This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_000_01C1E9D5.C0C8DE60
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C1E9D5.C0C8DE60"
------_=_NextPart_001_01C1E9D5.C0C8DE60
Content-Type: text/plain;
charset="iso-8859-1"
Hello everybody,
I''m a new user of the shorewall firewall and I''ve a hard
problem getting the
firewall working.
Can someone please can help me ?
Here is my situation:
I''ve a RedHat linux server with 2 NIC''s. One is connected to
the internet
with a cable modem with a dhcp ip adress (24.132.59.69) but I always get
this address so it''s almost a static one, and the other one is eth1
connected to my lan with ipaddress 192.168.0.5
My linux server is used as a firewall and as a webserver and mail server
(Lotus Domino) and I also want to use my server as an internet gateway
(Masquerading) for my other pc''s in my lan.
In my lan I''ve two win2000 machine one workstation and one laptop with
ipaddresses : 192.168.0.1 and 192.168.0.4
I''ve downloaded and installed the quick two-interfaces.tgz file and
I''ve
changed the files to my needs.
But there are still problems with internet access from my 2 windows2000
machines. Also I can''t receive or send any email, outgoing mail is
pending
and incoming mail get bounced.
It looks like there''s now internet connection allowed or there is
something
misconfigurated.
I''ve attached my files, who I''ve changed.
Could some please help me with this problem?
Thank you so much!
<<common>> <<interfaces>> <<masq>>
<<params>> <<policy>> <<rules>>
<<zones>>
lino.catucci@nuon.com
or
linocatucci@yahoo.com
------_=_NextPart_001_01C1E9D5.C0C8DE60
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html;
charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version
5.5.2653.12">
<TITLE>cable modem trouble</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=3D2 FACE=3D"Verdana">Hello
everybody,</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Verdana">I''m a new user
of the shorewall firewall and I''ve a hard problem getting the firewall
working.</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Verdana">Can someone please can
help me ?</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Verdana">Here is my
situation:</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Verdana">I''ve a RedHat
linux server with 2 NIC''s. One is connected to the internet with a
cable modem with a dhcp ip adress (24.132.59.69) but I always get this address
so it''s almost a static one, and the other one is eth1
connected to my lan with ipaddress 192.168.0.5</FONT></P>
<P><FONT SIZE=3D2 FACE=3D"Verdana">My linux server is used
as a firewall and as a webserver and mail server (Lotus Domino) and I also want
to use my server as an internet gateway (Masquerading) for my other
pc''s in my lan.</FONT></P>
<P><FONT SIZE=3D2 FACE=3D"Verdana">In my lan I''ve
two win2000 machine one workstation and one laptop with ipaddresses :
192.168.0.1 and 192.168.0.4 </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Verdana">I''ve
downloaded and installed the quick two-interfaces.tgz file and I''ve
changed the files to my needs.</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Verdana">But there are still
problems with internet access from my 2 windows2000 machines. Also I
can''t receive or send any email, outgoing mail is pending and incoming
mail get bounced.</FONT></P>
<P><FONT SIZE=3D2 FACE=3D"Verdana">It looks like
there''s now internet connection allowed or there is something
misconfigurated.</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Verdana">I''ve attached
my files, who I''ve changed.</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Verdana">Could some please help
me with this problem?</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Verdana">Thank you so
much!</FONT>
</P>
<P><FONT FACE=3D"Arial" SIZE=3D2
COLOR=3D"#000000"> <<common>>
</FONT><FONT FACE=3D"Arial" SIZE=3D2
COLOR=3D"#000000"> <<interfaces>>
</FONT><FONT FACE=3D"Arial" SIZE=3D2
COLOR=3D"#000000"> <<masq>>
</FONT><FONT FACE=3D"Arial" SIZE=3D2
COLOR=3D"#000000"> <<params>>
</FONT><FONT FACE=3D"Arial" SIZE=3D2
COLOR=3D"#000000"> <<policy>>
</FONT><FONT FACE=3D"Arial" SIZE=3D2
COLOR=3D"#000000"> <<rules>>
</FONT><FONT FACE=3D"Arial" SIZE=3D2
COLOR=3D"#000000"> <<zones>>
</FONT>
</P>
<P><FONT SIZE=3D2
FACE=3D"Verdana">lino.catucci@nuon.com</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Verdana">or</FONT>
<BR><FONT SIZE=3D2
FACE=3D"Verdana">linocatucci@yahoo.com</FONT>
</P>
</BODY>
</HTML>
------_=_NextPart_001_01C1E9D5.C0C8DE60--
------_=_NextPart_000_01C1E9D5.C0C8DE60
Content-Type: application/octet-stream;
name="common"
Content-Disposition: attachment;
filename="common"
############################################################################
