shorewall6-5.0.4/0000755000000000000000000000000012650243750012310 5ustar rootrootshorewall6-5.0.4/shorewallrc.cygwin0000644000000000000000000000226012650243750016057 0ustar rootroot# # Cygwin Shorewall 5.0 rc file # BUILD=cygwin HOST=cygwin PREFIX=/usr #Top-level directory for shared files, libraries, etc. SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed SBINDIR=/bin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man #Directory where manpages are installed. INITDIR=/etc/init.d #Unused on Cygwin INITFILE= #Unused on Cygwin INITSOURCE= #Unused on Cygwin ANNOTATED= #Unused on Cygwin SERVICEDIR= #Unused on Cygwin SERVICEFILE= #Unused on Cygwin SYSCONFDIR= #Unused on Cygwin SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR. 
VARLIB=/var/lib #Unused on Cygwin shorewall6-5.0.4/shorewall6.service.debian0000644000000000000000000000120012647470621017177 0ustar rootroot# # The Shoreline Firewall (Shorewall) Packet Filtering Firewall # # Copyright 2011 Jonathan Underwood # Copyright 2015 Tom Eastep # [Unit] Description=Shorewall IPv6 firewall Wants=network-online.target After=network-online.target Conflicts=ip6tables.service firewalld.service [Service] Type=oneshot RemainAfterExit=yes EnvironmentFile=-/etc/default/shorewall6 StandardOutput=syslog ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS ExecStop=/sbin/shorewall6 $OPTIONS stop ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS [Install] WantedBy=basic.target shorewall6-5.0.4/INSTALL0000644000000000000000000000171112647470621013346 0ustar rootrootShoreline Firewall (Shorewall) Version 5 ----- ---- ----------------------------------------------------------------------------- This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. --------------------------------------------------------------------------- Please see http://www.shorewall.net/Install.htm for installation instructions. shorewall6-5.0.4/shorewallrc.slackware0000644000000000000000000000365412650243750016543 0ustar rootroot# # Slackware Shorewall 5.0 rc file # BUILD=slackware HOST=slackware PREFIX=/usr #Top-level directory for shared files, libraries, etc. 
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed SBINDIR=/sbin #Directory where system administration programs are installed MANDIR=${PREFIX}/man #Directory where manpages are installed. INITDIR=/etc/rc.d #Directory where SysV init scripts are installed. AUXINITSOURCE=init.slackware.firewall.sh #Name of the distributed file to be installed as the SysV init script AUXINITFILE=rc.firewall #Name of the product's installed SysV init script INITSOURCE=init.slackware.$PRODUCT.sh #Name of the distributed file to be installed as a second SysV init script INITFILE=rc.$PRODUCT #Name of the product's installed second init script SERVICEDIR= #Name of the directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR= #Name of the directory where SysV init parameter files are installed. ANNOTATED= #If non-empty, install annotated configuration files VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. shorewall6-5.0.4/action.Broadcast0000644000000000000000000000513312647470621015420 0ustar rootroot# # Shorewall 4 - Multicast/Anycast Action # # /usr/share/shorewall/action.Broadcast # # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt] # # (c) 2011 - Tom Eastep (teastep@shorewall.net) # # Complete documentation is available at http://shorewall.net # # This program is free software; you can redistribute it and/or modify # it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. 
# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # # Broadcast[([|-[,{audit|-}])] # # Default action is DROP # ########################################################################################## DEFAULTS DROP,- ?begin perl; use Shorewall::IPAddrs; use Shorewall::Config; use Shorewall::Chains; my $chainref = get_action_chain; my ( $action, $audit ) = get_action_params( 2 ); my ( $level, $tag ) = get_action_logging; my $target = require_audit ( $action , $audit ); fatal_error "Invalid parameter to action Broadcast" if supplied $audit && $audit ne 'audit'; if ( have_capability( 'ADDRTYPE' ) ) { if ( $level ne '' ) { log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST '; log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST '; } add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST '; add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST '; add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST '; } else { add_commands $chainref, 'for address in $ALL_ACASTS; do'; incr_cmd_level $chainref; log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne ''; add_jump $chainref, $target, 0, "-d \$address "; decr_cmd_level $chainref; add_commands $chainref, 'done'; log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) ) if $level ne ''; add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . 
' ' ); } 1; ?end perl; shorewall6-5.0.4/default.debian0000644000000000000000000000163012647470621015105 0ustar rootroot# prevent startup with default configuration # set the following varible to 1 in order to allow Shorewall6 to start startup=0 # if your Shorewall6 configuration requires detection of the ip address of a # ppp interface, you must list such interfaces in "wait_interface" to get # Shorewall6 to wait until the interface is configured. Otherwise the script # will fail because it won't be able to detect the IP address. # # Example: # wait_interface="ppp0" # or # wait_interface="ppp0 ppp1" # or, if you have defined in /etc/shorewall6/params # wait_interface= # # Startup options # OPTIONS="" # # Start options # STARTOPTIONS="" # # Restart options # RESTARTOPTIONS="" # # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf # INITLOG=/dev/null # # Set this to 1 to cause '/etc/init.d/shorewall6 stop' to place the firewall in # a safe state rather than to open it # SAFESTOP=0 # EOF shorewall6-5.0.4/init.debian.sh0000755000000000000000000000615512647470621015047 0ustar rootroot#!/bin/sh ### BEGIN INIT INFO # Provides: shorewall6 # Required-Start: $network $remote_fs # Required-Stop: $network $remote_fs # Default-Start: S # Default-Stop: 0 6 # Short-Description: Configure the firewall at boot time # Description: Configure the firewall according to the rules specified in # /etc/shorewall6 ### END INIT INFO . /lib/lsb/init-functions SRWL=/sbin/shorewall6 SRWL_OPTS="-tvv" WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup test -n ${INITLOG:=/var/log/shorewall6-init.log} test -x $SRWL || exit 0 test -x $WAIT_FOR_IFUP || exit 0 test -n "$INITLOG" || { echo "INITLOG cannot be empty, please configure $0" ; exit 1; } if [ "$(id -u)" != "0" ] then echo "You must be root to start, stop or restart \"Shorewall6 firewall\"." exit 1 fi echo_notdone () { if [ "$INITLOG" = "/dev/null" ] ; then echo "not done." else echo "not done (check $INITLOG)." 
fi exit 1 } not_configured () { echo "#### WARNING ####" echo "The firewall won't be started/stopped unless it is configured" if [ "$1" != "stop" ] then echo "" echo "Please read about Debian specific customization in" echo "/usr/share/doc/shorewall6/README.Debian.gz." fi echo "#################" exit 0 } # # The installer may alter this # . /usr/share/shorewall/shorewallrc # check if shorewall is configured or not if [ -f "${SYSCONFDIR}/shorewall6" ] then . ${SYSCONFDIR}/shorewall6 SRWL_OPTS="$SRWL_OPTS $OPTIONS" if [ "$startup" != "1" ] then not_configured fi else not_configured fi [ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0 export SHOREWALL_INIT_SCRIPT # wait for an unconfigured interface wait_for_pppd () { if [ "$wait_interface" != "" ] then for i in $wait_interface do $WAIT_FOR_IFUP $i 90 done fi } # start the firewall shorewall6_start () { echo -n "Starting \"Shorewall6 firewall\": " wait_for_pppd $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone return 0 } # stop the firewall shorewall6_stop () { echo -n "Stopping \"Shorewall6 firewall\": " if [ "$SAFESTOP" = 1 ]; then $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone else $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone fi return 0 } # restart the firewall shorewall6_restart () { echo -n "Restarting \"Shorewall6 firewall\": " $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone return 0 } # refresh the firewall shorewall6_refresh () { echo -n "Refreshing \"Shorewall6 firewall\": " $SRWL $SRWL_OPTS refresh >> $INITLOG 2>&1 && echo "done." || echo_notdone return 0 } # status of the firewall shorewall6_status () { $SRWL $SRWL_OPTS status && exit 0 || exit $? 
} case "$1" in start) shorewall6_start ;; stop) shorewall6_stop ;; refresh) shorewall6_refresh ;; force-reload|restart) shorewall6_restart ;; status) shorewall6_status ;; *) echo "Usage: /etc/init.d/shorewall6 {start|stop|refresh|restart|force-reload|status}" exit 1 esac exit 0 shorewall6-5.0.4/action.A_AllowICMPs0000644000000000000000000000334412647470621015672 0ustar rootroot# # Shorewall6 version 5 - Audited AllowICMPs Action # # /usr/share/shorewall6/action.A_AllowICMPs # # This action A_ACCEPTs needed ICMP types # ############################################################################### #TARGET SOURCE DEST PROTO DEST # PORT(S) ?comment Needed ICMP types (RFC4890) A_ACCEPT - - ipv6-icmp destination-unreachable A_ACCEPT - - ipv6-icmp packet-too-big A_ACCEPT - - ipv6-icmp time-exceeded A_ACCEPT - - ipv6-icmp parameter-problem # The following should have a ttl of 255 and must be allowed to transit a bridge A_ACCEPT - - ipv6-icmp router-solicitation A_ACCEPT - - ipv6-icmp router-advertisement A_ACCEPT - - ipv6-icmp neighbour-solicitation A_ACCEPT - - ipv6-icmp neighbour-advertisement A_ACCEPT - - ipv6-icmp 137 # Redirect A_ACCEPT - - ipv6-icmp 141 # Inverse neighbour discovery solicitation A_ACCEPT - - ipv6-icmp 142 # Inverse neighbour discovery advertisement # The following should have a link local source address and must be allowed to transit a bridge A_ACCEPT fe80::/10 - ipv6-icmp 130 # Listener query A_ACCEPT fe80::/10 - ipv6-icmp 131 # Listener report A_ACCEPT fe80::/10 - ipv6-icmp 132 # Listener done A_ACCEPT fe80::/10 - ipv6-icmp 143 # Listener report v2 # The following should be received with a ttl of 255 and must be allowed to transit a bridge A_ACCEPT - - ipv6-icmp 148 # Certificate path solicitation A_ACCEPT - - ipv6-icmp 149 # Certificate path advertisement # The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge A_ACCEPT fe80::/10 - ipv6-icmp 151 # Multicast router advertisement A_ACCEPT 
fe80::/10 - ipv6-icmp 152 # Multicast router solicitation A_ACCEPT fe80::/10 - ipv6-icmp 153 # Multicast router termination shorewall6-5.0.4/modules0000644000000000000000000000132512647470621013711 0ustar rootroot# # Shorewall6 version 5 - Modules File # # /usr/share/shorewall6/modules # # This file loads the modules that may be needed by the firewall. # # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in # dependency order. i.e., if M2 depends on M1 then you must load M1 # before you load M2. # # If you need to modify this file, copy it to /etc/shorewall and modify the # copy. # ############################################################################### # # Essential Modules # INCLUDE modules.essential # # Other xtables modules # INCLUDE modules.xtables # # Helpers # INCLUDE helpers # # Ipset # INCLUDE modules.ipset # # Traffic Shaping # INCLUDE modules.tc # # Extensions # INCLUDE modules.extensions shorewall6-5.0.4/helpers0000644000000000000000000000254712647470621013712 0ustar rootroot# # Shorewall6 version 5 - Helpers File # # /usr/share/shorewall6/helpers # # This file loads the modules that may be needed by the firewall. # # THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in # dependency order. i.e., if M2 depends on M1 then you must load M1 # before you load M2. # # If you need to modify this file, copy it to /etc/shorewall and modify the # copy. 
