Hi Tom and gurus
Well after loading the two port files exactly as per instructions, the
is still a major problem.
Its not masquerading :(.
Looked the tcpdump on interface ppp0 and could see the other end of the
p-t-p link compaining of packets from the address of one of the PC''s on
the lan.
Looking at the syslog its seems only conntrack is being loaded, even
though the modules file is the same as this machine.
this is backed up by the contents of /proc/modules
I have the offending machine here now, at least that saves a 50mile
round trip each time.
Any sugestions ,? before I reformat the HD and reload everything again
in the hope that lightning dos''nt stroike twice in the same place.
config files attached
TIA
Richard
--
Richard Bown <richard.bown@blueyonder.co.uk>
-------------- next part --------------
#
# Include the standard common.def file
#
. /etc/shorewall/common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
-------------- next part --------------
#
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed and the interface must only be associated
# with a single subnet.
#
# If you don''t want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall or
# you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients.
# routestopped - (Deprecated -- use
# /etc/shorewall/routestopped)
# When the firewall is stopped, allow
# and route traffic to and from this
# interface.
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling is
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
# dropunclean - Logs and drops mangled/invalid packets
#
# logunclean - Logs mangled/invalid packets but does
# not drop them.
# blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
# proxyarp -
# Sets
# /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended soley for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# it''s IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2. You want to be able to
# access the firewall from the local network when the
# firewall is stopped.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255 routestopped
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect dhcp
# loc eth1 detect routestopped
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections.
#
# net ppp0 -
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 - routefilter,norfc1918
loc eth0 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall 1.3 - Masquerade file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
#
# Columns are:
#
# INTERFACE -- Outgoing interface. This is usually your internet
# interface. If ADD_SNAT_ALIASES=Yes in
# /etc/shorewall/shorewall.conf, you may add ":" and
# a digit to indicate that you want the alias added with
# that name (e.g., eth0:0). This will allow the alias to
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
# PLACE IN YOUR SHOREWALL CONFIGURATION.
#
# This may be qualified by adding the character
# ":" followed by a destination host or subnet.
#
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
#
# In order to exclude a subset of the specified SUBNET, you
# may append "!" and a comma-separated list of IP addresses
# and/or subnets that you wish to exclude.
#
# Example: eth1!192.168.1.4,192.168.32.0/27
#
# In that example traffic from eth1 would be masqueraded unless
# it came from 192.168.1.4 or 196.168.32.0/27
#
# ADDRESS -- (Optional). If you specify an address here, SNAT will be
# used and this will be the source address. If
# ADD_SNAT_ALIASES is set to Yes or yes in
# /etc/shorewall/shorewall.conf then Shorewall
# will automatically add this address to the
# INTERFACE named in the first column.
#
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
# the address given in this column is the primary
# IP address for the interface in the INTERFACE
# column.
#
# This column may not contain a DNS Name.
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# eth0 eth1
#
# or
#
# eth0 192.168.0.0/24
#
# Example 2:
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add a second entry for eth0 to this file:
#
# eth0 192.168.1.0/24
#
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
# Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to
# be added to eth0 with name eth0:0.
#
# eth0:0 192.168.1.0/24 206.124.146.176
#
##############################################################################
#INTERFACE SUBNET ADDRESS
ppp0 eth0 80.177.118.138
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don''t get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT" or
"CONTINUE"
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don''t want to log but need to specify the