# Shorewall 1.2 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
#
# Do not modify this file -- if you wish to change these rules, copy this
# file to /etc/shorewall/common and modify that file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# accept ACKs and RSTs that aren''t related to any session so that the
# protocol stack can handle them
#
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j DROP
run_iptables -A common -p udp --dport 445 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
------_=_NextPart_000_01C1E9D5.C0C8DE60
Content-Type: application/octet-stream;
name="interfaces"
Content-Disposition: attachment;
filename="interfaces"
#
# Shorewall 1.2 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# Columns are:
#
# ZONE Zone for this interface. Much match the short name
# of a zone defined in /etc/shorewall/zones.
#
# $<variable-name> is not allowed in this column.
#
# INTERFACE Name of interface
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started and you must have iproute
# installed.
#
# If you don''t want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - interface is managed by DHCP
# noping - icmp echo-request (ping) packets should
# be ignored on this interface
# routestopped - When the firewall is stopped, allow
# and route traffic to and from this
# interface.
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# it''s IP address via DHCP from subnet
# 206.191.149.192/27 and you want pings from the internet
# to be ignored. You interface a DMZ with subnet
# 192.168.2.0/24 using eth2. You want to be able to
# access the firewall from the local network when the
# firewall is stopped.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 noping,dhcp
# local eth1 192.168.1.255 routestopped
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect noping,dhcp
# local eth1 detect routestopped
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections and you want to ignore ping requests.
#
# net ppp0 - noping
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918,routefilter,dhcp
loc eth1 192.168.0.5 routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
------_=_NextPart_000_01C1E9D5.C0C8DE60
Content-Type: application/octet-stream;
name="masq"
Content-Disposition: attachment;
filename="masq"
#
# Shorewall 1.2 - Masquerade file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading)
#
# Columns are:
#
# INTERFACE -- Outgoing interface. This is usually your internet
# interface. This may be qualified by adding the character
# ":" followed by a destination host or subnet.
#
#
# SUBNET -- Subnet that you wish to masquerade. You can specify this as
# a subnet or as an interface. If you give the name of an
# interface, you must have iproute installed and the interface
# must be up before you start the firewall.
#
# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# eth0 eth1
#
# or
#
# eth0 192.168.0.0/24
#
# Example 2:
#
# You add a router to your local network to connect subnet
# 192.168.1.0/24 which you also want to masquerade. You then
# add the following entry to this file:
#
# eth0 192.168.1.0/24
#
# Example 3:
#
# You have an IPSEC tunnel through ipsec0 and you want to
# masquerade packets coming from 192.168.1.0/24 but only if
# these packets are destined for hosts in 10.1.1.0/24:
#
# ipsec0:10.1.1.0/24 196.168.1.0/24
#
##############################################################################
#INTERFACE SUBNET
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
------_=_NextPart_000_01C1E9D5.C0C8DE60
Content-Type: application/octet-stream;
name="params"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="params"
#
# Shorewall 1.2 /etc/shorewall/params
#
# This sample can be used to implement a simple firewall on a system with
# two network interfaces. The first interface interfaces to the internet and
# the second interfaces to a local network.
##############################################################################
#
# Specify the name of your internet interface in the following variable.
#
# If you access the internet via dial-up, the interface name with be ppp0
# If you have an ethernet interface to the internet, your interface name will
# be eth0.
NET_IF=3Deth0
# Specify the broadcast address for your network interface here. If your
# internet interface is point-to-point (such as with dial-up), then set this
# to "-". If you want Shorewall to automatically detect the broadcast
address,
# you can set the variable to "detect"; you will have to start your
network
# interface before starting Shorewall for this to work.
NET_BCAST=3Ddetect
#
# Specify the interface options in this variable as a comma-separated list.
#
# Possible options are as follows:
# dhcp - interface is managed by DHCP
# noping - icmp echo-request (ping) packets should
# be ignored on this interface
# routestopped - When the firewall is stopped, allow
# and route traffic to and from this
# interface.
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface.