# ############################################################################### # # Helpers # loadmodule nf_conntrack_amanda loadmodule nf_conntrack_ftp loadmodule nf_conntrack_h323 loadmodule nf_conntrack_irc loadmodule nf_conntrack_netbios_ns loadmodule nf_conntrack_netbios_ns loadmodule nf_conntrack_netlink loadmodule nf_conntrack_pptp loadmodule nf_conntrack_proto_sctp loadmodule nf_conntrack_proto_udplite loadmodule nf_conntrack_sane loadmodule nf_conntrack_sip sip_direct_media=0 loadmodule nf_conntrack_pptp loadmodule nf_conntrack_proto_gre loadmodule nf_conntrack_proto_sctp loadmodule nf_conntrack_sip loadmodule nf_conntrack_tftp loadmodule nf_conntrack_sane # # While not actually helpers, these are included here so that # LOG_BACKEND can work correctly. Not all of them will be # loaded, since at least one of them will be an alias on any # given system. # loadmodule ip6t_LOG loadmodule nf_log_ipv6 loadmodule xt_LOG loadmodule xt_NFLOG loadmodule nfnetlink_log shorewall6-5.0.4/ipsecvpn0000644000000000000000000001554012647470621014074 0ustar rootroot#!/bin/sh ################################################################################ # # ipsecvpn -- script for use on a roadwarrior to start/stop a tunnel-mode # IPSEC connection # # (c) 2004,2005,2014 - Tom Eastep (teastep@shorewall.net) # # This program is part of Shorewall. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by the # Free Software Foundation, either version 2 of the license or, at your # option, any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . 
RCDLINKS="2,S42 3,S42 6,K42" #### BEGIN INIT INFO # Provides: ipsecvpn # Required-Start: $shorewall # Required-Stop: # Default-Start: 2 3 5 # Default-Stop: 0 1 6 # Description: starts and stops a tunnel-mode VPN connection ### END INIT INFO # chkconfig: 2345 26 89 # description: IPSEC tunnel-mode connection # ################################################################################ # # External Interface # INTERFACE=eth0 # # Remote IPSEC Gateway # GATEWAY=1.2.3.4 # # Networks behind the remote gateway (space-separated list) # NETWORKS="192.168.1.0/24" # # Directory where X.509 certificates are stored. # CERTS=/etc/certs # # Certificate to be used for this connection. The cert # directory must contain: # # ${CERT}.pem - the certificate # ${CERT}_key.pem - the certificates's key # CERT=roadwarrior # # The setkey binary # SETKEY=/usr/sbin/setkey # # The racoon binary # RACOON=/usr/sbin/racoon # # Message to stderr # error_message() # $* = Error Message { echo " $@" >&2 } # # Fatal error -- stops the firewall after issuing the error message # fatal_error() # $* = Error Message { echo " Error: $@" >&2 exit 2 } # # Find interface address--returns the first IP address assigned to the passed # device # find_first_interface_address() # $1 = interface { # # get the line of output containing the first IP address # addr=$(ip -f inet addr show $1 2> /dev/null | grep inet | head -n1) # # If there wasn't one, bail out now # [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1" # # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link) # along with everything else on the line # echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//' } # # Create a Racoon configuration file using the variables above # make_racoon_conf() { echo "path certificate \"$CERTS\";" echo echo "listen" echo "{" echo " isakmp $IPADDR;" echo "}" echo echo "remote $GATEWAY" echo "{" echo " exchange_mode main;" echo " certificate_type x509 \"$CERT.pem\" \"${CERT}_key.pem\";" 
echo " verify_cert on;" echo " my_identifier asn1dn ;" echo " peers_identifier asn1dn ;" echo " verify_identifier on ;" echo " lifetime time 24 hour ;" echo " proposal {" echo " encryption_algorithm blowfish;" echo " hash_algorithm sha1;" echo " authentication_method rsasig ;" echo " dh_group 2 ;" echo " }" echo "}" echo for network in $NETWORKS; do echo "sainfo address $IPADDR/32 any address $network any" echo "{" echo " pfs_group 2;" echo " lifetime time 12 hour ;" echo " encryption_algorithm blowfish ;" echo " authentication_algorithm hmac_sha1, hmac_md5 ;" echo " compression_algorithm deflate ;" echo "}" echo echo "sainfo address $network any address $IPADDR/32 any" echo "{" echo " pfs_group 2;" echo " lifetime time 12 hour ;" echo " encryption_algorithm blowfish ;" echo " authentication_algorithm hmac_sha1, hmac_md5 ;" echo " compression_algorithm deflate ;" echo "}" done echo "sainfo address $IPADDR/32 any address $GATEWAY/32 any" echo "{" echo " pfs_group 2;" echo " lifetime time 12 hour ;" echo " encryption_algorithm blowfish ;" echo " authentication_algorithm hmac_sha1, hmac_md5 ;" echo " compression_algorithm deflate ;" echo "}" echo echo "sainfo address $GATEWAY/32 any address $IPADDR/32 any" echo "{" echo " pfs_group 2;" echo " lifetime time 12 hour ;" echo " encryption_algorithm blowfish ;" echo " authentication_algorithm hmac_sha1, hmac_md5 ;" echo " compression_algorithm deflate ;" echo "}" } # # Make a setkey configuration file using the variables above # make_setkey_conf() { echo "flush;" echo "spdflush;" echo "spdadd $IPADDR/32 $GATEWAY/32 any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;" echo "spdadd $GATEWAY/32 $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;" for network in $NETWORKS; do echo "spdadd $IPADDR/32 $network any -P out ipsec esp/tunnel/${IPADDR}-${GATEWAY}/require;" echo "spdadd $network $IPADDR/32 any -P in ipsec esp/tunnel/${GATEWAY}-${IPADDR}/require;" done } # # Start the Tunnel # start() { # # Get 
the first IP address configured on the device in INTERFACE # IPADDR=$(find_first_interface_address $INTERFACE) # # Create the name of the setkey temporary file # TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX) [ $? -eq 0 ] || fatal_error "Can't create temporary file name" # # Create the file # make_setkey_conf > $TEMPFILE # # Create the SPD # $SETKEY -f $TEMPFILE # # We can now remove the file # rm -f $TEMPFILE # # Create another name -- make this distict to aid debugging # (just comment out the 'rm' commands) # TEMPFILE=$(mktemp /tmp/$(basename $0).XXXXXXXX) [ $? -eq 0 ] || fatal_error "Can't create temporary file name" # # Create the file # make_racoon_conf > $TEMPFILE # # Start Racoon Daemon # $RACOON -4 -f $TEMPFILE # # Once the Daemon is running, we can remove the file # rm -f $TEMPFILE } # # Stop the Tunnel # stop() { # # Kill any racoon daemons # killall racoon # # Purge the SAD and SPD # setkey -F -FP } # # Display command syntax and abend # usage() { error_message "usage: $(basename $0) [start|stop|restart]" exit 1 } ################################################################################ # C O D E S T A R T S H E R E ################################################################################ [ $# -eq 1 ] || usage case $1 in start) start ;; stop) stop ;; restart) stop sleep 2 start ;; *) usage ;; esac shorewall6-5.0.4/action.Reject0000644000000000000000000000506212647470621014733 0ustar rootroot# # Shorewall6 version 5 - Reject Action # # /usr/share/shorewall6/action.Reject # # The default REJECT action common rules # # This action is invoked before a REJECT policy is enforced. The purpose # of the action is: # # a) Avoid logging lots of useless cruft. # b) Ensure that certain ICMP packets that are necessary for successful # internet operation are always ACCEPTed. # # The action accepts five optional parameters: # # 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin # actions. # 2 - Action to take with Auth requests. 
Default is REJECT or A_REJECT, # depending on the setting of the first parameter. # 3 - Action to take with SMB requests. Default is REJECT or A_REJECT, # depending on the setting of the first parameter. # 4 - Action to take with required ICMP packets. Default is ACCEPT or # A_ACCEPT depending on the first parameter. # 5 - Action to take with late UDP replies (UDP source port 53). Default # is DROP or A_DROP depending on the first parameter. # # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! ############################################################################### # # The following magic provides different defaults for $2 thru $5, when $1 is # 'audit'. # ?begin perl; use Shorewall::Config; my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 ); if ( defined $p1 ) { if ( $p1 eq 'audit' ) { set_action_param( 2, 'A_REJECT') unless supplied $p2; set_action_param( 3, 'A_REJECT') unless supplied $p3; set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4; set_action_param( 5, 'A_DROP' ) unless supplied $p5; } else { fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1; } } 1; ?end perl; DEFAULTS -,REJECT,REJECT,ACCEPT,DROP #TARGET SOURCE DEST PROTO # # Don't log 'auth' -- REJECT # Auth($2) # # Drop Multicasts so they don't clutter up the log # (broadcasts must *not* be rejected). # AllowICMPs($4) - - ipv6-icmp # # Drop Broadcasts so they don't clutter up the log # (broadcasts must *not* be rejected). # Broadcast(DROP,$1) # # Drop packets that are in the INVALID state -- these are usually ICMP packets # and just confuse people when they appear in the log (these ICMPs cannot be # rejected). # Invalid(DROP,$1) # # Reject Microsoft noise so that it doesn't clutter up the log. # SMB($3) # # Drop 'newnotsyn' traffic so that it doesn't get logged. # NotSyn(DROP,$1) - - tcp # # Drop late-arriving DNS replies. These are just a nuisance and clutter up # the log. 
# DropDNSrep($5) shorewall6-5.0.4/README.txt0000644000000000000000000000006112647470621014010 0ustar rootrootThis is the Shorewall6 stable 4.4 branch of Git. shorewall6-5.0.4/shorewallrc.default0000644000000000000000000000353412650243750016210 0ustar rootroot# # Default Shorewall 5.0 rc file # HOST=linux #Generic Linux BUILD= #Default is to detect the build system PREFIX=/usr #Top-level directory for shared files, libraries, etc. SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed SBINDIR=/sbin #Directory where system administration programs are installed MANDIR=${PREFIX}/man #Directory where manpages are installed. INITDIR=/etc/init.d #Directory where SysV init scripts are installed. INITFILE=$PRODUCT #Name of the product's installed SysV init script INITSOURCE=init.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SYSCONFFILE= #Name of the distributed file to be installed in $SYSCONFDIR SYSCONFDIR= #Directory where SysV init parameter files are installed SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. shorewall6-5.0.4/shorewallrc.openwrt0000644000000000000000000000336612650243750016265 0ustar rootroot# # Created by Shorewall Core version 5.0.2-RC1 configure - Fri, Nov 06, 2015 10:02:03 AM # # Input: host=openwrt # PREFIX=/usr #Top-level directory for shared files, libraries, etc. 
SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed SBINDIR=/sbin #Directory where system administration programs are installed MANDIR= #Directory where manpages are installed. INITDIR=/etc/init.d #Directory where SysV init scripts are installed. INITFILE=$PRODUCT #Name of the product's installed SysV init script INITSOURCE=init.openwrt.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SYSCONFDIR=${CONFDIR}/sysconfig #Directory where SysV init parameter files are installed SYSCONFFILE=sysconfig #Name of the distributed file to be installed in $SYSCONFDIR SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SERVICEFILE= #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service SPARSE= #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. shorewall6-5.0.4/Samples6/0000755000000000000000000000000012647470621014007 5ustar rootrootshorewall6-5.0.4/Samples6/three-interfaces/0000755000000000000000000000000012650244173017232 5ustar rootrootshorewall6-5.0.4/Samples6/three-interfaces/rules.annotated0000644000000000000000000012452412650244171022271 0ustar rootroot# # Shorewall6 version 4.0 - Sample Rules File for three-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. 