# following column, place "_" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
#
# If you want open access to the internet from your firewall, uncomment the
# following line
fw net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
-------------- next part --------------
##############################################################################
#
# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#
# This file is used to define the hosts that are accessible when the
# firewall is stopped
#
# Columns must be separated by white space and are:
#
# INTERFACE - Interface through which host(s) communicate with
# the firewall
# HOST(S) - (Optional) Comma-separated list of IP/subnet
# addresses. If left empty or supplied as "-",
# 0.0.0.0/0 is assumed.
#
# Example:
#
# INTERFACE HOST(S)
# eth2 192.168.1.0/24
# eth0 192.0.2.44
##############################################################################
#INTERFACE HOST(S)
eth0 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case) as a log level.\
# This will log to the ULOG target and sent to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!'' and a comma-separated list of sub-zone names.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
#
# The port that the server is listening on may be
# included and separated from the server''s IP address by
# ":". If omitted, the firewall will not modifiy the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp",
a number,
# "all" or "related". If "related", the
remainder of the
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following ields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don''t want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (0ptional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# The address may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
#
#Accept SSH connections from the net to the firewall
#
ACCEPT net fw tcp 22
#
#Accept FTP,POP3,SMTP,TELNET,HTTP connections from local network to the
firewall
#
ACCEPT loc fw tcp 19,110,25,23,80,443
ACCEPT loc fw udp 19,110,25,23,80,443
#
#Accept FTP,POP3,SMTP,TELNET,HTTP connections from firewall to local network
#
ACCEPT fw loc tcp 19,110,25,23,80,443
ACCEPT fw loc udp 19,110,25,23,80,443
#
#Accept SAMBA connection from local to firewall/viceversa
#
ACCEPT loc fw tcp 137:139,445
ACCEPT loc fw udp 137:139,1024: 137
ACCEPT fw loc tcp 137:139,445
ACCEPT fw loc udp 137:139,1024: 137
# Accept Ping Ubiquitously
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
#
# All ICMP are accepted fw->all
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
##############################################################################
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# You should not have to change the variables in this section -- they are set
# by the packager of your Shorewall distribution
#
SHARED_DIR=/usr/lib/shorewall
#
##############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
# Valid levels are:
#
# 7 debug
# 6 info
# 5 notice
# 4 warning
# 3 err
# 2 crit
# 1 alert
# 0 emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# ''kern'' and the level that you specifify. If you are unsure
of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have build your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called
''ulogd''.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# configured to log all Shorewall message to their own log file
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
# searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string,
"fw"
# is assumed.
#
FW=fw
#
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don''t use lock
files,
# set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# ALLOW RELATED CONNECTIONS
#
# Set this to "yes" or "Yes" if you want to accept all
connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED=yes
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR
#
# LOG RATE LIMITING
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second'', `/minute'', `/hour'', or `/day''
suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# Example:
#
# LOGRATE=10/minute
# LOGBURST=5
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
LOGRATELOGBURST
#
# LEVEL AT WHICH TO LOG ''UNCLEAN'' PACKETS
#
# This variable determines the level at which Mangled/Invalid packets are logged
# under the ''dropunclean'' interface option. If you set this
variable to an
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
# silently.
#
# The value of this variable also determines the level at which Mangled/Invalid
# packets are logged under the ''logunclean'' interface option.
If the variable
# is empty, these packets will still be logged at the ''info''
level.
#
# See the comment at the top of this file for a description of log levels
#
LOGUNCLEAN=info
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g.,
LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the ''shorewall''
program where to
# look for Shorewall messages.It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/FAQ.htm#faq6
LOGFILE=/var/log/messages
#
# ENABLE NAT SUPPORT
#
# You probally want yes here. Only gateways not doing NAT in any form, like
# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
#
NAT_ENABLED=Yes
#
# ENABLE MANGLE SUPPORT
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos
file
# and will not initialize the mangle table when starting or stopping
# your firewall. You must enable mangling if you want Traffic Shaping
# (see TC_ENABLED below).
#
MANGLE_ENABLED=Yes
#
# ENABLE IP FORWARDING
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is
enabled. If you
# say "Off" or "off", packet forwarding will be disabled.
You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall
will neither
# enable nor disable packet forwarding.
#
IP_FORWARDING=On
#
# AUTOMATICALLY ADD NAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will
automatically add IP addresses
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases youself.
#
ADD_IP_ALIASES=Yes
#
# AUTOMATICALLY ADD SNAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will
automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you
say
# "No" or "no", you must add these aliases youself. LEAVE
THIS SET TO "No" unless
# you are sure that you need it -- most people don''t!!!
#
ADD_SNAT_ALIASES=No
#
# ENABLE TRAFFIC SHAPING
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled
in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled.
If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and
"tc" utilities) and
# you must enable packet mangling above.
#
TC_ENABLED=No
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
# BLACKLIST LOG LEVEL
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beward of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
# See the comment at the top of this file for a description of log levels
#
BLACKLIST_LOGLEVEL
#
# MSS CLAMPING
#
# Set this variable to "Yes" or "yes" if you want the TCP
"Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
# This option adds a `TCPMSS'' target, which allows you to alter the
# MSS value of TCP SYN packets, to control the maximum size for that
# connection (usually limiting it to your outgoing interface''s MTU
# minus 40).
#
# This is used to overcome criminally braindead ISPs or servers which
# block ICMP Fragmentation Needed packets. The symptoms of this
# problem are that everything works fine from your Linux
# firewall/router, but machines behind it can never exchange large
# packets:
# 1) Web browsers connect, then hang with no data received.
# 2) Small mail works fine, but large emails hang.
# 3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not
enabled.
#
CLAMPMSS=yes
#
# ROUTE FILTERING
#
# Set this variable to "Yes" or "yes" if you want kernel
route filtering on all
# interfaces (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is
assumed.
# In that case, you can still enable route filtering on individual interfaces
# in the /etc/shorewall/interfaces file.
ROUTE_FILTER=No
#
# NAT BEFORE RULES
#
# Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to
"No".
#
# If this variable is not set or is set to the empty value, "Yes" is
assumed.
