"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "SharedConfig.xml" between
shorewall-docs-xml-5.2.6.tar.bz2 and shorewall-docs-xml-5.2.6.1.tar.bz2

About: Shorewall (The Shoreline Firewall) is an iptables based firewall (documentation; XML)

SharedConfig.xml  (shorewall-docs-xml-5.2.6.tar.bz2):SharedConfig.xml  (shorewall-docs-xml-5.2.6.1.tar.bz2)
skipping to change at line 71 skipping to change at line 71
IPv4 address, but can delegate IPv6 subnets to the Shorewall-based router. IPv4 address, but can delegate IPv6 subnets to the Shorewall-based router.
Both address families also have a production uplink. For IPv4, Ethernet is Both address families also have a production uplink. For IPv4, Ethernet is
used (eth1) and supports the public IPv4 subnet 70.90.191.120/29. For used (eth1) and supports the public IPv4 subnet 70.90.191.120/29. For
IPv6, a Hurricane Electric 6in4 tunnel is used (sit1), which provides the IPv6, a Hurricane Electric 6in4 tunnel is used (sit1), which provides the
public IPv6 subnet 2001:470:b:227::/64. The router also has two bridges. A public IPv6 subnet 2001:470:b:227::/64. The router also has two bridges. A
DMZ bridge (br0) provides access to containers running a web server, a DMZ bridge (br0) provides access to containers running a web server, a
mail exchanger, and an IMAPS mail access server. The second bridge (br1) mail exchanger, and an IMAPS mail access server. The second bridge (br1)
provides access to a container running irssi under screen, allowing provides access to a container running irssi under screen, allowing
constant access to and monitoring of IRC channels.</para> constant access to and monitoring of IRC channels.</para>
<para>The firewall's local ethernet interface (eth2) is connected to a
Netgear GS108E smart switch with two vlans:</para>
<itemizedlist>
<listitem>
<para>VLAN 1 (eth2.1) is connected to a wireless access point
supporting both IPv4 (172.20.1.0/24) and IPv6
(2601:601:a000:16f2::/64).</para>
</listitem>
<listitem>
<para>VLAN 2 (eth2.2) is connected to devices located in my office
supporting both IPv4 (172.20.1.0/24) and IPv6
(2601:601:a000:16f2::/64).</para>
</listitem>
</itemizedlist>
<para>The switch's management interface is accessed via eth2
(192.168.0.0/24).</para>
<note>
<para>The GS108E does not currently support restricting the management
interface to a particular VLAN -- it is accessible from any connected
host whose IP configuration allows unrouted access to the switch's IP
address.</para>
</note>
<para>Here is a diagram of this installation:</para> <para>Here is a diagram of this installation:</para>
<graphic fileref="images/Network2020.png"/> <graphic fileref="images/Network2020.png"/>
<para>The boxes in the diagram represent the six shorewall zones (The
firewall and IPSec vpn zone are not shown).</para>
</section> </section>
<section> <section>
<title>Configuration</title> <title>Configuration</title>
<para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para> <para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
<programlisting>root@gateway:~# ls -l /etc/shorewall <programlisting>root@gateway:~# ls -l /etc/shorewall
total 120 total 132
-rw-r--r-- 1 root root 201 Mar 19 2017 action.Mirrors -rw-r--r-- 1 root root 1152 May 18 10:51 action.NotSyn
-rw-r--r-- 1 root root 109 Oct 20 2017 actions -rw-r--r-- 1 root root 180 Jun 27 09:24 actions
-rw-r--r-- 1 root root 60 May 31 17:55 action.SSHLIMIT
-rw-r--r-- 1 root root 82 Oct 5 2018 arprules -rw-r--r-- 1 root root 82 Oct 5 2018 arprules
-rw-r--r-- 1 root root 528 Oct 7 2019 blrules -rw-r--r-- 1 root root 528 May 25 15:39 blrules
-rw-r--r-- 1 root root 1797 Sep 16 2019 capabilities -rw-r--r-- 1 root root 1797 Sep 16 2019 capabilities
-rw-r--r-- 1 root root 656 Jun 10 2018 conntrack -rw-r--r-- 1 root root 722 Jul 2 13:49 conntrack
-rw-r--r-- 1 root root 104 Oct 13 2017 hosts -rw-r--r-- 1 root root 104 Oct 13 2017 hosts
-rw-r--r-- 1 root root 867 Jun 10 2018 interfaces -rw-r--r-- 1 root root 1119 Jul 4 14:02 interfaces
-rw-r--r-- 1 root root 107 Jun 29 2017 isusable -rw-r--r-- 1 root root 107 Jun 29 2017 isusable
-rw-r--r-- 1 root root 240 Oct 13 2017 macro.FTP -rw-r--r-- 1 root root 240 Oct 13 2017 macro.FTP
-rw-r--r-- 1 root root 705 Oct 22 2019 mangle -rw-r--r-- 1 root root 773 Jul 2 15:04 mangle
-rw-r--r-- 1 root root 1308 Apr 2 2018 mirrors -rw-r--r-- 1 root root 3108 Jul 3 15:51 params
-rw-r--r-- 1 root root 2889 Apr 23 17:13 params -rw-r--r-- 1 root root 1108 Jul 3 16:25 policy
-rw-r--r-- 1 root root 1096 Oct 14 2019 policy
-rw-r--r-- 1 root root 2098 Apr 23 17:19 providers -rw-r--r-- 1 root root 2098 Apr 23 17:19 providers
rw-r--r-- 1 root root <span class="insert">1108 Jul 3 16:25</span> policy
-rw-r--r-- 1 root root 398 Mar 18 2017 proxyarp -rw-r--r-- 1 root root 398 Mar 18 2017 proxyarp
-rw-r--r-- 1 root root 726 Oct 24 2018 routes -rw-r--r-- 1 root root 726 Oct 24 2018 routes
-rw-r--r-- 1 root root 729 Mar 1 11:08 rtrules -rw-r--r-- 1 root root 729 Mar 1 11:08 rtrules
-rw-r--r-- 1 root root 8593 Feb 25 08:49 rules -rw-r--r-- 1 root root 8589 Jul 4 09:34 rules
-rw-r--r-- 1 root root 5490 Mar 1 18:34 shorewall.conf -rw-r--r-- 1 root root 5503 Jun 5 17:29 shorewall.conf
-rw-r--r-- 1 root root 1090 Sep 16 2019 snat -rw-r--r-- 1 root root 1090 Jul 2 14:32 snat
-rw-r--r-- 1 root root 180 Jan 30 2018 started -rw-r--r-- 1 root root 180 Jan 30 2018 started
rw-r--r-- 1 root root 1090 <span class="insert">Jul 2 14:32</span> snat -rw-r--r-- 1 root root 468 Apr 25 14:42 stoppedrules
-rw-r--r-- 1 root root 539 Feb 6 14:33 stoppedrules
-rw-r--r-- 1 root root 435 Oct 13 2017 tunnels -rw-r--r-- 1 root root 435 Oct 13 2017 tunnels
rw-r--r-- 1 root root <span class="insert">468 Apr 25 14:42</span> stoppedrules -rw-r--r-- 1 root root 978 Jul 3 12:28 zones
-rw-r--r-- 1 root root 941 Oct 15 2017 zones
root@gateway:~# ls -l /etc/shorewall6 root@gateway:~# ls -l /etc/shorewall6
rw-r--r-- 1 root root <span class="insert">978 Jul 3 12:28</span> zones
total 12 total 12
-rw-r--r-- 1 root root 1786 Sep 16 2019 capabilities -rw-r--r-- 1 root root 1786 Sep 16 2019 capabilities
lrwxrwxrwx 1 root root 20 Jul 6 2017 mirrors -&gt; ../shorewall/mirrors
lrwxrwxrwx 1 root root 19 Jul 6 2017 params -&gt; ../shorewall/params lrwxrwxrwx 1 root root 19 Jul 6 2017 params -&gt; ../shorewall/params
-rw-r--r-- 1 root root 5324 Oct 18 2019 shorewall6.conf -rw-r--r-- 1 root root 5338 Jun 7 16:40 shorewall6.conf
root@gateway:~#</programlisting> </programlisting>
<para>The various configuration files are described in the sections that <para>The various configuration files are described in the sections that
follow. Note that in all cases, these files use the <ulink follow. Note that in all cases, these files use the <ulink
url="/configuration_file_basics.htm#Pairs">alternate format for column url="/configuration_file_basics.htm#Pairs">alternate format for column
specification</ulink>.</para> specification</ulink>.</para>
<section> <section>
<title>/usr/share/shorewall/shorewallrc</title> <title>/usr/share/shorewall/shorewallrc</title>
<para>The key setting here is SPARSE=Very</para> <para>The key setting here is SPARSE=Very</para>
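Review bot: the two new VLAN list items (VLAN 1 on eth2.1 and VLAN 2 on eth2.2) both give the same IPv4 subnet 172.20.1.0/24 and the same IPv6 prefix 2601:601:a000:16f2::/64, which reads as a copy-paste slip: two VLANs carrying identical subnets would defeat the purpose of separating the wireless network from the office devices, and the params file further down sets the IPv6 LOC_ADDR on the office side to 2601:601:a000:16f0::1, i.e. a different /64. Please give each VLAN its own subnets. The new note that the GS108E management interface is reachable from any host with unrouted access would also benefit from one sentence saying that this is why the configuration adds a separate swch zone on untagged eth2 (192.168.0.0/24), so the reader sees the mitigation next to the risk. Minor, in the unchanged context: "/etc/shorewal6/" should read "/etc/shorewall6/".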
skipping to change at line 194 skipping to change at line 223
STARTUP_ENABLED=Yes STARTUP_ENABLED=Yes
############################################################################### ###############################################################################
# V E R B O S I T Y # V E R B O S I T Y
############################################################################### ###############################################################################
VERBOSITY=1 VERBOSITY=1
############################################################################### ###############################################################################
# P A G E R # P A G E R
############################################################################### ###############################################################################
PAGER=pager PAGER=pager
############################################################################### ###############################################################################
# F I R E W A L L # F I R E W A L L
############################################################################### ###############################################################################
FIREWALL= FIREWALL=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################
LOG_LEVEL="NFLOG(0,64,1)" LOG_LEVEL="NFLOG(0,64,1)"
BLACKLIST_LOG_LEVEL="none" BLACKLIST_LOG_LEVEL="none"
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=netlink LOG_BACKEND=netlink
LOG_MARTIANS=Yes LOG_MARTIANS=Yes
LOG_VERBOSITY=1 LOG_VERBOSITY=1
LOG_ZONE=Src LOG_ZONE=Src
LOGALLNEW= LOGALLNEW=
LOGFILE=/var/log/ulogd/ulogd.syslogemu.log LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
LOGFORMAT="%s %s" LOGFORMAT="%s %s"
LOGTAGONLY=Yes LOGTAGONLY=Yes
LOGLIMIT="s:5/min" LOGLIMIT="s:5/min"
MACLIST_LOG_LEVEL="$LOG_LEVEL" MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL="$LOG_LEVEL:,related" RELATED_LOG_LEVEL="$LOG_LEVEL:"
RPFILTER_LOG_LEVEL="$LOG_LEVEL:,rpfilter" RPFILTER_LOG_LEVEL="$LOG_LEVEL:"
SFILTER_LOG_LEVEL="$LOG_LEVEL" SFILTER_LOG_LEVEL="$LOG_LEVEL"
SMURF_LOG_LEVEL="$LOG_LEVEL" SMURF_LOG_LEVEL="$LOG_LEVEL"
STARTUP_LOG=/var/log/shorewall-init.log STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL" TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
UNTRACKED_LOG_LEVEL= UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
ARPTABLES= ARPTABLES=
CONFIG_PATH="/etc/shorewall:/usr/share/shorewall:/usr/share/shorewall/Shorewall" CONFIG_PATH="/etc/shorewall:/usr/share/shorewall:/usr/share/shorewall/Shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=/sbin/iptables IPTABLES=/sbin/iptables
IP=/sbin/ip IP=/sbin/ip
IPSET= IPSET=
LOCKFILE=/var/lib/shorewall/lock LOCKFILE=/var/lib/shorewall/lock
MODULESDIR="+extra/RTPENGINE" MODULESDIR="+extra/RTPENGINE"
NFACCT= NFACCT=
PATH="/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" PATH="/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin"
PERL=/usr/bin/perl PERL=/usr/bin/perl
RESTOREFILE= RESTOREFILE=
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK= SUBSYSLOCK=
TC= TC=
############################################################################### ###############################################################################
# D E F A U L T A C T I O N S / M A C R O S # D E F A U L T A C T I O N S / M A C R O S
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="NotSyn(DROP):$LOG_LEVEL" BLACKLIST_DEFAULT="NotSyn(DROP):$LOG_LEVEL"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)" DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)" REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S
############################################################################### ###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}' RSH_COMMAND='ssh ${root}@${system} ${command}'
############################################################################### ###############################################################################
# F I R E W A L L O P T I O N S # F I R E W A L L O P T I O N S
############################################################################### ###############################################################################
ACCOUNTING=Yes ACCOUNTING=Yes
ACCOUNTING_TABLE=filter ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=No AUTOHELPERS=No
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No BALANCE_PROVIDERS=No
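Review bot: RELATED_LOG_LEVEL and RPFILTER_LOG_LEVEL now end in a bare colon ("$LOG_LEVEL:") after the ",related" and ",rpfilter" tags were removed. If no tag is wanted, drop the colon too so the value is plainly "$LOG_LEVEL"; if the tags were dropped by accident, keep in mind that with LOGTAGONLY=Yes the tag stands in for the chain name in the log prefix, so anything consuming /var/log/ulogd/ulogd.syslogemu.log that keys on "related" or "rpfilter" will stop matching after this change. Either way a line in the surrounding text explaining the change would help, since the IPv6 file below sets RELATED_LOG_LEVEL="$LOG_LEVEL" without the colon.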
skipping to change at line 275 skipping to change at line 304
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No CLAMPMSS=No
CLEAR_TC=Yes CLEAR_TC=Yes
COMPLETE=No COMPLETE=No
DEFER_DNS_RESOLUTION=No DEFER_DNS_RESOLUTION=No
DELETE_THEN_ADD=No DELETE_THEN_ADD=No
DETECT_DNAT_IPADDRS=No DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=No DISABLE_IPV6=No
DOCKER=No DOCKER=No
DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323" DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323"
DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200" DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200,log,noupdate"
EXPAND_POLICIES=No EXPAND_POLICIES=No
EXPORTMODULES=Yes EXPORTMODULES=Yes
FASTACCEPT=Yes FASTACCEPT=Yes
FORWARD_CLEAR_MARK=No FORWARD_CLEAR_MARK=No
HELPERS="ftp,irc" HELPERS="ftp,irc"
IGNOREUNKNOWNVARIABLES=No IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes
IP_FORWARDING=Yes IP_FORWARDING=Yes
KEEP_RT_TABLES=Yes KEEP_RT_TABLES=Yes
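Review bot: DYNAMIC_BLACKLIST gains "log,noupdate" but neither option is explained in the text. As I read "noupdate", a matching packet no longer refreshes the ipset entry's timeout, so a blacklisted address expires 7200 s after it was added rather than 7200 s after its last hit; that is a deliberate change in how long an offending host stays blocked and deserves a sentence. For "log", the same file sets BLACKLIST_LOG_LEVEL="none", so please confirm which level the dynamic-blacklist entries actually log at and that they fall under LOGLIMIT="s:5/min"; logging every hit from a scanning host without a rate limit is a log-volume problem for the ulogd pipeline.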
skipping to change at line 322 skipping to change at line 351
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=Yes USE_NFLOG_SIZE=Yes
USE_PHYSICAL_NAMES=Yes USE_PHYSICAL_NAMES=Yes
USE_RT_NAMES=Yes USE_RT_NAMES=Yes
VERBOSE_MESSAGES=No VERBOSE_MESSAGES=No
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No
ZERO_MARKS=No ZERO_MARKS=No
ZONE2ZONE=- ZONE2ZONE=-
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=ACCEPT MACLIST_DISPOSITION=ACCEPT
RELATED_DISPOSITION=REJECT RELATED_DISPOSITION=REJECT
RPFILTER_DISPOSITION=DROP RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=DROP UNTRACKED_DISPOSITION=DROP
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################
TC_BITS=8 TC_BITS=8
PROVIDER_BITS=2 PROVIDER_BITS=2
PROVIDER_OFFSET=16 PROVIDER_OFFSET=16
MASK_BITS=8 MASK_BITS=8
ZONE_BITS=0</programlisting> ZONE_BITS=0</programlisting>
</section> </section>
<section> <section>
<title>shorewall6.conf</title> <title>shorewall6.conf</title>
skipping to change at line 357 skipping to change at line 386
<programlisting>######################################################## ####################### <programlisting>######################################################## #######################
# #
# Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf # Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
# #
# For information about the settings in this file, type "man shorewall6.conf" # For information about the settings in this file, type "man shorewall6.conf"
# #
# Manpage also online at # Manpage also online at
# http://www.shorewall.net/manpages6/shorewall6.conf.html # http://www.shorewall.net/manpages6/shorewall6.conf.html
############################################################################### ###############################################################################
# S T A R T U P E N A B L E D # S T A R T U P E N A B L E D
############################################################################### ###############################################################################
STARTUP_ENABLED=Yes STARTUP_ENABLED=Yes
############################################################################### ###############################################################################
# V E R B O S I T Y # V E R B O S I T Y
############################################################################### ###############################################################################
VERBOSITY=1 VERBOSITY=1
############################################################################### ###############################################################################
# P A G E R # P A G E R
############################################################################### ###############################################################################
PAGER=pager PAGER=pager
############################################################################### ###############################################################################
# F I R E W A L L # F I R E W A L L
############################################################################### ###############################################################################
FIREWALL= FIREWALL=
############################################################################### ###############################################################################
# L O G G I N G # L O G G I N G
############################################################################### ###############################################################################
LOG_LEVEL="NFLOG(0,64,1)" LOG_LEVEL="NFLOG(0,64,1)"
BLACKLIST_LOG_LEVEL="none" BLACKLIST_LOG_LEVEL="none"
INVALID_LOG_LEVEL= INVALID_LOG_LEVEL=
LOG_BACKEND=netlink LOG_BACKEND=netlink
LOG_VERBOSITY=2 LOG_VERBOSITY=2
LOG_ZONE=Src LOG_ZONE=Src
LOGALLNEW= LOGALLNEW=
LOGFILE=/var/log/ulogd/ulogd.syslogemu.log LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
LOGFORMAT="%s %s" LOGFORMAT="%s %s"
LOGLIMIT="s:5/min" LOGLIMIT="s:5/min"
LOGTAGONLY=Yes LOGTAGONLY=Yes
MACLIST_LOG_LEVEL="$LOG_LEVEL" MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL= RELATED_LOG_LEVEL="$LOG_LEVEL"
RPFILTER_LOG_LEVEL="$LOG_LEVEL" RPFILTER_LOG_LEVEL="$LOG_LEVEL"
SFILTER_LOG_LEVEL="$LOG_LEVEL" SFILTER_LOG_LEVEL="$LOG_LEVEL"
SMURF_LOG_LEVEL="$LOG_LEVEL" SMURF_LOG_LEVEL="$LOG_LEVEL"
STARTUP_LOG=/var/log/shorewall6-init.log STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL" TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
UNTRACKED_LOG_LEVEL= UNTRACKED_LOG_LEVEL=
############################################################################### ###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
############################################################################### ###############################################################################
CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${ SHAREDIR}/shorewall" CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${ SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE GEOIPDIR=/usr/share/xt_geoip/LE
IP6TABLES= IP6TABLES=
IP= IP=
IPSET= IPSET=
LOCKFILE= LOCKFILE=
MODULESDIR="+extra/RTPENGINE" MODULESDIR="+extra/RTPENGINE"
NFACCT= NFACCT=
PERL=/usr/bin/perl PERL=/usr/bin/perl
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
RESTOREFILE=restore RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall6 SUBSYSLOCK=/var/lock/subsys/shorewall6
TC= TC=
############################################################################### ###############################################################################
# D E F A U L T A C T I O N S / M A C R O S # D E F A U L T A C T I O N S / M A C R O S
############################################################################### ###############################################################################
ACCEPT_DEFAULT="none" ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LE VEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),NotSyn(DROP):$LOG_ LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none" NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none" QUEUE_DEFAULT="none"
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
############################################################################### ###############################################################################
# R S H / R C P C O M M A N D S # R S H / R C P C O M M A N D S
############################################################################### ###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}' RSH_COMMAND='ssh ${root}@${system} ${command}'
############################################################################### ###############################################################################
# F I R E W A L L O P T I O N S # F I R E W A L L O P T I O N S
############################################################################### ###############################################################################
ACCOUNTING=Yes ACCOUNTING=Yes
ACCOUNTING_TABLE=mangle ACCOUNTING_TABLE=mangle
ADMINISABSENTMINDED=Yes ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes AUTOCOMMENT=Yes
AUTOHELPERS=No AUTOHELPERS=No
AUTOMAKE=Yes AUTOMAKE=Yes
BALANCE_PROVIDERS=No BALANCE_PROVIDERS=No
BASIC_FILTERS=No BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED" BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=Yes CLAMPMSS=Yes
CLEAR_TC=No CLEAR_TC=No
COMPLETE=No COMPLETE=No
DEFER_DNS_RESOLUTION=Yes DEFER_DNS_RESOLUTION=Yes
DELETE_THEN_ADD=No DELETE_THEN_ADD=No
DONT_LOAD= DONT_LOAD=
DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200" DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200,log,noupdate"
EXPAND_POLICIES=Yes EXPAND_POLICIES=No
EXPORTMODULES=Yes EXPORTMODULES=Yes
FASTACCEPT=Yes FASTACCEPT=Yes
FORWARD_CLEAR_MARK=No FORWARD_CLEAR_MARK=No
HELPERS=ftp HELPERS=ftp
IGNOREUNKNOWNVARIABLES=No IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes IPSET_WARNINGS=Yes
IP_FORWARDING=Keep IP_FORWARDING=Keep
KEEP_RT_TABLES=Yes KEEP_RT_TABLES=Yes
MACLIST_TABLE=filter MACLIST_TABLE=filter
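Review bot: this shorewall6.conf hunk bundles four unrelated behaviour changes without a word in the surrounding text: RELATED_LOG_LEVEL goes from unset to "$LOG_LEVEL" (rejected RELATED packets are now logged), EXPAND_POLICIES flips from Yes to No (the compiler stops creating a chain per zone pair for "all" policies, so log entries for those policies will carry the collective chain name instead of a per-pair one), DYNAMIC_BLACKLIST gains log,noupdate, and dropNotSyn:$LOG_LEVEL in BLACKLIST_DEFAULT becomes NotSyn(DROP):$LOG_LEVEL. Since the directory listing above now shows a site-local action.NotSyn in /etc/shorewall, say whether NotSyn(DROP) is meant to pick that file up. On the same BLACKLIST_DEFAULT line, dropInvalid:$LOG_LEVEL is now the only old-style action name left; Shorewall ships a parameterized Invalid action alongside NotSyn, so Invalid(DROP):$LOG_LEVEL would make the line consistent. Also note the IPv4 file keeps RELATED_LOG_LEVEL="$LOG_LEVEL:" with a trailing colon while this one has none.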
skipping to change at line 485 skipping to change at line 514
USE_DEFAULT_RT=Yes USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=Yes USE_NFLOG_SIZE=Yes
USE_PHYSICAL_NAMES=Yes USE_PHYSICAL_NAMES=Yes
USE_RT_NAMES=No USE_RT_NAMES=No
VERBOSE_MESSAGES=No VERBOSE_MESSAGES=No
WARNOLDCAPVERSION=Yes WARNOLDCAPVERSION=Yes
WORKAROUNDS=No WORKAROUNDS=No
ZERO_MARKS=No ZERO_MARKS=No
ZONE2ZONE=- ZONE2ZONE=-
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
BLACKLIST_DISPOSITION=DROP BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=REJECT RELATED_DISPOSITION=REJECT
SFILTER_DISPOSITION=DROP SFILTER_DISPOSITION=DROP
RPFILTER_DISPOSITION=DROP RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=DROP UNTRACKED_DISPOSITION=DROP
################################################################################ ################################################################################
# P A C K E T M A R K L A Y O U T # P A C K E T M A R K L A Y O U T
################################################################################ ################################################################################
TC_BITS=8 TC_BITS=8
PROVIDER_BITS=2 PROVIDER_BITS=2
PROVIDER_OFFSET=8 PROVIDER_OFFSET=8
MASK_BITS=8 MASK_BITS=8
ZONE_BITS=0 ZONE_BITS=0
#LAST LINE -- DO NOT REMOVE
</programlisting> </programlisting>
</section> </section>
</section> </section>
<section> <section>
<title>params</title> <title>params</title>
<para>Because addresses and interfaces are different between the two <para>Because addresses and interfaces are different between the two
address families, they cannot be hard-coded in the configuration files. address families, they cannot be hard-coded in the configuration files.
<filename>/etc/shorewall/params</filename> is used to set shell <filename>/etc/shorewall/params</filename> is used to set shell
variables whose contents will vary between Shorewall and Shorewall6. In variables whose contents will vary between Shorewall and Shorewall6. In
the <filename>params</filename> file and in run-time extension files, the <filename>params</filename> file and in run-time extension files,
the shell variable <emphasis role="bold">g_family</emphasis> can be used the shell variable <emphasis role="bold">g_family</emphasis> can be used
to determine which address family to use; if IPv4, then $g_family will to determine which address family to use; if IPv4, then $g_family will
expand to 4 and if IPv6, $g_family will expand to 6.</para> expand to 4 and if IPv6, $g_family will expand to 6.</para>
<para>The contents of /etc/shorewall/params is as follows:</para> <para>The contents of /etc/shorewall/params is as follows:</para>
<programlisting>INCLUDE mirrors #Sets the MIRRORS variable for the Mirrors <programlisting>#
action
#
# Set compile-time variables depending on the address family # Set compile-time variables depending on the address family
# #
if [ $g_family = 4 ]; then if [ $g_family = 4 ]; then
# #
# IPv4 compilation # IPv4 compilation
# #
FALLBACK=Yes # Make FAST_IF the primary and PROD_IF the fallback i nterface FALLBACK=Yes # Make FAST_IF the primary and PROD_IF the fallback i nterface
# See /etc/shorewall/providers # See /etc/shorewall/providers
STATISTICAL= # Use statistical load balancing STATISTICAL= # Use statistical load balancing
LISTS=70.90.191.124 # IP address of lists.shorewall.net (MX) LISTS=70.90.191.124 # IP address of lists.shorewall.net (MX)
MAIL=70.90.191.122 # IP address of mail.shorewall.net (IMAPS) MAIL=70.90.191.122 # IP address of mail.shorewall.net (IMAPS)
SERVER=70.90.191.125 # IP address of www.shorewall.org SERVER=70.90.191.125 # IP address of www.shorewall.org
IRSSIEXT=10.2.10.2 # External address of irssi.shorewall.net IRSSIEXT=10.2.10.2 # External address of irssi.shorewall.net
IRSSIINT=172.20.2.44 # Internal IP address of irssi.shorewall.net IRSSIINT=172.20.2.44 # Internal IP address of irssi.shorewall.net
PROXY=Yes # Use TPROXY for local web access PROXY=Yes # Use TPROXY for local web access
ALL=0.0.0.0/0 # Entire address space ALL=0.0.0.0/0 # Entire address space
LOC_ADDR=172.20.1.253 # IP address of the local LAN interface LOC_ADDR=172.20.1.253 # IP address of the local LAN interface
FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface
FAST_MARK=0x20000 # Multi-ISP mark setting for IF_FAST FAST_MARK=0x20000 # Multi-ISP mark setting for IF_FAST
IPSECMSS=1460 IPSECMSS=1460
DBL_SET=SW_DBL4
# #
# Interface Options # Interface Options
# #
LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,routeback,tcpflags=0,nodbl,phys LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,tcpflags=0,nodbl,physical=eth2.
ical=eth2 2
WLAN_OPTIONS=dhcp,ignore=1,wait=5,routefilter,tcpflags=0,nodbl,physical=eth2
.1
FAST_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,prox yarp=0,nosmurfs,rpfilter,physical=eth0 FAST_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,prox yarp=0,nosmurfs,rpfilter,physical=eth0
PROD_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,prox yarp=0,nosmurfs,rpfilter,physical=eth1 PROD_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,prox yarp=0,nosmurfs,rpfilter,physical=eth1
DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,nodb l,physical=br0 DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,nodb l,physical=br0
IRC_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=172.20.2.0/24,dhcp,no dbl,physical=br1 IRC_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=172.20.2.0/24,dhcp,no dbl,physical=br1
SWCH_OPTIONS=dhcp,tcpflags=0,nodbl,physical=eth2
else else
# #
# IPv6 compilation # IPv6 compilation
# #
FALLBACK=Yes # Make FAST_IF the primary and PROD_I FALLBACK=Yes # Make FAST_IF the primary and PROD
F the fallback interface _IF the fallback interface
# See /etc/shorewall/providers # See /etc/shorewall/providers
STATISTICAL=No # Don't use statistical load balancin STATISTICAL=No # Don't use statistical load balanc
g ing
LISTS=[2001:470:b:227::42] # IP address of lists.shorewall.net ( LISTS=[2001:470:b:227::42] # IP address of lists.shorewall.net
MX and HTTPS) (MX and HTTPS)
MAIL=[2001:470:b:227::45] # IP address of mail.shorewall.net ( MAIL=[2001:470:b:227::45] # IP address of mail.shorewall.net
IMAPS and HTTPS) (IMAPS and HTTPS)
SERVER=[2001:470:b:227::43] # IP address of www.shorewall.org ( SERVER=[2001:470:b:227::43] # IP address of server.shor
HTTP, FTP and RSYNC) ewall.net(FTP)
IRSSI=[2601:601:a000:16f1::]/64 # IP address of asus.shorewall.org ( IRSSI=[2601:601:a000:16f1::]/64 # IP address of irssi.shorewall.net
Bit Torrent) PROXY=Yes # Use TPROXY for local web access
PROXY=Yes # Use TPROXY for local web access ALL=[::]/0 # Entire address space
ALL=[::]/0 # Entire address space LOC_ADDR=[2601:601:a000:16f0::1] # IP address of the local LAN inter
LOC_ADDR=[2601:601:a000:16f0::1] # IP address of the local LAN interfa face
ce
FAST_GATEWAY=2601:601:a000:1600:22e5:2aff:feb7:f2cf FAST_GATEWAY=2601:601:a000:1600:22e5:2aff:feb7:f2cf
FAST_MARK=0x100 # Multi-ISP mark setting for IF_FAST FAST_MARK=0x100 # Multi-ISP mark setting for IF_FAS T
IPSECMSS=1440 IPSECMSS=1440
DBL_SET=SW_DBL6
# #
# Interface Options # Interface Options
# #
PROD_OPTIONS=forward=1,optional,rpfilter,routeback,physical=sit1 PROD_OPTIONS=forward=1,optional,rpfilter,routeback,physical=sit1
FAST_OPTIONS=forward=1,optional,dhcp,rpfilter,physical=eth0 FAST_OPTIONS=forward=1,optional,dhcp,rpfilter,physical=eth0
LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2 LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2.2
DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0 DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0
IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1 IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1
WLAN_OPTIONS=forward=1,nodbl,routeback,physical=eth2.1
fi</programlisting> fi</programlisting>
</section> </section>
<section> <section>
<title>zones</title> <title>zones</title>
<para>Here is the /etc/shorewall/zones file:</para> <para>Here is the /etc/shorewall/zones file:</para>
<programlisting>########################################################## <programlisting>#ZONE TYPE OPTIONS IN
##################### OUT
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS # OPTIONS OPTIONS
# #
# By using the 'ip' type, both Shorewall and Shorewall6 can share this file # By using the 'ip' type, both Shorewall and Shorewall6 can share this file
# #
fw { TYPE=firewall } fw { TYPE=firewall }
net { TYPE=ip } net { TYPE=ip }
loc { TYPE=ip } loc { TYPE=ip }
dmz { TYPE=ip } dmz { TYPE=ip }
apps { TYPE=ip } apps { TYPE=ip }
vpn { TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS } vpn { TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
</programlisting> wlan { TYPE=ip }
?if __IPV4
swch { TYPE=local }
?endif</programlisting>
</section> </section>
<section> <section>
<title>interfaces</title> <title>interfaces</title>
<para>/etc/shorewall/interfaces makes heavy use of variables set in <para>/etc/shorewall/interfaces makes heavy use of variables set in
/etc/shorewall/params:</para> /etc/shorewall/params:</para>
<programlisting>?FORMAT 2 <programlisting>?FORMAT 2
############################################################################### ###############################################################################
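Review bot: SWCH_OPTIONS=dhcp,tcpflags=0,nodbl,physical=eth2 disables both the TCP-flags sanity check and dynamic-blacklist lookups on the switch-management trunk, and the new WLAN_OPTIONS line also carries nodbl, so the dynamic blacklist (DBL_SET=SW_DBL6 is added in the same hunk) is never consulted for traffic arriving from the wireless vlan; neither line says why, so add a comment explaining the exemption, or drop nodbl from WLAN_OPTIONS if the exception was only ever meant for the wired LAN. Minor: the updated SERVER comment lacks a space ("server.shorewall.net(FTP)"), and the IRSSI comment says "IP address" for what is a /64 prefix.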
skipping to change at line 622 skipping to change at line 657
# #
# The two address families use different production interfaces and different # The two address families use different production interfaces and different
# #
# LOC_IF is the local LAN for both families # LOC_IF is the local LAN for both families
# FAST_IF is a Comcast IPv6 beta uplink which is used for internet access from t he local lan for both families # FAST_IF is a Comcast IPv6 beta uplink which is used for internet access from t he local lan for both families
# PROD_IF is the interface used by shorewall.org servers # PROD_IF is the interface used by shorewall.org servers
# For IPv4, it is eth1 # For IPv4, it is eth1
# For IPv6, it is sit1 (Hurricane Electric 6in4 link) # For IPv6, it is sit1 (Hurricane Electric 6in4 link)
# DMZ_IF is a bridge to the production containers # DMZ_IF is a bridge to the production containers
# IRC_IF is a bridge to a container that currently runs irssi under screen # IRC_IF is a bridge to a container that currently runs irssi under screen
# WLAN_IF is a vlan interface that connects to the wireless networks
# SWCH_IF is the vlan trunk interface used for switch management
loc { INTERFACE=LOC_IF, OPTIONS=$LOC_OPTIONS } loc { INTERFACE=LOC_IF, OPTIONS=$LOC_OPTIONS }
wlan { INTERFACE=WLAN_IF, OPTIONS=$WLAN_OPTIONS }
net { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS } net { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS }
net { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS } net { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS }
dmz { INTERFACE=DMZ_IF, OPTIONS=$DMZ_OPTIONS } dmz { INTERFACE=DMZ_IF, OPTIONS=$DMZ_OPTIONS }
apps { INTERFACE=IRC_IF, OPTIONS=$IRC_OPTIONS }</programlisting> apps { INTERFACE=IRC_IF, OPTIONS=$IRC_OPTIONS }
?if __IPV4
swch { INTERFACE=SWCH_IF, OPTIONS=$SWCH_OPTIONS }
?endif</programlisting>
</section> </section>
<section> <section>
<title>hosts</title> <title>hosts</title>
<para>/etc/shorewall/hosts is used to define the vpn zone:</para> <para>/etc/shorewall/hosts is used to define the vpn zone:</para>
<programlisting>##ZONE HOSTS OPTIONS <programlisting>##ZONE HOSTS OPTIONS
vpn { HOSTS=PROD_IF:$ALL } vpn { HOSTS=PROD_IF:$ALL }
vpn { HOSTS=FAST_IF:$ALL } vpn { HOSTS=FAST_IF:$ALL }
vpn { HOSTS=LOC_IF:$ALL }</programlisting> vpn { HOSTS=LOC_IF:$ALL }</programlisting>
</section> </section>
<section> <section>
<title>policy</title> <title>policy</title>
<para>The same set of policies apply to both address families:</para> <para>The same set of policies apply to both address families:</para>
<programlisting>#SOURCE DEST POLICY LOGLEVEL RATE <programlisting>SOURCE DEST POLICY LOGLEVEL RATE
$FW { DEST=dmz,net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } $FW { DEST=dmz,net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
?if __IPV4 ?if __IPV4
$FW { DEST=all, POLICY=ACCEPT:Broadcast(ACCEPT),Multicast(ACCEPT ), LOGLEVEL=$LOG_LEVEL } $FW { DEST=all, POLICY=ACCEPT:Broadcast(ACCEPT),Multicast(ACCEPT ), LOGLEVEL=$LOG_LEVEL }
?else ?else
$FW { DEST=all, POLICY=ACCEPT:AllowICMPs,Broadcast(ACCEPT),Multi cast(ACCEPT) LOGLEVEL=$LOG_LEVEL } $FW { DEST=all, POLICY=ACCEPT:AllowICMPs,Broadcast(ACCEPT),Multi cast(ACCEPT) LOGLEVEL=$LOG_LEVEL }
?endif ?endif
loc,apps { DEST=net, POLICY=ACCEPT } loc,apps,wlan { DEST=net, POLICY=ACCEPT }
loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT } loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT }
loc { DEST=fw, POLICY=REJECT, loc { DEST=fw, POLICY=REJECT,
LOGLEVEL=$LOG_LEVEL } LOGLEVEL=$LOG_LEVEL }
?if __IPV4 ?if __IPV4
net { DEST=net, POLICY=NONE } net { DEST=net, POLICY=NONE }
?else ?else
net { DEST=net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL } net { DEST=net, POLICY=REJECT, LOGLEVEL=$LOG_LEVEL }
?endif ?endif
net { DEST=fw, POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP net { DEST=fw, POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP
),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 } ),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
net { DEST=all, POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL, net { DEST=all, POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL,
LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 } LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
dmz { DEST=fw POLICY=REJECT,
LOGLEVEL=$LOG_LEVEL }
dmz { DEST=dmz POLICY=REJECT,
LOGLEVEL=$LOG_LEVEL }
all { DEST=all, POLICY=REJECT, dmz { DEST=fw, POLICY=REJECT,
LOGLEVEL=$LOG_LEVEL }</programlisting> LOGLEVEL=$LOG_LEVEL }
dmz { DEST=dmz, POLICY=REJECT,
LOGLEVEL=$LOG_LEVEL }
all { DEST=all, POLICY=REJECT,
LOGLEVEL=$LOG_LEVEL }</programlisting>
</section> </section>
<section> <section>
<title>providers</title> <title>providers</title>
<para>The providers file is set up to allow for three different <para>The providers file is set up to allow for three different
configurations:</para> configurations:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
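Review bot: the policy file's column header has lost its leading "#" in the new version ("SOURCE DEST POLICY LOGLEVEL RATE"), so the compiler will try to parse it as a policy entry with a zone named SOURCE; restore "#SOURCE DEST POLICY LOGLEVEL RATE". The missing commas in the dmz entries ("DEST=fw POLICY=REJECT") are correctly fixed to "DEST=fw, POLICY=REJECT". Separately, the new wlan zone is granted wlan->net but is not added to the "loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT }" line, so wlan->loc falls through to the final all->all REJECT; if isolating the wireless segment from the wired LAN is intentional, a one-line comment saying so would help, since every wlan->loc path then has to be opened individually in rules.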
skipping to change at line 789 skipping to change at line 829
# not effective in routing the 'ping' request packets out of FAST_IF. # not effective in routing the 'ping' request packets out of FAST_IF.
# The following route solves that problem. # The following route solves that problem.
# #
{ PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=$FAST_GATEWAY, DEVICE =FAST_IF, OPTIONS=persistent } { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=$FAST_GATEWAY, DEVICE =FAST_IF, OPTIONS=persistent }
?endif</programlisting> ?endif</programlisting>
</section> </section>
<section> <section>
<title>actions</title> <title>actions</title>
<para>/etc/shorewall/actions defines one action:</para> <para>/etc/shorewall/actions defines a single action:</para>
<programlisting>#ACTION COMMENT <programlisting>#ACTION OPTIONS COMMENT
Mirrors # Accept traffic from Shorewall Mirrors SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers
</programlisting> dport=ssh</programlisting>
<para>/etc/shorewall/action.Mirrors:</para> <para>/etc/shorewall/action.SSHLIMIT:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST S <programlisting>ACCEPT { RATE=s:3/min:3 }
OURCE ORIGINAL RATE BLACKLIST:$LOG_LEVEL:net_SSHLIMIT</programlisting>
# PORT PORT(S) DEST L
IMIT
?COMMENT Accept traffic from Mirrors
?FORMAT 2
DEFAULTS -
$1 $MIRRORS
</programlisting>
</section> </section>
<section> <section>
<title>Macros</title> <title>Macros</title>
<para>/etc/shorewall/macro.FTP:</para> <para>/etc/shorewall/macro.FTP:</para>
<programlisting>########################################################## ##################### <programlisting>########################################################## #####################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE U SER #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE U SER
PARAM - - tcp 21 PARAM - - tcp 21
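Review bot: action.SSHLIMIT has no column header and no ?COMMENT, unlike the action.Mirrors file it replaces, and its semantics deserve one: "ACCEPT { RATE=s:3/min:3 }" accepts up to three new connections per minute (burst 3) per source address, and anything beyond that hits "BLACKLIST:$LOG_LEVEL:net_SSHLIMIT", which blacklists the source for all traffic, not only SSH, until the dynamic blacklist entry expires. A comment stating the threshold and the blacklist scope would save the next reader from reconstructing it, and the threshold is low enough that a legitimate host opening several sessions in quick succession (scp loops, parallel ssh) will trip it, which is worth stating as a known trade-off.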
skipping to change at line 826 skipping to change at line 861
<para>This is just the normal Shorewall FTP macro without the helper <para>This is just the normal Shorewall FTP macro without the helper
logic -- we take care of that in the conntrack file below.</para> logic -- we take care of that in the conntrack file below.</para>
</section> </section>
<section> <section>
<title>conntrack</title> <title>conntrack</title>
<para>In addition to invoking the FTP helper on TCP port 21, this file <para>In addition to invoking the FTP helper on TCP port 21, this file
notracks some IPv4 traffic:</para> notracks some IPv4 traffic:</para>
<programlisting>#ACTION SOURCE DEST P <programlisting>?FORMAT 3
ROTO DPORT SPORT USER SWITCH ################################################################################
######################
#ACTION SOURCE DEST PROTO DPORT
SPORT USER SWITCH
CT:helper:ftp:P { PROTO=tcp, DPORT=21 } CT:helper:ftp:P { PROTO=tcp, DPORT=21 }
CT:helper:ftp:O { PROTO=tcp, DPORT=21 } CT:helper:ftp:O { PROTO=tcp, DPORT=21 }
?if __IPV4 ?if __IPV4
# #
# Don't track IPv4 broadcasts # Don't track IPv4 broadcasts
# #
NOTRACK:P { SOURCE=LOC_IF, DEST=172.20.1.255, PROTO=udp } NOTRACK:P { SOURCE=LOC_IF, DEST=172.20.1.255, PROTO=udp }
NOTRACK:P { DEST=255.255.255.255, PROTO=udp } NOTRACK:P { DEST=255.255.255.255, PROTO=udp }
NOTRACK:O { DEST=255.255.255.255, PROTO=udp } NOTRACK:O { DEST=255.255.255.255, PROTO=udp }
NOTRACK:O { DEST=172.20.1.255, PROTO=udp } NOTRACK:O { DEST=LOC_IF:172.20.0.255, PROTO=udp }
NOTRACK:O { DEST=70.90.191.127, PROTO=udp } NOTRACK:O { DEST=LOC_IF:172.20.1.255, PROTO=udp }
?endif NOTRACK:O { DEST=PROD_IF:70.90.191.127, PROTO=udp }
</programlisting> ?endif</programlisting>
</section> </section>
<section> <section>
<title>rules</title> <title>rules</title>
<para>/etc/shorewall/rules has only a couple of rules that are <para>/etc/shorewall/rules has only a couple of rules that are
conditional based on address family:</para> conditional based on address family:</para>
<programlisting>########################################################## ################################################################################ #################### <programlisting>########################################################## ################################################################################ ####################
#ACTION SOURCE DEST PROTO DPORT SPORT O RIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH H ELPER #ACTION SOURCE DEST PROTO DPORT SPORT O RIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH H ELPER
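Review bot: the PREROUTING and OUTPUT notrack entries no longer mirror each other: NOTRACK:O now covers LOC_IF:172.20.0.255 and LOC_IF:172.20.1.255, but NOTRACK:P still lists only "SOURCE=LOC_IF, DEST=172.20.1.255", so inbound UDP broadcasts to 172.20.0.255 continue to create conntrack entries; add "NOTRACK:P { SOURCE=LOC_IF, DEST=172.20.0.255, PROTO=udp }" or document why the inbound side is intentionally narrower. Since LOC_IF now maps to eth2.2 (see the LOC_OPTIONS change in params), also confirm that 172.20.1.255 is still the broadcast address seen on that interface rather than on the new wireless vlan.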
skipping to change at line 870 skipping to change at line 907
?SECTION RELATED ?SECTION RELATED
ACCEPT { SOURCE=all, DEST=dmz:$SERVER, PROTO=tcp, DPORT=61001:62000, h elper=ftp } ACCEPT { SOURCE=all, DEST=dmz:$SERVER, PROTO=tcp, DPORT=61001:62000, h elper=ftp }
ACCEPT { SOURCE=dmz, DEST=all, PROTO=tcp, helper=ftp } ACCEPT { SOURCE=dmz, DEST=all, PROTO=tcp, helper=ftp }
ACCEPT { SOURCE=all, DEST=net, PROTO=tcp, helper=ftp } ACCEPT { SOURCE=all, DEST=net, PROTO=tcp, helper=ftp }
ACCEPT { SOURCE=$FW, DEST=loc, PROTO=tcp, helper=ftp } ACCEPT { SOURCE=$FW, DEST=loc, PROTO=tcp, helper=ftp }
ACCEPT { SOURCE=loc, DEST=$FW, PROTO=tcp, helper=ftp } ACCEPT { SOURCE=loc, DEST=$FW, PROTO=tcp, helper=ftp }
ACCEPT { SOURCE=all, DEST=all, PROTO=icmp } ACCEPT { SOURCE=all, DEST=all, PROTO=icmp }
RST(ACCEPT) { SOURCE=all, DEST=all } RST(ACCEPT) { SOURCE=all, DEST=all }
ACCEPT { SOURCE=dmz, DEST=dmz } ACCEPT { SOURCE=dmz, DEST=dmz }
ACCEPT { SOURCE=$FW, DEST=$FW }
?SECTION INVALID ?SECTION INVALID
RST(ACCEPT) { SOURCE=all, DEST=all } RST(ACCEPT) { SOURCE=all, DEST=all }
FIN(ACCEPT) { SOURCE=all, DEST=all } FIN(ACCEPT) { SOURCE=all, DEST=all }
DROP { SOURCE=net, DEST=all } DROP { SOURCE=net, DEST=all }
?SECTION UNTRACKED ?SECTION UNTRACKED
?if __IPV4 ?if __IPV4
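Review bot: the new "ACCEPT { SOURCE=$FW, DEST=$FW }" in ?SECTION RELATED carries no comment, and since the policy file already has "$FW { DEST=all, POLICY=ACCEPT:... }" it is not obvious which related loopback traffic this entry is meant to catch; the helper=ftp rules above it are explicit about theirs, so either add a comment or qualify the rule with the helper or protocol it is there for.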
skipping to change at line 922 skipping to change at line 960
################################################################################ ###################### ################################################################################ ######################
# 6in4 # 6in4
# #
?if __IPV4 ?if __IPV4
ACCEPT { SOURCE=net:216.218.226.238, DEST=$FW, PROTO=41 } ACCEPT { SOURCE=net:216.218.226.238, DEST=$FW, PROTO=41 }
ACCEPT { SOURCE=$FW, DEST=net:216.218.226.238, PROTO=41 } ACCEPT { SOURCE=$FW, DEST=net:216.218.226.238, PROTO=41 }
?endif ?endif
################################################################################ ###################### ################################################################################ ######################
# Ping # Ping
# #
Ping(ACCEPT) { SOURCE=$FW,loc,dmz,vpn,apps, DEST=$FW,loc,dmz,vpn,apps } Ping(ACCEPT) { SOURCE=all!net, DEST=all }
Ping(ACCEPT) { SOURCE=dmz, DEST=dmz } Ping(ACCEPT) { SOURCE=dmz, DEST=dmz }
Ping(ACCEPT) { SOURCE=all, DEST=net } ?if __IPV4
Ping(ACCEPT) { source=$FW, DEST=swch }
?endif
################################################################################
######################
# Logging
#
Syslog(ACCEPT) { SOURCE=dmz, DEST=$FW }
################################################################################ ###################### ################################################################################ ######################
# SSH # SSH
# #
AutoBL(SSH,60,-,-,-,-,$LOG_LEVEL)\ SSH(DROP) { SOURCE=net, DEST=dmz:$SERVER }
{ SOURCE=net, DEST=all, PROTO=tcp, DPORT=2 SSHLIMIT { SOURCE=net, DEST=all }
2 }
SSH(ACCEPT) { SOURCE=all, DEST=all }
?if __IPV4 ?if __IPV4
SSH(ACCEPT) { SOURCE=all+!swch, DEST=all+ }
SSH(DNAT-) { SOURCE=net, DEST=172.20.2.44, PROTO=tcp, DPORT=s sh, ORIGDEST=70.90.191.123 } SSH(DNAT-) { SOURCE=net, DEST=172.20.2.44, PROTO=tcp, DPORT=s sh, ORIGDEST=70.90.191.123 }
?else
SSH(ACCEPT) { SOURCE=all+, DEST=all+ }
?endif ?endif
################################################################################ ###################### ################################################################################ ######################
# DNS # DNS
# #
DNS(ACCEPT) { SOURCE=loc,dmz,vpn,apps, DEST=$FW } DNS(ACCEPT) { SOURCE=loc,dmz,vpn,apps,wlan, DEST=$FW }
DNS(ACCEPT) { SOURCE=$FW, DEST=net } DNS(ACCEPT) { SOURCE=$FW, DEST=net }
?if $TEST ?if $TEST
DNS(REDIRECT) loc 53 - 53 - !&amp;LOC_IF DNS(REDIRECT) loc 53 - 53 - !&amp;LOC_IF
DNS(REDIRECT) fw 53 - 53 - !::1 DNS(REDIRECT) fw 53 - 53 - !::1
?endif ?endif
DropDNSrep { SOURCE=net, DEST=all } DropDNSrep { SOURCE=net, DEST=all }
################################################################################ ###################### ################################################################################ ######################
# Traceroute # Traceroute
# #
Trcrt(ACCEPT) { SOURCE=all, DEST=net } Trcrt(ACCEPT) { SOURCE=all, DEST=net }
Trcrt(ACCEPT) { SOURCE=net, DEST=$FW,dmz } Trcrt(ACCEPT) { SOURCE=net, DEST=$FW,dmz }
################################################################################ ###################### ################################################################################ ######################
# Email # Email
# #
SMTP(ACCEPT) { SOURCE=net,$FW, DEST=dmz:$LISTS } SMTP(ACCEPT) { SOURCE=net,$FW, DEST=dmz:$LISTS }
SMTP(ACCEPT) { SOURCE=dmz:$LISTS, DEST=net:PROD_IF } SMTP(ACCEPT) { SOURCE=dmz:$LISTS, DEST=net:PROD_IF }
SMTP(ACCEPT) { SOURCE=dmz, DEST=dmz:$LISTS } SMTP(ACCEPT) { SOURCE=dmz, DEST=dmz:$LISTS }
SMTP(REJECT) { SOURCE=dmz:$LISTS, DEST=net } SMTP(REJECT) { SOURCE=dmz:$LISTS, DEST=net }
IMAPS(ACCEPT) { SOURCE=all, DEST=dmz:$MAIL } IMAPS(ACCEPT) { SOURCE=all, DEST=dmz:$MAIL }
Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS } Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
SMTPS(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS } SMTPS(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
IMAP(ACCEPT) { SOURCE=loc,vpn, DEST=net } IMAP(REJECT) { SOURCE=net, DEST=all }
################################################################################ ###################### ################################################################################ ######################
# NTP # NTP
# #
NTP(ACCEPT) { SOURCE=all, DEST=net } NTP(ACCEPT) { SOURCE=all, DEST=net }
################################################################################ ###################### ################################################################################ ######################
# Squid # Squid
ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 } ACCEPT { SOURCE=loc,vpn,wlan, DEST=$FW, PROTO=tcp, DPORT=3128 }
################################################################################ ###################### ################################################################################ ######################
# HTTP/HTTPS # HTTP/HTTPS
# #
Web(ACCEPT) { SOURCE=loc,vpn DEST=$FW } Web(ACCEPT) { SOURCE=loc,vpn,wlan DEST=$FW }
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=proxy } Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=proxy }
Web(DROP) { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist we b crawlers" } Web(DROP) { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist we b crawlers" }
HTTP(ACCEPT) { SOURCE=net,loc,vpn,$FW DEST=dmz:$SERVER,$LISTS,$MAIL } HTTP(ACCEPT) { SOURCE=net,loc,vpn,wlan,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
HTTPS(ACCEPT) { SOURCE=net,loc,vpn,$FW DEST=dmz:$SERVER,$LISTS,$MAIL } HTTPS(ACCEPT) { SOURCE=net,loc,vpn,wlan,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
Web(ACCEPT) { SOURCE=dmz,apps DEST=net,$FW } Web(ACCEPT) { SOURCE=dmz,apps,loc,wlan, DEST=net,$FW }
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=root } Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=root }
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=teastep } Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=teastep }
?if __IPV4
Web(ACCEPT) { SOURCE=$FW, DEST=swch, USER=teastep }
?endif
Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=_apt } Web(ACCEPT) { SOURCE=$FW, DEST=net, USER=_apt }
################################################################################ ###################### ################################################################################ ######################
# FTP # FTP
# #
FTP(ACCEPT) { SOURCE=loc,vpn,apps DEST=net } FTP(ACCEPT) { SOURCE=dmz, DEST=net }
FTP(ACCEPT) { SOURCE=dmz, DEST=net } FTP(ACCEPT) { SOURCE=$FW, DEST=net, USER=root }
FTP(ACCEPT) { SOURCE=$FW, DEST=net, USER=root } FTP(ACCEPT) { SOURCE=all, DEST=dmz:$SERVER }
FTP(ACCEPT) { SOURCE=all, DEST=dmz:$SERVER }
# #
# Some FTP clients seem prone to sending the PORT command split over two packets . # Some FTP clients seem prone to sending the PORT command split over two packets .
# This prevents the FTP connection tracking code from processing the command and setting # This prevents the FTP connection tracking code from processing the command and setting
# up the proper expectation. # up the proper expectation.
# #
# The following rule allows active FTP to work in these cases # The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole. # but logs the connection so I can keep an eye on this potential security hole.
# #
ACCEPT:$LOG_LEVEL { SOURCE=dmz, DEST=net, PROTO=tcp, DPORT=1024:, SPORT=20 } ACCEPT:$LOG_LEVEL { SOURCE=dmz, DEST=net, PROTO=tcp, DPORT=1024:, SPORT=20 }
################################################################################ ###################### ################################################################################ ######################
# Git # Git
# #
Git(ACCEPT) { source=all, DEST=dmz:$SERVER } Git(ACCEPT) { source=all, DEST=dmz:$SERVER }
################################################################################ ###################### ################################################################################ ######################
# whois # whois
# #
Whois(ACCEPT) { SOURCE=all, DEST=net } Whois(ACCEPT) { SOURCE=all, DEST=net }
################################################################################ ###################### ################################################################################ ######################
# SMB # SMB
# #
SMBBI(ACCEPT) { SOURCE=loc, DEST=$FW } SMBBI(ACCEPT) { SOURCE=loc,wlan, DEST=$FW }
SMBBI(ACCEPT) { SOURCE=vpn, DEST=$FW } SMBBI(ACCEPT) { SOURCE=vpn, DEST=$FW }
################################################################################ ###################### ################################################################################ ######################
# IRC # IRC
# #
SetEvent(IRC) { SOURCE=loc,apps, DEST=net, PROTO=tcp, DPO SetEvent(IRC) { SOURCE=loc,apps,wlan, DEST=net, PROTO=tcp
RT=6667 } , DPORT=6667 }
IfEvent(IRC,ACCEPT,10,1,dst,reset) { SOURCE=net, DEST=loc,apps, PROTO=tcp, DP IfEvent(IRC,ACCEPT,10,1,dst,reset) { SOURCE=net, DEST=loc,apps,wlan, PROTO=tc
ORT=113 } p, DPORT=113 }
################################################################################ ###################### ################################################################################ ######################
# AUTH # AUTH
Auth(REJECT) { SOURCE=net, DEST=all } Auth(REJECT) { SOURCE=net, DEST=all }
################################################################################ ###################### ################################################################################ ######################
# Rsync
#
Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
################################################################################
######################
# IPSEC # IPSEC
# #
?if __IPV4 ?if __IPV4
DNAT { SOURCE=loc,net, DEST=apps:172.20.2.44, PROTO=udp, DPORT=500,450 0, ORIGDEST=70.90.191.123 } DNAT { SOURCE=loc,net,wlan, DEST=apps:172.20.2.44, PROTO=udp, DPORT=50 0,4500, ORIGDEST=70.90.191.123 }
?else ?else
ACCEPT { SOURCE=loc,net, DEST=apps, PROTO=udp, DPORT=500,4500 } ACCEPT { SOURCE=loc,net,wlan, DEST=apps, PROTO=udp, DPORT=500,4500 }
ACCEPT { SOURCE=loc,net, DEST=apps, PROTO=esp } ACCEPT { SOURCE=loc,net,wlan, DEST=apps, PROTO=esp }
?endif ?endif
ACCEPT { SOURCE=$FW, DEST=net, PROTO=udp, SPORT=4500 } ACCEPT { SOURCE=$FW, DEST=net, PROTO=udp, SPORT=4500 }
################################################################################ ###################### ################################################################################ ######################
# Bit Torrent
?if __IPV4
DNAT { SOURCE=net, DEST=apps:$IRSSIINT, PROTO=udp,tcp, DPORT=594
10, ORIGDEST=$IRSSIEXT }
?else
ACCEPT { SOURCE=net, DEST=apps:$IRSSI, PROTO=udp,tcp, DPORT=594
10 }
?endif
REJECT { SOURCE=net, DEST=all, PROTO=udp,tcp, DPORT=514
13,59410 }
################################################################################
######################
# VNC # VNC
ACCEPT { SOURCE=loc, DEST=$FW, PROTO=tcp, DPORT=590 0 } ACCEPT { SOURCE=loc, DEST=$FW, PROTO=tcp, DPORT=590 0 }
################################################################################ ###################### ################################################################################ ######################
# FIN &amp; RST # FIN &amp; RST
RST(ACCEPT) { SOURCE=all, DEST=all } RST(ACCEPT) { SOURCE=all, DEST=all }
FIN(ACCEPT) { SOURCE=all, DEST=all } FIN(ACCEPT) { SOURCE=all, DEST=all }
################################################################################ ###################### ################################################################################ ######################
# Multicast # Multicast
?if __IPV4 ?if __IPV4
Multicast(ACCEPT) { SOURCE=all, DEST=$FW } Multicast(ACCEPT) { SOURCE=all, DEST=$FW }
?endif
################################################################################
######################
?if __IPV4
ACCEPT { SOURCE=fw, DEST=all, PROTO=icmp, DPORT=host-unreachable }
?endif</programlisting> ?endif</programlisting>
</section> </section>
<section> <section>
<title>mangle</title> <title>mangle</title>
<para>Note that TPROXY can be enabled/disabled via a shell variable <para>Note that TPROXY can be enabled/disabled via a shell variable
setting in /etc/shorewall/params:</para> setting in /etc/shorewall/params:</para>
<programlisting>#ACTION SOURCE DEST PROTO D PORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILI TY DSCP <programlisting>#ACTION SOURCE DEST PROTO D PORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILI TY DSCP
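Review bot: in the SSH block, "SSHLIMIT { SOURCE=net, DEST=all }" accepts rate-limited SSH from the internet to every zone, and the IPv4 "SSH(ACCEPT) { SOURCE=all+!swch, DEST=all+ }" excludes the switch-management zone only as a SOURCE; the separate "$FW -> swch" Ping and Web rules suggest the switch is meant to be reachable from the firewall alone, so confirm that the local-type swch zone is left out of these "all" expansions and, if it is not, exclude it on the DEST side as well (DEST=all!swch and DEST=all+!swch). Two smaller points in the same hunk: "IMAP(REJECT) { SOURCE=net, DEST=all }" presumably exists so that IMAP probes are rejected instead of falling into the BLACKLIST policy, which is the same reasoning the "Web(DROP) ... Do not blacklist web crawlers" rule documents inline, so give it the same comment; and the new "ACCEPT { SOURCE=fw, DEST=all, PROTO=icmp, DPORT=host-unreachable }" sits under the "# Multicast" header with no heading of its own.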
skipping to change at line 1074 skipping to change at line 1114
?if __IPV4 ?if __IPV4
# #
# I've had a checksum issue with certain IPv4 UDP packets # I've had a checksum issue with certain IPv4 UDP packets
# #
CHECKSUM:T { DEST=FAST_IF, PROTO=udp } CHECKSUM:T { DEST=FAST_IF, PROTO=udp }
CHECKSUM:T { DEST=DMZ_IF, PROTO=udp } CHECKSUM:T { DEST=DMZ_IF, PROTO=udp }
?endif ?endif
?if $PROXY ?if $PROXY
# #
# Use TPROXY for IPv4 web access from the local LAN # Use TPROXY for web access from the local LAN
# #
DIVERT:R { PROTO=tcp, SPORT=80 } DIVERT:R { PROTO=tcp, SPORT=80 }
DIVERT:R { PROTO=tcp, DPORT=80 } DIVERT:R { PROTO=tcp, DPORT=80 }
TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=80 } TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=80 }
TPROXY(3129,$LOC_ADDR) { SOURCE=WLAN_IF, PROTO=tcp, DPORT=80 }
# DIVERT:R { PROTO=tcp, SPORT=443 }
# DIVERT:R { PROTO=tcp, DPORT=443 }
# TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=443 }
?endif</programlisting> ?endif</programlisting>
</section> </section>
<section> <section>
<title>snat</title> <title>snat</title>
<para>NAT entries are quite dependent on the address family:</para> <para>NAT entries are quite dependent on the address family:</para>
<programlisting>########################################################## <programlisting>#ACTION SOURCE DEST P
######################################################### ROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#ACTION SOURCE DEST PROTO PORT IPSEC MAR
K USER SWITCH ORIGDEST PROBABILITY
?if __IPV4 ?if __IPV4
MASQUERADE { SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_I F } MASQUERADE { SOURCE=172.20.0.0/22, DEST=FAST_I F }
MASQUERADE { SOURCE=70.90.191.120/29, DEST=FAST_I F } MASQUERADE { SOURCE=70.90.191.120/29, DEST=FAST_I F }
SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29, DEST=PROD_I F, PROBABILITY=0.50, COMMENT="Masquerade Local Network" } SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29, DEST=PROD_I F, PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29, DEST=PROD_I F, COMMENT="Masquerade Local Network" } SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29, DEST=PROD_I F, COMMENT="Masquerade Local Network" }
SNAT(172.20.1.253) { SOURCE=!172.20.1.0/24, DEST=LOC_IF :172.20.1.100 } SNAT(172.20.1.253) { SOURCE=!172.20.1.0/24, DEST=LOC_IF :172.20.1.100 }
?else ?else
SNAT(&amp;PROD_IF) { SOURCE=2601:601:a000:16f0::/60, D EST=PROD_IF } SNAT(&amp;PROD_IF) { SOURCE=2601:601:a000:16f0::/60, D EST=PROD_IF }
SNAT(&amp;FAST_IF) { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, D EST=FAST_IF } SNAT(&amp;FAST_IF) { SOURCE=2001:470:b:227::/64,2001:470:a:227::2, D EST=FAST_IF }
?endif</programlisting> ?endif</programlisting>
</section> </section>
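Review bot: "MASQUERADE { SOURCE=172.20.0.0/22, DEST=FAST_IF }" widens the masqueraded range: the old "172.20.1.0/24,172.20.2.0/23" did not include 172.20.0.0/24, which the /22 now does, so a fourth /24 is NATed out of FAST_IF without the hunk saying which network it is; a comment naming it (the conntrack hunk suggests a 172.20.0.0/24 segment now exists) would make the change reviewable. In mangle, the three commented-out 443 DIVERT/TPROXY lines are dead configuration; either drop them or add a note that HTTPS interception is intentionally disabled, so nobody re-enables it by accident.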
skipping to change at line 1157 skipping to change at line 1200
fi fi
</programlisting> </programlisting>
</section> </section>
<section> <section>
<title>stoppedrules</title> <title>stoppedrules</title>
<para>/etc/shorewall/stoppedrules allow SSH connections into the <para>/etc/shorewall/stoppedrules allow SSH connections into the
firewall system when Shorewall[6] is in the stopped state.</para> firewall system when Shorewall[6] is in the stopped state.</para>
<programlisting/> <programlisting>#ACTION SOURCE DEST P
ROTO DPORT SPORT
ACCEPT - $FW tcp 22
</programlisting>
</section> </section>
</section> </section>
</article> </article>
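Review bot: "ACCEPT - $FW tcp 22" in stoppedrules accepts SSH to the firewall from any source on every interface, including PROD_IF and FAST_IF, and while Shorewall is stopped none of the SSHLIMIT rate limiting or blacklisting from the rules file applies; if the intent is only to keep an administrative path open, restrict SOURCE to the local interface (for example LOC_IF or LOC_IF:<admin-range>) rather than "-". Minor: this listing uses the positional column format while every other listing in the document uses the brace syntax, and the paragraph's "allow" should read "allows".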
 End of changes. 100 change blocks. 
181 lines changed or deleted 216 lines changed or added