# # See the file README.txt for further details. #------------------------------------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-rules" ###################################################################################################################################################################################################### # # Entries in this file govern connection establishment by defining exceptions to # the policies laid out in shorewall6-policy(5). By default, subsequent requests # and responses are automatically allowed using connection tracking. For any # particular (source,dest) pair of zones, the rules are evaluated in the order in # which they appear in this file and the first terminating match is the one that # determines the disposition of the request. All rules are terminating except LOG # and QUEUE rules. # # The rules file is divided into sections. Each section is introduced by a # "Section Header" which is a line beginning with ?SECTION and followed by the # section name. # # Sections are as follows and must appear in the order listed: # # ALL # # This section was added in Shorewall 4.4.23. rules in this section are # applied, regardless of the connection tracking state of the packet. # # ESTABLISHED # # Packets in the ESTABLISHED state are processed by rules in this section. # # The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE # # There is an implicit ACCEPT rule inserted at the end of this section. # # RELATED # # Packets in the RELATED state are processed by rules in this section. # # The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE # # There is an implicit rule added at the end of this section that invokes the # RELATED_DISPOSITION (shorewall6.conf(5)). # # INVALID # # Added in Shorewall 4.5.13. Packets in the INVALID state are processed by # rules in this section. 
# # The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE. # # There is an implicit rule added at the end of this section that invokes the # INVALID_DISPOSITION (shorewall6.conf(5)). # # UNTRACKED # # Added in Shorewall 4.5.13. Packets in the UNTRACKED state are processed by # rules in this section. # # The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE. # # There is an implicit rule added at the end of this section that invokes the # UNTRACKED_DISPOSITION (shorewall6.conf(5)). # # NEW # # Packets in the NEW state are processed by rules in this section. If the # INVALID and/or UNTRACKED sections are empty or not included, then the # packets in the corresponding state(s) are also processed in this section. # # Note # # If you are not familiar with Netfilter to the point where you are comfortable # with the differences between the various connection tracking states, then it is # suggested that you omit the ESTABLISHED and RELATED sections and place all of # your rules in the NEW section (That's after the line that reads ?SECTION NEW'). # # Warning # # If you specify FASTACCEPT=Yes in shorewall6.conf(5) then the ESTABLISHED and # RELATED sections must be empty. # # An except is made if you are running Shorewall 4.4.27 or later and you have # specified a non-default value for RELATED_DISPOSITION or RELATED_LOG_LEVEL. In # that case, you may have rules in the RELATED section of this file. # # You may omit any section that you don't need. If no Section Headers appear in # the file then all rules are assumed to be in the NEW section. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # ACTION - target[:{log-level|none}[!][:tag]] # # Specifies the action to be taken if the connection request matches the # rule. target must be one of the following. 
# # ACCEPT # # Allow the connection request. # # ACCEPT+ # # like ACCEPT but also excludes the connection from any subsequent # matching DNAT[-] or REDIRECT[-] rules. Requires Shorewall 4.5.14 or # later. # # ACCEPT! # # like ACCEPT but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # action # # The name of an action declared in shorewall6-actions(5) or in /usr/ # share/shorewall/actions.std. # # ADD(ipset:flags) # # Added in Shorewall 4.4.12. Causes addresses and/or port numbers to be # added to the named ipset. The flags specify the address or tuple to be # added to the set and must match the type of ipset involved. For # example, for an iphash ipset, either the SOURCE or DESTINATION address # can be added using flags src or dst respectively (see the -A command in # ipset (8)). # # Beginning with Shorewall 5.0.3, an optional timeout can be specified. # This is the number of seconds that the new entry in the ipset is to # remain valid and overrides any timeout specified when the ipset was # created. # # ADD is non-terminating. Even if a packet matches the rule, it is passed # on to the next rule. # # AUDIT[(accept|drop|reject)] # # Added in Shorewall 4.5.10. Audits the packet with the specified type; # if the type is omitted, then drop is assumed. Require AUDIT_TARGET # support in the kernel and iptables. # # A_ACCEPT, and A_ACCEPT! # # Added in Shorewall 4.4.20. Audited versions of ACCEPT and ACCEPT! # respectively. Require AUDIT_TARGET support in the kernel and iptables. # # A_DROP and A_DROP! # # Added in Shorewall 4.4.20. Audited versions of DROP and DROP! # respectively. Require AUDIT_TARGET support in the kernel and iptables. # # A_REJECT AND A_REJECT! # # Added in Shorewall 4.4.20. Audited versions of REJECT and REJECT! # respectively. Require AUDIT_TARGET support in the kernel and iptables. # # [?]COMMENT # # the rest of the line will be attached as a comment to the Netfilter # rule(s) generated by the following entries. 
The comment will appear # delimited by "/* ... */" in the output of "shorewall show ". To # stop the comment from being attached to further rules, simply include # COMMENT on a line by itself. # # Note # # Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and # is preferred. # # CONTINUE # # For experts only. # # Do not process any of the following rules for this (source # zone,destination zone). If the source and/or destination IP address # falls into a zone defined later in shorewall6-zones(5) or in a parent # zone of the source or destination zones, then this connection request # will be passed to the rules defined for that (those) zone(s). See # shorewall6-nesting(5) for additional information. # # CONTINUE! # # like CONTINUE but exempts the rule from being suppressed by OPTIMIZE=1 # in shorewall6.conf(5). # # COUNT # # Simply increment the rule's packet and byte count and pass the packet # to the next rule. # # DEL(ipset:flags) # # Added in Shorewall 4.4.12. Causes an entry to be deleted from the named # ipset. The flags specify the address or tuple to be deleted from the # set and must match the type of ipset involved. For example, for an # iphash ipset, either the SOURCE or DESTINATION address can be deleted # using flags src or dst respectively (see the -D command in ipset (8)). # # DEL is non-terminating. Even if a packet matches the rule, it is passed # on to the next rule. # # DNAT # # Forward the request to another system (and optionally another port). # Requires Shorewall 4.5.14 or later. # # DNAT- # # Advanced users only. # # Like DNAT but only generates the DNAT iptables rule and not the # companion ACCEPT rule. Requires Shorewall 4.5.14 or later. # # DROP # # Ignore the request. # # DROP! # # like DROP but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # HELPER # # Added in Shorewall 4.5.7. 
This action requires that the HELPER column # contains the name of the Netfilter helper to be associated with # connections matching this connection. May only be specified in the NEW # section and is useful for being able to specify a helper when the # applicable policy is ACCEPT. No destination zone should be specified in # HELPER rules. # # INLINE[(action)] # # Added in Shorewall 4.5.16. This action allows you to construct most of # the rule yourself using ip6tables syntax. The part that you specify # must follow a semicolon (';') and is completely free-form. If the # target of the rule (the part following 'j') is something that Shorewall # supports in the ACTION column, then you may enclose it in parentheses # (e.g., INLINE(ACCEPT)). Otherwise, you can include it after the # semicolon. In this case, you must declare the target as a builtin # action in shorewall6-actions(5). # # Some considerations when using INLINE: # # ☆ The p, s, d, i, o, policy, and state match (state or conntrack # --ctstate) matches will always appear in the front of the rule in # that order. # # ☆ When multiple matches are specified, the compiler will keep them in # the order in which they appear (excluding the above listed ones), # but they will not necessarily be at the end of the generated rule. # For example, if addresses are specified in the SOURCE and/or DEST # columns, their generated matches will appear after those specified # using ';'. # # IP6TABLES({ip6tables-target [option ...]) # # This action allows you to specify an ip6tables target with options # (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If the ip6tables-target # is not one recognized by Shorewall, the following error message will be # issued: # # ERROR: Unknown target (ip6tables-target) # # This error message may be eliminated by adding the ip6tables-target as # a builtin action in shorewall6-actions(5). 
# # Important # # If you specify REJECT as the ip6tables-target, the target of the rule # will be the ip6tables REJECT target and not Shorewall's builtin # 'reject' chain which is used when REJECT (see below) is specified as # the target in the ACTION column. # # LOG:level # # Simply log the packet and continue with the next rule. # # macro[(macrotarget)] # # The name of a macro defined in a file named macro.macro. If the macro # accepts an action parameter (Look at the macro source to see if it has # PARAM in the TARGET column) then the macro name is followed by the # parenthesized macrotarget (ACCEPT, DROP, REJECT, ...) to be substituted # for the parameter. # # Example: FTP(ACCEPT). # # The older syntax where the macro name and the target are separated by a # slash (e.g. FTP/ACCEPT) is still allowed but is deprecated. # # NFLOG[(nflog-parameters)] # # Added in Shorewall 4.5.9.3. Queues matching packets to a back end # logging daemon via a netlink socket then continues to the next rule. # See http://www.shorewall.net/shorewall_logging.html. # # Similar to LOG:NFLOG[(nflog-parameters)], except that the log level is # not changed when this ACTION is used in an action or macro and the # invocation of that action or macro specifies a log level. # # NFQUEUE[([queuenumber1[:queuenumber2][,bypass]]|bypass)] # # Queues the packet to a user-space application using the nfnetlink_queue # mechanism. If a queuenumber1 is not specified, queue zero (0) is # assumed. Beginning with Shorewall 4.6.10, the keyword bypass can be # given. By default, if no userspace program is listening on an NFQUEUE, # then all packets that are to be queued are dropped. When this option is # used, the NFQUEUE rule is silently bypassed instead. The packet will # move on to the next rule. Also beginning in Shorewall 4.6.10, a second # queue number (queuenumber2) may be specified. This specifies a range of # queues to use. Packets are then balanced across the given queues. 
This # is useful for multicore systems: start multiple instances of the # userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets # belonging to the same connection are put into the same nfqueue. # # NFQUEUE![([queuenumber1[,queuenumber2][,bypass]]|bypass)] # # like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 # in shorewall6.conf(5). # # NONAT # # Excludes the connection from any subsequent DNAT[-] or REDIRECT[-] # rules but doesn't generate a rule to accept the traffic. Requires # Shorewall 4.5.14 or later. # # QUEUE # # Queue the packet to a user-space application such as ftwall (http:// # p2pwall.sf.net). The application may reinsert the packet for further # processing. # # QUEUE! # # like QUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # REDIRECT # # Redirect the request to a server running on the firewall. Requires # Shorewall 4.5.14 or later. # # REDIRECT- # # Advanced users only. # # Like REDIRECT but only generates the REDIRECT iptables rule and not the # companion ACCEPT rule. Requires Shorewall 4.5.14 or later. # # REJECT # # disallow the request and return an icmp-unreachable or an RST packet. # # REJECT! # # like REJECT but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # TARPIT [(tarpit | honeypot | reset)] # # Added in Shorewall 4.6.6. # # TARPIT captures and holds incoming TCP connections using no local # per-connection resources. # # TARPIT only works with the PROTO column set to tcp (6), and is totally # application agnostic. This module will answer a TCP request and play # along like a listening server, but aside from sending an ACK or RST, no # data is sent. Incoming packets are ignored and dropped. The attacker # will terminate the session eventually. This module allows the initial # packets of an attack to be captured by other software for inspection. # In most cases this is sufficient to determine the nature of the attack. 