NAT_BEFORE_RULES=Yes
# MULTIPORT support
#
# If your kernel includes the multiport match option
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it''s use here. When
this
# option is enabled by setting it''s value to "Yes" or
"yes":
#
# 1) If you list more that 15 ports in a comma-seperated list in
# /etc/shorewall/rules, Shorewall will not use the multiport option
# but will generate a separate rule for each element of each port
# list.
# 2) If you include a port range (<low port>:<high port>) in the
# rule, Shorewall will not use the multiport option but will generate
# a separate rule for each element of each port list.
#
# See the /etc/shorewall/rules file for additional information on this option.
#
# if this variable is not set or is set to the empty value, "No" is
assumed.
MULTIPORT=No
# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
#
# DNAT net loc:192.168.1.3 tcp 80
#
# it will forward TCP port 80 connections from the net to 192.168.1.3
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
# convenient for two reasons:
#
# a) If the the network interface has a dynamic IP address, the
# firewall configuration will work even when the address
# changes.
#
# b) It saves having to configure the IP address in the rule
# while still allowing the firewall to be started before the
# internet interface is brought up.
#
# This default behavior can also have a negative effect. If the
# internet interface has more than one IP address then the above
# rule will forward connection requests on all of these addresses;
# that may not be what is desired.
#
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
# only if the original destination address is the primary IP address of
# one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall
# is [re]started.
DETECT_DNAT_IPADDRS=No
#
# MERGE HOSTS FILE
#
# The traditional behavior of the /etc/shorewall/hosts file has been that
# if that file has ANY entry for a zone then the zone must be defined
# entirely in the hosts file. This is counter-intuitive and has caused
# people some problems.
#
# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
# are added to the contents described in the /etc/shorewall/interfaces file.
#
# Example: Suppose that we have the following interfaces and hosts files:
#
# Interfaces:
#
# net eth0
# loc eth1
# - ppp+
#
# Hosts:
#
# loc ppp+:192.168.1.0/24
# wrk ppp+:!192.168.1.0/24
#
# With MERGE_HOSTS=No, the contents of the ''loc'' zone would be
just
# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
# ppp+:192.168.1.0 and eth1:0.0.0.0/0
#
# If this variable is not set or is set to the empty value, "No" is
assumed.
MERGE_HOSTS=Yes
#
# MUTEX TIMEOUT
#
# The value of this variable determines the number of seconds that programs
# will wait for exclusive access to the Shorewall lock file. After the number
# of seconds corresponding to the value of this variable, programs will assume
# that the last program to hold the lock died without releasing the lock.
#
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
#
# An appropriate value for this parameter would be twice the length of time
# that it takes your firewall system to process a "shorewall restart"
command.
MUTEX_TIMEOUT=60
#
# LOGGING ''New not SYN'' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet that does not have the SYN flag set and the ACK and RST
# flags clear then unless the packet is part of an established connection,
# it will be rejected by the firewall. If you want these rejects logged,
# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
#
# See the comment at the top of this file for a description of log levels
#
# Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN
#
# Old Ping Handling
#
# If this option is set to "Yes" then Shorewall will use its old ping
handling
# facility including the FORWARDPING option in this file and the
''noping'' and
# ''filterping'' interface options. If this option is set to
''No'' then ping
# is handled via policy and rules just like any other connection request.
#
# If you are a new Shorewall user DON''T CHANGE THE VALUE OF THIS OPTION
AND
# DON''T DELETE IT!!!!!!
#
OLD_PING_HANDLING=No
#
# NEWNOTSYN
#
# If this variable is set to "No" or "no", then When a TCP
packet that does
# not have the SYN flag set and the ACK and RST flags clear then unless the
# packet is part of an established connection, it will be dropped by the
# firewall
#
# If this variable is set to "Yes" or "yes" then such
packets will not be
# dropped but will pass through the normal rule processing.
#
# Users with a High-availability setup with two firewall''s and one
acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.
NEWNOTSYN=No
#
# MAC List Disposition
#
# This variable determines the disposition of connection requests arriving
# on interfaces that have the ''maclist'' option and that are
from a device
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed
MACLIST_DISPOSITION=REJECT
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Disposition
#
# This variable determins the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# ''tcpflags'' option specified in /etc/shorewall/interfaces. If
not specified
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is
assumed.
TCP_FLAGS_DISPOSITION=DROP
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="")
then
# such packets will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=ULOG
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this file for a description of log levels
#
RFC1918_LOG_LEVEL=ULOG
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall''s external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#
# Clear Traffic Shapping/Control
#
# If this option is set to ''No'' then Shorewall won''t
clear the current
# traffic control rules during [re]start. This setting is intended
# for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the ''fwmark''
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.
CLEAR_TC=Yes
#LAST LINE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall 1.3 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE