I wrote last night that I had trouble with losing connections behind the firewall. I have been to the errata, FAQ, and reread all my files in the quick start guide and sample files. Everything seems to be in order; I get no error messages at start-up or shutdown. I have attached several settings files to this email in hopes this will be enough info to at least get a start on diagnosing the problem. It only loses the connection if I stay unconnected from the internet for a short amount of time. My cable modem uses DHCP for the external IP address resolution. It remains constant unless I unplug and reset the modem. My internal address scheme is 192.168.1.0/24. I have a perfect connection from the firewall to the internet at all times.

-------------- next part --------------
#
# Shorewall 1.3 -- Blacklist File
#
# /etc/shorewall/blacklist
#
# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
#
# Columns are:
#
#     ADDRESS/SUBNET  - Host address, subnetwork or MAC address
#
#                       MAC addresses must be prefixed with "~" and use "-"
#                       as a separator.
#
#                       Example: ~00-A0-C9-15-39-78
#
#     PROTOCOL        - Optional. If specified, must be a protocol number
#                       or a protocol name from /etc/protocols.
#
#     PORTS           - Optional. May only be specified if the protocol
#                       is TCP (6) or UDP (17). A comma-separated list
#                       of port numbers or service names from /etc/services.
#
# When a packet arrives on an interface that has the 'blacklist' option
# specified, its source IP address is checked against this file and disposed of
# according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
# /etc/shorewall/shorewall.conf
#
# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
# the protocol (and one of the ports if PORTS supplied) are blocked.
#
# Example:
#
#     To block DNS queries from address 192.0.2.126:
#
#     ADDRESS/SUBNET   PROTOCOL   PORT
#     192.0.2.126      udp        53
#
###############################################################################
#ADDRESS/SUBNET   PROTOCOL   PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
#
# Include the standard common.def file
#
. /etc/shorewall/common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -m state --state NEW -j DROP
-------------- next part --------------
############################################################################
# Shorewall 1.3 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
#
# Do not modify this file -- if you wish to change these rules, create
# /etc/shorewall/common to replace it. It is suggested that you include
# the command ". /etc/shorewall/common.def" in your
# /etc/shorewall/common file so that you will continue to get the
# advantage of new releases of this file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# Drop invalid state TCP packets
#
run_iptables -A common -m state -p tcp --state INVALID -j DROP
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject
############################################################################
# UPnP
#
run_iptables -A common -p udp --dport 1900 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
############################################################################
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j reject
-------------- next part --------------
#
# Shorewall 1.3 - Masquerade file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
# (SNAT).
#
# Columns are:
#
#     INTERFACE -- Outgoing interface. This is usually your internet
#                  interface. If ADD_SNAT_ALIASES=Yes in
#                  /etc/shorewall/shorewall.conf, you may add ":" and
#                  a digit to indicate that you want the alias added with
#                  that name (e.g., eth0:0). This will allow the alias to
#                  be displayed with ifconfig. THAT IS THE ONLY USE FOR
#                  THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
#                  PLACE IN YOUR SHOREWALL CONFIGURATION.
#
#                  This may be qualified by adding the character
#                  ":" followed by a destination host or subnet.
#
#
#     SUBNET    -- Subnet that you wish to masquerade. You can specify this as
#                  a subnet or as an interface. If you give the name of an
#                  interface, you must have iproute installed and the interface
#                  must be up before you start the firewall.
#
#                  In order to exclude a subset of the specified SUBNET, you
#                  may append "!" and a comma-separated list of IP addresses
#                  and/or subnets that you wish to exclude.
#
#                  Example: eth1!192.168.1.4,192.168.32.0/27
#
#                  In that example traffic from eth1 would be masqueraded unless
#                  it came from 192.168.1.4 or 192.168.32.0/27
#
#     ADDRESS   -- (Optional). If you specify an address here, SNAT will be
#                  used and this will be the source address. If
#                  ADD_SNAT_ALIASES is set to Yes or yes in
#                  /etc/shorewall/shorewall.conf then Shorewall
#                  will automatically add this address to the
#                  INTERFACE named in the first column.
#
#                  WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
#                  the address given in this column is the primary
#                  IP address for the interface in the INTERFACE
#                  column.
#
#                  This column may not contain a DNS Name.
#
# Example 1:
#
#     You have a simple masquerading setup where eth0 connects to
#     a DSL or cable modem and eth1 connects to your local network
#     with subnet 192.168.0.0/24.
#
#     Your entry in the file can be either:
#
#     eth0    eth1
#
#     or
#
#     eth0    192.168.0.0/24
#
# Example 2:
#
#     You add a router to your local network to connect subnet
#     192.168.1.0/24 which you also want to masquerade. You then
#     add a second entry for eth0 to this file:
#
#     eth0    192.168.1.0/24
#
# Example 3:
#
#     You have an IPSEC tunnel through ipsec0 and you want to
#     masquerade packets coming from 192.168.1.0/24 but only if
#     these packets are destined for hosts in 10.1.1.0/24:
#
#     ipsec0:10.1.1.0/24    192.168.1.0/24
#
# Example 4:
#
#     You want all outgoing traffic from 192.168.1.0/24 through
#     eth0 to use source address 206.124.146.176 which is NOT the
#     primary address of eth0. You want 206.124.146.176 to be
#     added to eth0 with name eth0:0.
#
#     eth0:0    192.168.1.0/24    206.124.146.176
#
##############################################################################
#INTERFACE    SUBNET            ADDRESS
eth0          192.168.1.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
#     SOURCE        Source zone. Must be the name of a zone defined
#                   in /etc/shorewall/zones, $FW or "all".
#
#     DEST          Destination zone. Must be the name of a zone defined
#                   in /etc/shorewall/zones, $FW or "all"
#
#                   WARNING: Firewall->Firewall policies are not allowed; if
#                   you have a policy where both SOURCE and DEST are $FW,
#                   Shorewall will not start!
#
#     POLICY        Policy if no match from the rules file is found. Must
#                   be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
#
#     LOG LEVEL     If supplied, each connection handled under the default
#                   POLICY is logged at that level. If not supplied, no
#                   log message is generated. See syslog.conf(5) for a
#                   description of log levels.
#
#                   Beginning with Shorewall version 1.3.12, you may
#                   also specify ULOG (must be in upper case). This will
#                   log to the ULOG target and send the messages to a
#                   separate log through use of ulogd
#                   (http://www.gnumonks.org/projects/ulogd).
#
#                   If you don't want to log but need to specify the
#                   following column, place "_" here.
#
#     LIMIT:BURST   If passed, specifies the maximum TCP connection rate
#                   and the size of an acceptable burst. If not specified,
#                   TCP connections are not limited.
#
# As shipped, the default policies are:
#
#     a) All connections from the local network to the internet are allowed
#     b) All connections from the internet are ignored but logged at syslog
#        level KERNEL.INFO.
#     c) All other connection requests are rejected and logged at level
#        KERNEL.INFO.
###############################################################################
#SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
loc        net     ACCEPT
#
# If you want open access to the internet from your firewall, uncomment the
# following line
fw         net     ACCEPT
net        all     DROP      info
all        all     REJECT    info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
#
#     ACTION        ACCEPT, DROP, REJECT, DNAT or REDIRECT
#
#                   ACCEPT   -- allow the connection request
#                   DROP     -- ignore the request
#                   REJECT   -- disallow the request and return an
#                               icmp-unreachable or an RST packet.
#                   DNAT     -- Forward the request to another
#                               system (and optionally another
#                               port).
#                   DNAT-    -- Advanced users only.
#                               Like DNAT but only generates the
#                               DNAT iptables rule and not
#                               the companion ACCEPT rule.
#                   REDIRECT -- Redirect the request to a local
#                               port on the firewall.
#
#                   May optionally be followed by ":" and a syslog log
#                   level (e.g., REJECT:info). This causes the packet to be
#                   logged at the specified level.
#
#                   Beginning with Shorewall version 1.3.12, you may
#                   also specify ULOG (must be in upper case) as a log level.
#                   This will log to the ULOG target and send the messages
#                   to a separate log through use of ulogd
#                   (http://www.gnumonks.org/projects/ulogd).
#
#
#     SOURCE        Source hosts to which the rule applies. May be a zone
#                   defined in /etc/shorewall/zones, $FW to indicate the
#                   firewall itself, or "all". If the ACTION is DNAT or
#                   REDIRECT, sub-zones of the specified zone may be
#                   excluded from the rule by following the zone name with
#                   "!" and a comma-separated list of sub-zone names.
#
#                   Except when "all" is specified, clients may be further
#                   restricted to a list of subnets and/or hosts by
#                   appending ":" and a comma-separated list of subnets
#                   and/or hosts. Hosts may be specified by IP or MAC
#                   address; MAC addresses must begin with "~" and must use
#                   "-" as a separator.
#
#                   dmz:192.168.2.2           Host 192.168.2.2 in the DMZ
#
#                   net:155.186.235.0/24      Subnet 155.186.235.0/24 on the
#                                             Internet
#
#                   loc:192.168.1.1,192.168.1.2
#                                             Hosts 192.168.1.1 and
#                                             192.168.1.2 in the local zone.
#                   loc:~00-A0-C9-15-39-78    Host in the local zone with
#                                             MAC address 00:A0:C9:15:39:78.
#
#                   Alternatively, clients may be specified by interface
#                   by appending ":" to the zone name followed by the
#                   interface name. For example, loc:eth1 specifies a
#                   client that communicates with the firewall system
#                   through eth1. This may be optionally followed by
#                   another colon (":") and an IP/MAC/subnet address
#                   as described above (e.g., loc:eth1:192.168.1.5).
#
#     DEST          Location of Server. May be a zone defined in
#                   /etc/shorewall/zones, $FW to indicate the firewall
#                   itself or "all"
#
#                   Except when "all" is specified, the server may be
#                   further restricted to a particular subnet, host or
#                   interface by appending ":" and the subnet, host or
#                   interface. See above.
#
#                       Restrictions:
#
#                       1. MAC addresses are not allowed.
#                       2. In DNAT rules, only IP addresses are
#                          allowed; no FQDNs or subnet addresses
#                          are permitted.
#
#                   The port that the server is listening on may be
#                   included and separated from the server's IP address by
#                   ":". If omitted, the firewall will not modify the
#                   destination port. A destination port may only be
#                   included if the ACTION is DNAT or REDIRECT.
#
#                   Example: loc:192.168.1.3:3128 specifies a local
#                   server at IP address 192.168.1.3 and listening on port
#                   3128. The port number MUST be specified as an integer
#                   and not as a name from /etc/services.
#
#                   If the ACTION is REDIRECT, this column needs only to
#                   contain the port number on the firewall that the
#                   request should be redirected to.
#
#     PROTO         Protocol - Must be "tcp", "udp", "icmp", a number,
#                   "all" or "related". If "related", the remainder of the
#                   entry must be omitted and connection requests that are
#                   related to existing requests will be accepted.
#
#     DEST PORT(S)  Destination Ports. A comma-separated list of Port
#                   names (from /etc/services), port numbers or port
#                   ranges; if the protocol is "icmp", this column is
#                   interpreted as the destination icmp-type(s).
#
#                   A port range is expressed as <low port>:<high port>.
#
#                   This column is ignored if PROTOCOL = all but must be
#                   entered if any of the following fields are supplied.
#                   In that case, it is suggested that this field contain
#                   "-"
#
#                   If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
#                   only a single Netfilter rule will be generated if in
#                   this list and the CLIENT PORT(S) list below:
#                   1. There are 15 or fewer ports listed.
#                   2. No port ranges are included.
#                   Otherwise, a separate rule will be generated for each
#                   port.
#
#     CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
#                   any source port is acceptable. Specified as a comma-
#                   separated list of port names, port numbers or port
#                   ranges.
#
#                   If you don't want to restrict client ports but need to
#                   specify an ADDRESS in the next column, then place "-"
#                   in this column.
#
#                   If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
#                   only a single Netfilter rule will be generated if in
#                   this list and the DEST PORT(S) list above:
#                   1. There are 15 or fewer ports listed.
#                   2. No port ranges are included.
#                   Otherwise, a separate rule will be generated for each
#                   port.
#
#     ORIGINAL DEST (Optional -- only allowed if ACTION is DNAT or
#                   REDIRECT) If included and different from the IP
#                   address given in the SERVER column, this is an address
#                   on some interface on the firewall and connections to
#                   that address will be forwarded to the IP and port
#                   specified in the DEST column.
#
#                   The address may optionally be followed by
#                   a colon (":") and a second IP address. This causes
#                   Shorewall to use the second IP address as the source
#                   address in forwarded packets. See the Shorewall
#                   documentation for restrictions concerning this feature.
#                   If no source IP address is given, the original source
#                   address is not altered.
#
#     Example: Accept SMTP requests from the DMZ to the internet
#
#     #ACTION    SOURCE    DEST              PROTO    DEST     SOURCE     ORIGINAL
#     #                                               PORT     PORT(S)    DEST
#     ACCEPT     dmz       net               tcp      smtp
#
#     Example: Forward all ssh and http connection requests from the internet
#              to local system 192.168.1.3
#
#     #ACTION    SOURCE    DEST              PROTO    DEST     SOURCE     ORIGINAL
#     #                                               PORT     PORT(S)    DEST
#     DNAT       net       loc:192.168.1.3   tcp      ssh,http
#
#     Example: Redirect all locally-originating www connection requests to
#              port 3128 on the firewall (Squid running on the firewall
#              system) except when the destination address is 192.168.2.2
#
#     #ACTION    SOURCE    DEST              PROTO    DEST     SOURCE     ORIGINAL
#     #                                               PORT     PORT(S)    DEST
#     REDIRECT   loc       3128              tcp      www      -          !192.168.2.2
#
#     Example: All http requests from the internet to address
#              130.252.100.69 are to be forwarded to 192.168.1.3
#
#     #ACTION    SOURCE    DEST              PROTO    DEST     SOURCE     ORIGINAL
#     #                                               PORT     PORT(S)    DEST
#     DNAT       net       loc:192.168.1.3   tcp      80       -          130.252.100.69
##############################################################################
#ACTION    SOURCE    DEST    PROTO    DEST    SOURCE     ORIGINAL
#                                     PORT    PORT(S)    DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT     fw        net     tcp      53
ACCEPT     fw        net     udp      53
#
# Accept SSH connections from the local network for administration
#
ACCEPT     loc       fw      tcp      22
#
# Accept Ping Ubiquitously
#
ACCEPT     loc       fw      icmp     8
ACCEPT     net       fw      icmp     8
#ACCEPT    net       fw      pop3     110
# All ICMP are accepted fw->all
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall 1.3 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#     ZONE        Short name of the zone
#     DISPLAY     Display name of the zone
#     COMMENTS    Comments about the zone
#
#ZONE    DISPLAY    COMMENTS
net      Net        Internet
loc      Local      Local networks
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-------------- next part --------------
##############################################################################
#  /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
#  match your setup
#
#  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
#  This file should be placed in /etc/shorewall
#
#  (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# You should not have to change the variables in this section -- they are set
# by the packager of your Shorewall distribution
#
SHARED_DIR=/usr/lib/shorewall
#
##############################################################################
#
# General note about log levels. Log levels are a method of describing
# to syslog (8) the importance of a message and a number of parameters
# in this file have log levels as their value.
#
# Valid levels are:
#
#     7    debug
#     6    info
#     5    notice
#     4    warning
#     3    err
#     2    crit
#     1    alert
#     0    emerg
#
# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
# log messages are generated by NetFilter and are logged using facility
# 'kern' and the level that you specify. If you are unsure of the level
# to choose, 6 (info) is a safe bet. You may specify levels by name or by
# number.
#
# If you have built your kernel with ULOG target support, you may also
# specify a log level of ULOG (must be all caps). Rather than log its
# messages to syslogd, Shorewall will direct netfilter to log the messages
# via the ULOG target which will send them to a process called 'ulogd'.
# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
# configured to log all Shorewall messages to their own log file
################################################################################
#
# PATH - Change this if you want to change the order in which Shorewall
#        searches directories for executable files.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# NAME OF THE FIREWALL ZONE
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
#
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
#
# SHOREWALL TEMPORARY STATE DIRECTORY
#
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# ALLOW RELATED CONNECTIONS
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED=yes
#
# KERNEL MODULE DIRECTORY
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.

MODULESDIR=
#
# LOG RATE LIMITING
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# Example:
#
#     LOGRATE=10/minute
#     LOGBURST=5
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
LOGRATE=
LOGBURST=
#
# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
#
# This variable determines the level at which Mangled/Invalid packets are logged
# under the 'dropunclean' interface option. If you set this variable to an
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
# silently.
#
# The value of this variable also determines the level at which Mangled/Invalid
# packets are logged under the 'logunclean' interface option. If the variable
# is empty, these packets will still be logged at the 'info' level.
#
# See the comment at the top of this file for a description of log levels
#
LOGUNCLEAN=info
#
# LOG FILE LOCATION
#
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
#          look for Shorewall messages. It does NOT control the destination for
#          these messages. For information about how to do that, see
#
#              http://www.shorewall.net/FAQ.htm#faq6

LOGFILE=/var/log/messages
#
# ENABLE NAT SUPPORT
#
# You probably want yes here. Only gateways not doing NAT in any form, like
# SNAT, DNAT, masquerading, port forwarding etc. should say "no" here.
#
NAT_ENABLED=Yes
#
# ENABLE MANGLE SUPPORT
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
# your firewall. You must enable mangling if you want Traffic Shaping
# (see TC_ENABLED below).
#
MANGLE_ENABLED=Yes
#
# ENABLE IP FORWARDING
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding.
#
IP_FORWARDING=On
#
# AUTOMATICALLY ADD NAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases yourself.
#
ADD_IP_ALIASES=Yes
#
# AUTOMATICALLY ADD SNAT IP ADDRESSES
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
# for each SNAT external address that you give in /etc/shorewall/masq. If you say
# "No" or "no", you must add these aliases yourself. LEAVE THIS SET TO "No" unless
# you are sure that you need it -- most people don't!!!
#
ADD_SNAT_ALIASES=No
#
# ENABLE TRAFFIC SHAPING
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above.
#
TC_ENABLED=No
#
# BLACKLIST DISPOSITION
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
# BLACKLIST LOG LEVEL
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
# See the comment at the top of this file for a description of log levels
#
BLACKLIST_LOGLEVEL=
#
# MSS CLAMPING
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
# have CONFIG_IP_NF_TARGET_TCPMSS set.
#
# [From the kernel help:
#
#     This option adds a `TCPMSS' target, which allows you to alter the
#     MSS value of TCP SYN packets, to control the maximum size for that
#     connection (usually limiting it to your outgoing interface's MTU
#     minus 40).
#
#     This is used to overcome criminally braindead ISPs or servers which
#     block ICMP Fragmentation Needed packets. The symptoms of this
#     problem are that everything works fine from your Linux
#     firewall/router, but machines behind it can never exchange large
#     packets:
#         1) Web browsers connect, then hang with no data received.
#         2) Small mail works fine, but large emails hang.
#         3) ssh works fine, but scp hangs after initial handshaking.
# ]
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS=No
#
# ROUTE FILTERING
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
# In that case, you can still enable route filtering on individual interfaces
# in the /etc/shorewall/interfaces file.

ROUTE_FILTER=No
#
# NAT BEFORE RULES
#
# Shorewall has traditionally processed static NAT rules before port forwarding
# rules. If you would like to reverse the order, set this variable to "No".
#
# If this variable is not set or is set to the empty value, "Yes" is assumed.

NAT_BEFORE_RULES=Yes
#
# MULTIPORT support
#
# If your kernel includes the multiport match option
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable its use here. When this
# option is enabled by setting its value to "Yes" or "yes":
#
#     1) If you list more than 15 ports in a comma-separated list in
#        /etc/shorewall/rules, Shorewall will not use the multiport option
#        but will generate a separate rule for each element of each port
#        list.
#     2) If you include a port range (<low port>:<high port>) in the
#        rule, Shorewall will not use the multiport option but will generate
#        a separate rule for each element of each port list.
#
# See the /etc/shorewall/rules file for additional information on this option.
#
# If this variable is not set or is set to the empty value, "No" is assumed.

MULTIPORT=No
#
# DNAT IP ADDRESS DETECTION
#
# Normally when Shorewall encounters the following rule:
#
#     DNAT    net    loc:192.168.1.3    tcp    80
#
# it will forward TCP port 80 connections from the net to 192.168.1.3
# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
# convenient for two reasons:
#
#     a) If the network interface has a dynamic IP address, the
#        firewall configuration will work even when the address
#        changes.
#
#     b) It saves having to configure the IP address in the rule
#        while still allowing the firewall to be started before the
#        internet interface is brought up.
#
# This default behavior can also have a negative effect. If the
# internet interface has more than one IP address then the above
# rule will forward connection requests on all of these addresses;
# that may not be what is desired.
#
# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
# only if the original destination address is the primary IP address of
# one of the interfaces associated with the source zone. Note that this
# requires all interfaces to the source zone to be up when the firewall
# is [re]started.

DETECT_DNAT_IPADDRS=No
#
# MERGE HOSTS FILE
#
# The traditional behavior of the /etc/shorewall/hosts file has been that
# if that file has ANY entry for a zone then the zone must be defined
# entirely in the hosts file. This is counter-intuitive and has caused
# people some problems.
#
# By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file
# is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file
# are added to the contents described in the /etc/shorewall/interfaces file.
#
# Example: Suppose that we have the following interfaces and hosts files:
#
#     Interfaces:
#
#         net    eth0
#         loc    eth1
#         -      ppp+
#
#     Hosts:
#
#         loc    ppp+:192.168.1.0/24
#         wrk    ppp+:!192.168.1.0/24
#
# With MERGE_HOSTS=No, the contents of the 'loc' zone would be just
# ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be
# ppp+:192.168.1.0 and eth1:0.0.0.0/0
#
# If this variable is not set or is set to the empty value, "No" is assumed.

MERGE_HOSTS=Yes
#
# MUTEX TIMEOUT
#
# The value of this variable determines the number of seconds that programs
# will wait for exclusive access to the Shorewall lock file. After the number
# of seconds corresponding to the value of this variable, programs will assume
# that the last program to hold the lock died without releasing the lock.
#
# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
#
# An appropriate value for this parameter would be twice the length of time
# that it takes your firewall system to process a "shorewall restart" command.

MUTEX_TIMEOUT=60
#
# LOGGING 'New not SYN' rejects
#
# This variable only has an effect when NEWNOTSYN=No (see below).
#
# When a TCP packet arrives that does not have the SYN flag set and has the
# ACK and RST flags clear, then unless the packet is part of an established
# connection, it will be rejected by the firewall. If you want these rejects
# logged, then set LOGNEWNOTSYN to the syslog log level at which you want
# them logged.
#
# See the comment at the top of this file for a description of log levels
#
# Example: LOGNEWNOTSYN=debug

LOGNEWNOTSYN=
#
# Old Ping Handling
#
# If this option is set to "Yes" then Shorewall will use its old ping handling
# facility including the FORWARDPING option in this file and the 'noping' and
# 'filterping' interface options. If this option is set to 'No' then ping
# is handled via policy and rules just like any other connection request.
#
# If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
# DON'T DELETE IT!!!!!!
#
OLD_PING_HANDLING=No
#
# NEWNOTSYN
#
# If this variable is set to "No" or "no", then when a TCP packet arrives that
# does not have the SYN flag set and has the ACK and RST flags clear, unless
# the packet is part of an established connection, it will be dropped by the
# firewall
#
# If this variable is set to "Yes" or "yes" then such packets will not be
# dropped but will pass through the normal rule processing.
#
# Users with a High-availability setup with two firewalls and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes.

NEWNOTSYN=No
#
# MAC List Disposition
#
# This variable determines the disposition of connection requests arriving
# on interfaces that have the 'maclist' option and that are from a device
# that is not listed for that interface in /etc/shorewall/maclist. Valid
# values are ACCEPT, DROP and REJECT. If not specified or specified as
# empty (MACLIST_DISPOSITION="") then REJECT is assumed

MACLIST_DISPOSITION=REJECT
#
# MAC List Log Level
#
# Specifies the logging level for connection requests that fail MAC
# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
# such connection requests will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
MACLIST_LOG_LEVEL=info
#
# TCP FLAGS Disposition
#
# This variable determines the disposition of packets having an invalid
# combination of TCP flags that are received on interfaces having the
# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.

TCP_FLAGS_DISPOSITION=DROP
#
# TCP FLAGS Log Level
#
# Specifies the logging level for packets that fail TCP Flags
# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
# such packets will not be logged.
#
# See the comment at the top of this file for a description of log levels
#
TCP_FLAGS_LOG_LEVEL=info
#
# RFC1918 Log Level
#
# Specifies the logging level for packets that fail RFC 1918
# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
# RFC1918_LOG_LEVEL=info is assumed.
#
# See the comment at the top of this file for a description of log levels
#
RFC1918_LOG_LEVEL=info
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No

#
# Clear Traffic Shaping/Control
#
# If this option is set to 'No' then Shorewall won't clear the current
# traffic control rules during [re]start. This setting is intended
# for use by people that prefer to configure traffic shaping when
# the network interfaces come up rather than when the firewall
# is started. If that is what you want to do, set TC_ENABLED=Yes and
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
# way, your traffic shaping rules can still use the 'fwmark'
# classifier based on packet marking defined in /etc/shorewall/tcrules.
#
# If omitted, CLEAR_TC=Yes is assumed.

CLEAR_TC=Yes

#LAST LINE -- DO NOT REMOVE

-------------- next part --------------

##############################################################################
#
# Shorewall 1.3 -- Network Address Translation Table
#
# /etc/shorewall/nat
#
# This file is used to define static Network Address Translation (NAT).
#
# WARNING: If all you want to do is simple port forwarding, do NOT use this
#          file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
#          cases, Proxy ARP is a better solution than static NAT.
#
# Columns must be separated by white space and are:
#
#       EXTERNAL        External IP Address - this should NOT be the primary
#                       IP address of the interface named in the next
#                       column and must not be a DNS Name.
#       INTERFACE       Interface that we want the EXTERNAL address to appear
#                       on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
#                       follow the interface name with ":" and a digit to
#                       indicate that you want Shorewall to add the alias
#                       with this name (e.g., "eth0:0"). That allows you to
#                       see the alias with ifconfig. THAT IS THE ONLY THING
#                       THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
#                       ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION.
#       INTERNAL        Internal Address (must not be a DNS Name).
#       ALL INTERFACES  If Yes or yes (or left empty), NAT will be effective
#                       from all hosts.
#                       If No or no then NAT will be effective
#                       only through the interface named in the INTERFACE
#                       column
#       LOCAL           If Yes or yes and the ALL INTERFACES column contains
#                       Yes or yes, NAT will be effective from the firewall
#                       system
##############################################################################
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

-------------- next part --------------

#
# Shorewall 1.3 /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
#       NET_IF=eth0
#       NET_BCAST=130.252.100.255
#       NET_OPTIONS=noping,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
#       net     $NET_IF         $NET_BCAST      $NET_OPTIONS
#
# The result will be the same as if the record had been written
#
#       net     eth0            130.252.100.255 noping,norfc1918
#
# Variables can be used in the following places in the other configuration
# files:
#
#       /etc/shorewall/interfaces:
#       /etc/shorewall/hosts
#
#               All except the first column.
#
#       /etc/shorewall/rules
#
#               First column after ":".
#               All remaining columns
#
#       /etc/shorewall/tunnels
#       /etc/shorewall/proxyarp
#       /etc/shorewall/nat
#
#               All columns
##############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

-------------- next part --------------

#
# Shorewall 1.3 -- RFC1918 File
#
# /etc/shorewall/rfc1918
#
# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
#
# The default list includes those IP addresses listed in RFC 1918, those listed
# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
# reserved for use in documentation and examples.
#
# Columns are:
#
#       SUBNET          The subnet (host addresses also allowed)
#       TARGET          Where to send packets to/from this subnet
#                               RETURN  - let the packet be processed normally
#                               DROP    - silently drop the packet
#                               logdrop - log then drop
#
###############################################################################
#SUBNET                 TARGET
255.255.255.255         RETURN          # We need to allow limited broadcast
169.254.0.0/16          DROP            # DHCP autoconfig
172.16.0.0/12           logdrop         # RFC 1918
192.0.2.0/24            logdrop         # Example addresses
192.168.0.0/16          logdrop         # RFC 1918
#
# The following are generated using the Python program found at:
#
#       http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
#
# The program was contributed by Andy Wiggin
#
0.0.0.0/7               logdrop         # Reserved
2.0.0.0/8               logdrop         # Reserved
5.0.0.0/8               logdrop         # Reserved
7.0.0.0/8               logdrop         # Reserved
10.0.0.0/8              logdrop         # Reserved
23.0.0.0/8              logdrop         # Reserved
27.0.0.0/8              logdrop         # Reserved
31.0.0.0/8              logdrop         # Reserved
36.0.0.0/7              logdrop         # Reserved
39.0.0.0/8              logdrop         # Reserved
41.0.0.0/8              logdrop         # Reserved
42.0.0.0/8              logdrop         # Reserved
58.0.0.0/7              logdrop         # Reserved
60.0.0.0/8              logdrop         # Reserved
70.0.0.0/7              logdrop         # Reserved
72.0.0.0/5              logdrop         # Reserved
83.0.0.0/8              logdrop         # Reserved
84.0.0.0/6              logdrop         # Reserved
88.0.0.0/5              logdrop         # Reserved
96.0.0.0/3              logdrop         # Reserved
127.0.0.0/8             logdrop         # Loopback
197.0.0.0/8             logdrop         # Reserved
222.0.0.0/7             logdrop         # Reserved
240.0.0.0/4             logdrop         # Reserved
#
# End of generated entries
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-------------- next part --------------

#
# Shorewall version 1.3 - Traffic Control Rules File
#
# /etc/shorewall/tcrules
#
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing.
#
# I M P O R T A N T ! ! ! !
#
# FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
# TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
#
# Columns are:
#
#
#       MARK            The mark value which is an
#                       integer in the range 1-255
#
#                       May optionally be followed by ":P" or ":F"
#                       where ":P" indicates that marking should occur in
#                       the PREROUTING chain and ":F" indicates that marking
#                       should occur in the FORWARD chain. If neither
#                       ":P" nor ":F" follow the mark value then the chain is
#                       determined by the setting of MARK_IN_FORWARD_CHAIN in
#                       /etc/shorewall/shorewall.conf.
#
#       SOURCE          Source of the packet. A comma-separated list of
#                       interface names, IP addresses, MAC addresses
#                       and/or subnets. Use $FW if the packet originates on
#                       the firewall in which case the MARK column may NOT
#                       specify either ":P" or ":F" (marking always occurs
#                       in the OUTPUT chain).
#
#                       MAC addresses must be prefixed with "~" and use
#                       "-" as a separator.
#
#                       Example: ~00-A0-C9-15-39-78
#
#       DEST            Destination of the packet. Comma separated list of
#                       IP addresses and/or subnets.
#
#       PROTO           Protocol - Must be "tcp", "udp", "icmp", a number,
#                       or "all".
#
#       PORT(S)         Destination Ports. A comma-separated list of Port
#                       names (from /etc/services), port numbers or port
#                       ranges; if the protocol is "icmp", this column is
#                       interpreted as the destination icmp-type(s).
#
#                       This column is ignored if PROTOCOL = all but must be
#                       entered if any of the following fields are supplied.
#                       In that case, it is suggested that this field contain
#                       "-"
#
#       CLIENT PORT(S)  (Optional) Port(s) used by the client. If omitted,
#                       any source port is acceptable. Specified as a comma-
#                       separated list of port names, port numbers or port
#                       ranges.
##############################################################################
#MARK   SOURCE          DEST            PROTO   PORT(S)         CLIENT PORT(S)
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-------------- next part --------------

##############################################################################
#
# Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped
#
# /etc/shorewall/routestopped
#
# This file is used to define the hosts that are accessible when the
# firewall is stopped
#
# Columns must be separated by white space and are:
#
#       INTERFACE       - Interface through which host(s) communicate with
#                         the firewall
#       HOST(S)         - (Optional) Comma-separated list of IP/subnet
#                         addresses. If left empty or supplied as "-",
#                         0.0.0.0/0 is assumed.
#
# Example:
#
#       INTERFACE       HOST(S)
#       eth2            192.168.1.0/24
#       eth0            192.0.2.44
##############################################################################
#INTERFACE      HOST(S)
eth1            192.168.1.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-------------- next part --------------

#
# Shorewall 1.3 -- /etc/shorewall/tos
#
# This file defines rules for setting Type Of Service (TOS)
#
# Columns are:
#
#       SOURCE          Name of a zone declared in /etc/shorewall/zones, "all"
#                       or $FW.
#
#                       If not "all" or $FW, may optionally be followed by
#                       ":" and an IP address, a MAC address, a subnet
#                       specification or the name of an interface.
#
#                       Example: loc:192.168.2.3
#
#                       MAC addresses must be prefixed with "~" and use
#                       "-" as a separator.
#
#                       Example: ~00-A0-C9-15-39-78
#
#       DEST            Name of a zone declared in /etc/shorewall/zones, "all"
#                       or $FW.
#
#                       If not "all" or $FW, may optionally be followed by
#                       ":" and an IP address or a subnet specification
#
#                       Example: loc:192.168.2.3
#
#       PROTOCOL        Protocol.
#
#       SOURCE PORTS    Source port or port range. If all ports, use "-".
#
#       DEST PORTS      Destination port or port range. If all ports, use "-"
#
#       TOS             Type of service.
#                       Must be one of the following:
#
#                               Minimize-Delay (16)
#                               Maximize-Throughput (8)
#                               Maximize-Reliability (4)
#                               Minimize-Cost (2)
#                               Normal-Service (0)
#
##############################################################################
#SOURCE         DEST            PROTOCOL        SOURCE PORTS    DEST PORTS      TOS
all             all             tcp             -               ssh             16
all             all             tcp             ssh             -               16
all             all             tcp             -               ftp             16
all             all             tcp             ftp             -               16
all             all             tcp             ftp-data        -               8
all             all             tcp             -               ftp-data        8
#LAST LINE -- Add your entries above -- DO NOT REMOVE

-------------- next part --------------

#
# Shorewall 1.3 - /etc/shorewall/tunnels
#
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
# IPIP, GRE and OPENVPN tunnels must be configured on the
# firewall/gateway itself. IPSEC endpoints may be defined
# on the firewall/gateway or on an internal system.
#
# The columns are:
#
#       TYPE            -- must start in column 1 and be "ipsec", "ipsecnat",
#                          "ip", "gre", "pptpclient", "pptpserver" or "openvpn".
#
#                          If type is "openvpn", it may optionally be followed
#                          by ":" and the port number used by the tunnel. If no
#                          ":" and port number are included, then the default
#                          port of 5000 will be used.
#
#       ZONE            -- The zone of the physical interface through which
#                          tunnel traffic passes. This is normally your internet
#                          zone.
#
#       GATEWAY         -- The IP address of the remote tunnel gateway. If the
#                          remote gateway has no fixed address (Road Warrior)
#                          then specify the gateway as 0.0.0.0/0.
#
#       GATEWAY
#       ZONES           -- Optional. If the gateway system specified in the third
#                          column is a standalone host then this column should
#                          contain a comma-separated list of the names of the
#                          zones that the host might be in. This column only
#                          applies to IPSEC tunnels.
#
# Example 1:
#
#       IPSec tunnel. The remote gateway is 4.33.99.124 and
#       the remote subnet is 192.168.9.0/24
#
#               ipsec   net     4.33.99.124
#
# Example 2:
#
#       Road Warrior (LapTop that may connect from anywhere)
#       where the "gw" zone is used to represent the remote
#       LapTop.
#
#               ipsec   net     0.0.0.0/0       gw
#
# Example 3:
#
#       Host 4.33.99.124 is a standalone system connected
#       via an ipsec tunnel to the firewall system. The host
#       is in zone gw.
#
#               ipsec   net     4.33.99.124     gw
#
# Example 4:
#
#       Road Warriors that may belong to zones vpn1, vpn2 or
#       vpn3. The FreeS/Wan _updown script will add the
#       host to the appropriate zone using the "shorewall add"
#       command on connect and will remove the host from the
#       zone at disconnect time.
#
#               ipsec   net     0.0.0.0/0       vpn1,vpn2,vpn3
#
# Example 5:
#
#       You run the Linux PPTP client on your firewall and
#       connect to server 192.0.2.221.
#
#               pptpclient      net     192.0.2.221
#
# Example 6:
#
#       You run a PPTP server on your firewall.
#
#               pptpserver      net
#
# Example 7:
#
#       OPENVPN tunnel. The remote gateway is 4.33.99.124 and
#       openvpn uses port 7777.
#
#               openvpn:7777    net     4.33.99.124
#
# TYPE                  ZONE    GATEWAY         GATEWAY ZONE    PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-------------- next part --------------

############################################################################
# Shorewall 1.3 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
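To see how the files attached above fit together for one inbound or locally originated connection request, here is an added simulation that is not Shorewall code and not part of the thread. It walks a NEW connection request through the checks in the order the file comments describe: the NEWNOTSYN setting from the poster's shorewall.conf, the 'norfc1918' check against the rfc1918 table (the rfc1918 table below is a constructed excerpt of the posted one; first entry in file order wins, which is the assumption behind the "limited broadcast" RETURN entry preceding 240.0.0.0/4), then the rules file, then the policy file in order with "all" matching any zone. The rules and policy rows are copied from the files attached to the original message; the processing order, the flag constants and all function names are this example's assumptions, not Shorewall's.

```python
"""Simulate the disposition of a NEW connection request using the posted
Shorewall 1.3 files. Added example; assumptions are marked in the comments."""
import ipaddress

# Settings taken from the poster's shorewall.conf
NEWNOTSYN = "No"
LOGNEWNOTSYN = None          # left empty in the posted file: no logging
RFC1918_LOG_LEVEL = "info"

# TCP flag bits (RFC 793 header layout), used for the --syn test
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed excerpt of the posted /etc/shorewall/rfc1918 (SUBNET TARGET)
RFC1918 = """\
255.255.255.255  RETURN   # We need to allow limited broadcast
169.254.0.0/16   DROP     # DHCP autoconfig
172.16.0.0/12    logdrop  # RFC 1918
192.0.2.0/24     logdrop  # Example addresses
192.168.0.0/16   logdrop  # RFC 1918
10.0.0.0/8       logdrop  # Reserved
127.0.0.0/8      logdrop  # Loopback
240.0.0.0/4      logdrop  # Reserved
"""

# Rows from the posted /etc/shorewall/rules (ACTION SOURCE DEST PROTO DEST PORT)
RULES = """\
ACCEPT  fw   net  tcp   53
ACCEPT  fw   net  udp   53
ACCEPT  loc  fw   tcp   22
ACCEPT  loc  fw   icmp  8
ACCEPT  net  fw   icmp  8
"""

# Rows from the posted /etc/shorewall/policy (SOURCE DEST POLICY LOG LEVEL)
POLICY = """\
loc  net  ACCEPT
fw   net  ACCEPT
net  all  DROP    info
all  all  REJECT  info
"""


def parse_table(text):
    """Rows of whitespace-separated columns; blank lines and '#' comments dropped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def is_syn_packet(flags):
    """The iptables --syn match: SYN set and both ACK and RST clear."""
    return bool(flags & SYN) and not (flags & (ACK | RST))


def rfc1918_target(src_ip):
    """TARGET of the first rfc1918 entry containing src_ip, or None (assumed first-match)."""
    ip = ipaddress.ip_address(src_ip)
    for subnet, target in parse_table(RFC1918):
        if ip in ipaddress.ip_network(subnet, strict=False):
            return target
    return None


def port_matches(spec, port):
    """DEST PORT(S) column: '-' is any; comma list; an entry may be <low>:<high>."""
    if spec == "-":
        return True
    for item in spec.split(","):
        low, _, high = item.partition(":")
        if (int(low) <= port <= int(high)) if high else (int(low) == port):
            return True
    return False


def dispose(src_zone, dst_zone, proto, dport, src_ip=None,
            norfc1918=False, tcp_flags=SYN):
    """Return (action, decided_by, log_level) for a NEW connection request."""
    # 1. NEWNOTSYN=No: a NEW TCP packet that is not a plain SYN is dropped
    if proto == "tcp" and NEWNOTSYN == "No" and not is_syn_packet(tcp_flags):
        return ("DROP", "newnotsyn", LOGNEWNOTSYN)
    # 2. 'norfc1918' interface option: check the source against the rfc1918 table
    if norfc1918 and src_ip is not None:
        target = rfc1918_target(src_ip)
        if target == "DROP":
            return ("DROP", "rfc1918", None)
        if target == "logdrop":
            return ("DROP", "rfc1918", RFC1918_LOG_LEVEL)
        # RETURN or no entry: continue with normal processing
    # 3. rules file, in order; an ACTION may carry ":loglevel"
    for action, src, dst, rproto, ports in parse_table(RULES):
        action, _, level = action.partition(":")
        if (src in (src_zone, "all") and dst in (dst_zone, "all")
                and rproto in (proto, "all")
                and (rproto == "all" or port_matches(ports, dport))):
            return (action, "rules", level or None)
    # 4. policy file, in order; "all" matches any zone
    for row in parse_table(POLICY):
        src, dst, action = row[:3]
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return (action, "policy", row[3] if len(row) > 3 else None)
    raise ValueError("no policy matched")


if __name__ == "__main__":
    print(dispose("net", "fw", "tcp", 22, "203.0.113.9", norfc1918=True))
    print(dispose("net", "loc", "tcp", 80, "192.168.77.1", norfc1918=True))
    print(dispose("loc", "fw", "tcp", 80))
```

Running it shows the shape of the posted configuration: from the local zone everything to the internet is accepted by policy, but only ssh and ping reach the firewall itself (anything else is rejected and logged by the final "all all REJECT info" entry), and an internet-side packet with an RFC 1918 source is dropped and logged before the rules are ever consulted.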
It appears all your Shorewall config is in order, you mentioned you can't ping your gateway? This sounds like networking issues. When the trouble occurs maybe hook a PC or laptop directly to eth1 and see if you can ping; you will need a crossover (make sure there is a link light).

Mike

----- Original Message -----
From: "Jim Owen" <moses6602@netscape.net>
To: <shorewall-users@lists.shorewall.net>
Sent: Monday, March 03, 2003 9:59 AM
Subject: [Shorewall-users] local network loses connection

> I wrote last night that I had trouble with losing connections behind the
> firewall. I have been to the errata, faq, and reread all my files in the
> quick start guide and sample files. Everything seems to be in order, I
> get no error messages at start-up or shutdown. I have attached several
> settings files to this email in hopes this will be enough info to at
> least get a start on diagnosing the problem. It only loses the
> connection if I stay unconnected from the internet for a short amount of
> time. My cable modem uses DHCP for the external IP address resolution.
> It remains constant unless I unplug and reset the modem. My internal
> address scheme is a 192.168.1.0/24.
> I have a perfect connection from the firewall to the internet at all times.
> # > NAT_ENABLED=Yes > > # > # ENABLE MANGLE SUPPORT > # > # If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file > # and will not initialize the mangle table when starting or stopping > # your firewall. You must enable mangling if you want Traffic Shaping > # (see TC_ENABLED below). > # > MANGLE_ENABLED=Yes > > # > # ENABLE IP FORWARDING > # > # If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you > # say "Off" or "off", packet forwarding will be disabled. You would onlywant> # to disable packet forwarding if you are installing Shorewall on a > # standalone system or if you want all traffic through the Shorewallsystem> # to be handled by proxies. > # > # If you set this variable to "Keep" or "keep", Shorewall will neither > # enable nor disable packet forwarding. > # > IP_FORWARDING=On > > # > # AUTOMATICALLY ADD NAT IP ADDRESSES > # > # If you say "Yes" or "yes" here, Shorewall will automatically add IPaddresses> # for each NAT external address that you give in /etc/shorewall/nat. Ifyou say> # "No" or "no", you must add these aliases youself. > # > ADD_IP_ALIASES=Yes > > # > # AUTOMATICALLY ADD SNAT IP ADDRESSES > # > # If you say "Yes" or "yes" here, Shorewall will automatically add IPaddresses> # for each SNAT external address that you give in /etc/shorewall/masq. Ifyou say> # "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No"unless> # you are sure that you need it -- most people don''t!!! > # > ADD_SNAT_ALIASES=No > > # > # ENABLE TRAFFIC SHAPING > # > # If you say "Yes" or "yes" here, Traffic Shaping is enabled in thefirewall. If> # you say "No" or "no" then traffic shaping is not enabled. If you enabletraffic> # shaping you must have iproute[2] installed (the "ip" and "tc" utilities)and> # you must enable packet mangling above. > # > TC_ENABLED=No > > # > # BLACKLIST DISPOSITION > # > # Set this variable to the action that you want to perform on packets from > # Blacklisted systems. 
Must be DROP or REJECT. If not set or set to empty, > # DROP is assumed. > # > BLACKLIST_DISPOSITION=DROP > > # > # BLACKLIST LOG LEVEL > # > # Set this variable to the syslogd level that you want blacklist packetslogged> # (beward of DOS attacks resulting from such logging). If not set, nologging> # of blacklist packets occurs. > # > # See the comment at the top of this file for a description of log levels > # > BLACKLIST_LOGLEVEL> > # > # MSS CLAMPING > # > # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS toPMTU"> # option. This option is most commonly required when your internet > # interface is some variant of PPP (PPTP or PPPoE). Your kernel must > # have CONFIG_IP_NF_TARGET_TCPMSS set. > # > # [From the kernel help: > # > # This option adds a `TCPMSS'' target, which allows you to alter the > # MSS value of TCP SYN packets, to control the maximum size for that > # connection (usually limiting it to your outgoing interface''s MTU > # minus 40). > # > # This is used to overcome criminally braindead ISPs or servers which > # block ICMP Fragmentation Needed packets. The symptoms of this > # problem are that everything works fine from your Linux > # firewall/router, but machines behind it can never exchange large > # packets: > # 1) Web browsers connect, then hang with no data received. > # 2) Small mail works fine, but large emails hang. > # 3) ssh works fine, but scp hangs after initial handshaking. > # ] > # > # If left blank, or set to "No" or "no", the option is not enabled. > # > CLAMPMSS=No > > # > # ROUTE FILTERING > # > # Set this variable to "Yes" or "yes" if you want kernel route filteringon all> # interfaces (anti-spoofing measure). > # > # If this variable is not set or is set to the empty value, "No" isassumed.> # In that case, you can still enable route filtering on individualinterfaces> # in the /etc/shorewall/interfaces file. 
> > ROUTE_FILTER=No > > # > # NAT BEFORE RULES > # > # Shorewall has traditionally processed static NAT rules before portforwarding> # rules. If you would like to reverse the order, set this variable to"No".> # > # If this variable is not set or is set to the empty value, "Yes" isassumed.> > NAT_BEFORE_RULES=Yes > > # MULTIPORT support > # > # If your kernel includes the multiport match option > # (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it''s use here. When this > # option is enabled by setting it''s value to "Yes" or "yes": > # > # 1) If you list more that 15 ports in a comma-seperated list in > # /etc/shorewall/rules, Shorewall will not use the multiport option > # but will generate a separate rule for each element of each port > # list. > # 2) If you include a port range (<low port>:<high port>) in the > # rule, Shorewall will not use the multiport option but will generate > # a separate rule for each element of each port list. > # > # See the /etc/shorewall/rules file for additional information on thisoption.> # > # if this variable is not set or is set to the empty value, "No" isassumed.> > MULTIPORT=No > > # DNAT IP ADDRESS DETECTION > # > # Normally when Shorewall encounters the following rule: > # > # DNAT net loc:192.168.1.3 tcp 80 > # > # it will forward TCP port 80 connections from the net to 192.168.1.3 > # REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is > # convenient for two reasons: > # > # a) If the the network interface has a dynamic IP address, the > # firewall configuration will work even when the address > # changes. > # > # b) It saves having to configure the IP address in the rule > # while still allowing the firewall to be started before the > # internet interface is brought up. > # > # This default behavior can also have a negative effect. If the > # internet interface has more than one IP address then the above > # rule will forward connection requests on all of these addresses; > # that may not be what is desired. 
> # > # By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply > # only if the original destination address is the primary IP address of > # one of the interfaces associated with the source zone. Note that this > # requires all interfaces to the source zone to be up when the firewall > # is [re]started. > > DETECT_DNAT_IPADDRS=No > > # > # MERGE HOSTS FILE > # > # The traditional behavior of the /etc/shorewall/hosts file has been that > # if that file has ANY entry for a zone then the zone must be defined > # entirely in the hosts file. This is counter-intuitive and has caused > # people some problems. > # > # By setting MERGE_HOSTS=Yes, a more intuitive behavior of the hosts file > # is enabled. With MERGE_HOSTS=Yes, the zone contents in the hosts file > # are added to the contents described in the /etc/shorewall/interfacesfile.> # > # Example: Suppose that we have the following interfaces and hosts files: > # > # Interfaces: > # > # net eth0 > # loc eth1 > # - ppp+ > # > # Hosts: > # > # loc ppp+:192.168.1.0/24 > # wrk ppp+:!192.168.1.0/24 > # > # With MERGE_HOSTS=No, the contents of the ''loc'' zone would be just > # ppp+:192.168.1.0/24. With MERGE_HOSTS=Yes, the contents would be > # ppp+:192.168.1.0 and eth1:0.0.0.0/0 > # > # If this variable is not set or is set to the empty value, "No" isassumed.> > MERGE_HOSTS=Yes > > # > # MUTEX TIMEOUT > # > # The value of this variable determines the number of seconds thatprograms> # will wait for exclusive access to the Shorewall lock file. After thenumber> # of seconds corresponding to the value of this variable, programs willassume> # that the last program to hold the lock died without releasing the lock. 
> # > # If not set or set to the empty value, a value of 60 (60 seconds) isassumed.> # > # An appropriate value for this parameter would be twice the length oftime> # that it takes your firewall system to process a "shorewall restart"command.> > MUTEX_TIMEOUT=60 > > # > # LOGGING ''New not SYN'' rejects > # > # This variable only has an effect when NEWNOTSYN=No (see below). > # > # When a TCP packet that does not have the SYN flag set and the ACK andRST> # flags clear then unless the packet is part of an established connection, > # it will be rejected by the firewall. If you want these rejects logged, > # then set LOGNEWNOTSYN to the syslog log level at which you want themlogged.> # > # See the comment at the top of this file for a description of log levels > # > # Example: LOGNEWNOTSYN=debug > > > LOGNEWNOTSYN> > # > # Old Ping Handling > # > # If this option is set to "Yes" then Shorewall will use its old pinghandling> # facility including the FORWARDPING option in this file and the ''noping''and> # ''filterping'' interface options. If this option is set to ''No'' then ping > # is handled via policy and rules just like any other connection request. > # > # If you are a new Shorewall user DON''T CHANGE THE VALUE OF THIS OPTIONAND> # DON''T DELETE IT!!!!!! > # > OLD_PING_HANDLING=No > > # > # NEWNOTSYN > # > # If this variable is set to "No" or "no", then When a TCP packet thatdoes> # not have the SYN flag set and the ACK and RST flags clear then unlessthe> # packet is part of an established connection, it will be dropped by the > # firewall > # > # If this variable is set to "Yes" or "yes" then such packets will not be > # dropped but will pass through the normal rule processing. > # > # Users with a High-availability setup with two firewall''s and one acting > # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may > # also need to select NEWNOTSYN=Yes. 
> > NEWNOTSYN=No > > # > # MAC List Disposition > # > # This variable determines the disposition of connection requests arriving > # on interfaces that have the ''maclist'' option and that are from a device > # that is not listed for that interface in /etc/shorewall/maclist. Valid > # values are ACCEPT, DROP and REJECT. If not specified or specified as > # empty (MACLIST_DISPOSITION="") then REJECT is assumed > > MACLIST_DISPOSITION=REJECT > > # > # MAC List Log Level > # > # Specifies the logging level for connection requests that fail MAC > # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then > # such connection requests will not be logged. > # > # See the comment at the top of this file for a description of log levels> # > > MACLIST_LOG_LEVEL=info > > # > # TCP FLAGS Disposition > # > # This variable determins the disposition of packets having an invalid > # combination of TCP flags that are received on interfaces having the > # ''tcpflags'' option specified in /etc/shorewall/interfaces. If notspecified> # or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed. > > TCP_FLAGS_DISPOSITION=DROP > > # > # TCP FLAGS Log Level > # > # Specifies the logging level for packets that fail TCP Flags > # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then > # such packets will not be logged. > # > # See the comment at the top of this file for a description of log levels > # > > TCP_FLAGS_LOG_LEVEL=info > > # > # RFC1918 Log Level > # > # Specifies the logging level for packets that fail RFC 1918 > # verification. If set to the empty value (RFC1918_LOG_LEVEL="") then > # RFC1918_LOG_LEVEL=info is assumed. > # > # See the comment at the top of this file for a description of log levels > # > > RFC1918_LOG_LEVEL=info > > # > # Mark Packets in the forward chain > # > # When processing the tcrules file, Shorewall normally marks packets inthe> # PREROUTING chain. 
To cause Shorewall to use the FORWARD chain instead,set> # this to "Yes". If not specified or if set to the empty value (e.g., > # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. > # > # Marking packets in the FORWARD chain has the advantage that inbound > # packets destined for Masqueraded/SNATed local hosts have had theirdestination> # address rewritten so they can be marked based on their destination. When > # packets are marked in the PREROUTING chain, packets destined for > # Masqueraded/SNATed local hosts still have a destination addresscorresponding> # to the firewall''s external interface. > # > # Note: Older kernels do not support marking packets in the FORWARD chainand> # setting this variable to Yes may cause startup problems. > > MARK_IN_FORWARD_CHAIN=No > > # > # Clear Traffic Shapping/Control > # > # If this option is set to ''No'' then Shorewall won''t clear the current > # traffic control rules during [re]start. This setting is intended > # for use by people that prefer to configure traffic shaping when > # the network interfaces come up rather than when the firewall > # is started. If that is what you want to do, set TC_ENABLED=Yes and > # CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That > # way, your traffic shaping rules can still use the ''fwmark'' > # classifier based on packet marking defined in /etc/shorewall/tcrules. > # > # If omitted, CLEAR_TC=Yes is assumed. > > CLEAR_TC=Yes > > #LAST LINE -- DO NOT REMOVE >---------------------------------------------------------------------------- ---->############################################################################ ##> # > # Shorewall 1.3 -- Network Address Translation Table > # > # /etc/shorewall/nat > # > # This file is used to define static Network Address Translation (NAT). > # > # WARNING: If all you want to do is simple port forwarding, do NOT usethis> # file. See http://www.shorewall.net/FAQ.htm#faq1. 
Also, in most > # cases, Proxy ARP is a better solution that static NAT. > # > # Columns must be separated by white space and are: > # > # EXTERNAL External IP Address - this should NOT be the primary > # IP address of the interface named in the next > # column and must not be a DNS Name. > # INTERFACE Interface that we want to EXTERNAL address to appear > # on. If ADD_IP_ALIASES=Yes in shorewall.conf, youmay> # follow the interface name with ":" and a digit to > # indicate that you want Shorewall to add the alias > # with this name (e.g., "eth0:0"). That allows you to > # see the alias with ifconfig. THAT IS THE ONLY THING > # THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT > # ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION. > # INTERNAL Internal Address (must not be a DNS Name). > # ALL INTERFACES If Yes or yes (or left empty), NAT will beeffective> # from all hosts. If No or no then NAT will beeffective> # only through the interface named in the INTERFACE > # column > # LOCAL If Yes or yes and the ALL INTERFACES columncontains> # Yes or yes, NAT will be effective from thefirewall> # system >############################################################################ ##> #EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL > #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE >---------------------------------------------------------------------------- ----> # > # Shorewall 1.3 /etc/shorewall/params > # > # Assign any variables that you need here. 
> # > # It is suggested that variable names begin with an upper case letter > # to distinguish them from variables used internally within the > # Shorewall programs > # > # Example: > # > # NET_IF=eth0 > # NET_BCAST=130.252.100.255 > # NET_OPTIONS=noping,norfc1918 > # > # Example (/etc/shorewall/interfaces record): > # > # net $NET_IF $NET_BCAST $NET_OPTIONS > # > # The result will be the same as if the record had been written > # > # net eth0 130.252.100.255 noping,norfc1918 > # > # Variables can be used in the following places in the other configuration > # files: > # > # /etc/shorewall/interfaces: > # /etc/shorewall/hosts > # > # All except the first column. > # > # /etc/shorewall/rules > # > # First column after ":". > # All remaining columns > # > # /etc/shorewall/tunnels > # /etc/shorewall/proxyarp > # /etc/shorewall/nat > # > # All columns >############################################################################ ##> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE >---------------------------------------------------------------------------- ----> # > # Shorewall 1.3 -- RFC1918 File > # > # /etc/shorewall/rfc1918 > # > # Lists the subnetworks that are blocked by the ''norfc1918'' interfaceoption.> # > # The default list includes those IP addresses listed in RFC 1918, thoselisted> # as ''reserved'' by the IANA, the DHCP Autoconfig class B, and the class C > # reserved for use in documentation and examples. 
> # > # Columns are: > # > # SUBNET The subnet (host addresses also allowed) > # TARGET Where to send packets to/from this subnet > # RETURN - let the packet be processed normally > # DROP - silently drop the packet > # logdrop - log then drop > # >############################################################################ ###> #SUBNET TARGET > 255.255.255.255 RETURN # We need to allow limited broadcast > 169.254.0.0/16 DROP # DHCP autoconfig > 172.16.0.0/12 logdrop # RFC 1918 > 192.0.2.0/24 logdrop # Example addresses > 192.168.0.0/16 logdrop # RFC 1918 > # > # The following are generated using the Python program found at: > # > # http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/ > # > # The program was contributed by Andy Wiggin > # > 0.0.0.0/7 logdrop # Reserved > 2.0.0.0/8 logdrop # Reserved > 5.0.0.0/8 logdrop # Reserved > 7.0.0.0/8 logdrop # Reserved > 10.0.0.0/8 logdrop # Reserved > 23.0.0.0/8 logdrop # Reserved > 27.0.0.0/8 logdrop # Reserved > 31.0.0.0/8 logdrop # Reserved > 36.0.0.0/7 logdrop # Reserved > 39.0.0.0/8 logdrop # Reserved > 41.0.0.0/8 logdrop # Reserved > 42.0.0.0/8 logdrop # Reserved > 58.0.0.0/7 logdrop # Reserved > 60.0.0.0/8 logdrop # Reserved > 70.0.0.0/7 logdrop # Reserved > 72.0.0.0/5 logdrop # Reserved > 83.0.0.0/8 logdrop # Reserved > 84.0.0.0/6 logdrop # Reserved > 88.0.0.0/5 logdrop # Reserved > 96.0.0.0/3 logdrop # Reserved > 127.0.0.0/8 logdrop # Loopback > 197.0.0.0/8 logdrop # Reserved > 222.0.0.0/7 logdrop # Reserved > 240.0.0.0/4 logdrop # Reserved > # > # End of generated entries > # > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE >---------------------------------------------------------------------------- ----> # > # Shorewall version 1.3 - Traffic Control Rules File > # > # /etc/shorewall/tcrules > # > # Entries in this file cause packets to be marked as a means of > # classifying them for traffic control or policy routing. > # > # I M P O R T A N T ! ! ! ! 
> # > # FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET > # TC_ENABLED=Yes in /etc/shorewall/shorewall.conf > # > # Columns are: > # > # > # MARK The mark value which is an > # integer in the range 1-255 > # > # May optionally be followed by ":P" or ":F" > # where ":P" indicates that marking should occur in > # the PREROUTING chain and ":F" indicates that marking > # should occur in the FORWARD chain. If neither > # ":P" nor ":F" follow the mark value then the chain is > # determined by the setting of MARK_IN_FORWARD_CHAIN in > # /etc/shorewall/shorewall.conf. > # > # SOURCE Source of the packet. A comma-separated list of > # interface names, IP addresses, MAC addresses > # and/or subnets. Use $FW if the packet originates on > # the firewall in which case the MARK column may NOT > # specify either ":P" or ":F" (marking always occurs > # in the OUTPUT chain). > # > # MAC addresses must be prefixed with "~" and use > # "-" as a separator. > # > # Example: ~00-A0-C9-15-39-78 > # > # DEST Destination of the packet. Comma separated list of > # IP addresses and/or subnets. > # > # PROTO Protocol - Must be "tcp", "udp", "icmp", a number, > # or "all". > # > # PORT(S) Destination Ports. A comma-separated list of Port > # names (from /etc/services), port numbers or port > # ranges; if the protocol is "icmp", this column is > # interpreted as the destination icmp-type(s). > # > # This column is ignored if PROTOCOL = all but must be > # entered if any of the following field is supplied. > # In that case, it is suggested that this field contain > # "-" > # > # CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted, > # any source port is acceptable. Specified as a comma- > # separated list of port names, port numbers or port > # ranges. 
>############################################################################ ##> #MARK SOURCE DEST PROTO PORT(S) CLIENT PORT(S) > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE >---------------------------------------------------------------------------- ---->############################################################################ ##> # > # Shorewall 1.3 -- Hosts Accessible when the Firewall is Stopped > # > # /etc/shorewall/routestopped > # > # This file is used to define the hosts that are accessible when the > # firewall is stopped > # > # Columns must be separated by white space and are: > # > # INTERFACE - Interface through which host(s) communicate with > # the firewall > # HOST(S) - (Optional) Comma-separated list of IP/subnet > # addresses. If left empty or supplied as "-", > # 0.0.0.0/0 is assumed. > # > # Example: > # > # INTERFACE HOST(S) > # eth2 192.168.1.0/24 > # eth0 192.0.2.44 >############################################################################ ##> #INTERFACE HOST(S) > eth1 192.168.1.0/24 > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE >---------------------------------------------------------------------------- ----> # > # Shorewall 1.3 -- /etc/shorewall/tos > # > # This file defines rules for setting Type Of Service (TOS) > # > # Columns are: > # > # SOURCE Name of a zone declared in /etc/shorewall/zones, "all" > # or $FW. > # > # If not "all" or $FW, may optionally be followed by > # ":" and an IP address, a MAC address, a subnet > # specification or the name of an interface. > # > # Example: loc:192.168.2.3 > # > # MAC addresses must be prefixed with "~" and use > # "-" as a separator. > # > # Example: ~00-A0-C9-15-39-78 > # > # DEST Name of a zone declared in /etc/shorewall/zones, "all" > # or $FW. > # > # If not "all" or $FW, may optionally be followed by > # ":" and an IP address or a subnet specification > # > # Example: loc:192.168.2.3 > # > # PROTOCOL Protocol. 
> # > # SOURCE PORTS Source port or port range. If all ports, use "-". > # > # DEST PORTS Destination port or port range. If all ports, use "-" > # > # TOS Type of service. Must be one of the following: > # > # Minimize-Delay (16) > # Maximize-Throughput (8) > # Maximize-Reliability (4) > # Minimize-Cost (2) > # Normal-Service (0) > # >############################################################################ ##> #SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS > all all tcp - ssh 16 > all all tcp ssh - 16 > all all tcp - ftp 16 > all all tcp ftp - 16 > all all tcp ftp-data - 8 > all all tcp - ftp-data 8 > #LAST LINE -- Add your entries above -- DO NOT REMOVE >---------------------------------------------------------------------------- ----> # > # Shorewall 1.3 - /etc/shorewall/tunnels > # > # This file defines IPSEC, GRE, IPIP and OPENVPN tunnels. > # > # IPIP, GRE and OPENVPN tunnels must be configured on the > # firewall/gateway itself. IPSEC endpoints may be defined > # on the firewall/gateway or on an internal system. > # > # The columns are: > # > # TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip" > # "gre", "pptpclient", "pptpserver" or "openvpn". > # > # If type is "openvpn", it may optionally be followed > # by ":" and the port number used by the tunnel. if no > # ":" and port number are included, then the default port > # of 5000 will be used > # > # ZONE -- The zone of the physical interface through which > # tunnel traffic passes. This is normally your internet > # zone. > # > # GATEWAY -- The IP address of the remote tunnel gateway. If the > # remote getway has no fixed address (Road Warrior) > # then specify the gateway as 0.0.0.0/0. > # > # GATEWAY > # ZONES -- Optional. If the gateway system specified in the third > # column is a standalone host then this column should > # contain a comma-separated list of the names of the > # zones that the host might be in. This column only > # applies to IPSEC tunnels. 
> # > # Example 1: > # > # IPSec tunnel. The remote gateway is 4.33.99.124 and > # the remote subnet is 192.168.9.0/24 > # > # ipsec net 4.33.99.124 > # > # Example 2: > # > # Road Warrior (LapTop that may connect from anywhere) > # where the "gw" zone is used to represent the remote > # LapTop. > # > # ipsec net 0.0.0.0/0 gw > # > # Example 3: > # > # Host 4.33.99.124 is a standalone system connected > # via an ipsec tunnel to the firewall system. The host > # is in zone gw. > # > # ipsec net 4.33.99.124 gw > # > # Example 4: > # > # Road Warriors that may belong to zones vpn1, vpn2 or > # vpn3. The FreeS/Wan _updown script will add the > # host to the appropriate zone using the "shorewall add" > # command on connect and will remove the host from the > # zone at disconnect time. > # > # ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3 > # > # Example 5: > # > # You run the Linux PPTP client on your firewall and > # connect to server 192.0.2.221. > # > # pptpclient net 192.0.2.221 > # > # Example 6: > # > # You run a PPTP server on your firewall. > # > # pptpserver net > # > # Example 7: > # > # OPENVPN tunnel. The remote gateway is 4.33.99.124 and > # openvpn uses port 7777. > # > # openvpn:7777 net 4.33.99.124 > # > # TYPE ZONE GATEWAY GATEWAY ZONE PORT > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE >---------------------------------------------------------------------------- ---->############################################################################> # Shorewall 1.3 -- /etc/shorewall/init > # > # Add commands below that you want to be executed at the beginning of > # a "shorewall start" or "shorewall restart" command. 
> #
> ----------------------------------------------------------------------------
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
--On Monday, March 03, 2003 12:59:25 PM -0500 Jim Owen <moses6602@netscape.net> wrote:

> I wrote last night that I had trouble with losing connections behind the
> firewall. I have been to the errata, faq, and reread all my files in the
> quick start guide and sample files. Everything seems to be in order, I
> get no error messages at start-up or shutdown. I have attached several
> settings files to this email in hopes this will be enough info to at
> least get a start on diagnosing the problem. It only loses the connection
> if I stay unconnected from the internet for a short amount of time.

What is "it" as in "It only loses the connection..."? And what does "..stay unconnected from the internet..." mean? Does that mean you are disconnecting your cable modem?

> My
> cable modem uses DHCP for the external IP address resolution. It remains
> constant unless I unplug and reset the modem. My internal address scheme
> is a 192.168.1.0/24. I have a perfect connection from the firewall to the
> internet at all times.

So now I'm confused. In your original post, you reported that you lost connectivity with the local system after approximately two hours of being connected. That would NOT be a Shorewall problem since Shorewall statically configures NetFilter and the NetFilter rules don't change by themselves once they are in place. Shorewall has no daemon or other running code that could somehow change the configuration after some period of time. Now you seem to be reporting that there is another factor ("...I stay unconnected..."). Please clarify.

-Tom
--
Tom Eastep        \ Shorewall - iptables made easy
Shoreline,         \ http://www.shorewall.net
Washington USA      \ teastep@shorewall.net
--On Monday, March 03, 2003 04:40:36 PM -0900 John Andersen <jsa@norcomix.dyndns.org> wrote:

> Tom:
> I asked him if he uses DHCP, wondering if he had not configured
> dhcp into the interfaces correctly. Some cable companies give
> two hour leases to get around a bug in Mac Tcp stack. (Ours here
> does this). If he gets a new ip frequently, and has not configured
> shorewall with the DHCP option, would this not appear as
> he described?
>
> Why a different IP would be given is beyond me, but if you google
> up dhcp and "abandoned leases" you will find that it has been quite
> a problem over time.
>

If he gets another IP address, then all existing masqueraded connections will be broken. New masqueraded connections should be able to be established though and the OP notes that not even 'ping' is possible.

Although I guess now that I think of it, I'm not sure what MASQUERADE rules do if the external IP is changed -- may need a "shorewall restart" done when the IP changes (dhcp client script).

-Tom
--
Tom Eastep        \ Shorewall - iptables made easy
Shoreline,         \ http://www.shorewall.net
Washington USA      \ teastep@shorewall.net
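One way to act on the "dhcp client script" idea above, as an added example that is not part of this thread and not Shorewall's own code: an ISC dhclient exit hook that rebuilds the firewall only when a new lease actually changes the external address, so that renewals which keep the same address (the common case on cable) do not tear down every masqueraded connection for nothing. It assumes the `reason`, `old_ip_address` and `new_ip_address` variables that ISC `dhclient-script` exports before sourcing `/etc/dhclient-exit-hooks`, and that the `shorewall` command is on PATH; the hook file location is a typical one, not taken from the page.

```shell
#!/bin/sh
# Example dhclient exit hook (e.g. installed as /etc/dhclient-exit-hooks).
# ISC dhclient-script sets $reason, $old_ip_address and $new_ip_address
# before sourcing this file. Assumed interface, not taken from the thread.

# needs_restart REASON OLD_IP NEW_IP
# Returns 0 when the firewall should be rebuilt, 1 otherwise.
needs_restart() {
    _reason=$1 _old=$2 _new=$3
    case "$_reason" in
        BOUND|REBOOT)
            # Fresh lease: rebuild unless we got the same address back.
            if [ -z "$_old" ] || [ "$_old" != "$_new" ]; then
                return 0
            fi
            return 1
            ;;
        RENEW|REBIND)
            # A renewal normally keeps the address; only react if it moved.
            if [ -n "$_old" ] && [ "$_old" != "$_new" ]; then
                return 0
            fi
            return 1
            ;;
        *)
            # EXPIRE, FAIL, RELEASE, STOP, PREINIT, ...: no usable address,
            # so rebuilding the NAT rules would not help; leave them alone.
            return 1
            ;;
    esac
}

# Only act when dhclient actually sourced us (the variables are set).
if [ -n "${reason:-}" ]; then
    if needs_restart "$reason" "${old_ip_address:-}" "${new_ip_address:-}"; then
        logger -t dhclient-shorewall \
            "external address ${old_ip_address:-none} -> ${new_ip_address} (${reason}); restarting shorewall"
        shorewall restart
    fi
fi
```

Because the decision is made from the lease events rather than by polling the interface, a two-hour renewal that hands back the same address leaves the masqueraded sessions untouched, while a genuine address change triggers the one `shorewall restart` that Tom mentions.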
cheers Tom and folks,

> > Why a different IP would be given is beyond me, but if you google
> > up dhcp and "abandoned leases" you will find that it has been quite
> > a problem over time.
>
> If he gets another IP address, then all existing masqueraded connections
> will be broken. New masqueraded connections should be able to be
> established though and the OP notes that not even 'ping' is possible.
>
> Although I guess now that I think of it, I'm not sure what MASQUERADE rules
> do if the external IP is changed -- may need a "shorewall restart" done
> when the IP changes (dhcp client script).

I hope I got your point. I'm pretty sure your great firewall is _completely_ transparent to that. I have some DSL routers set up (of course with masqueraded local network) and all of these lines are cut after 24 hours by the access provider to prevent 'static IPs' -- or better, to have a reason to sell static IPs for extra cash... ;-) Never had problems. The router just runs round the clock, internet access is always possible without a 'shorewall restart'. Now as I think about it: My father never complained, and to him the router just is a black box that gets him to the net... :-) Wow, seems like shorewall is even better than _you_ thought...

karsten

btw: I hope I will get to check the German translation tomorrow. Haven't forgotten about it, and I really wanna do that.

--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!