# # This offers similar functionality to LaBrea but does not require dedicated hardware or IPs. Any TCP port # that you would normally DROP or REJECT can instead become a tarpit. # # The target accepts a single optional parameter: # # tarpit # # This mode is the default and completes a connection with the # attacker but limits the window size to 0, thus keeping the attacker # waiting long periods of time. While he is maintaining state of the # connection and trying to continue every 60-240 seconds, we keep # none, so it is very lightweight. Attempts to close the connection # are ignored, forcing the remote side to time out the connection in # 12-24 minutes. # # honeypot # # This mode completes a connection with the attacker, but signals a # normal window size, so that the remote side will attempt to send # data, often with some very nasty exploit attempts. We can capture # these packets for decoding and further analysis. The module does # not send any data, so if the remote expects an application level # response, the game is up. # # reset # # This mode is handy because we can send an inline RST (reset). It # has no other function. # # The target may optionally be followed by ":" and a syslog log level (e.g, # REJECT:info or Web(ACCEPT):debug). This causes the packet to be logged at # the specified level. Note that if the ACTION involves destination network # address translation (DNAT, REDIRECT, etc.) then the packet is logged before # the destination address is rewritten. # # If the ACTION names an action declared in shorewall-actions(5) or in /usr/ # share/shorewall/actions.std then: # # □ If the log level is followed by "!' then all rules in the action are # logged at the log level. # # □ If the log level is not followed by "!" then only those rules in the # action that do not specify logging are logged at the specified level. # # □ The special log level none! suppresses logging by the action. 
# # You may also specify ULOG or NFLOG (must be in upper case) as a log # level. This will log to the ULOG or NFLOG target for routing to a separate # log through use of ulogd (http://www.netfilter.org/projects/ulogd/ # index.html). # # Actions specifying logging may be followed by a log tag (a string of # alphanumeric characters) which is appended to the string generated by the # LOGPREFIX (in shorewall6.conf(5)). # # Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log prefix # generated by the LOGPREFIX setting. # # SOURCE - {zone|zone-list[+]|{all|any}[+][-]}[:interface][:<{address-or-range[, # address-or-range]...[exclusion]>|exclusion|+ipset|^countrycode-list} # # Source hosts to which the rule applies. May be a zone declared in /etc/ # shorewall6/zones, $FW to indicate the firewall itself, all, all+, all-, # all+- or none. # # Beginning with Shorewall 4.4.13, you may use a zone-list which consists of # a comma-separated list of zones declared in shorewall6-zones (5). This # zone-list may be optionally followed by "+" to indicate that the rule is to # apply to intra-zone traffic as well as inter-zone traffic. # # When none is used either in the SOURCE or DEST column, the rule is ignored. # # all means "All Zones", including the firewall itself. all- means "All # Zones, except the firewall itself". When all[-] is used either in the # SOURCE or DEST column intra-zone traffic is not affected. When all+[-] is # used, intra-zone traffic is affected. Beginning with Shorewall 4.4.13, # exclusion is supported -- see shorewall6-exclusion(5). # # any is equivalent to all when there are no nested zones. When there are # nested zones, any only refers to top-level zones (those with no parent # zones). Note that any excludes all vserver zones, since those zones are # nested within the firewall zone. 
# # Except when all[+][-] or any[+][-] is specified, clients may be further # restricted to a list of networks and/or hosts by appending ":" and a # comma-separated list of network and/or host addresses. Hosts may be # specified by IP or MAC address; mac addresses must begin with "~" and must # use "-" as a separator. # # Hosts may also be specified as an IP address range using the syntax # lowaddress-highaddress. This requires that your kernel and ip6tables # contain iprange match support. If your kernel and ip6tables have ipset # match support then you may give the name of an ipset prefaced by "+". The # ipset name may be optionally followed by a number from 1 to 6 enclosed in # square brackets ([]) to indicate the number of levels of source bindings to # be matched. # # Beginning with Shorewall6 4.4.17, the primary IP address of a firewall # interface can be specified by an ampersand ('&') followed by the logical # name of the interface as found in the INTERFACE column of # shorewall6-interfaces (5). # # Beginning with Shorewall 4.5.4, A countrycode-list may be specified. A # countrycode-list is a comma-separated list of up to 15 two-character # ISO-3661 country codes enclosed in square brackets ('[...]') and preceded # by a caret ('^'). When a single country code is given, the square brackets # may be omitted. A list of country codes supported by Shorewall may be found # at http://www.shorewall.net/ISO-3661.html. Specifying a countrycode-list # requires GeoIP Match support in your ip6tables and Kernel. # # When an interface is not specified, you may omit the angled brackets ('<' # and '>') around the address(es) or you may supply them to improve # readability. # # You may exclude certain hosts from the set already defined through use of # an exclusion (see shorewall6-exclusion(5)). 
# # Examples: # # dmz:2002:ce7c::92b4:1::2 # # Host 2002:ce7c:92b4:1::2 in the DMZ # # net:2001:4d48:ad51:24::/64 # # Subnet 2001:4d48:ad51:24::/64 on the Internet # # loc:<2002:cec792b4:1::2,2002:cec792b4:1::44> # # Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the local zone. # # loc:~00-A0-C9-15-39-78 # # Host in the local zone with MAC address 00:A0:C9:15:39:78. # # net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80 # # Subnet 2001:4d48:ad51:24::/64 on the Internet except for # 2001:4d48:ad51:24:6:/80. # # $FW:&eth0 # # The primary IP address of eth0 in the firewall zone (Shorewall6 4.4.17 # and later). # # Alternatively, clients may be specified by interface by appending ":" to # the zone name followed by the interface name. For example, loc:eth1 # specifies a client that communicates with the firewall system through eth1. # This may be optionally followed by another colon (":") and an IP/MAC/subnet # address as described above (e.g., loc:eth1:<2002:ce7c::92b4:1::2>). # # Examples: # # loc:eth1:<2002:cec792b4:1::2,2002:cec792b4:1::44> # # Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the Local zone, # with both originating from eth1 # # DEST - {zone|zone-list[+]|all[+][-]}[:interface][:<{address-or-range[, # address-or-range]...[exclusion]>|exclusion|+ipset|^countrycode-list}[:port # [:random]] # # Location of Server. May be a zone declared in shorewall6-zones(5), $FW to # indicate the firewall itself, all, all+ or none. # # Beginning with Shorewall 4.4.13, you may use a zone-list which consists of # a comma-separated list of zones declared in shorewall6-zones (5). This # zone-list may be optionally followed by "+" to indicate that the rule is to # apply to intra-zone traffic as well as inter-zone traffic. Beginning with # Shorewall-4.4.13, exclusion is supported -- see shorewall6-exclusion # (5). 
# # Beginning with Shorewall6 4.4.17, the primary IP address of a firewall # interface can be specified by an ampersand ('&') followed by the logical # name of the interface as found in the INTERFACE column of # shorewall6-interfaces (5). # # Beginning with Shorewall 4.5.4, A countrycode-list may be specified. A # countrycode-list is a comma-separated list of up to 15 two-character # ISO-3661 country codes enclosed in square brackets ('[...]') and preceded # by a caret ('^'). When a single country code is given, the square brackets # may be omitted. A list of country codes supported by Shorewall may be found # at http://www.shorewall.net/ISO-3661.html. Specifying a countrycode-list # requires GeoIP Match support in your ip6tables and Kernel. # # When none is used either in the SOURCE or DEST column, the rule is ignored. # # When all is used either in the SOURCE or DEST column intra-zone traffic is # not affected. When all+ is used, intra-zone traffic is affected. # # If the DEST zone is a bport zone, then either: # # a. the SOURCE must be all[+][-], or # # b. the SOURCE zone must be another bport zone associated with the same # bridge, or # # c. the SOURCE zone must be an ipv4 zone that is associated with only the # same bridge. # # Except when all[+]|[-] is specified, the server may be further restricted # to a particular network, host or interface by appending ":" and the # network, host or interface. See SOURCE above. # # You may exclude certain hosts from the set already defined through use of # an exclusion (see shorewall6-exclusion(5)). # # Restriction: MAC addresses are not allowed (this is a Netfilter # restriction). # # If your kernel and ip6tables have ipset match support then you may give the # name of an ipset prefaced by "+". The ipset name may be optionally followed # by a number from 1 to 6 enclosed in square brackets ([]) to indicate the # number of levels of destination bindings to be matched. 
Only one of the # SOURCE and DEST columns may specify an ipset name. # # The port that the server is listening on may be included and separated from # the server's IP address by ":". If omitted, the firewall will not modify # the destination port. A destination port may only be included if the ACTION # is DNAT or REDIRECT. # # Example 1: # # loc:[2001:470:b:227::44]:3128 specifies a local server at IP address # 2001:470:b:227::44 and listening on port 3128. # # Example 2: # # loc:[]:3128 specifies that the destination port should be changed to # 3128 but the IP address should remain the same. # # The port may be specified as a service name. You may specify a port range # in the form lowport-highport to cause connections to be assigned to ports # in the range in round-robin fashion. When a port range is specified, # lowport and highport must be given as integers; service names are not # permitted. Additionally, the port range may be optionally followed by # :random which causes assignment to ports in the list to be random. # # If the ACTION is REDIRECT or REDIRECT-, this column needs only to contain # the port number on the firewall that the request should be redirected to. # That is equivalent to specifying $FW::port. # # PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all} # # Optional protocol - ipp2p* requires ipp2p match support in your kernel and # ip6tables. tcp:syn implies tcp plus the SYN flag must be set and the # RST,ACK and FIN flags must be reset. # # Beginning with Shorewall6 4.4.19, this column can contain a comma-separated # list of protocol-numbers and/or protocol names (e.g., tcp,udp). # # DPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} # # Optional destination Ports. A comma-separated list of Port names (from # services(5)), port numbers or port ranges; if the protocol is icmp, this # column is interpreted as the destination icmp-type(s). 
ICMP types may be # specified as a numeric type, a numeric type and code separated by a slash # (e.g., 3/4), or a typename. See http://www.shorewall.net/ # configuration_file_basics.htm#ICMP. Note that prior to Shorewall6 4.4.19, # only a single ICMP type may be listed. # # If the protocol is ipp2p, this column is interpreted as an ipp2p option # without the leading "--" (example bit for bit-torrent). If no port is # given, ipp2p is assumed. # # A port range is expressed as lowport:highport. # # This column is ignored if PROTO = all but must be entered if any of the # following columns are supplied. In that case, it is suggested that this # field contain a dash (-). # # If your kernel contains multi-port match support, then only a single # Netfilter rule will be generated in this list and the SPORT list below if: # # 1. There are 15 or fewer ports listed. # # 2. No port ranges are included or your kernel and ip6tables contain # extended multi-port match support. # # Beginning with Shorewall 4.6.0, an ipset name can be specified in this # column. This is intended to be used with bitmap:port ipsets. # # This column was formerly labelled DEST PORT(S). # # SPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} # # Optional source port(s). If omitted, any source port is acceptable. # Specified as a comma-separated list of port names, port numbers or port # ranges. # # Beginning with Shorewall 4.5.15, you may place '=' in this column, provided # that the DPORT column is non-empty. This causes the rule to match when # either the source port or the destination port in a packet matches one of # the ports specified in DPORT. Use of '=' requires multi-port match in your # iptables and kernel. # # Warning # # Unless you really understand IP, you should leave this column empty or # place a dash (-) in the column. Most people who try to use this column get # it wrong. 
# # If you don't want to restrict client ports but need to specify a later # column, then place "-" in this column. # # If your kernel contains multi-port match support, then only a single # Netfilter rule will be generated if in this list and the DPORT list above: # # 1. There are 15 or fewer ports listed. # # 2. No port ranges are included or your kernel and ip6tables contain # extended multi-port match support. # # Beginning with Shorewall 4.6.0, an ipset name can be specified in this # column. This is intended to be used with bitmap:port ipsets. # # This column was formerly labelled SOURCE PORT(S). # # ORIGDEST - [-] # # Included for compatibility with Shorewall. Enter '-' in this column if you # need to specify one of the later columns. # # This column was formerly labelled ORIGINAL DEST. # # RATE - limit # # where limit is one of: # # [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst] # [name1]:rate1/{sec|min|hour|day}[:burst1],[name2]:rate2/{sec|min|hour|day} # [:burst2] # # You may optionally rate-limit the rule by placing a value in this column: # # rate* is the number of connections per interval (sec or min) and burst* is # the largest burst permitted. If no burst is given, a value of 5 is assumed. # There may be no white-space embedded in the specification. # # Example: 10/sec:20 # # When s: or d: is specified, the rate applies per source IP address or per # destination IP address respectively. The names may be chosen by the user # and specify a hash table to be used to count matching connections. If not # given, the name shorewallN (where N is a unique integer) is assumed. Where # more than one rule or POLICY specifies the same name, the connection # counts for the rules are aggregated and the individual rates apply to the # aggregated count. # # Beginning with Shorewall 4.6.5, two limits may be specified, separated by a # comma. 