#
NET_OPTIONS=3Ddhcp,noping,norfc1918
#
# Specify the name of your local interface in the following variable.
#
LOCAL_IF=3Deth1
# Specify the broadcast address for your network interface here. If your
# internet interface is point-to-point (such as with dial-up), then set this
# to "-". If you want Shorewall to automatically detect the broadcast
address,
# you can set the variable to "detect"; you will have to start your
network
# interface before starting Shorewall for this to work.
LOCAL_BCAST=3Ddetect
#
# Specify the interface options in this variable as a comma-separated list.
#
# Possible options are as follows:
# dhcp - interface is managed by DHCP
# noping - icmp echo-request (ping) packets should
# be ignored on this interface
# routestopped - When the firewall is stopped, allow
# and route traffic to and from this
# interface.
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses.
# multi - This interface has multiple IP
# addresses and you want to be able to
# route between them.
# routefilter - turn on kernel route filtering for this
# interface.
#
LOCAL_OPTIONS=3Droutestopped
#
# Specify your local network address range as <network address>/<mask
length>
# (example: 192.168.1.0/24).
#
LOCAL_NET=3D192.168.0.0/24
# Your firewall may need to access the internet for certain services. For
example,
# your firewall probably needs have access to internet DNS servers (port 53).
List
# the TCP ports/services that your firewall needs to access as a comma-separated
# list. If your firewall doesn''t need to access any internet TCP
services, set
# this variable to "none".
#
# Note: If you want open access to the internet from your firewall, uncomment
the
# appropriate line in the "policy" file and set FW_TCP_OUT_PORTS and
# FW_UDP_OUT_PORTS to "none".
FW_TCP_OUT_PORTS=3Dnone
#
# Similarly, list the internet UDP ports/services that your firewall needs
access
# to.
#
FW_UDP_OUT_PORTS=3Dnone
# This sample configuration allows you forward connections to up to two
# systems (servers) in your local network.
#
# List the TCP ports or services that you wish to forward to the first
# server in this variable as a comma-separated list. For example, if you want
# to forward www and https to the first, you would have
LOC_TCP_PORTS1=3Dwww,https
# or LOC_TCP_PORTS1=3D80,443 and you would set SERVER1 to the IP address of the
# server. If you don''t want to forward any tcp ports, set the
# variable''s value to "none".
#
LOC_TCP_PORTS1=3D80,443,21,22,25,1352
# List the UDP ports or services that you wish to forward to the first
# server in this variable as a comma-separated list. If you don''t want
to
# forward any tcp ports, set the variable''s value to "none".
LOC_UDP_PORTS1=3Dnone
# List the TCP ports or services on your first server that you wish to be=20
# able to access from your firewall (comma-separated list). If you
don''t
# want the firewall to be able to access any tcp ports on your first=20
# server, set the variable''s value to "none"
FW_LOC_TCP_PORTS1=3Dnone
# List the UDP ports or services on your first server that you wish to be=20
# able to access from your firewall (comma-separated list). If you
don''t
# want the firewall to be able to access any udp ports on your first=20
# server, set the variable''s value to "none"
FW_LOC_UDP_PORTS1=3Dnone
#
# Enter the IP address of the server that you want the above ports forwarded
# to.
#
SERVER1=3Dnone
# List the TCP ports or services that you wish to forward to the second
# server in this variable as a comma-separated list. For example, if you want
# to forward www and https to the first, you would have
LOC_TCP_PORTS2=3Dwww,https
# or LOC_TCP_PORTS2=3D80,443 and you would set SERVER1 to the IP address of the
# server. If you don''t want to forward any tcp ports, set the
# variable''s value to "none".
#
LOC_TCP_PORTS2=3Dnone
