilter=1,physical=$INT_IF,required,wait=5
|
||||
net COM_IF detect dhcp,blacklist,optional,routefilter=0,logmartians,proxyarp=0,physical=$COM_IF,nosmurfs
|
||||
<emphasis role="bold">vpn TUN_IF+ detect physical=tun+,routeback</emphasis>
|
||||
- sit1 - ignore
|
||||
<emphasis role="bold">- mac - ignore</emphasis>
|
||||
- EXT_IF - ignore
|
||||
- lo - ignore</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc INT_IF dhcp,logmartians=1,routefilter=1,physical=$INT_IF,required,wait=5
|
||||
net COM_IF dhcp,blacklist,optional,routefilter=0,logmartians,proxyarp=0,physical=$COM_IF,nosmurfs
|
||||
<emphasis role="bold">vpn TUN_IF+ physical=tun+,routeback</emphasis>
|
||||
- sit1 ignore
|
||||
<emphasis role="bold">- mac ignore</emphasis>
|
||||
- EXT_IF ignore
|
||||
- lo ignore</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||
|
||||
@@ -617,10 +617,10 @@ rest ipv6</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net sit1 detect tcpflags,forward=1,nosmurfs,routeback
|
||||
loc eth4 detect tcpflags,forward=1
|
||||
<emphasis role="bold">loc mac detect tcpflags,forward=1</emphasis>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net sit1 tcpflags,forward=1,nosmurfs,routeback
|
||||
loc eth4 tcpflags,forward=1
|
||||
<emphasis role="bold">loc mac tcpflags,forward=1</emphasis>
|
||||
rest eth+</programlisting>
|
||||
|
||||
<para>Note that in the IPv6 firewall configuration, the remove Macbook
|
||||
|
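Review bot: the context line `<para>Note that in the IPv6 firewall configuration, the remove Macbook` has 'remove' for 'remote'; fix it in this edit.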
@@ -149,9 +149,9 @@ vz ipv4</programlisting>
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>###############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 - proxyarp=1
|
||||
vz venet0 - <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
|
||||
#ZONE INTERFACE OPTIONS
|
||||
net eth0 proxyarp=1
|
||||
vz venet0 <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@@ -159,8 +159,8 @@ vz venet0 - <emphasis role="bold">routeback,arp_f
|
||||
|
||||
<para>If you run Shorewall Multi-ISP support on the host, you should
|
||||
arrange for traffic to your containers to use the main routing table. In
|
||||
the configuration shown here, this entry in /etc/shorewall/rtrules
|
||||
is appropriate:</para>
|
||||
the configuration shown here, this entry in /etc/shorewall/rtrules is
|
||||
appropriate:</para>
|
||||
|
||||
<programlisting>#SOURCE DEST PROVIDER PRIORITY
|
||||
- 206.124.146.178 main 1000</programlisting>
|
||||
@@ -472,11 +472,11 @@ INT_IF=eth1
|
||||
<emphasis role="bold">VPS_IF=venet0</emphasis>
|
||||
...</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
|
||||
role="bold">proxyarp=1</emphasis>
|
||||
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
<emphasis role="bold">dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
|
||||
loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
<emphasis role="bold">dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
|
||||
...</programlisting>This is a multi-ISP configuration so entries are required
|
||||
in <filename>/etc/shorewall/rtrules</filename>:</para>
|
||||
|
||||
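Review bot: the rewritten line `net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis` carries `logmartions=0` over from the old line; the option is `logmartians`, and Shorewall rejects unknown interface options, so a reader copying this example gets a failed compile. Fix the spelling while converting the line.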
@@ -508,8 +508,8 @@ net ipv4</programlisting>
|
||||
|
||||
<para>/etc/shorewall/interfaces:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net <emphasis role="bold">venet0 </emphasis> detect dhcp,tcpflags,logmartians,nosmurfs</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net <emphasis role="bold">venet0 </emphasis> dhcp,tcpflags,logmartians,nosmurfs</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@@ -783,10 +783,10 @@ INT_IF=eth1
|
||||
<emphasis role="bold">VPS_IF=vzbr0</emphasis>
|
||||
...</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
|
||||
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
|
||||
loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
|
||||
dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
|
||||
...</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/proxyarp:</filename></para>
|
||||
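Review bot: `logmartions=0` again in `net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0`; the option name is `logmartians`. Same fix as in the earlier interfaces listing of this article.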
@@ -820,8 +820,8 @@ net ipv4</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces:</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net <emphasis role="bold">eth0 </emphasis> detect dhcp,tcpflags,logmartians,nosmurfs</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net <emphasis role="bold">eth0 </emphasis> dhcp,tcpflags,logmartians,nosmurfs</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
||||
|
@@ -147,16 +147,16 @@
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Shorewall 4.5</title>
|
||||
<title>Shorewall 4.5/4.6</title>
|
||||
|
||||
<para>Shorewall 4.5 adds an additional <emphasis
|
||||
<para>Shorewall 4.5 added an additional <emphasis
|
||||
role="bold">Shorewall-core</emphasis> package. This package contains the
|
||||
core Shorewall shell libraries that are required by the other
|
||||
packages.</para>
|
||||
</section>
|
||||
|
||||
<section id="Prereqs">
|
||||
<title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5
|
||||
<title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5/4.6
|
||||
Perl-based Compiler</title>
|
||||
|
||||
<itemizedlist>
|
||||
|
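Review bot: `<para>Shorewall 4.5 added an additional <emphasis` is redundant ('added an additional'); `Shorewall 4.5 added a` reads cleaner. Also, with the title now `<title>Shorewall 4.5/4.6</title>`, the paragraph should say whether 4.6 keeps the Shorewall-core split, otherwise the title names a version the text does not describe.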
@@ -257,8 +257,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
|
||||
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
|
||||
</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 detect <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 <emphasis role="bold">routeback,routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
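Review bot: the context line `<para>In <filename> <filename>/etc/shorewall/interfaces</filename>` nests a `<filename>` inside another `<filename>` (closed on the next line as `</filename>:</para>`); the outer element is spurious and should be removed while this listitem is edited.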
@@ -327,8 +327,8 @@ MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
|
||||
<para>In <filename> <filename>/etc/shorewall/interfaces</filename>
|
||||
</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth2 detect <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth2 <emphasis role="bold">routefilter=0,logmartians=0</emphasis> </programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
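Review bot: same nested `<filename> <filename>...</filename> </filename>` markup as in the previous listitem; remove the outer element here too.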
@@ -402,8 +402,8 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces:</filename></para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
- lo - -</programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
- lo -</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/providers</filename>:</para>
|
||||
|
||||
|
@@ -298,8 +298,8 @@ loc ipv4</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 - <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
loc eth1 <emphasis role="bold">routeback</emphasis> </programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/rules</filename>, simply specify
|
||||
ACCEPT rules for the traffic that you want to permit.</para>
|
||||
@@ -320,7 +320,7 @@ loc2 ipv4</programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
- eth1 - </programlisting>
|
||||
|
||||
<para>In <filename>/etc/shorewall/hosts</filename>:</para>
|
||||
|
@@ -108,9 +108,9 @@
|
||||
|
||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect ...
|
||||
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 ...
|
||||
loc <emphasis role="bold">br0</emphasis> <emphasis
|
||||
role="bold">routeback</emphasis>,...</programlisting>
|
||||
|
||||
<para>So the key points here are:</para>
|
||||
@@ -140,9 +140,9 @@ loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <
|
||||
|
||||
<para><emphasis role="bold">Note to Shorewall-perl users</emphasis>: You
|
||||
should also specify the <emphasis role="bold">bridge</emphasis>
|
||||
option:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect ...
|
||||
loc <emphasis role="bold">br0</emphasis> 10.0.1.255 <emphasis
|
||||
option:<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth0 ...
|
||||
loc <emphasis role="bold">br0</emphasis> <emphasis
|
||||
role="bold">routeback,bridge</emphasis>,...</programlisting></para>
|
||||
|
||||
<para>Your entry in <filename>/etc/shorewall/masq</filename> should be
|
||||
|
@@ -93,9 +93,8 @@ forward_chain_name = forwardUPnP</programlisting>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth1 detect dhcp,routefilter,tcpflags,<emphasis
|
||||
role="bold">upnp</emphasis></programlisting>
|
||||
<programlisting>#ZONE INTERFACE OPTIONS
|
||||
net eth1 dhcp,routefilter,tcpflags,<emphasis role="bold">upnp</emphasis></programlisting>
|
||||
|
||||
<para>If your loc->fw policy is not ACCEPT then you need this
|
||||
rule:</para>
|
||||
|
@@ -203,8 +203,8 @@ loc ipv4

<para><filename>/etc/shorewall/interfaces</filename>:</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTION
net eth0 - tcpflags,routefilter
<programlisting>#ZONE INTERFACE OPTION
net eth0 tcpflags,routefilter
loc eth1 -
<emphasis role="bold">rem ppp0 -</emphasis></programlisting>
</section>
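Review bot: the rewritten listing mixes two ways of expressing "no options": `net eth0 tcpflags,routefilter` has a populated column, while the unchanged context lines `loc eth1 -` and `rem ppp0 -` keep a literal `-` placeholder in what is now the OPTION column. Both spellings are accepted, but in a documentation example one convention should be used throughout; either drop the trailing `-` from the two context lines or explain once that `-` means "no options". The same mix appears in the -259 hunk below (`loc eth1 -`, `- tun+ -`).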
@@ -259,8 +259,8 @@ rem2 ipv4 #Remote LAN 2</emphasis></programlisting>

<para><filename>/etc/shorewall/interfaces</filename>:</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTION
net eth0 - tcpflags,routefilter
<programlisting>#ZONE INTERFACE OPTION
net eth0 tcpflags,routefilter
loc eth1 -
<emphasis role="bold">- tun+ -</emphasis></programlisting>

@@ -580,16 +580,15 @@ OMAK=<IP address at our second home>

<programlisting>echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal</programlisting>

<para><filename>/etc/shorewall/interfaces</filename> (don't specify
the BROADCAST addresses if you are using Shorewall-perl):</para>
<para><filename>/etc/shorewall/interfaces</filename>:</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net ${EXT_IF} detect dhcp,logmartians=1,blacklist
dmz $DMZ_IF detect logmartians=1
loc $INT_IF detect dhcp,logmartians=1,routeback,bridge
loc $TEST_IF detect optional
loc $TEST1_IF detect optional
wifi $WIFI_IF detect dhcp,maclist,mss=1400
<programlisting>#ZONE INTERFACE OPTIONS
net ${EXT_IF} dhcp,logmartians=1,blacklist
dmz $DMZ_IF logmartians=1
loc $INT_IF dhcp,logmartians=1,routeback,bridge
loc $TEST_IF optional
loc $TEST1_IF optional
wifi $WIFI_IF dhcp,maclist,mss=1400
vpn tun+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>

@@ -624,7 +623,7 @@ $EXT_IF:192.168.99.1 192.168.98.1 192.168.1.98

COMMENT Masquerade Local Network

$EXT_IF $INT_IF 206.124.146.179
$EXT_IF 192.168.1.0/24 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>

<para><filename>/etc/shorewall/proxyarp</filename>:</para>

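Review bot: this hunk does more than the rest of the change. Replacing `$INT_IF` with `192.168.1.0/24` in the SOURCE column of the masq entry changes the rule from "everything arriving on the internal interface" to "only this subnet", which is the tighter rule, but it also hard-codes an address in an example that otherwise names interfaces through variables, and the commit is presented as a BROADCAST-column cleanup. Either add a one-line comment to the entry explaining why the subnet rather than the interface is masqueraded, or split this behavioural change into its own commit so the narrowing is visible in the history.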
@@ -450,9 +450,9 @@ all all ACCEPT

<para><filename>/etc/shorewall/interfaces</filename>:</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc xenbr0 192.168.1.255 dhcp,routeback
dmz xenbr1 - routeback
<programlisting>#ZONE INTERFACE OPTIONS
loc xenbr0 dhcp,routeback
dmz xenbr1 routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>

<para><filename>/etc/shorewall/rules</filename>:</para>
@@ -601,11 +601,11 @@ OMAK=<IP address at our second home>

<para><filename>/etc/shorewall/interfaces</filename>:</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net $EXT_IF 206.124.146.255 dhcp,logmartians,blacklist,tcpflags,nosmurfs
dmz $DMZ_IF 192.168.0.255 logmartians
loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians
wifi $WIFI_IF 192.168.3.255 dhcp,maclist
<programlisting>#ZONE INTERFACE OPTIONS
net $EXT_IF dhcp,logmartians,blacklist,tcpflags,nosmurfs
dmz $DMZ_IF logmartians
loc $INT_IF dhcp,routeback,logmartians
wifi $WIFI_IF dhcp,maclist
vpn tun+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>

@@ -596,8 +596,8 @@ all all REJECT info
is connected to <filename class="devicefile">eth0</filename> and the
switch to <filename class="devicefile">eth1</filename>:</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
world br0 detect bridge
<programlisting>#ZONE INTERFACE OPTIONS
world br0 bridge
net br0:eth0
loc br0:eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
@@ -645,9 +645,9 @@ br0 192.168.1.0/24 routeback

<para><filename>/etc/shorewall/interfaces</filename>:</para>

<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
<programlisting> #ZONE INTERFACE OPTIONS
world br0 bridge
world br1 bridge
z1 br0:p+
z2 br1:p+</programlisting>

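Review bot: the rewritten header line `<programlisting> #ZONE INTERFACE OPTIONS` carries over a leading space from the old line. Whitespace inside a DocBook programlisting is significant, so the header renders indented by one character relative to the `world br0 bridge` entries beneath it; since the line is being rewritten anyway, drop the space. The -657 hunk below has the same leading space on its header line.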
@@ -657,11 +657,11 @@ br0 192.168.1.0/24 routeback
configuration may be defined using the following in
<filename>/etc/shorewall/interfaces</filename>:</para>

<programlisting> #ZONE INTERFACE BROADCAST OPTIONS
world br0 - bridge
world br1 - bridge
z1 br0:x+ - physical=p+
z2 br1:y+ - physical=p+</programlisting>
<programlisting> #ZONE INTERFACE OPTIONS
world br0 bridge
world br1 bridge
z1 br0:x+ physical=p+
z2 br1:y+ physical=p+</programlisting>

<para>In this configuration, 'x+' is the logical name for ports p+ on
bridge br0 while 'y+' is the logical name for ports p+ on bridge
@@ -710,11 +710,11 @@ loc ipv4</programlisting>

<listitem>
<para>The <filename>/etc/shorewall/interfaces</filename> file is as
follows:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
pub br0 detect routefilter,bridge
follows:<programlisting>#ZONE INTERFACE OPTIONS
pub br0 routefilter,bridge
net br0:eth0
dmz br0:eth2
loc eth1 detect</programlisting></para>
loc eth1</programlisting></para>
</listitem>

<listitem>
@@ -887,7 +887,7 @@ col ipv4 nomark</emphasis></programlisting>
role="bold">loc</emphasis> spelled backward.</para>
</note>

<programlisting>#ZONE INTERFACES BROADCAST OPTIONS
<programlisting>#ZONE INTERFACES OPTIONS
net eth0 ...
- br0 ...
zone1 br0:eth1 ...

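Review bot: the new header line reads `#ZONE INTERFACES OPTIONS` while every other interfaces listing in this change uses the singular `INTERFACE` for that column; since the line is rewritten here, align the label with the rest of the documentation.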
@@ -416,10 +416,10 @@ all all REJECT info</programlisting>
url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces
</ulink>file, that file would might contain:</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
loc eth1 detect
dmz eth2 detect</programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
net eth0
loc eth1
dmz eth2</programlisting>

<para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
in the /etc/shorewall/interfaces file.</para>
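Review bot: the unchanged context line directly above the listing reads "that file would might contain", which has a stray word; while this paragraph is being touched, change it to "that file might contain".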
@@ -435,10 +435,10 @@ dmz eth2 detect</programlisting>
<example id="multi">
<title>Multiple Interfaces to a Zone</title>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect
loc eth1 detect
loc eth2 detect</programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
net eth0
loc eth1
loc eth2</programlisting>
</example>

<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
@@ -1816,22 +1816,10 @@ ACCEPT net $FW tcp ssh #SSH to the
<para><filename>/etc/shorewall/interfaces</filename> (The
<quote>options</quote> will be very site-specific).</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter
loc eth1 detect
dmz eth2 detect</programlisting>

<para>The setup described here requires that your network interfaces be
brought up before Shorewall can start. This opens a short window during
which you have no firewall protection. If you replace
<quote>detect</quote> with the actual broadcast addresses in the entries
above, you can bring up Shorewall before you bring up your network
interfaces.</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 192.0.2.255
loc eth1 192.168.201.7
dmz eth2 192.168.202.7</programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
net eth0 routefilter
loc eth1
dmz eth2</programlisting>

<para><filename>/etc/shorewall/masq</filename> - Local Subnet</para>

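Review bot: the deleted paragraph stated a security-relevant property of the setup (with `detect`, the interfaces must be up before Shorewall can start, leaving a short window with no firewall) together with its mitigation (static broadcast addresses). Removing the BROADCAST column removes the mitigation, but the hunk also removes the statement of the risk without replacing it. If the new column layout no longer requires the interfaces to be up before Shorewall starts, keep one sentence saying so; if the start-up ordering dependency still exists for other reasons, keep the warning and point the reader at whatever the current recommended way of closing that window is.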
@@ -1802,7 +1802,7 @@ qt ip link set dev ifb0 up</programlisting></para>

<para><filename>/etc/shorewall/interfaces</filename>:</para>

<programlisting>#ZONE INTERFACE BROADCAST
<programlisting>#ZONE INTERFACE OPTIONS
- ifb0</programlisting>

<para><filename>/etc/shorewall/tcdevices</filename>:</para>

@@ -1229,8 +1229,8 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
network interface. If the wireless interface is <filename
class="devicefile">wlan0</filename>, the entry might look like:</para>

<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc wlan0 detect maclist</programlisting>
<programlisting>#ZONE INTERFACE OPTIONS
loc wlan0 maclist</programlisting>

<para>As shown in the above entry, I recommend using the <ulink
url="MAC_Validation.html">maclist option</ulink> for the wireless