In this case, the first limit (name1, rate1, burst1) specifies the # per-source IP limit and the second limit specifies the per-destination IP # limit. # # Example: client:10/sec:20,:60/sec:100 # # In this example, the 'client' hash table will be used to enforce the # per-source limit and the compiler will pick a unique name for the hash # table that tracks the per-destination limit. # # This column was formerly labelled RATE LIMIT. # # USER - [!][user-name-or-number-or-range][:group-name-or-number-or-range] # # This optional column may only be non-empty if the SOURCE is the firewall # itself. # # When this column is non-empty, the rule applies only if the program # generating the output is running under the effective user and/or group # specified (or is NOT running under that id if "!" is given). # # Beginning with Shorewall 4.5.8, multiple user or group names/ids separated # by commas may be specified. # # Examples: # # joe # # program must be run by joe # # :kids # # program must be run by a member of the 'kids' group # # !:kids # # program must not be run by a member of the 'kids' group # # 2001-2099 # # UIDs 2001 through 2099 (Shorewall 4.5.6 and later) # # This column was formerly labelled USER/GROUP. # # MARK - [!]value[/mask][:C] # # Defines a test on the existing packet or connection mark. The rule will # match only if the test returns true. # # If you don't want to define a test but need to specify anything in the # following columns, place a "-" in this field. # # ! # # Inverts the test (not equal) # # value # # Value of the packet or connection mark. # # mask # # A mask to be applied to the mark before testing. # # :C # # Designates a connection mark. If omitted, the packet mark's value is # tested. # # CONNLIMIT - [d:][!]limit[:mask] # # May be used to limit the number of simultaneous connections to/from each # individual host or network to limit connections. Requires connlimit match # in your kernel and iptables. 
While the limit is only checked on rules # specifying CONNLIMIT, the number of current connections is calculated over # all current connections from the SOURCE or DESTINATION host. By default, # limiting is done by SOURCE host or net, but if the specification begins # with d:, then limiting will be done by destination host or net. # # By default, the limit is applied to each host but can be made to apply to # networks of hosts by specifying a mask. The mask specifies the width of a # VLSM mask to be applied to the source address; the number of current # connections is then taken over all hosts in the subnet source-address/mask. # When ! is specified, the rule matches when the number of connections exceeds # the limit. # # TIME - timeelement[&timeelement...] # # May be used to limit the rule to a particular time period each day, to # particular days of the week or month, or to a range defined by dates and # times. Requires time match support in your kernel and ip6tables. # # timeelement may be: # # timestart=hh:mm[:ss] # # Defines the starting time of day. # # timestop=hh:mm[:ss] # # Defines the ending time of day. # # utc # # Times are expressed in Greenwich Mean Time. # # localtz # # Deprecated by the Netfilter team in favor of kerneltz. Times are # expressed in Local Civil Time (default). # # kerneltz # # Added in Shorewall 4.5.2. Times are expressed in Local Kernel Time # (requires iptables 1.4.12 or later). # # weekdays=ddd[,ddd]... # # where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun # # monthdays=dd[,dd],... # # where dd is an ordinal day of the month # # datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]] # # Defines the starting date and time. # # datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]] # # Defines the ending date and time. # # HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall 4.4.15) # # The header-list consists of a comma-separated list of headers from the # following list. # # auth, ah, or 51 # # Authentication Headers extension header. 
# # esp, or 50 # # Encrypted Security Payload extension header. # # hop, hop-by-hop or 0 # # Hop-by-hop options extension header. # # route, ipv6-route or 41 # # IPv6 Route extension header. # # frag, ipv6-frag or 44 # # IPv6 fragmentation extension header. # # none, ipv6-nonxt or 59 # # No next header # # proto, protocol or 255 # # Any protocol header. # # If any: is specified, the rule will match if any of the listed headers are # present. If exactly: is specified, the rule will match packets that exactly # include all specified headers. If neither is given, any: is assumed. # # If ! is entered, the rule will match those packets which would not be # matched when ! is omitted. # # SWITCH - [!]switch-name[={0|1}] # # Added in Shorewall6 4.4.24 and allows enabling and disabling the rule # without requiring shorewall6 restart. # # Enables the rule if the value stored in /proc/net/nf_condition/switch-name # is 1. Disables the rule if that file contains 0 (the default). If '!' is # supplied, the test is inverted such that the rule is enabled if the file # contains 0. # # Within the switch-name, '@0' and '@{0}' are replaced by the name of the # chain to which the rule is added. The switch-name (after '@...' # expansion) must begin with a letter and be composed of letters, decimal # digits, underscores or hyphens. Switch names must be 30 characters or less # in length. # # Switches are normally off. To turn a switch on: # # echo 1 > /proc/net/nf_condition/switch-name # # To turn it off again: # # echo 0 > /proc/net/nf_condition/switch-name # # Switch settings are retained over shorewall6 restart. # # Beginning with Shorewall 4.5.10, when the switch-name is followed by =0 or # =1, then the switch is initialized to off or on respectively by the start # command. Other commands do not affect the switch setting. # # HELPER - [helper] # # Added in Shorewall 4.5.7. 
# # In the NEW section, causes the named conntrack helper to be associated with # this connection; the contents of this column are ignored unless ACTION is # ACCEPT*, DNAT* or REDIRECT*. # # In the RELATED section, will only match if the related connection has the # named helper associated with it. # # The helper may be one of: # # amanda # ftp # irc # netbios-ns # pptp # Q.931 # RAS # sane # sip # snmp # tftp # # If the HELPERS option is specified in shorewall6.conf(5), then any module # specified in this column must be listed in the HELPERS setting. # # Example # # Example 1: # # Accept SMTP requests from the DMZ to the internet # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST # ACCEPT dmz net tcp smtp # # Example 4: # # You want to accept SSH connections to your firewall only from internet IP # addresses 2002:ce7c::92b4:1::2 and 2002:ce7c::92b4:1::22 # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST # ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \ # $FW tcp 22 # # Example 5: # # You wish to limit SSH connections from remote systems to 1/min with a burst # of three (to allow for limited retry): # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE # SSH(ACCEPT) net all - - - - s:1/min:3 # # Example 6: # # Forward port 80 to dmz host $BACKUP if switch 'primary_down' is set. # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH # DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down # # Example 7: # # Drop all email from IP addresses in the country whose ISO-3661 country code # is ZZ. # # #ACTION SOURCE DEST PROTO DPORT # DROP net:^ZZ fw tcp 25 # # Example 8: # # You want to generate your own rule involving ip6tables targets and matches # not supported by Shorewall. 
# # #ACTION SOURCE DEST PROTO DPORT # INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 # # The above will generate the following ip6tables-restore input: # # -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 # # Note that SECCTX must be defined as a builtin action in shorewall6-actions # (5): # # #ACTION OPTIONS # SECCTX builtin # ###################################################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER # PORT PORT(S) DEST LIMIT GROUP ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW # Don't allow connection pickup from the net # Invalid(DROP) net all tcp # # Accept DNS connections from the firewall to the Internet # DNS(ACCEPT) $FW net # # # Accept SSH connections from the local network to the firewall and DMZ # SSH(ACCEPT) loc $FW SSH(ACCEPT) loc dmz # # DMZ DNS access to the Internet # DNS(ACCEPT) dmz net # Drop Ping from the "bad" net zone. Ping(DROP) net $FW # # Make ping work bi-directionally between the dmz, net, Firewall and local zone # (assumes that the loc-> net policy is ACCEPT). # Ping(ACCEPT) loc $FW Ping(ACCEPT) dmz $FW Ping(ACCEPT) loc dmz Ping(ACCEPT) dmz loc Ping(ACCEPT) dmz net ACCEPT $FW net ipv6-icmp ACCEPT $FW loc ipv6-icmp ACCEPT $FW dmz ipv6-icmp # Uncomment this if using Proxy ARP and static NAT and you want to allow ping from # the net zone to the dmz and loc #Ping(ACCEPT) net dmz #Ping(ACCEPT) net loc shorewall6-5.0.4/Samples6/three-interfaces/policy0000644000000000000000000000141412647470621020461 0ustar rootroot# # Shorewall6 Version 4 - Sample Policy File for three-interface configuration. 
# Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-policy" ############################################################################### #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc net ACCEPT net all DROP info all all REJECT info shorewall6-5.0.4/Samples6/three-interfaces/stoppedrules0000644000000000000000000000145712647470621021722 0ustar rootroot# # Shorewall6 version 4.5 Sample Stoppedrules File for three-interface configuration. # Copyright (C) 2012-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall-stoppedrules" ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE # PORT(S) PORT(S) ACCEPT eth1 - ACCEPT - eth1 ACCEPT eth2 - ACCEPT - eth2 shorewall6-5.0.4/Samples6/three-interfaces/zones0000644000000000000000000000137512647470621020326 0ustar rootroot# # Shorewall6 version 4 - Sample Zones File for three-interface configuration. 
# Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-zones" # ############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv6 loc ipv6 dmz ipv6 shorewall6-5.0.4/Samples6/three-interfaces/policy.annotated0000644000000000000000000002106112650244171022426 0ustar rootroot# # Shorewall6 Version 4 - Sample Policy File for three-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-policy" ############################################################################### # # This file defines the high-level policy for connections between zones defined # in shorewall6-zones(5). # # Important # # The order of entries in this file is important # # This file determines what to do with a new connection request if we don't get a # match from the /etc/shorewall6/rules file . For each source/destination pair, # the file is processed in order until a match is found ("all" will match any # client or server). 
# # Important # # Intra-zone policies are pre-defined # # For $FW and for all of the zones defined in /etc/shorewall6/zones, the POLICY # for connections from the zone to itself is ACCEPT (with no logging or TCP # connection rate limiting) but may be overridden by an entry in this file. The # overriding entry must be explicit (specifying the zone name on both SOURCE and # DEST) or it must use "all+" (Shorewall 4.5.17 or later). # # Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall6.conf, then the # implicit policy to/from any sub-zone is CONTINUE. These implicit CONTINUE # policies may also be overridden by an explicit entry in this file. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # SOURCE - zone|$FW|all|all+ # # Source zone. Must be the name of a zone defined in shorewall6-zones(5), # $FW, "all" or "all+". # # Support for "all+" was added in Shorewall 4.5.17. "all" does not override # the implicit intra-zone ACCEPT policy while "all+" does. # # DEST - zone|$FW|all|all+ # # Destination zone. Must be the name of a zone defined in shorewall6-zones # (5), $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE # must be "all", "all+", another bport zone associated with the same bridge, # or it must be an ipv4 zone that is associated with only the same bridge. # # Support for "all+" was added in Shorewall 4.5.17. "all" does not override # the implicit intra-zone ACCEPT policy while "all+" does. # # POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2 # ])]|NONE}[:{default-action-or-macro[:level]|None}] # # Policy if no match from the rules file is found. # # If the policy is neither CONTINUE nor NONE then the policy may be followed # by ":" and one of the following: # # a. The word "None" or "none". 