# List the UDP ports or services that you wish to forward to the second
# server in this variable as a comma-separated list. If you don''t want
to
# forward any tcp ports, set the variable''s value to "none".
LOC_UDP_PORTS2=3Dnone
# List the TCP ports or services on your second server that you wish to be=20
# able to access from your firewall (comma-separated list). If you
don''t
# want the firewall to be able to access any tcp ports on your first=20
# server, set the variable''s value to "none"
FW_LOC_TCP_PORTS2=3Dnone
# List the UDP ports or services on your second server that you wish to be=20
# able to access from your firewall (comma-separated list). If you
don''t
# want the firewall to be able to access any udp ports on your first=20
# server, set the variable''s value to "none"
FW_LOC_UDP_PORTS2=3Dnone
#
# Enter the IP address of the server that you want the above ports forwarded
# to.
#
SERVER2=3Dnone
#
# If you wish to "open" incoming TCP ports for a server running on the
# firewall, list them in this variable as a comma-separated list. For example,
# if you want to enable secure shell (ssh) and FTP, from the internet to your
# firewall, you would have FW_TCP_PORTS=3Dssh,ftp or FW_TCP_PORTS=3D22,21.
#
# If you don''t run any TCP servers on the firewall, use the value
"none"
FW_TCP_IN_PORTS=3D22,80,25,443,
#
# If you wish to "open" incoming UDP ports for servers running on the
# firewall, list them in this variable as a comma-separated list.
#
# If you don''t want to open any UDP ports, use the value
"none"
FW_UDP_IN_PORTS=3Dnone
#
# You will probably need access to your firewall from your local network for
# administrative task. A good way to do this is with ssh (TCP port 22).
#
# Enter the list of TCP ports to open from the local network to the firewall.
# If you don''t wish to open any ports, use the value "none"
#
LOC_FW_TCP_PORTS=3D22,80,443,21,25
#
# Enter the list of UDP ports to open from the local network to the firewall.
# If you don''t wish to open any ports, use the value "none"
#
LOC_FW_UDP_PORTS=3Dnone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
------_=_NextPart_000_01C1E9D5.C0C8DE60
Content-Type: application/octet-stream;
name="policy"
Content-Disposition: attachment;
filename="policy"
#
# Shorewall 1.2 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don''t get a match from the /etc/seafall/rules file. For each
# client/server pair, the file is processed in order until a match is
# found ("all" will match any client or server).
#
# $<variable-name> is only permitted in the fourth colunm (LOG LEVEL).
#
# Columns are:
#
# SOURCE Location of client. Must be the name of a zone defined
# in /etc/shorewall/zones, "fw" or "all".
#
# DESTINATION Location of server. Must be the name of a zone defined
# in /etc/shorewall/zones, "fw" or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DENY", "REJECT"
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the network are ignored but logged at syslog
# level KERNEL.INFO.
# d) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE DESTINATION POLICY LOG LEVEL
loc net ACCEPT
#
# If you want open access to the internet from your firewall, uncomment the
# following line
#fw net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
------_=_NextPart_000_01C1E9D5.C0C8DE60
Content-Type: application/octet-stream;
name="rules"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="rules"
#
# Shorewall version 1.2 - Rules File
#
# /etc/shorewall/rules=20
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# Columns are:
#
#
# RESULT ACCEPT, DROP or REJECT
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable packet.
