Tom Eastep
2004-Jan-12 16:12 UTC
[Shorewall-devel] Shorewall2 -- now running on gateway.shorewall.net
I've gotten the basic code working on my firewall. So that I can quickly get back online if I screw up, I'm currently calling it shorewall2. That way if it screws up I can just "shorewall restart".

    /sbin/shorewall2       -- command interpreter
    /etc/shorewall2/       -- configuration files
    /usr/share/shorewall2/ -- shared files

Both Shorewall and Shorewall2 use the same state directory.

/etc/shorewall/actions.std defines the actions that I release and currently contains just the actions I need to replace the 'common' chain (plus AllowPing, which I personally like).

    #
    # Shorewall 2.0 /etc/shorewall/actions.std
    #
    #
    DropBcast       #Silently Drops Broadcast Traffic
    DropSMB         #Silently Drops Microsoft SMB Traffic
    RejectSMB       #Silently Reject Microsoft SMB Traffic
    DropUPnP        #Silently Drop UPnP Probes
    DropNonSyn      #Silently Drop Non-syn TCP packets
    RejectAuth      #Silently Reject Auth
    DropPing        #Silently Drop Ping
    AllowPing       #Accept Ping
    Drop:DROP       #Common rules for DROP policy
    Reject:REJECT   #Common Action for Reject policy
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

The ":DROP" and ":REJECT" after the last two action names indicate that those actions should be applied before any DROP or REJECT policy respectively. This is how user-defined actions can be used to replace the 'common' chain.

In /etc/shorewall/actions, we have:

    INCLUDE actions.std

The "Drop" action is as follows:

    RejectAuth
    DropBcast
    DropSMB
    DropUPnP
    DropNonSyn

Some of the actions like DropBcast (which silently drops all broadcasts) require a little trickery to implement (think extension scripts).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
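The actions file format described in the post (one action name per line, `#` comments, an `INCLUDE` directive, and a `Name:POLICY` suffix that binds an action to run before the DROP or REJECT policy) is small enough to parse in a few lines. The following is an added example written for this page, not Shorewall's own code: it resolves `INCLUDE` recursively, rejects include loops and malformed entries, and reports which actions are hooked to which policy. The file contents are constructed in memory, and the validation rules (allowed action-name characters, allowed policy suffixes) are assumptions rather than anything the post specifies.

```python
"""Parse a Shorewall 2.0-style actions file (added example, not Shorewall's code).

Assumed format: one action per line; '#' starts a comment; 'INCLUDE <file>'
pulls in another file; 'Name:POLICY' binds the action to run before that
policy, as the post describes for Drop:DROP and Reject:REJECT.
"""
import re

# Constructed sample files, keyed by name, standing in for /etc/shorewall/.
SAMPLE_FILES = {
    "actions": "INCLUDE actions.std\nMyLog   # constructed local addition\n",
    "actions.std": """#
# Shorewall 2.0 /etc/shorewall/actions.std
#
DropBcast       #Silently Drops Broadcast Traffic
DropSMB         #Silently Drops Microsoft SMB Traffic
Drop:DROP       #Common rules for DROP policy
Reject:REJECT   #Common Action for Reject policy
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
""",
}

# Assumption: action names are identifiers; only DROP/REJECT may follow the colon.
ACTION_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)(?::(DROP|REJECT))?$")


def parse_actions(name, files=SAMPLE_FILES, _seen=None):
    """Return [(action, policy_or_None), ...] in file order, following INCLUDEs."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        raise ValueError(f"INCLUDE loop at {name}")
    _seen.add(name)

    result = []
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        # Drop the trailing comment and surrounding whitespace; skip blank lines.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "INCLUDE" and len(parts) == 2:
            result.extend(parse_actions(parts[1], files, _seen))
            continue
        m = ACTION_RE.match(line)
        if not m:
            raise ValueError(f"{name}:{lineno}: bad action entry {raw!r}")
        result.append((m.group(1), m.group(2)))
    return result


def policy_hooks(actions):
    """Map each policy (DROP/REJECT) to the actions bound to run before it."""
    hooks = {}
    for action, policy in actions:
        if policy:
            hooks.setdefault(policy, []).append(action)
    return hooks


if __name__ == "__main__":
    acts = parse_actions("actions")
    print(acts)
    print(policy_hooks(acts))
```

Running the block on the constructed sample yields the five actions in include order (the `actions.std` entries first, then `MyLog`), with `Drop` hooked to the DROP policy and `Reject` to the REJECT policy.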