This causes any default action defined in # shorewall6.conf(5) to be omitted for this policy. # # b. The name of an action. The action will be invoked before the policy is # enforced. # # Actions can have parameters specified. # # Beginning with Shorewall 4.5.10, the action name can be followed optionally # by a colon and a log level. The level will be applied to each rule in the # action or body that does not already have a log level. # # Possible actions are: # # ACCEPT # # Accept the connection. # # DROP # # Ignore the connection request. # # REJECT # # For TCP, send RST. For all other, send an "unreachable" ICMP. # # QUEUE # # Queue the request for a user-space application such as Snort-inline. # # NFQUEUE # # Queue the request for a user-space application using the # nfnetlink_queue mechanism. If a queuenumber1 is not given, queue zero # (0) is assumed. Beginning with Shorewall 4.6.10, a second queue number # (queuenumber2) may be given. This specifies a range of queues to use. # Packets are then balanced across the given queues. This is useful for # multicore systems: start multiple instances of the userspace program on # queues x, x+1, .. x+n and use "x:x+n". Packets belonging to the same # connection are put into the same nfqueue. # # CONTINUE # # Pass the connection request past any other rules that it might also # match (where the source or destination zone in those rules is a # superset of the SOURCE or DEST in this policy). See shorewall6-nesting # (5) for additional information. # # NONE # # Assume that there will never be any packets from this SOURCE to this # DEST. shorewall6 will not create any infrastructure to handle such # packets and you may not have any rules with this SOURCE and DEST in the # /etc/shorewall6/rules file. If such a packet is received, the result is # undefined. NONE may not be used if the SOURCE or DEST columns contain # the firewall zone ($FW) or "all". 
# # LOG LEVEL (loglevel) - [log-level|NFLOG] # # Optional - if supplied, each connection handled under the default POLICY is # logged at that level. If not supplied, no log message is generated. See # syslog.conf(5) for a description of log levels. # # You may also specify NFLOG (must be in upper case). This will log to the # NFLOG target and will send to a separate log through use of ulogd (http:// # www.netfilter.org/projects/ulogd/index.html). # # For a description of log levels, see http://www.shorewall.net/ # shorewall_logging.html. # # If you don't want to log but need to specify the following column, place # "-" here. # # BURST:LIMIT (limit) - [-|limit] # # where limit is one of: # # [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst] # [name1]:rate1/{sec|min|hour|day}[:burst1],[name2]:rate2/{sec|min|hour|day} # [:burst2] # # If passed, specifies the maximum TCP connection rate and the size of an # acceptable burst. If not specified, TCP connections are not limited. If the # burst parameter is omitted, a value of 5 is assumed. # # When s: or d: is specified, the rate applies per source IP address or per # destination IP address respectively. The name may be chosen by the user and # specifies a hash table to be used to count matching connections. If not # given, the name shorewall is assumed. Where more than one POLICY or rule # specifies the same name, the connection counts for the policies are # aggregated and the individual rates apply to the aggregated count. # # Beginning with Shorewall 4.6.5, two limits may be specified, separated by a # comma. In this case, the first limit (name1, rate1, burst1) specifies the # per-source IP limit and the second limit specifies the per-destination IP # limit. # # Example: client:10/sec:20,:60/sec:100 # # CONNLIMIT - limit[:mask] # # May be used to limit the number of simultaneous connections from each # individual host to limit connections. 
While the limit is only checked on # connections to which this policy could apply, the number of current # connections is calculated over all current connections from the SOURCE # host. By default, the limit is applied to each host individually but can be # made to apply to networks of hosts by specifying a mask. The mask specifies # the width of a VLSM mask to be applied to the source address; the number of # current connections is then taken over all hosts in the subnet # source-address/mask. # # Example # # a. All connections from the local network to the internet are allowed # # b. All connections from the internet are ignored but logged at syslog level # KERNEL.INFO. # # c. All other connection requests are rejected and logged at level KERNEL.INFO. # # #SOURCE DEST POLICY LOG BURST:LIMIT # # LEVEL # loc net ACCEPT # net all DROP info # # # # THE FOLLOWING POLICY MUST BE LAST # # # all all REJECT info # ############################################################################### #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc net ACCEPT net all DROP info all all REJECT info shorewall6-5.0.4/Samples6/three-interfaces/README.txt0000644000000000000000000000216212647470621020736 0ustar rootrootFor instructions on using these sample configurations, please see http://www.shorewall.net/three-interface.htm Shorewall Samples Copyright (C) 2006-2014 by the following authors: Thomas M. Eastep Paul D. Gear Cristian Rodriguez Francesca Smith This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. 
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Sample files are licensed under the LGPL, please see the LICENSE file or http://www.gnu.org/licenses/lgpl.html for more details. shorewall6-5.0.4/Samples6/three-interfaces/rules0000644000000000000000000000411412647470621020314 0ustar rootroot# # Shorewall6 version 4.0 - Sample Rules File for three-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-rules" ###################################################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER # PORT PORT(S) DEST LIMIT GROUP ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW # Don't allow connection pickup from the net # Invalid(DROP) net all tcp # # Accept DNS connections from the firewall to the Internet # DNS(ACCEPT) $FW net # # # Accept SSH connections from the local network to the firewall and DMZ # SSH(ACCEPT) loc $FW SSH(ACCEPT) loc dmz # # DMZ DNS access to the Internet # DNS(ACCEPT) dmz net # Drop Ping from the "bad" net zone. 
Ping(DROP) net $FW # # Make ping work bi-directionally between the dmz, net, Firewall and local zone # (assumes that the loc-> net policy is ACCEPT). # Ping(ACCEPT) loc $FW Ping(ACCEPT) dmz $FW Ping(ACCEPT) loc dmz Ping(ACCEPT) dmz loc Ping(ACCEPT) dmz net ACCEPT $FW net ipv6-icmp ACCEPT $FW loc ipv6-icmp ACCEPT $FW dmz ipv6-icmp # Uncomment this if using Proxy ARP and static NAT and you want to allow ping from # the net zone to the dmz and loc #Ping(ACCEPT) net dmz #Ping(ACCEPT) net loc shorewall6-5.0.4/Samples6/three-interfaces/shorewall6.conf0000644000000000000000000001055112647470621022176 0ustar rootroot############################################################################### # # Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf # # For information about the settings in this file, type "man shorewall6.conf" # # Manpage also online at # http://www.shorewall.net/manpages6/shorewall6.conf.html ############################################################################### # S T A R T U P E N A B L E D ############################################################################### STARTUP_ENABLED=No ############################################################################### # V E R B O S I T Y ############################################################################### VERBOSITY=1 ############################################################################### # L O G G I N G ############################################################################### BLACKLIST_LOG_LEVEL= INVALID_LOG_LEVEL= LOG_BACKEND= LOG_VERBOSITY=2 LOGALLNEW= LOGFILE=/var/log/messages LOGFORMAT="Shorewall:%s:%s:" LOGLIMIT= LOGTAGONLY=No MACLIST_LOG_LEVEL=info RELATED_LOG_LEVEL= RPFILTER_LOG_LEVEL=info SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info STARTUP_LOG=/var/log/shorewall6-init.log TCP_FLAGS_LOG_LEVEL=info UNTRACKED_LOG_LEVEL= ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S 
############################################################################### CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall GEOIPDIR=/usr/share/xt_geoip/LE IP6TABLES= IP= IPSET= LOCKFILE= MODULESDIR= NFACCT= PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin RESTOREFILE= SHOREWALL_SHELL=/bin/sh SUBSYSLOCK= TC= ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### ACCEPT_DEFAULT="none" DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" REJECT_DEFAULT="Reject" ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' RSH_COMMAND='ssh ${root}@${system} ${command}' ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### ACCOUNTING=Yes ACCOUNTING_TABLE=filter ADMINISABSENTMINDED=Yes BASIC_FILTERS=No IGNOREUNKNOWNVARIABLES=No AUTOCOMMENT=Yes AUTOHELPERS=Yes AUTOMAKE=No BLACKLIST="NEW,INVALID,UNTRACKED" CHAIN_SCRIPTS=No CLAMPMSS=No CLEAR_TC=Yes COMPLETE=No DEFER_DNS_RESOLUTION=Yes DELETE_THEN_ADD=Yes DONT_LOAD= DYNAMIC_BLACKLIST=Yes EXPAND_POLICIES=Yes EXPORTMODULES=Yes FASTACCEPT=No FORWARD_CLEAR_MARK= HELPERS= IMPLICIT_CONTINUE=No INLINE_MATCHES=Yes IPSET_WARNINGS=Yes IP_FORWARDING=keep KEEP_RT_TABLES=Yes LOAD_HELPERS_ONLY=Yes MACLIST_TABLE=filter MACLIST_TTL= MANGLE_ENABLED=Yes MARK_IN_FORWARD_CHAIN=No MODULE_SUFFIX="ko ko.xz" MUTEX_TIMEOUT=60 OPTIMIZE=All OPTIMIZE_ACCOUNTING=No REJECT_ACTION= REQUIRE_INTERFACE=No RESTART=restart RESTORE_ROUTEMARKS=Yes SAVE_IPSETS=No TC_ENABLED=No TC_EXPERT=No TC_PRIOMAP="2 3 3 3 2 3 
1 1 2 2 2 2 2 2 2 2" TRACK_PROVIDERS=Yes TRACK_RULES=No USE_DEFAULT_RT=Yes USE_PHYSICAL_NAMES=No USE_RT_NAMES=No WARNOLDCAPVERSION=Yes WORKAROUNDS=No ZONE2ZONE=- ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### BLACKLIST_DISPOSITION=DROP INVALID_DISPOSITION=CONTINUE MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT SFILTER_DISPOSITION=DROP RPFILTER_DISPOSITION=DROP SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP UNTRACKED_DISPOSITION=CONTINUE ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ TC_BITS= PROVIDER_BITS= PROVIDER_OFFSET= MASK_BITS= ZONE_BITS=0 #LAST LINE -- DO NOT REMOVE shorewall6-5.0.4/Samples6/three-interfaces/interfaces0000644000000000000000000000165012647470621021307 0ustar rootroot# # Shorewall6 version 4 - Sample Interfaces File for three-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. 
#------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-interfaces" ############################################################################### ?FORMAT 2 ############################################################################### #ZONE INTERFACE OPTIONS net eth0 tcpflags,forward=1,sourceroute=0 loc eth1 tcpflags,forward=1 dmz eth2 tcpflags,forward=1 shorewall6-5.0.4/Samples6/three-interfaces/stoppedrules.annotated0000644000000000000000000001022312650244173023660 0ustar rootroot# # Shorewall6 version 4.5 Sample Stoppedrules File for three-interface configuration. # Copyright (C) 2012-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall-stoppedrules" ############################################################################### # # This file is used to define the hosts that are accessible when the firewall is # stopped or is being stopped. # # Warning # # Changes to this file do not take effect until after the next shorewall6 start, # shorewall6 reload, shorewall6 restart, or shorewall6 compile command. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # ACTION - ACCEPT|NOTRACK # # Determines the disposition of the packet. # # ACCEPT means that the packet will be accepted. # # NOTRACK indicates that no conntrack entry should be created for the packet. # NOTRACK does not imply ACCEPT. 