#
# The line may NOT start with $<variable-name>
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# CLIENT(S) Hosts permitted to be clients. May be a zone defined
# in /etc/shorewall/zones or "fw" to indicate the
# firewall itself.
#
# Clients may be further restricted to a particular
# subnet or host by appending ":" and the subnet or host.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# Alternatively, clients may be specified by interface
# by appending ":" followed by the interface name. For
# example, loc:eth1 specifies a client that
# communicates with the firewall system through eth1.
#
# SERVER Location of Server. May be a zone defined in
# /etc/shorewall/zones or "fw" to indicate the firewall
# itself.
#
# The server may be further restricted to a particular
# subnet, host or interface by appending ":" and the
# subnet, host or interface. See above.
#
# The port that the server is listening on may be
# included and separated from the server''s IP address by
# ":". If omitted, the firewall will not modifiy the
# destination port.
#
# Example: loc:192.168.1.3:8080 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 8080. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp",
a number,
# "all" or "related". If "related", the
remainder of the
# entry must be omitted and connection requests that are
# related to existing requests will be accepted.
#
# PORT(S) Destination Port. A comma-separated list of Port names
# (from /etc/services), port numbers or port ranges;
# if the protocol is "icmp", this column is interpreted as
# the destination icmp-type. If this column contains the
# value "none", the rule is ignored.
#
# This column is ignored if PROTOCOL =3D all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable.
#
# If you don''t want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# ADDRESS (0ptional) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the SERVER column.
#
# If the special value "all" is used, then requests from
# the client zone given in the CLIENT(s) column with the
# destination port given in PORT(s) will be forwarded to
# the IP address given in SERVER.
#
# The address (or "all") may optionally be followed by
# a colon (":") an an IP address. This causes Shorewall
# to use the specified IP address as the source address
# in forwarded packets. See the Shorewall documentation
# for restrictions concerning this feature. If no source
# IP address is given, the original source address is not
# altered.
#
# Example: Forward all ssh and www connection requests from the internet to
# local system 192.168.1.3
#
# #RESULT CLIENTS SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
# ACCEPT net loc:192.168.1.3 tcp ssh,www - all
#
# Example: Redirect all locally-originating www connection requests to
# port 8080 on the firewall (Squid running on the firewall
# system)
#
# #RESULT CLIENTS SERVER(S) PROTO PORTS(S) CLIENT PORT(S) ADDRESS
# ACCEPT loc fw::8080 tcp www - all
##############################################################################
#RESULT CLIENT(S) SERVER(S) PROTO PORT(S) CLIENT PORT(S) ADDRESS
#
# Accept outgoing connections from the firewall
#
ACCEPT fw net tcp $FW_TCP_OUT_PORTS
ACCEPT fw net udp $FW_UDP_OUT_PORTS
#
# Accept incoming connections from the internet to the firewall
#
ACCEPT net fw tcp $FW_TCP_IN_PORTS
ACCEPT net fw udp $FW_UDP_IN_PORTS
#
# To avoid connection delays, reject AUTH if the user hasn''t ACCEPTED
it above
#
REJECT net fw tcp 113
#
# Accept connections from the local network to the firewall
#
ACCEPT loc fw tcp $LOC_FW_TCP_PORTS
ACCEPT loc fw udp $LOC_FW_UDP_PORTS
#
# Ports forwarded to server 1
#
ACCEPT net loc:$SERVER1 tcp $LOC_TCP_PORTS1 - all
ACCEPT net loc:$SERVER1 udp $LOC_UDP_PORTS1 - all
#
# Firewall to server 1
#
ACCEPT fw loc:$SERVER1 tcp $FW_LOC_TCP_PORTS1
ACCEPT fw loc:$SERVER1 udp $FW_LOC_UDP_PORTS1
#
# Ports forwarded to server 2
#
ACCEPT net loc:$SERVER2 tcp $LOC_TCP_PORTS2 - all
ACCEPT net loc:$SERVER2 udp $LOC_UDP_PORTS2 - all
#
# Firewall to server 2
#
ACCEPT fw loc:$SERVER2 tcp $FW_LOC_TCP_PORTS2
ACCEPT fw loc:$SERVER2 udp $FW_LOC_UDP_PORTS2
#
# People whine if ping doesn''t work
#
ACCEPT fw loc icmp 8
ACCEPT loc fw icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
------_=_NextPart_000_01C1E9D5.C0C8DE60
Content-Type: application/octet-stream;
name="zones"
Content-Disposition: attachment;
filename="zones"
#
# Shorewall 1.2 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
# $<variable-name> is not permitted in this file.
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
------_=_NextPart_000_01C1E9D5.C0C8DE60--