"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "SharedConfig.xml" between
shorewall-docs-xml-5.2.3.6.tar.bz2 and shorewall-docs-xml-5.2.6.tar.bz2

About: Shorewall (The Shoreline Firewall) is an iptables based firewall (documentation; XML)

SharedConfig.xml  (shorewall-docs-xml-5.2.3.6.tar.bz2):SharedConfig.xml  (shorewall-docs-xml-5.2.6.tar.bz2)
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article> <article>
<!--mangle$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title>Shared Shorewall and Shorewall6 Configuration</title> <title>Shared Shorewall and Shorewall6 Configuration</title>
<authorgroup> <authorgroup>
<author> <author>
<firstname>Tom</firstname> <firstname>Tom</firstname>
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
</authorgroup> </authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright> <copyright>
<year>2017</year> <year>2017</year>
<year>2020</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
<legalnotice> <legalnotice>
<para>Permission is granted to copy, distribute and/or modify this <para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para> License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<section> <section>
<title>Introduction</title> <title>Introduction</title>
<para>Netfilter separates management of IPv4 and IPv6 configurations. Each <para>Iptables separates management of IPv4 and IPv6 configurations. Each
address family has its own utility (iptables and ip6tables), and changes address family has its own utility (iptables and ip6tables), and changes
made to the configuration of one address family do not affect the other. made to the configuration of one address family do not affect the other.
While Shorewall also separates the address families in this way, it is While Shorewall also separates the address families in this way, it is
possible for Shorewall and Shorewall6 to share almost all of the possible for Shorewall and Shorewall6 to share almost all of the
configuration files. This article gives an example.</para> configuration files. This article gives an example.</para>
<caution> <caution>
<para>What is shown here currently works best with Debian and <para>What is shown here currently works best with Debian and
derivatives, or when the tarball installer is used and the SPARSE option derivatives, or when the tarball installer is used and the SPARSE option
is enabled when running configure[.pl].</para> is enabled when running configure[.pl].</para>
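Review bot: the Netfilter to Iptables wording change in the first sentence of the Introduction is the right fix, since the separate per-family utilities named in the next clause (iptables and ip6tables) are a property of the iptables tooling rather than of netfilter itself; the cleanup of the stray "mangle" text in the $Id$ comment and the added 2020 copyright year in the same hunk need no further change.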
skipping to change at line 71 skipping to change at line 73
used (eth1) and supports the public IPv4 subnet 70.90.191.120/29. For used (eth1) and supports the public IPv4 subnet 70.90.191.120/29. For
IPv6, a Hurricane Electric 6in4 tunnel is used (sit1), which provides the IPv6, a Hurricane Electric 6in4 tunnel is used (sit1), which provides the
public IPv6 subnet 2001:470:b:227::/64. The router also has two bridges. A public IPv6 subnet 2001:470:b:227::/64. The router also has two bridges. A
DMZ bridge (br0) provides access to containers running a web server, a DMZ bridge (br0) provides access to containers running a web server, a
mail exchanger, and an IMAPS mail access server. The second bridge (br1) mail exchanger, and an IMAPS mail access server. The second bridge (br1)
provides access to a container running irssi under screen, allowing provides access to a container running irssi under screen, allowing
constant access to and monitoring of IRC channels.</para> constant access to and monitoring of IRC channels.</para>
<para>Here is a diagram of this installation:</para> <para>Here is a diagram of this installation:</para>
<graphic fileref="images/Network2017.png"/> <graphic fileref="images/Network2020.png"/>
</section> </section>
<section> <section>
<title>Configuration</title> <title>Configuration</title>
<para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para> <para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
<programlisting>root@gateway:~# ls -l /etc/shorewall/ <programlisting>root@gateway:~# ls -l /etc/shorewall
total 92 total 120
-rw-r--r-- 1 root root 201 Mar 19 2017 action.Mirrors -rw-r--r-- 1 root root 201 Mar 19 2017 action.Mirrors
-rw-r--r-- 1 root root 109 Oct 20 09:18 actions -rw-r--r-- 1 root root 109 Oct 20 2017 actions
-rw-r--r-- 1 root root 654 Oct 13 13:46 conntrack -rw-r--r-- 1 root root 82 Oct 5 2018 arprules
-rw-r--r-- 1 root root 104 Oct 13 13:21 hosts -rw-r--r-- 1 root root 528 Oct 7 2019 blrules
-rw-r--r-- 1 root root 867 Jul 1 10:50 interfaces -rw-r--r-- 1 root root 1797 Sep 16 2019 capabilities
-rw-r--r-- 1 root root 107 Jun 29 15:14 isusable -rw-r--r-- 1 root root 656 Jun 10 2018 conntrack
-rw-r--r-- 1 root root 240 Oct 13 13:34 macro.FTP -rw-r--r-- 1 root root 104 Oct 13 2017 hosts
-rw-r--r-- 1 root root 559 Oct 19 12:56 mangle -rw-r--r-- 1 root root 867 Jun 10 2018 interfaces
-rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors -rw-r--r-- 1 root root 107 Jun 29 2017 isusable
-rw-r--r-- 1 root root 2687 Oct 15 14:20 params -rw-r--r-- 1 root root 240 Oct 13 2017 macro.FTP
-rw-r--r-- 1 root root 738 Oct 15 12:16 policy -rw-r--r-- 1 root root 705 Oct 22 2019 mangle
-rw-r--r-- 1 root root 1838 Oct 11 08:29 providers -rw-r--r-- 1 root root 1308 Apr 2 2018 mirrors
-rw-r--r-- 1 root root 2889 Apr 23 17:13 params
-rw-r--r-- 1 root root 1096 Oct 14 2019 policy
-rw-r--r-- 1 root root 2098 Apr 23 17:19 providers
-rw-r--r-- 1 root root 398 Mar 18 2017 proxyarp -rw-r--r-- 1 root root 398 Mar 18 2017 proxyarp
rw-r--r-- 1 root root <span class="insert">2098 Apr 23 17:19</span> providers -rw-r--r-- 1 root root 726 Oct 24 2018 routes
-rw-r--r-- 1 root root 738 Nov 8 09:34 routes -rw-r--r-- 1 root root 729 Mar 1 11:08 rtrules
-rw-r--r-- 1 root root 729 Nov 7 12:52 rtrules -rw-r--r-- 1 root root 8593 Feb 25 08:49 rules
-rw-r--r-- 1 root root 6367 Oct 13 13:21 rules -rw-r--r-- 1 root root 5490 Mar 1 18:34 shorewall.conf
-rw-r--r-- 1 root root 5520 Oct 19 10:01 shorewall.conf -rw-r--r-- 1 root root 1090 Sep 16 2019 snat
-rw-r--r-- 1 root root 1090 Oct 25 15:17 snat -rw-r--r-- 1 root root 180 Jan 30 2018 started
-rw-r--r-- 1 root root 181 Jun 29 15:12 started -rw-r--r-- 1 root root 539 Feb 6 14:33 stoppedrules
-rw-r--r-- 1 root root 435 Oct 13 13:21 tunnels -rw-r--r-- 1 root root 435 Oct 13 2017 tunnels
-rw-r--r-- 1 root root 941 Oct 15 11:27 zones -rw-r--r-- 1 root root 941 Oct 15 2017 zones
root@gateway:~# ls -l /etc/shorewall6/ root@gateway:~# ls -l /etc/shorewall6
total 8 total 12
lrwxrwxrwx 1 root root 20 Jul 6 16:35 mirrors -&gt; ../shorewall/mirrors -rw-r--r-- 1 root root 1786 Sep 16 2019 capabilities
lrwxrwxrwx 1 root root 19 Jul 6 12:48 params -&gt; ../shorewall/params lrwxrwxrwx 1 root root 20 Jul 6 2017 mirrors -&gt; ../shorewall/mirrors
-rw-r--r-- 1 root root 5332 Oct 14 11:53 shorewall6.conf lrwxrwxrwx 1 root root 19 Jul 6 2017 params -&gt; ../shorewall/params
root@gateway:~# -rw-r--r-- 1 root root 5324 Oct 18 2019 shorewall6.conf
</programlisting> root@gateway:~#</programlisting>
<para>The various configuration files are described in the sections that <para>The various configuration files are described in the sections that
follow. Note that in all cases, these files use the <ulink follow. Note that in all cases, these files use the <ulink
url="/configuration_file_basics.htm#Pairs">alternate format for column url="/configuration_file_basics.htm#Pairs">alternate format for column
specification</ulink>.</para> specification</ulink>.</para>
<section> <section>
<title>/usr/share/shorewall/shorewallrc</title> <title>/usr/share/shorewall/shorewallrc</title>
<para>The key setting here is SPARSE=Very</para> <para>The key setting here is SPARSE=Very</para>
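Review bot: the new /etc/shorewall listing adds arprules, blrules, routes, stoppedrules and a capabilities file (and /etc/shorewall6 gains its own capabilities file), yet the paragraph right after it still says the files are "described in the sections that follow"; check that the later sections of the article actually cover blrules, stoppedrules and arprules, otherwise the listing and the prose drift apart. A saved capabilities file is a snapshot of kernel and iptables features, so the article should remind readers to regenerate it with "shorewall show -f capabilities" after kernel or iptables upgrades rather than leave a stale copy in the configuration directory. The path "/etc/shorewal6/" in the introductory para (both columns) is missing an "l".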
skipping to change at line 188 skipping to change at line 194
STARTUP_ENABLED=Yes STARTUP_ENABLED=Yes
############################################################################### ###############################################################################
# V E R B O S I T Y # V E R B O S I T Y
############################################################################### ###############################################################################
VERBOSITY=1 VERBOSITY=1
############################################################################### ###############################################################################
# P A G E R # P A G E R
############################################################################### ###############################################################################
PAGER=pager PAGER=pager
############################################################################### ###############################################################################
# F I R E W A L L # F I R E W A L L
############################################################################### ###############################################################################
FIREWALL= FIREWALL=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################
LOG_LEVEL="NFLOG(0,64,1)" LOG_LEVEL="NFLOG(0,64,1)"
BLACKLIST_LOG_LEVEL="none" BLACKLIST_LOG_LEVEL="none"
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=netlink LOG_BACKEND=netlink
LOG_MARTIANS=Yes LOG_MARTIANS=Yes
LOG_VERBOSITY=1 LOG_VERBOSITY=1
LOG_ZONE=Src
LOGALLNEW= LOGALLNEW=
LOGFILE=/var/log/ulogd/ulogd.syslogemu.log LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
LOGFORMAT=": %s %s" LOGFORMAT="%s %s"
LOGTAGONLY=Yes LOGTAGONLY=Yes
LOGLIMIT="s:5/min" LOGLIMIT="s:5/min"
MACLIST_LOG_LEVEL="$LOG_LEVEL" MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL="$LOG_LEVEL:,related" RELATED_LOG_LEVEL="$LOG_LEVEL:,related"
RPFILTER_LOG_LEVEL="$LOG_LEVEL:,rpfilter" RPFILTER_LOG_LEVEL="$LOG_LEVEL:,rpfilter"
SFILTER_LOG_LEVEL="$LOG_LEVEL" SFILTER_LOG_LEVEL="$LOG_LEVEL"
SMURF_LOG_LEVEL="$LOG_LEVEL" SMURF_LOG_LEVEL="$LOG_LEVEL"
STARTUP_LOG=/var/log/shorewall-init.log STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL" TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
UNTRACKED_LOG_LEVEL= UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
ARPTABLES= ARPTABLES=
CONFIG_PATH="/etc/shorewall:/usr/share/shorewall:/usr/share/shorewall/Shorewall" CONFIG_PATH="/etc/shorewall:/usr/share/shorewall:/usr/share/shorewall/Shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=/sbin/iptables IPTABLES=/sbin/iptables
IP=/sbin/ip IP=/sbin/ip
IPSET= IPSET=
LOCKFILE=/var/lib/shorewall/lock LOCKFILE=/var/lib/shorewall/lock
MODULESDIR="+extra/RTPENGINE" MODULESDIR="+extra/RTPENGINE"
NFACCT= NFACCT=
PATH="/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" PATH="/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin"
PERL=/usr/bin/perl PERL=/usr/bin/perl
RESTOREFILE= RESTOREFILE=
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK= SUBSYSLOCK=
TC= TC=
############################################################################### ###############################################################################
# D E F A U L T A C T I O N S / M A C R O S # D E F A U L T A C T I O N S / M A C R O S
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="NotSyn(DROP):$LOG_LEVEL" BLACKLIST_DEFAULT="NotSyn(DROP):$LOG_LEVEL"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)" DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)" REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S
############################################################################### ###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}' RSH_COMMAND='ssh ${root}@${system} ${command}'
############################################################################### ###############################################################################
# F I R E W A L L O P T I O N S # F I R E W A L L O P T I O N S
############################################################################### ###############################################################################
ACCOUNTING=Yes ACCOUNTING=Yes
ACCOUNTING_TABLE=mangle ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=No AUTOHELPERS=No
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=Yes CLAMPMSS=No
CLEAR_TC=Yes CLEAR_TC=Yes
COMPLETE=No COMPLETE=No
DEFER_DNS_RESOLUTION=No DEFER_DNS_RESOLUTION=No
DELETE_THEN_ADD=No DELETE_THEN_ADD=No
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=No DISABLE_IPV6=No
DOCKER=No DOCKER=No
DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323" DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323"
DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200" DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
EXPAND_POLICIES=Yes EXPAND_POLICIES=No
EXPORTMODULES=Yes EXPORTMODULES=Yes
FASTACCEPT=Yes FASTACCEPT=Yes
FORWARD_CLEAR_MARK=No FORWARD_CLEAR_MARK=No
HELPERS="ftp,irc" HELPERS="ftp,irc"
IGNOREUNKNOWNVARIABLES=No IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes
IP_FORWARDING=Yes IP_FORWARDING=Yes
KEEP_RT_TABLES=Yes KEEP_RT_TABLES=Yes
LOAD_HELPERS_ONLY=Yes
MACLIST_TABLE=filter MACLIST_TABLE=filter
MACLIST_TTL=60 MACLIST_TTL=60
MANGLE_ENABLED=Yes MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MINIUPNPD=No MINIUPNPD=No
MULTICAST=No MULTICAST=No
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=unreachable NULL_ROUTE_RFC1918=unreachable
OPTIMIZE=All OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=12345 PERL_HASH_SEED=12345
REJECT_ACTION= REJECT_ACTION=
RENAME_COMBINED=No
REQUIRE_INTERFACE=No REQUIRE_INTERFACE=No
RESTART=restart RESTART=restart
RESTORE_DEFAULT_ROUTE=No RESTORE_DEFAULT_ROUTE=No
RESTORE_ROUTEMARKS=Yes RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No RETAIN_ALIASES=No
ROUTE_FILTER=No ROUTE_FILTER=No
SAVE_ARPTABLES=No SAVE_ARPTABLES=No
SAVE_IPSETS=ipv4 SAVE_IPSETS=ipv4
TC_ENABLED=No TC_ENABLED=No
TC_EXPERT=No TC_EXPERT=No
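Review bot: CLAMPMSS flips from Yes to No in the IPv4 shorewall.conf with no explanation in the prose, and EXPAND_POLICIES flips from Yes to No while the IPv6 file further down keeps EXPAND_POLICIES=Yes; since the policy file lives only in /etc/shorewall and is shared through CONFIG_PATH, a sentence saying whether that per-family divergence is intentional would help. ACCOUNTING_TABLE likewise moves from mangle to filter here while shorewall6.conf still says mangle. The options dropped from the file (INLINE_MATCHES, LOAD_HELPERS_ONLY, MAPOLDACTIONS, RENAME_COMBINED) disappear silently; the text should note that they are no longer part of the documented release's shorewall.conf so readers do not carry them over from an older file. The added LOG_ZONE=Src is a sensible default for a shared logging setup because every message then names the source zone.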
skipping to change at line 317 skipping to change at line 322
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=Yes USE_NFLOG_SIZE=Yes
USE_PHYSICAL_NAMES=Yes USE_PHYSICAL_NAMES=Yes
USE_RT_NAMES=Yes USE_RT_NAMES=Yes
VERBOSE_MESSAGES=No VERBOSE_MESSAGES=No
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No
ZERO_MARKS=No ZERO_MARKS=No
ZONE2ZONE=- ZONE2ZONE=-
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=ACCEPT MACLIST_DISPOSITION=ACCEPT
RELATED_DISPOSITION=REJECT RELATED_DISPOSITION=REJECT
RPFILTER_DISPOSITION=DROP RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=DROP UNTRACKED_DISPOSITION=DROP
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################
TC_BITS=8 TC_BITS=8
PROVIDER_BITS=2 PROVIDER_BITS=2
PROVIDER_OFFSET=16 PROVIDER_OFFSET=16
MASK_BITS=8 MASK_BITS=8
ZONE_BITS=0 ZONE_BITS=0</programlisting>
</programlisting>
</section> </section>
<section> <section>
<title>shorewall6.conf</title> <title>shorewall6.conf</title>
<para>The contents of /etc/shorewall6/shorewall6.conf are:</para> <para>The contents of /etc/shorewall6/shorewall6.conf are:</para>
<programlisting>######################################################## ####################### <programlisting>######################################################## #######################
# #
# Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf # Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
# #
# For information about the settings in this file, type "man shorewall6.conf" # For information about the settings in this file, type "man shorewall6.conf"
# #
# Manpage also online at # Manpage also online at
# http://www.shorewall.net/manpages/shorewall.conf.html # http://www.shorewall.net/manpages6/shorewall6.conf.html
############################################################################### ###############################################################################
# S T A R T U P E N A B L E D # S T A R T U P E N A B L E D
############################################################################### ###############################################################################
STARTUP_ENABLED=Yes STARTUP_ENABLED=Yes
############################################################################### ###############################################################################
# V E R B O S I T Y # V E R B O S I T Y
############################################################################### ###############################################################################
VERBOSITY=1 VERBOSITY=1
############################################################################### ###############################################################################
# P A G E R # P A G E R
############################################################################### ###############################################################################
PAGER=pager PAGER=pager
############################################################################### ###############################################################################
# F I R E W A L L # F I R E W A L L
############################################################################### ###############################################################################
FIREWALL= FIREWALL=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################
LOG_LEVEL="NFLOG(0,64,1)" LOG_LEVEL="NFLOG(0,64,1)"
BLACKLIST_LOG_LEVEL="none" BLACKLIST_LOG_LEVEL="none"
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=netlink LOG_BACKEND=netlink
LOG_VERBOSITY=2 LOG_VERBOSITY=2
LOG_ZONE=Src
LOGALLNEW= LOGALLNEW=
LOGFILE=/var/log/ulogd/ulogd.syslogemu.log LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
LOGFORMAT="%s %s " LOGFORMAT="%s %s"
LOGLIMIT="s:5/min" LOGLIMIT="s:5/min"
LOGTAGONLY=Yes LOGTAGONLY=Yes
MACLIST_LOG_LEVEL="$LOG_LEVEL" MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL= RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL="$LOG_LEVEL" RPFILTER_LOG_LEVEL="$LOG_LEVEL"
SFILTER_LOG_LEVEL="$LOG_LEVEL" SFILTER_LOG_LEVEL="$LOG_LEVEL"
SMURF_LOG_LEVEL="$LOG_LEVEL" SMURF_LOG_LEVEL="$LOG_LEVEL"
STARTUP_LOG=/var/log/shorewall6-init.log STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL" TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
UNTRACKED_LOG_LEVEL= UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${ SHAREDIR}/shorewall" CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${ SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE GEOIPDIR=/usr/share/xt_geoip/LE
IP6TABLES= IP6TABLES=
IP= IP=
IPSET= IPSET=
LOCKFILE= LOCKFILE=
MODULESDIR="+extra/RTPENGINE" MODULESDIR="+extra/RTPENGINE"
NFACCT= NFACCT=
PERL=/usr/bin/perl PERL=/usr/bin/perl
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
RESTOREFILE=restore RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall6 SUBSYSLOCK=/var/lock/subsys/shorewall6
TC= TC=
############################################################################### ###############################################################################
# D E F A U L T A C T I O N S / M A C R O S # D E F A U L T A C T I O N S / M A C R O S
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LE VEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LE VEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S
############################################################################### ###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}' RSH_COMMAND='ssh ${root}@${system} ${command}'
############################################################################### ###############################################################################
# F I R E W A L L O P T I O N S # F I R E W A L L O P T I O N S
############################################################################### ###############################################################################
ACCOUNTING=Yes ACCOUNTING=Yes
ACCOUNTING_TABLE=mangle ACCOUNTING_TABLE=mangle
ADMINISABSENTMINDED=Yes ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=No AUTOHELPERS=No
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
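Review bot: the LOGFORMAT change to "%s %s" in shorewall6.conf, together with the matching change on the IPv4 side, means both families now emit identical prefixes into the same LOGFILE (/var/log/ulogd/ulogd.syslogemu.log) via the same NFLOG group, so one ulogd parsing rule covers both address families; worth a sentence in the prose since log correlation across families is one of the benefits of a shared configuration. The manpage URL correction to manpages6/shorewall6.conf.html and the trailing-newline cleanup of the previous listing are fine.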
skipping to change at line 446 skipping to change at line 451
DELETE_THEN_ADD=No DELETE_THEN_ADD=No
DONT_LOAD= DONT_LOAD=
DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200" DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
EXPAND_POLICIES=Yes EXPAND_POLICIES=Yes
EXPORTMODULES=Yes EXPORTMODULES=Yes
FASTACCEPT=Yes FASTACCEPT=Yes
FORWARD_CLEAR_MARK=No FORWARD_CLEAR_MARK=No
HELPERS=ftp HELPERS=ftp
IGNOREUNKNOWNVARIABLES=No IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
INLINE_MATCHES=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes
IP_FORWARDING=Keep IP_FORWARDING=Keep
KEEP_RT_TABLES=Yes KEEP_RT_TABLES=Yes
LOAD_HELPERS_ONLY=Yes
MACLIST_TABLE=filter MACLIST_TABLE=filter
MACLIST_TTL= MACLIST_TTL=
MANGLE_ENABLED=Yes MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No MARK_IN_FORWARD_CHAIN=No
MINIUPNPD=No MINIUPNPD=No
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60
OPTIMIZE=All OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=0 PERL_HASH_SEED=0
REJECT_ACTION= REJECT_ACTION=
RENAME_COMBINED=No
REQUIRE_INTERFACE=No REQUIRE_INTERFACE=No
RESTART=restart RESTART=restart
RESTORE_DEFAULT_ROUTE=No RESTORE_DEFAULT_ROUTE=No
RESTORE_ROUTEMARKS=Yes RESTORE_ROUTEMARKS=Yes
SAVE_IPSETS=No SAVE_IPSETS=No
TC_ENABLED=Shared TC_ENABLED=Shared
TC_EXPERT=No TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes TRACK_PROVIDERS=Yes
TRACK_RULES=No TRACK_RULES=No
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=Yes USE_NFLOG_SIZE=Yes
USE_PHYSICAL_NAMES=No USE_PHYSICAL_NAMES=Yes
USE_RT_NAMES=No USE_RT_NAMES=No
VERBOSE_MESSAGES=No VERBOSE_MESSAGES=No
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No
ZERO_MARKS=No ZERO_MARKS=No
ZONE2ZONE=- ZONE2ZONE=-
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=REJECT RELATED_DISPOSITION=REJECT
SFILTER_DISPOSITION=DROP SFILTER_DISPOSITION=DROP
RPFILTER_DISPOSITION=DROP RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=DROP UNTRACKED_DISPOSITION=DROP
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################
TC_BITS=8 TC_BITS=8
PROVIDER_BITS=2 PROVIDER_BITS=2
PROVIDER_OFFSET=8 PROVIDER_OFFSET=8
MASK_BITS=8 MASK_BITS=8
ZONE_BITS=0 ZONE_BITS=0
#LAST LINE -- DO NOT REMOVE
</programlisting> </programlisting>
</section> </section>
</section> </section>
<section> <section>
<title>params</title> <title>params</title>
<para>Because addresses and interfaces are different between the two <para>Because addresses and interfaces are different between the two
address families, they cannot be hard-coded in the configuration files. address families, they cannot be hard-coded in the configuration files.
<filename>/etc/shorewall/params</filename> is used to set shell <filename>/etc/shorewall/params</filename> is used to set shell
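Review bot: USE_PHYSICAL_NAMES moving from No to Yes in shorewall6.conf brings it in line with the IPv4 file (USE_PHYSICAL_NAMES=Yes there), which matters for a shared configuration because generated chain names are then derived the same way for both families; the prose could state this explicitly as one of the settings that must agree across the two .conf files. The same obsolete options removed from the IPv4 file (INLINE_MATCHES, LOAD_HELPERS_ONLY, RENAME_COMBINED) are removed here too, and the "#LAST LINE -- DO NOT REMOVE" marker is dropped from the listing; both are consistent with the previous hunk.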
skipping to change at line 527 skipping to change at line 532
<programlisting>INCLUDE mirrors #Sets the MIRRORS variable for the Mirrors action <programlisting>INCLUDE mirrors #Sets the MIRRORS variable for the Mirrors action
# #
# Set compile-time variables depending on the address family # Set compile-time variables depending on the address family
# #
if [ $g_family = 4 ]; then if [ $g_family = 4 ]; then
# #
# IPv4 compilation # IPv4 compilation
# #
FALLBACK=Yes # Make FAST_IF the primary and PROD_IF the fallback in terface FALLBACK=Yes # Make FAST_IF the primary and PROD_IF the fallback i nterface
# See /etc/shorewall/providers # See /etc/shorewall/providers
STATISTICAL=No # Don't use statistical load balancing STATISTICAL= # Use statistical load balancing
LISTS=70.90.191.124 # IP address of lists.shorewall.net (MX) LISTS=70.90.191.124 # IP address of lists.shorewall.net (MX)
MAIL=70.90.191.122 # IP address of mail.shorewall.net (IMAPS) MAIL=70.90.191.122 # IP address of mail.shorewall.net (IMAPS)
SERVER=70.90.191.125 # IP address of www.shorewall.org SERVER=70.90.191.125 # IP address of www.shorewall.org
PROXY= # Use TPROXY for local web access IRSSIEXT=10.2.10.2 # External address of irssi.shorewall.net
ALL=0.0.0.0/0 # Entire address space IRSSIINT=172.20.2.44 # Internal IP address of irssi.shorewall.net
PROXY=Yes # Use TPROXY for local web access
ALL=0.0.0.0/0 # Entire address space
LOC_ADDR=172.20.1.253 # IP address of the local LAN interface LOC_ADDR=172.20.1.253 # IP address of the local LAN interface
FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface
FAST_MARK=0x20000 # Multi-ISP mark setting for IF_FAST FAST_MARK=0x20000 # Multi-ISP mark setting for IF_FAST
IPSECMSS=1460 IPSECMSS=1460
# #
# Interface Options # Interface Options
# #
LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,routeback,tcpflags=0,nodbl,phys ical=eth2 LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,routeback,tcpflags=0,nodbl,phys ical=eth2
FAST_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_i FAST_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,prox
gnore=1,proxyarp=0,upnp,nosmurfs,physical=eth0 yarp=0,nosmurfs,rpfilter,physical=eth0
PROD_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_i PROD_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,prox
gnore=1,proxyarp=0,upnp,nosmurfs,physical=eth1 yarp=0,nosmurfs,rpfilter,physical=eth1
DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,dhcp DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,nodb
,nodbl,physical=br0 l,physical=br0
IRC_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=172.20.2.0/24,dhcp,no dbl,physical=br1 IRC_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=172.20.2.0/24,dhcp,no dbl,physical=br1
else else
# #
# IPv6 compilation # IPv6 compilation
# #
FALLBACK=Yes # Make FAST_IF the primary and PROD FALLBACK=Yes # Make FAST_IF the primary and PROD_I
_IF the fallback interface F the fallback interface
# See /etc/shorewall/providers # See /etc/shorewall/providers
STATISTICAL=No # Don't use statistical load balanc STATISTICAL=No # Don't use statistical load balancin
ing g
LISTS=[2001:470:b:227::42] # IP address of lists.shorewall.net LISTS=[2001:470:b:227::42] # IP address of lists.shorewall.net (
(MX and HTTPS) MX and HTTPS)
MAIL=[2001:470:b:227::45] # IP address of mail.shorewall.net MAIL=[2001:470:b:227::45] # IP address of mail.shorewall.net (
(IMAPS and HTTPS) IMAPS and HTTPS)
SERVER=[2001:470:b:227::43] # IP address of www.shorewa SERVER=[2001:470:b:227::43] # IP address of www.shorewall.org (
ll.org (HTTP, FTP and RSYNC) HTTP, FTP and RSYNC)
PROXY=3 # Use TPROXY for local web access IRSSI=[2601:601:a000:16f1::]/64 # IP address of asus.shorewall.org (
ALL=[::]/0 # Entire address space Bit Torrent)
LOC_ADDR=[2601:601:a000:16f0::1] # IP address of the local LAN inter PROXY=Yes # Use TPROXY for local web access
face ALL=[::]/0 # Entire address space
FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf # Default gateway through the IF_F LOC_ADDR=[2601:601:a000:16f0::1] # IP address of the local LAN interfa
AST interface ce
FAST_MARK=0x100 # Multi-ISP mark setting for IF_FAS FAST_GATEWAY=2601:601:a000:1600:22e5:2aff:feb7:f2cf
T FAST_MARK=0x100 # Multi-ISP mark setting for IF_FAST
IPSECMSS=1440 IPSECMSS=1440
# #
# Interface Options # Interface Options
# #
PROD_OPTIONS=forward=1,optional,physical=sit1 PROD_OPTIONS=forward=1,optional,rpfilter,routeback,physical=sit1
FAST_OPTIONS=forward=1,optional,dhcp,upnp,physical=eth0 FAST_OPTIONS=forward=1,optional,dhcp,rpfilter,physical=eth0
LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2 LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2
DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0 DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0
IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1 IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1
fi</programlisting> fi</programlisting>
</section> </section>
<section> <section>
<title>zones</title> <title>zones</title>
<para>Here is the /etc/shorewall/zones file:</para> <para>Here is the /etc/shorewall/zones file:</para>
<programlisting>########################################################## ##################### <programlisting>########################################################## #####################
#ZONE TYPE OPTIONS IN OUT #ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS # OPTIONS OPTIONS
# #
# By using the 'ip' type, both Shorewall and Shorewall6 can share this file # By using the 'ip' type, both Shorewall and Shorewall6 can share this file
# #
fw { TYPE=firewall } fw { TYPE=firewall }
net { TYPE=ip } net { TYPE=ip }
loc { TYPE=ip } loc { TYPE=ip }
dmz { TYPE=ip } dmz { TYPE=ip }
apps { TYPE=ip } apps { TYPE=ip }
vpn { TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS } vpn { TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
</programlisting> </programlisting>
</section> </section>
<section> <section>
<title>interfaces</title> <title>interfaces</title>
<para>/etc/shorewall/interfaces makes heavy use of variables set in <para>/etc/shorewall/interfaces makes heavy use of variables set in
/etc/shorewall/params:</para> /etc/shorewall/params:</para>
<programlisting># <programlisting>?FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
#
# The two address families use different production interfaces and different # The two address families use different production interfaces and different
# #
# LOC_IF is the local LAN for both families # LOC_IF is the local LAN for both families
# FAST_IF is a Comcast IPv6 beta uplink which is used for internet access from t he local lan for both families # FAST_IF is a Comcast IPv6 beta uplink which is used for internet access from t he local lan for both families
# PROD_IF is the interface used by shorewall.org servers # PROD_IF is the interface used by shorewall.org servers
# For IPv4, it is eth1 # For IPv4, it is eth1
# For IPv6, it is sit1 (Hurricane Electric 6in4 link) # For IPv6, it is sit1 (Hurricane Electric 6in4 link)
# DMZ_IF is a bridge to the production containers # DMZ_IF is a bridge to the production containers
# IRC_IF is a bridge to a container that currently runs irssi under screen # IRC_IF is a bridge to a container that currently runs irssi under screen
loc { INTERFACE=LOC_IF, OPTIONS=$LOC_OPTIONS } loc { INTERFACE=LOC_IF, OPTIONS=$LOC_OPTIONS }
net { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS } net { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS }
net { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS } net { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS }
dmz { INTERFACE=DMZ_IF, OPTIONS=$DMZ_OPTIONS } dmz { INTERFACE=DMZ_IF, OPTIONS=$DMZ_OPTIONS }
apps { INTERFACE=IRC_IF, OPTIONS=$IRC_OPTIONS } apps { INTERFACE=IRC_IF, OPTIONS=$IRC_OPTIONS }</programlisting>
</programlisting>
</section> </section>
<section> <section>
<title>hosts</title> <title>hosts</title>
<para>/etc/shorewall/hosts is used to define the vpn zone:</para> <para>/etc/shorewall/hosts is used to define the vpn zone:</para>
<programlisting>#ZONE HOSTS OPTIONS <programlisting>##ZONE HOSTS OPTIONS
vpn { HOSTS=PROD_IF:$ALL } vpn { HOSTS=PROD_IF:$ALL }
vpn { HOSTS=FAST_IF:$ALL } vpn { HOSTS=FAST_IF:$ALL }
vpn { HOSTS=LOC_IF:$ALL } vpn { HOSTS=LOC_IF:$ALL }</programlisting>
</programlisting>
</section> </section>
<section> <section>
<title>policy</title> <title>policy</title>
<para>The same set of policies apply to both address families:</para> <para>The same set of policies apply to both address families:</para>
<programlisting>#SOURCE DEST POLICY LOGLEVEL RATE <programlisting>#SOURCE DEST POLICY LOGLEVEL RATE
$FW { DEST=dmz,net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } $FW { DEST=dmz,net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
$FW { DEST=all, POLICY=ACCEPT }
loc { DEST=net, POLICY=ACCEPT } ?if __IPV4
$FW { DEST=all, POLICY=ACCEPT:Broadcast(ACCEPT),Multicast(ACCEPT
), LOGLEVEL=$LOG_LEVEL }
?else
$FW { DEST=all, POLICY=ACCEPT:AllowICMPs,Broadcast(ACCEPT),Multi
cast(ACCEPT) LOGLEVEL=$LOG_LEVEL }
?endif
loc,apps { DEST=net, POLICY=ACCEPT }
loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT } loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT }
loc { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } loc { DEST=fw, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
?if __IPV4
net { DEST=net, POLICY=NONE } net { DEST=net, POLICY=NONE }
?else
net { DEST=net, POLICY=REJECT,
LOGLEVEL=$LOG_LEVEL }
?endif
net { DEST=fw, POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP ),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 } net { DEST=fw, POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP ),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
net { DEST=all, POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 } net { DEST=all, POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
dmz { DEST=fw, POLICY=REJECT, dmz { DEST=fw POLICY=REJECT,
LOGLEVEL=$LOG_LEVEL } LOGLEVEL=$LOG_LEVEL }
dmz { DEST=dmz POLICY=REJECT,
LOGLEVEL=$LOG_LEVEL }
all { DEST=all, POLICY=REJECT, all { DEST=all, POLICY=REJECT,
LOGLEVEL=$LOG_LEVEL } LOGLEVEL=$LOG_LEVEL }</programlisting>
</programlisting>
</section> </section>
<section> <section>
<title>providers</title> <title>providers</title>
<para>The providers file is set up to allow for three different <para>The providers file is set up to allow for three different
configurations:</para> configurations:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
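Review bot: the IPv4 params block now reads `STATISTICAL= # Use statistical load balancing` where the old line was `STATISTICAL=No # Don't use statistical load balancing`; the value was blanked but the comment was flipped to the opposite sense, while the IPv6 branch further down keeps `STATISTICAL=No # Don't use statistical load balancing`. If the intent is still not to balance statistically, keep the comment as "Don't use" so the two branches describe the same state. Smaller points in the same hunk: the new IPv6 policy line `$FW { DEST=all, POLICY=ACCEPT:AllowICMPs,Broadcast(ACCEPT),Multicast(ACCEPT) LOGLEVEL=$LOG_LEVEL }` and the reworked `dmz { DEST=fw POLICY=REJECT, ... }` omit the comma before the next column pair that the neighbouring lines use; the new hosts header reads `##ZONE` where the other files use a single `#`; and the IPv6 `FAST_GATEWAY` lost its trailing description comment when it was switched from the link-local to the global address, so that variable block is no longer self-documenting.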
skipping to change at line 679 skipping to change at line 696
<listitem> <listitem>
<para>STATISTICAL -- Statistical load balancing between FAST_IF and <para>STATISTICAL -- Statistical load balancing between FAST_IF and
PROD_IF</para> PROD_IF</para>
</listitem> </listitem>
<listitem> <listitem>
<para>IPv4 only -- balance between FAST_IF and PROD_IF</para> <para>IPv4 only -- balance between FAST_IF and PROD_IF</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
<programlisting># <programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE G
ATEWAY OPTIONS COPY
#
# This could be cleaned up a bit, but I'm leaving it as is for now # This could be cleaned up a bit, but I'm leaving it as is for now
# #
# - The two address families use different fw mark geometry # - The two address families use different fw mark geometry
# - The two address families use different fallback interfaces # - The two address families use different fallback interfaces
# - The 'balance' option doesn't work as expected in IPv6 so I have no balance configuration for Shorewall6 # - The 'balance' option doesn't work as expected in IPv6 so I have no balance configuration for Shorewall6
# - IPv4 uses the 'loose' option on PROD_IF # - IPv4 uses the 'loose' option on PROD_IF
# #
?if $FALLBACK ?if $FALLBACK
# FAST_IF is primary, PROD_IF is fallback # FAST_IF is primary, PROD_IF is fallback
# #
?info Compiling with FALLBACK ?if $VERBOSITY &gt; 0
?info Compiling with FALLBACK
?endif
IPv6Beta { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST _GATEWAY, OPTIONS=loose,primary,persistent,noautosrc } IPv6Beta { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST _GATEWAY, OPTIONS=loose,primary,persistent,noautosrc }
?if __IPV4 ?if __IPV4
ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1. 10.1, OPTIONS=loose,fallback,persistent } ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1. 10.1, OPTIONS=loose,fallback,persistent }
?else ?else
HE { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=fallb ack,persistent } HE { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=fallb ack,persistent }
?endif ?endif
?elsif $STATISTICAL ?elsif $STATISTICAL
# Statistically balance traffic between FAST_IF and PROD_IF # Statistically balance traffic between FAST_IF and PROD_IF
?info Compiling with STATISTICAL ?if $VERBOSITY &gt; 0
?info Compiling with STATISTICAL
?endif
?if __IPV4 ?if __IPV4
IPv6Beta { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GA IPv6Beta { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GA
TEWAY, OPTIONS=loose,load=0.66666667,primary } TEWAY, OPTIONS=loose,load=0.66666667,primary,persistent }
ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.
1, OPTIONS=loose,load=0.33333333,fallback,persistent }
?else ?else
HE { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=track,load=0.33333333,persistent } HE { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=track,load=0.33333333,persistent }
?endif ?endif
?else ?else
?INFO Compiling with BALANCE ?if $VERBOSITY &gt; 0
IPv6Beta { NUMBER=1, MARK=0x100, INTERFACE=eth0, GATEWAY=$FAST_GATEW ?info Compiling with BALANCE
AY, OPTIONS=track,balance=2,loose,persistent } ?endif
IPv6Beta { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GA
TEWAY, OPTIONS=track,balance=2,loose,persistent }
?if __IPV4 ?if __IPV4
ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=IPV4_IF, GATEWAY=10.1.10.1, OPTIONS=nohostroute,loose,balance,persistent } ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10. 1, OPTIONS=nohostroute,loose,balance,persistent }
?else ?else
?warning No BALANCE IPv6 configuration ?warning No BALANCE IPv6 configuration
HE { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=fallback,persistent } HE { NUMBER=2, MARK=0x200, INTERFACE=PROD_IF, OPTIONS=fallback,persistent }
?endif ?endif
?endif ?endif
Tproxy { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy } Tproxy { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }</programlisting>
</programlisting>
</section> </section>
<section> <section>
<title>rtrules</title> <title>rtrules</title>
<para>The routing rules are quite dependent on the address <para>The routing rules are quite dependent on the address
family:</para> family:</para>
<programlisting>#SOURCE DEST PROVIDER PRIORITY <programlisting>#SOURCE DEST PROVIDER PRIORITY
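Review bot: in the `?elsif $STATISTICAL` branch the IPv6 side still defines only `HE { ... OPTIONS=track,load=0.33333333,persistent }` with no provider on FAST_IF, so the loads do not add up to 1 the way the IPv4 side now does (`load=0.66666667` on IPv6Beta plus the newly added ComcastB at `load=0.33333333`). If statistical balancing, like `balance`, is not expected to work for Shorewall6, add a `?warning` there as the BALANCE branch already does, or add the FAST_IF provider. The rest of the hunk reads well: replacing the hard-coded `MARK=0x100`, `INTERFACE=eth0` and the undefined `IPV4_IF` with `$FAST_MARK`, `FAST_IF` and `PROD_IF` removes the mark-geometry mismatch noted in the header comment, and `?INFO` becoming `?info` fixes the directive case. One leftover: the IPv4 IPv6Beta entry in the STATISTICAL branch still carries a literal `MARK=0x20000` rather than `$FAST_MARK`.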
skipping to change at line 757 skipping to change at line 782
<para>This file is used only for IPv6:</para> <para>This file is used only for IPv6:</para>
<programlisting>#PROVIDER DEST GATEWAY DEVICE OPTIONS <programlisting>#PROVIDER DEST GATEWAY DEVICE OPTIONS
?if __IPV6 ?if __IPV6
# #
# In my version of FOOLSM (1.0.10), the 'sourceip' option doesn't work. # In my version of FOOLSM (1.0.10), the 'sourceip' option doesn't work.
# As a result, routing rules that specify the source IPv6 address are # As a result, routing rules that specify the source IPv6 address are
# not effective in routing the 'ping' request packets out of FAST_IF. # not effective in routing the 'ping' request packets out of FAST_IF.
# The following route solves that problem. # The following route solves that problem.
# #
{ PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=fe80::22e5:2aff:feb7: f2cf, DEVICE=FAST_IF, OPTIONS=persistent } { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=$FAST_GATEWAY, DEVICE =FAST_IF, OPTIONS=persistent }
?endif</programlisting> ?endif</programlisting>
</section> </section>
<section> <section>
<title>actions</title> <title>actions</title>
<para>/etc/shorewall/actions defines one action:</para> <para>/etc/shorewall/actions defines one action:</para>
<programlisting>#ACTION COMMENT <programlisting>#ACTION COMMENT
Mirrors # Accept traffic from Shorewall Mirrors Mirrors # Accept traffic from Shorewall Mirrors
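Review bot: switching the routes entry to `GATEWAY=$FAST_GATEWAY` keeps it in step with the params change, but `DEST=2001:558:4082:d3::1/128`, the FOOLSM ping target, is the one address in these files that is still a literal; giving it a params variable next to `FAST_GATEWAY` would keep the monitor target and this route from drifting apart. The comment block above it could also say that the route now goes via the global gateway address rather than the link-local one, since that is what changed.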
skipping to change at line 825 skipping to change at line 850
?endif ?endif
</programlisting> </programlisting>
</section> </section>
<section> <section>
<title>rules</title> <title>rules</title>
<para>/etc/shorewall/rules has only a couple of rules that are <para>/etc/shorewall/rules has only a couple of rules that are
conditional based on address family:</para> conditional based on address family:</para>
<programlisting>#ACTION SOURCE DEST PROTO D <programlisting>##########################################################
PORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME H ################################################################################
EADERS SWITCH HELPER ####################
#ACTION SOURCE DEST PROTO DPORT SPORT O
RIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH H
ELPER
?SECTION ALL ?SECTION ALL
Ping(ACCEPT) { SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 } Ping(ACCEPT) { SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 }
Trcrt(ACCEPT) { SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 } Trcrt(ACCEPT) { SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 }
?SECTION ESTABLISHED ?SECTION ESTABLISHED
?SECTION RELATED ?SECTION RELATED
ACCEPT { SOURCE=all, DEST=dmz:$SERVER, PROTO=tcp, DPORT=61001:62000, h elper=ftp } ACCEPT { SOURCE=all, DEST=dmz:$SERVER, PROTO=tcp, DPORT=61001:62000, h elper=ftp }
ACCEPT { SOURCE=dmz, DEST=all, PROTO=tcp, helper=ftp } ACCEPT { SOURCE=dmz, DEST=all, PROTO=tcp, helper=ftp }
ACCEPT { SOURCE=all, DEST=net, PROTO=tcp, helper=ftp } ACCEPT { SOURCE=all, DEST=net, PROTO=tcp, helper=ftp }
ACCEPT { SOURCE=$FW, DEST=loc, PROTO=tcp, helper=ftp } ACCEPT { SOURCE=$FW, DEST=loc, PROTO=tcp, helper=ftp }
ACCEPT { SOURCE=loc, DEST=$FW, PROTO=tcp, helper=ftp } ACCEPT { SOURCE=loc, DEST=$FW, PROTO=tcp, helper=ftp }
ACCEPT { SOURCE=all, DEST=all, PROTO=icmp } ACCEPT { SOURCE=all, DEST=all, PROTO=icmp }
RST(ACCEPT) { SOURCE=all, DEST=all } RST(ACCEPT) { SOURCE=all, DEST=all }
ACCEPT { SOURCE=dmz, DEST=dmz } ACCEPT { SOURCE=dmz, DEST=dmz }
?SECTION INVALID ?SECTION INVALID
RST(ACCEPT) { SOURCE=all, DEST=all } RST(ACCEPT) { SOURCE=all, DEST=all }
FIN(ACCEPT) { SOURCE=all, DEST=all }
DROP { SOURCE=net, DEST=all } DROP { SOURCE=net, DEST=all }
FIN { SOURCE=all, DEST=all }
?SECTION UNTRACKED ?SECTION UNTRACKED
?if __IPV4 ?if __IPV4
Broadcast(ACCEPT) { SOURCE=all, DEST=$FW } Broadcast(ACCEPT) { SOURCE=all, DEST=$FW }
ACCEPT { SOURCE=all, DEST=$FW, PROTO=udp } ACCEPT { SOURCE=all, DEST=$FW, PROTO=udp }
CONTINUE { SOURCE=loc, DEST=$FW } CONTINUE { SOURCE=loc, DEST=$FW }
CONTINUE { SOURCE=$FW, DEST=all } CONTINUE { SOURCE=$FW, DEST=all }
?endif ?endif
?SECTION NEW ?SECTION NEW
################################################################################ ###################### ################################################################################ ######################
# Stop certain outgoing traffic to the net # Stop certain outgoing traffic to the net
# #
REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=tcp, DPORT=25 } #Stop direct loc-&gt;net SMTP (Comcast uses submission). REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=tcp, DPORT=25 } #Stop direct loc-&gt;net SMTP (Comcast uses submission).
REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 } # MS Messaging #REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 } #MS Messaging
REJECT { SOURCE=all, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop N REJECT { SOURCE=all!dmz,apps, DEST=net, PROTO=tcp, DPORT=137,445, commen
ETBIOS Crap" } t="Stop NETBIOS Crap" }
REJECT { SOURCE=all, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop N REJECT { SOURCE=all!dmz,apps, DEST=net, PROTO=udp, DPORT=137:139, commen
ETBIOS Crap" } t="Stop NETBIOS Crap" }
REJECT { SOURCE=all, DEST=net, PROTO=tcp, DPORT=3333, comment="Disallow port 3333" } REJECT { SOURCE=all, DEST=net, PROTO=tcp, DPORT=3333, comment="Disallow port 3333" }
REJECT { SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Tere do" } REJECT { SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Tere do" }
?if __IPV6
DROP { SOURCE=net:PROD_IF, DEST=net:PROD_IF }
?endif
?COMMENT ?COMMENT
################################################################################ ###################### ################################################################################ ######################
# SACK
#
DROP:$LOG_LEVEL { SOURCE=net, DEST=all } ;;+ -p tcp -m tcpmss --mss 1:53
5
################################################################################
######################
# 6in4 # 6in4
# #
?if __IPV4 ?if __IPV4
ACCEPT { SOURCE=net:216.218.226.238, DEST=$FW, PROTO=41 } ACCEPT { SOURCE=net:216.218.226.238, DEST=$FW, PROTO=41 }
ACCEPT { SOURCE=$FW, DEST=net:216.218.226.238, PROTO=41 } ACCEPT { SOURCE=$FW, DEST=net:216.218.226.238, PROTO=41 }
?endif ?endif
################################################################################ ###################### ################################################################################ ######################
# Ping # Ping
# #
Ping(ACCEPT) { SOURCE=$FW,loc,dmz,vpn, DEST=$FW,loc,dmz,vpn } Ping(ACCEPT) { SOURCE=$FW,loc,dmz,vpn,apps, DEST=$FW,loc,dmz,vpn,apps }
Ping(ACCEPT) { SOURCE=all, DEST=net } Ping(ACCEPT) { SOURCE=dmz, DEST=dmz }
Ping(ACCEPT) { SOURCE=all, DEST=net }
################################################################################ ###################### ################################################################################ ######################
# SSH # SSH
# #
AutoBL(SSH,60,-,-,-,-,$LOG_LEVEL)\ AutoBL(SSH,60,-,-,-,-,$LOG_LEVEL)\
{ SOURCE=net, DEST=all, PROTO=tcp, DPORT=2 2 } { SOURCE=net, DEST=all, PROTO=tcp, DPORT=2 2 }
SSH(ACCEPT) { SOURCE=all, DEST=all } SSH(ACCEPT) { SOURCE=all, DEST=all }
?if __IPV4 ?if __IPV4
SSH(DNAT-) { SOURCE=net, DEST=172.20.2.44, PROTO=tcp, DPORT=s sh, ORIGDEST=70.90.191.123 } SSH(DNAT-) { SOURCE=net, DEST=172.20.2.44, PROTO=tcp, DPORT=s sh, ORIGDEST=70.90.191.123 }
?endif ?endif
################################################################################ ###################### ################################################################################ ######################
# DNS # DNS
# #
DNS(ACCEPT) { SOURCE=loc,dmz,vpn,apps, DEST=$FW } DNS(ACCEPT) { SOURCE=loc,dmz,vpn,apps, DEST=$FW }
DNS(ACCEPT) { SOURCE=$FW, DEST=net } DNS(ACCEPT) { SOURCE=$FW, DEST=net }
?if $TEST
DNS(REDIRECT) loc 53 - 53 - !&amp;LOC_IF
DNS(REDIRECT) fw 53 - 53 - !::1
?endif
DropDNSrep { SOURCE=net, DEST=all }
################################################################################ ###################### ################################################################################ ######################
# Traceroute # Traceroute
# #
Trcrt(ACCEPT) { SOURCE=all, DEST=net } Trcrt(ACCEPT) { SOURCE=all, DEST=net }
Trcrt(ACCEPT) { SOURCE=net, DEST=$FW,dmz } Trcrt(ACCEPT) { SOURCE=net, DEST=$FW,dmz }
################################################################################ ###################### ################################################################################ ######################
# Email # Email
# #
SMTP(ACCEPT) { SOURCE=net,$FW, DEST=dmz:$LISTS } SMTP(ACCEPT) { SOURCE=net,$FW, DEST=dmz:$LISTS }
SMTP(ACCEPT) { SOURCE=dmz:$LISTS, DEST=net:PROD_IF } SMTP(ACCEPT) { SOURCE=dmz:$LISTS, DEST=net:PROD_IF }
SMTP(ACCEPT) { SOURCE=dmz, DEST=dmz:$LISTS }
SMTP(REJECT) { SOURCE=dmz:$LISTS, DEST=net } SMTP(REJECT) { SOURCE=dmz:$LISTS, DEST=net }
IMAPS(ACCEPT) { SOURCE=all, DEST=dmz:$MAIL } IMAPS(ACCEPT) { SOURCE=all, DEST=dmz:$MAIL }
Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS } Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
SMTPS(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS } SMTPS(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
IMAP(ACCEPT) { SOURCE=loc,vpn, DEST=net } IMAP(ACCEPT) { SOURCE=loc,vpn, DEST=net }
################################################################################ ###################### ################################################################################ ######################
# NTP # NTP
# #
NTP(ACCEPT) { SOURCE=all, DEST=net } NTP(ACCEPT) { SOURCE=all, DEST=net }
NTP(ACCEPT) { SOURCE=loc,vpn,dmz,apps DEST=$FW }
################################################################################ ###################### ################################################################################ ######################
# Squid # Squid
ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 } ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 }
################################################################################ ###################### ################################################################################ ######################
# HTTP/HTTPS # HTTP/HTTPS
# #
Web(ACCEPT) { SOURCE=loc,vpn DEST=$FW } Web(ACCEPT) { SOURCE=loc,vpn DEST=$FW }
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=proxy } Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=proxy }
Web(DROP) { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist we b crawlers" } Web(DROP) { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist we b crawlers" }
HTTP(ACCEPT) { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$SERVER,$LISTS,$MAIL } HTTP(ACCEPT) { SOURCE=net,loc,vpn,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
HTTPS(ACCEPT) { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$LISTS,$MAIL } HTTPS(ACCEPT) { SOURCE=net,loc,vpn,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
Web(ACCEPT) { SOURCE=dmz,apps DEST=net,$FW } Web(ACCEPT) { SOURCE=dmz,apps DEST=net,$FW }
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=root } Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=root }
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=teastep } Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=teastep }
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=_apt } Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=_apt }
################################################################################ ###################### ################################################################################ ######################
# FTP # FTP
# #
FTP(ACCEPT) { SOURCE=loc,vpn,apps DEST=net } FTP(ACCEPT) { SOURCE=loc,vpn,apps DEST=net }
FTP(ACCEPT) { SOURCE=dmz, DEST=net } FTP(ACCEPT) { SOURCE=dmz, DEST=net }
FTP(ACCEPT) { SOURCE=$FW, DEST=net, USER=root } FTP(ACCEPT) { SOURCE=$FW, DEST=net, USER=root }
FTP(ACCEPT) { SOURCE=all, DEST=dmz:$SERVER } FTP(ACCEPT) { SOURCE=all, DEST=dmz:$SERVER }
# #
# Some FTP clients seem prone to sending the PORT command split over two packets . # Some FTP clients seem prone to sending the PORT command split over two packets .
# This prevents the FTP connection tracking code from processing the command an d setting # This prevents the FTP connection tracking code from processing the command and setting
# up the proper expectation. # up the proper expectation.
# #
# The following rule allows active FTP to work in these cases # The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole. # but logs the connection so I can keep an eye on this potential security hole.
# #
ACCEPT:$LOG_LEVEL { SOURCE=dmz, DEST=net, PROTO=tcp, DPORT=1024:, SPORT=20 } ACCEPT:$LOG_LEVEL { SOURCE=dmz, DEST=net, PROTO=tcp, DPORT=1024:, SPORT=20 }
################################################################################ ###################### ################################################################################ ######################
# Git
#
Git(ACCEPT) { source=all, DEST=dmz:$SERVER }
################################################################################
######################
# whois # whois
# #
Whois(ACCEPT) { SOURCE=all, DEST=net } Whois(ACCEPT) { SOURCE=all, DEST=net }
################################################################################ ###################### ################################################################################ ######################
# SMB # SMB
# #
SMBBI(ACCEPT) { SOURCE=loc, DEST=$FW } SMBBI(ACCEPT) { SOURCE=loc, DEST=$FW }
SMBBI(ACCEPT) { SOURCE=vpn, DEST=$FW } SMBBI(ACCEPT) { SOURCE=vpn, DEST=$FW }
################################################################################ ###################### ################################################################################ ######################
# IRC # IRC
# #
IRC(ACCEPT) { SOURCE=loc,apps, DEST=net } SetEvent(IRC) { SOURCE=loc,apps, DEST=net, PROTO=tcp, DPO
RT=6667 }
IfEvent(IRC,ACCEPT,10,1,dst,reset) { SOURCE=net, DEST=loc,apps, PROTO=tcp, DP
ORT=113 }
################################################################################
######################
# AUTH
Auth(REJECT) { SOURCE=net, DEST=all }
################################################################################ ###################### ################################################################################ ######################
# Rsync # Rsync
# #
Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 } Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
</programlisting> ################################################################################
######################
# IPSEC
#
?if __IPV4
DNAT { SOURCE=loc,net, DEST=apps:172.20.2.44, PROTO=udp, DPORT=500,450
0, ORIGDEST=70.90.191.123 }
?else
ACCEPT { SOURCE=loc,net, DEST=apps, PROTO=udp, DPORT=500,4500 }
ACCEPT { SOURCE=loc,net, DEST=apps, PROTO=esp }
?endif
ACCEPT { SOURCE=$FW, DEST=net, PROTO=udp, SPORT=4500 }
################################################################################
######################
# Bit Torrent
?if __IPV4
DNAT { SOURCE=net, DEST=apps:$IRSSIINT, PROTO=udp,tcp, DPORT=594
10, ORIGDEST=$IRSSIEXT }
?else
ACCEPT { SOURCE=net, DEST=apps:$IRSSI, PROTO=udp,tcp, DPORT=594
10 }
?endif
REJECT { SOURCE=net, DEST=all, PROTO=udp,tcp, DPORT=514
13,59410 }
################################################################################
######################
# VNC
ACCEPT { SOURCE=loc, DEST=$FW, PROTO=tcp, DPORT=590
0 }
################################################################################
######################
# FIN &amp; RST
RST(ACCEPT) { SOURCE=all, DEST=all }
FIN(ACCEPT) { SOURCE=all, DEST=all }
################################################################################
######################
# Multicast
?if __IPV4
Multicast(ACCEPT) { SOURCE=all, DEST=$FW }
?endif</programlisting>
</section> </section>
<section> <section>
<title>mangle</title> <title>mangle</title>
<para>Note that TPROXY can be enabled/disabled via a shell variable <para>Note that TPROXY can be enabled/disabled via a shell variable
setting in /etc/shorewall/params:</para> setting in /etc/shorewall/params:</para>
<programlisting>#ACTION SOURCE DEST PROTO D PORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILI TY DSCP <programlisting>#ACTION SOURCE DEST PROTO D PORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILI TY DSCP
?if $VERSION &gt;= 50109
TCPMSS(pmtu,none) { PROTO=tcp }
?endif
?if __IPV4 ?if __IPV4
# #
# I've had a checksum issue with certain IPv4 UDP packets # I've had a checksum issue with certain IPv4 UDP packets
# #
CHECKSUM:T { DEST=FAST_IF, PROTO=udp } CHECKSUM:T { DEST=FAST_IF, PROTO=udp }
CHECKSUM:T { DEST=DMZ_IF, PROTO=udp } CHECKSUM:T { DEST=DMZ_IF, PROTO=udp }
?endif ?endif
?if $PROXY ?if $PROXY
# #
# Use TPROXY for web access from the local LAN # Use TPROXY for IPv4 web access from the local LAN
# #
DIVERT:R { PROTO=tcp, SPORT=80 } DIVERT:R { PROTO=tcp, SPORT=80 }
DIVERT:R { PROTO=tcp, DPORT=80 } DIVERT:R { PROTO=tcp, DPORT=80 }
TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=80 } TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=80 }
?endif ?endif</programlisting>
</programlisting>
</section> </section>
<section> <section>
<title>snat</title> <title>snat</title>
<para>NAT entries are quite dependent on the address family:</para> <para>NAT entries are quite dependent on the address family:</para>
<programlisting>#ACTION SOURCE DEST P <programlisting>##########################################################
ROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY #########################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MAR
K USER SWITCH ORIGDEST PROBABILITY
?if __IPV4 ?if __IPV4
MASQUERADE { SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF } MASQUERADE { SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_I
MASQUERADE { SOURCE=70.90.191.120/29, DEST=FAST_I F }
F } MASQUERADE { SOURCE=70.90.191.120/29, DEST=FAST_I
SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, PROB F }
ABILITY=0.50, COMMENT="Masquerade Local Network" } SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29, DEST=PROD_I
SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29, DEST=PROD_IF, F, PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
COMMENT="Masquerade Local Network" } SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29, DEST=PROD_I
SNAT(172.20.1.253) { SOURCE=172.20.3.0/24, DEST=LOC_IF F, COMMENT="Masquerade Local Network" }
:172.20.1.100 } SNAT(172.20.1.253) { SOURCE=!172.20.1.0/24, DEST=LOC_IF
:172.20.1.100 }
?else ?else
SNAT(&amp;PROD_IF) { SOURCE=2601:601:8b00:bf0::/60, DEST=PROD SNAT(&amp;PROD_IF) { SOURCE=2601:601:a000:16f0::/60, D
_IF } EST=PROD_IF }
SNAT(&amp;FAST_IF) { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, DEST=FAST SNAT(&amp;FAST_IF) { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, D
_IF } EST=FAST_IF }
?endif ?endif</programlisting>
</programlisting>
</section> </section>
<section> <section>
<title>tunnels</title> <title>tunnels</title>
<para>Both address families define IPsec tunnels:</para> <para>Both address families define IPsec tunnels:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE <programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsecnat {ZONE=net, GATEWAY=$ALL, GATEWAY_ZONE=vpn } ipsecnat {ZONE=net, GATEWAY=$ALL, GATEWAY_ZONE=vpn }
ipsecnat {ZONE=loc, GATEWAY=$ALL, GATEWAY_ZONE=vpn } ipsecnat {ZONE=loc, GATEWAY=$ALL, GATEWAY_ZONE=vpn }
</programlisting> </programlisting>
</section> </section>
<section> <section>
<title>proxyarp</title> <title>proxyarp</title>
<para>This file is only used in the IPv4 configuration:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE P ERSISTENT <programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE P ERSISTENT
70.90.191.122 { INTERFACE=br0, EXTERNAL=eth1, HAVEROUTE=yes, PERSISTENT=no } 70.90.191.122 { INTERFACE=br0, EXTERNAL=eth1, HAVEROUTE=yes, PERSISTENT=no }
</programlisting> </programlisting>
</section> </section>
<section> <section>
<title>isuable</title> <title>isuable</title>
<para>This is just the standard Shorewall isusable extension <para>This is just the standard Shorewall isusable extension
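Review bot: the new IPv6 Bit Torrent rule `ACCEPT { SOURCE=net, DEST=apps:$IRSSI, PROTO=udp,tcp, DPORT=59410 }` uses `IRSSI=[2601:601:a000:16f1::]/64`, a whole prefix, although its params comment calls it "IP address of asus.shorewall.org"; the IPv4 side DNATs to the single host `$IRSSIINT`, so the IPv6 rule admits port 59410 to every address in that /64. If one host is intended, set `IRSSI` to that host address. Also in this hunk: the mangle comment became "Use TPROXY for IPv4 web access" but the block is guarded only by `?if $PROXY`, and `PROXY=Yes` is now set in both the IPv4 and IPv6 branches of params, so either guard the block with `?if __IPV4`, clear `PROXY` in the IPv6 branch, or revert the comment; `apps` was dropped from the `HTTP(ACCEPT)`/`HTTPS(ACCEPT)` rules toward `dmz:$SERVER,$LISTS,$MAIL` and no policy accepts apps to dmz, so confirm that loss of access is intended. Style: `Git(ACCEPT) { source=all, DEST=dmz:$SERVER }` uses lowercase `source`, `NTP(ACCEPT) { SOURCE=loc,vpn,dmz,apps DEST=$FW }` lacks the comma before `DEST`, the `# SACK` header deserves a sentence on why `--mss 1:535` segments are dropped, and the section title `isuable` is a typo for the `isusable` file named in the paragraph under it.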
skipping to change at line 1071 skipping to change at line 1150
<para>/etc/shorewall/started only does something in the IPv4 <para>/etc/shorewall/started only does something in the IPv4
configuration, although it gets compiled into both scripts:</para> configuration, although it gets compiled into both scripts:</para>
<programlisting>if [ $g_family = 4 ]; then <programlisting>if [ $g_family = 4 ]; then
qt $IP -4 route replace 70.90.191.122 dev br0 qt $IP -4 route replace 70.90.191.122 dev br0
qt $IP -4 route replace 70.90.191.124 dev br0 qt $IP -4 route replace 70.90.191.124 dev br0
qt $IP -4 route replace 70.90.191.125 dev br0 qt $IP -4 route replace 70.90.191.125 dev br0
fi fi
</programlisting> </programlisting>
</section> </section>
<section>
<title>stoppedrules</title>
<para>/etc/shorewall/stoppedrules allow SSH connections into the
firewall system when Shorewall[6] is in the stopped state.</para>
<programlisting/>
</section>
</section> </section>
</article> </article>
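Review bot: the new stoppedrules section says the file "allow SSH connections into the firewall system when Shorewall[6] is in the stopped state" but its `<programlisting/>` is empty, so the reader gets the claim without the rules; add the file contents (or leave the section out until they are available), and change "allow" to "allows" to agree with the singular subject.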
 End of changes. 97 change blocks. 
168 lines changed or deleted 280 lines changed or added