# # DROP was added in Shorewall 4.6.0 and causes the packet to be dropped in # the raw table's PREROUTING chain. # # SOURCE - [-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[, # address]...] # # $FW matches packets originating on the firewall itself, while interface # specifies packets arriving on the named interface. # # This column may also include a comma-separated list of IP/subnet addresses. # If your kernel and iptables include iprange match support, IP address # ranges are also allowed. Ipsets and exclusion are also supported. When $FW # or interface are specified, the list must be preceded by a colon (":"). # # If left empty or supplied as "-", ::/0 is assumed. # # DEST - [-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[, # address]...] # # $FW matches packets addressed to the firewall itself, while interface # specifies packets arriving on the named interface. Neither may be specified # if the target is NOTRACK or DROP. # # This column may also include a comma-separated list of IP/subnet addresses. # If your kernel and iptables include iprange match support, IP address # ranges are also allowed. Ipsets and exclusion are also supported. When $FW # or interface are specified, the list must be preceded by a colon (":"). # # If left empty or supplied as "-", ::/0 is assumed. # # PROTO (Optional) ‒ protocol-name-or-number[,...] # # Protocol. # # Beginning with Shorewall 4.5.12, this column can accept a comma-separated # list of protocols. # # DPORT ‒ service-name/port-number-list # # Optional. A comma-separated list of port numbers and/or service names from # /etc/services. May also include port ranges of the form low-port:high-port # if your kernel and iptables include port range support. # # This column was formerly labelled DEST PORT(S). # # SPORT ‒ service-name/port-number-list # # Optional. A comma-separated list of port numbers and/or service names from # /etc/services. 
May also include port ranges of the form low-port:high-port # if your kernel and iptables include port range support. # # Beginning with Shorewall 4.5.15, you may place '=' in this column, provided # that the DPORT column is non-empty. This causes the rule to match when # either the source port or the destination port in a packet matches one of # the ports specified in DPORT. Use of '=' requires multi-port match in your # iptables and kernel. # # This column was formerly labelled SOURCE PORT(S). # ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE # PORT(S) PORT(S) ACCEPT eth1 - ACCEPT - eth1 ACCEPT eth2 - ACCEPT - eth2 shorewall6-5.0.4/Samples6/three-interfaces/zones.annotated0000644000000000000000000002110712650244173022270 0ustar rootroot# # Shorewall6 version 4 - Sample Zones File for three-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-zones" # ############################################################################### # # The /etc/shorewall6/zones file declares your network zones. You specify the # hosts in each zone through entries in /etc/shorewall6/interfaces or /etc/ # shorewall6/hosts. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # ZONE - zone[:parent-zone[,parent-zone]...] # # Name of the zone. 
The names "all", "none", "SOURCE" and "DEST" are reserved # and may not be used as zone names. The maximum length of a zone name is # determined by the setting of the LOGFORMAT option in shorewall6.conf(5). # With the default LOGFORMAT, zone names can be at most 5 characters long. # # The maximum length of an iptables log prefix is 29 bytes. As explained # in shorewall6.conf (5), the default LOGPREFIX formatting string is # “Shorewall:%s:%s:” where the first %s is replaced by the chain name and # the second is replaced by the disposition. # # ☆ The default formatting string has 12 fixed characters ("Shorewall" # and three colons). # # ☆ The longest of the standard dispositions are ACCEPT and REJECT # which have 6 characters each. # # ☆ The canonical name for the chain containing the rules for traffic # going from zone 1 to zone 2 is "<zone 1>2<zone 2>". # # ☆ So if M is the maximum zone name length, such chains can have # length 2*M + 1. # # 12 + 6 + 2*M + 1 = 29 which reduces to # 2*M = 29 - 12 - 6 - 1 = 10 or # M = 5 # # The order in which Shorewall6 matches addresses from packets to zones is # determined by the order of zone declarations. Where a zone is nested in one # or more other zones, you may either ensure that the nested zone precedes # its parents in this file, or you may follow the (sub)zone name by ":" and a # comma-separated list of the parent zones. The parent zones must have been # declared in earlier records in this file. See shorewall6-nesting(5) for # additional information. # # Example: # # #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS # a ipv6 # b ipv6 # c:a,b ipv6 # # Currently, Shorewall6 uses this information to reorder the zone list so # that parent zones appear after their subzones in the list. The # IMPLICIT_CONTINUE option in shorewall6.conf(5) can also create implicit # CONTINUE policies to/from the subzone. 
# # Where an ipsec zone is explicitly included as a child of an ipv6 zone, the # ruleset allows CONTINUE policies (explicit or implicit) to work as # expected. # # In the future, Shorewall6 may make additional use of nesting information. # # TYPE # # ipv6 # # This is the standard Shorewall6 zone type and is the default if you # leave this column empty or if you enter "-" in the column. # Communication with some zone hosts may be encrypted. Encrypted hosts # are designated using the 'ipsec' option in shorewall6-hosts(5). # # ipsec (or ipsec6) # # Communication with all zone hosts is encrypted. Your kernel and # ip6tables must include policy match support. # # firewall # # Designates the firewall itself. You must have exactly one 'firewall' # zone. No options are permitted with a 'firewall' zone. The name that # you enter in the ZONE column will be stored in the shell variable $FW # which you may use in other configuration files to designate the # firewall zone. # # bport (or bport6) # # The zone is associated with one or more ports on a single bridge. # # vserver # # Added in Shorewall 4.4.11 Beta 2 - A zone composed of Linux-vserver # guests. The zone contents must be defined in shorewall6-hosts (5). # # Vserver zones are implicitly handled as subzones of the firewall zone. # # loopback # # Added in Shorewall 4.5.17. # # Normally, Shorewall treats the loopback interface (lo) in the following # way: # # ☆ By default, all traffic through the interface is ACCEPTed. # # ☆ If a $FW -> $FW policy is defined or $FW -> $FW rules are defined, # they are placed in a chain named ${FW}2${FW} or ${FW}-${FW} (e.g., # 'fw2fw' or 'fw-fw' ) depending on the ZONE2ZONE setting in # shorewall6.conf(5). # # ☆ $FW -> $FW traffic is only filtered in the OUTPUT chain. # # By defining a loopback zone and associating it with the loopback # interface in shorewall-interfaces(5), you can effect a slightly # different model. 
Suppose that the loopback zone name is 'local'; then: # # ☆ Both $FW -> local and local -> $FW chains are created. # # ☆ The $FW -> local and local -> $FW policies may be different. # # ☆ Both $FW -> local and local -> $FW rules may be specified. # # Rules to/from the loopback zone and any zone other than the firewall # zone are ignored with a warning. # # loopback zones may be nested within other loopback zones. # # local # # Added in Shorewall 4.5.17. local is the same as ipv6 with the exception # that the zone is only accessible from the firewall and vserver zones. # # OPTIONS, IN OPTIONS and OUT OPTIONS (options, in_options, out_options) - [ # option[,option]...] # # A comma-separated list of options. With the exception of the mss and # blacklist options, these only apply to TYPE ipsec zones. # # blacklist # # Added in Shorewall 4.4.13. May not be specified for firewall or vserver # zones. # # When specified in the IN_OPTIONS column, causes all traffic from this # zone to be passed against the src entries in shorewall6-blacklist(5). # # When specified in the OUT_OPTIONS column, causes all traffic to this # zone to be passed against the dst entries in shorewall6-blacklist(5). # # Specifying this option in the OPTIONS column is equivalent to entering # it in both of the IN_OPTIONS and OUT_OPTIONS column. # # dynamic_shared # # Added in Shorewall 4.5.9. May only be specified in the OPTIONS column # and indicates that only a single ipset should be created for this zone # if it has multiple dynamic entries in shorewall6-hosts(5). Without this # option, a separate ipset is created for each interface. # # reqid=number # # where number is specified using setkey(8) using the 'unique:number # option for the SPD level. # # spi= # # where number is the SPI of the SA used to encrypt/decrypt packets. # # proto=ah|esp|ipcomp # # IPSEC Encapsulation Protocol # # mss=number # # sets the MSS field in TCP packets. 
If you supply this option, you # should also set FASTACCEPT=No in shorewall6.conf(5) to insure that both # the SYN and SYN,ACK packets have their MSS field adjusted. # # mode=transport|tunnel # # IPSEC mode # # tunnel-src=address[/mask] # # only available with mode=tunnel # # tunnel-dst=address[/mask] # # only available with mode=tunnel # # strict # # Means that packets must match all rules. # # next # # Separates rules; can only be used with strict # # The options in the OPTIONS column are applied to both incoming and outgoing # traffic. The IN OPTIONS are applied to incoming traffic (in addition to # OPTIONS) and the OUT OPTIONS are applied to outgoing traffic. # # If you wish to leave a column empty but need to make an entry in a # following column, use "-". # ############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv6 loc ipv6 dmz ipv6 shorewall6-5.0.4/Samples6/three-interfaces/shorewall6.conf.annotated0000644000000000000000000020074512650244172024152 0ustar rootroot############################################################################### # # Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf # # For information about the settings in this file, type "man shorewall6.conf" # # Manpage also online at # http://www.shorewall.net/manpages6/shorewall6.conf.html ############################################################################### # S T A R T U P E N A B L E D ############################################################################### # # OPTIONS # # Many options have as their value a log-level. Log levels are a method of # describing to syslog (8) the importance of a message and a number of parameters # in this file have log levels as their value. # # These levels are defined by syslog and are used to determine the destination of # the messages through entries in /etc/syslog.conf (5). 
The syslog documentation # refers to these as "priorities"; Netfilter calls them "levels" and Shorewall6 # also uses that term. # # Valid levels are: # # 7 debug # 6 info # 5 notice # 4 warning # 3 err # 2 crit # 1 alert # 0 emerg # # For most Shorewall6 logging, a level of 6 (info) is appropriate. Shorewall6 log # messages are generated by NetFilter and are logged using facility 'kern' and # the level that you specify. If you are unsure of the level to choose, 6 (info) # is a safe bet. You may specify levels by name or by number. # # If you have built your kernel with NFLOG target support, you may also specify a # log level of NFLOG (must be all caps). Rather than log its messages to syslogd, # Shorewall6 will direct netfilter to log the messages via the NFLOG target which # will send them to a process called 'ulogd'. ulogd is available with most Linux # distributions (although it probably isn't installed by default). Ulogd is also # available from http://www.netfilter.org/projects/ulogd/index.html and can be # configured to log all Shorewall6 message to their own log file # # Note # # If you want to specify parameters to ULOG or NFLOG (e.g., NFLOG(1,0,1)), then # you must quote the setting. # # Example: # STARTUP_ENABLED=No # # STARTUP_ENABLED={Yes|No} # # Determines if Shorewall6 is allowed to start. As released from # shorewall.net, this option is set to No. When set to Yes or yes, Shorewall6 # may be started. Used as a guard against Shorewall6 being accidentally # started before it has been configured. # ############################################################################### # V E R B O S I T Y ############################################################################### VERBOSITY=1 # # VERBOSITY=[number] # # Shorewall6 has traditionally been very noisy (produced lots of output). You # may set the default level of verbosity using the VERBOSITY OPTION. # # Values are: # # 0 - Silent. 
You may make it more verbose using the -v option # 1 - Major progress messages displayed # 2 - All progress messages displayed (pre Shorewall6-3.2.0 behavior) # # If not specified, then 2 is assumed. # ############################################################################### # L O G G I N G ############################################################################### BLACKLIST_LOG_LEVEL= # # BLACKLIST_LOG_LEVEL=[log-level[:log-tag]] # # Formerly named BLACKLIST_LOGLEVEL. This parameter determines if packets # from blacklisted hosts are logged and it determines the syslog level that # they are to be logged at. Its value is a syslog level (Example: # BLACKLIST_LOG_LEVEL=debug). If you do not assign a value or if you assign # an empty value then packets from blacklisted hosts are not logged. The # setting determines the log level of packets sent to the blacklog target of # shorewall6-blrules(5). # INVALID_LOG_LEVEL= # # INVALID_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.5.13. Packets in the INVALID state that do not match # any rule in the INVALID section of shorewall6-rules (5) are logged at this # level. The default value is empty which means no logging is performed. # LOG_BACKEND= # # LOG_BACKEND=[backend] # # Added in Shorewall 4.6.4. LOG_BACKEND determines the logging backend to be # used for the iptrace command (see shorewall6(8)). # # backend is one of: # # LOG # # Use standard kernel logging. # # netlink # # Use netlink logging to ulogd version 2 or later. # LOG_VERBOSITY=2 # # LOG_VERBOSITY=[number] # # This option controls the amount of information logged to the file specified # in the STARTUP_LOG option. # # Values are: # # -1 - Logging is disabled # 0 - Silent. Only error messages are logged. # 1 - Major progress messages logged. # 2 - All progress messages logged # # If not specified, then -1 is assumed. # LOGALLNEW= # # LOGALLNEW=[log-level] # # This option is intended for use as a debugging aid. 
When set to a log # level, this option causes Shorewall6 to generate a logging rule as the # first rule in each builtin chain. # # □ The table name is used as the chain name in the log prefix. # # □ The chain name is used as the target in the log prefix. # # For example, using the default LOGFORMAT, the log prefix for logging # from the nat table's PREROUTING chain is: # # Shorewall:nat:PREROUTING # # Important # # To help insure that all packets in the NEW state are logged, rate # limiting (LOGLIMIT) should be disabled when using LOGALLNEW. Use # LOGALLNEW at your own risk; it may cause high CPU and disk utilization # and you may not be able to control your firewall after you enable this # option. # # Caution # # Do not use this option if the resulting log messages will be sent to # another system. # LOGFILE=/var/log/messages # # LOGFILE=[pathname] # # This parameter tells the /sbin/shorewall6 program where to look for # Shorewall6 messages when processing the dump, logwatch, show log, and hits # commands. If not assigned or if assigned an empty value, /var/log/messages # is assumed. # LOGFORMAT="Shorewall:%s:%s:" # # LOGFORMAT=["formattemplate"] # # The value of this variable generate the --log-prefix setting for Shorewall6 # logging rules. It contains a “printf” formatting template which accepts # three arguments (the chain name, logging rule number (optional) and the # disposition). To use LOGFORMAT with fireparse, set it as: # # LOGFORMAT="fp=%s:%d a=%s " # # If the LOGFORMAT value contains the substring “%d” then the logging rule # number is calculated and formatted in that position; if that substring is # not included then the rule number is not included. If not supplied or # supplied as empty (LOGFORMAT="") then “Shorewall6:%s:%s:” is assumed. # # Note # # The setting of LOGFORMAT has an effect of the permitted length of zone # names. See shorewall6-zones (5). 
# LOGLIMIT= # # LOGLIMIT=[[{s|d}:]rate/{sec|second|min|minute|hour|day}[:burst]] # # Added in Shorewall 4.4.12. Limits the logging rate, either overall, or by # source or destination IP address. # # If the value starts with 's:' then logging is limited per source IP. If the # value starts with 'd:', then logging is limited per destination IP. # Otherwise, the overall logging rate is limited. # # If burst is not specified, then a value of 5 is assumed. # # The keywords second and minute are accepted beginning with Shorewall # 4.6.13. # LOGTAGONLY=No # # LOGTAGONLY=[Yes|No] # # Using the default LOGFORMAT, chain names may not exceed 11 characters or # truncation of the log prefix may occur. Longer chain names may be used with # log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is # specified then the tag is included in the log prefix in place of the chain # name. # # Beginning with Shorewall 4.5.12, when LOGTAGONLY=Yes, you have more control # over the generated log prefix. Beginning with that release, the tag is # interpreted as a chain name and a disposition separated by a comma. So this # rule: # # #ACTION SOURCE DEST # LOG:info:foo,bar net fw # # would generate the following log prefix when using the default LOGFORMAT # setting: # # Shorewall:foo:bar: # # Similarly, # # #ACTION SOURCE DEST # LOG:info:,bar net fw # # would generate # # Shorewall:net2fw:bar: # MACLIST_LOG_LEVEL=info # # MACLIST_LOG_LEVEL=[log-level[:log-tag]] # # Determines the syslog level for logging connection requests that fail MAC # Verification. The value must be a valid syslogd log level. If you don't # want to log these connection requests, set to the empty value (e.g., # MACLIST_LOG_LEVEL=""). # RELATED_LOG_LEVEL= # # RELATED_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.4.27. Packets in the related state that do not match # any rule in the RELATED section of shorewall6-rules (5) are logged at this # level. 
The default value is empty which means no logging is performed. # RPFILTER_LOG_LEVEL=info # # RPFILTER_LOG_LEVEL=log-level[:log-tag] # # Added in shorewall 4.5.7. Determines the logging of packets disposed via # the RPFILTER_DISPOSITION. The default value is info. # SFILTER_LOG_LEVEL=info # # SFILTER_LOG_LEVEL=log-level[:log-tag] # # Added on Shorewall 4.4.20. Determines the logging of packets matching the # sfilter option (see shorewall6-interfaces(5)) and of hairpin packets on # interfaces without the routeback option.^[2] interfaces without the # routeback option. The default is info. If you don't wish for these packets # to be logged, use SFILTER_LOG_LEVEL=none. # SMURF_LOG_LEVEL=info # # SMURF_LOG_LEVEL=[log-level[:log-tag]] # # Specifies the logging level for smurf packets (see the nosmurfs option in # shorewall6-interfaces(5)). If set to the empty value ( SMURF_LOG_LEVEL="" ) # then smurfs are not logged. # STARTUP_LOG=/var/log/shorewall6-init.log # # STARTUP_LOG=[pathname] # # If specified, determines where Shorewall6 will log the details of each # start, reload, restart and refresh command. Logging verbosity is determined # by the setting of LOG_VERBOSITY above. # TCP_FLAGS_LOG_LEVEL=info # # TCP_FLAGS_LOG_LEVEL=[log-level[:log-tag]] # # Determines the syslog level for logging packets that fail the checks # enabled by the tcpflags interface option. The value must be a valid syslogd # log level. If you don't want to log these packets, set to the empty value # (e.g., TCP_FLAGS_LOG_LEVEL=""). # UNTRACKED_LOG_LEVEL= # # UNTRACKED_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.5.13. Packets in the UNTRACKED state that do not match # any rule in the UNTRACKED section of shorewall6-rules (5) are logged at # this level. The default value is empty which means no logging is performed. 
# ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall # # CONFIG_PATH=[directory[:directory]...] # # Specifies where configuration files other than shorewall6.conf may be # found. CONFIG_PATH is specifies as a list of directory names separated by # colons (":"). When looking for a configuration file: # # □ If the command is "try" or a "" was specified # in the command (e.g., shorewall6 check ./gateway) then the directory # given in the command is searched first. # # □ Next, each directory in the CONFIG_PATH setting is searched in # sequence. # # If CONFIG_PATH is not given or if it is set to the empty value then the # contents of /usr/share/shorewall6/configpath are used. As released from # shorewall.net, that file sets the CONFIG_PATH to /etc/shorewall6:/usr/share # /shorewall6:/usr/share/shorewall but your particular distribution may set # it differently. See the output of shorewall6 show config for the default on # your system. # GEOIPDIR=/usr/share/xt_geoip/LE # # GEOIPDIR=[pathname] # # Added in Shorewall 4.5.4. Specifies the pathname of the directory # containing the GeoIP Match database. See http://www.shorewall.net/ # ISO-3661.html. If not specified, the default value is /usr/share/xt_geoip/ # LE which is the default location of the little-endian database. # IP6TABLES= # # IP6TABLES=[pathname] # # This parameter names the ip6tables executable to be used by Shorewall6. If # not specified or if specified as a null value, then the ip6tables # executable located using the PATH option is used. # # Regardless of how the ip6tables utility is located (specified via IP6TABLES # = or located via PATH), Shorewall6 uses the ip6tables-restore and # ip6tables-save utilities from that same directory. 
# IP= # # IP=[pathname] # # If specified, gives the pathname of the 'ip' executable. If not specified, # 'ip' is assumed and the utility will be located using the current PATH # setting. # IPSET= # # IPSET=[pathname] # # If specified, gives the pathname of the 'ipset' executable. If not # specified, 'ipset' is assumed and the utility will be located using the # current PATH setting. # LOCKFILE= # # LOCKFILE=[pathname] # # Specifies the name of the Shorewall6 lock file, used to prevent # simultaneous state-changing commands. If not specified, ${VARDIR}/ # shorewall6/lock is assumed (${VARDIR} is normally /var/lib but can be # changed when Shorewall-core is installed -- see the output of shorewall6 # show vardir). # MODULESDIR= # # MODULESDIR=[pathname[:pathname]...] # # This parameter specifies the directory/directories where your kernel # netfilter modules may be found. If you leave the variable empty, Shorewall # will supply the value "/lib/modules/$uname/kernel/net/ipv${g_family}/ # netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/ # kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset" # where uname holds the output of 'uname -r' and g_family holds '6'. # NFACCT= # # NFACCT=[pathname] # # Added in Shorewall 4.5.7. Specifies the pathname of the nfacct utility. If # not specified, Shorewall will use the PATH setting to find the program. # PERL=/usr/bin/perl # # PERL=pathname # # Added in Shorewall 4.4.11 RC1. Specifies the path name of the Perl # executable. Default is /usr/bin/perl. If the pathname specified by this # option does not exist or the named file is not executable, then Shorewall6 # falls back to /usr/bin/perl # PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin # # PATH=pathname[:pathname]... # # Determines the order in which Shorewall6 searches directories for # executable files. 
# RESTOREFILE= # # RESTOREFILE=filename # # Specifies the simple name of a file in /var/lib/shorewall6 to be used as # the default restore script in the shorewall6 save, shorewall6 restore, # shorewall6 forget and shorewall6 -f start commands. # SHOREWALL_SHELL=/bin/sh # # SHOREWALL_SHELL=[pathname] # # This option is used to specify the shell program to be used to interpret # the compiled script. If not specified or specified as a null value, /bin/sh # is assumed. Using a light-weight shell such as ash or dash can # significantly improve performance. # SUBSYSLOCK= # # SUBSYSLOCK=[pathname] # # This parameter should be set to the name of a file that the firewall should # create if it starts successfully and remove when it stops. Creating and # removing this file allows Shorewall6 to work with your distribution's # initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall6. # For Debian, the value is /var/lock/shorewall6 and in LEAF it is /var/run/ # shorewall. # TC= # # TC=[pathname] # # If specified, gives the pathname of the 'tc' executable. If not specified, # 'tc' is assumed and the utility will be located using the current PATH # setting. # ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### ACCEPT_DEFAULT="none" # # ACCEPT_DEFAULT={action[(parameters)][:level]|none} # DROP_DEFAULT="Drop" # # DROP_DEFAULT={action[(parameters)][:level]|none} # NFQUEUE_DEFAULT="none" # # NFQUEUE_DEFAULT={action[(parameters)][:level]|none} # QUEUE_DEFAULT="none" # # QUEUE_DEFAULT={action[(parameters)][:level]|none} # REJECT_DEFAULT="Reject" # # REJECT_DEFAULT={action[(parameters)][:level]|none} # # DROP_DEFAULT describes the rules to be applied before a connection request # is dropped by a DROP policy; REJECT_DEFAULT describes the rules to be # applied if a connection request is rejected by a REJECT policy. 
The other # three are similar for ACCEPT, QUEUE and NFQUEUE policies. # # The value applied to these may be: # # a) The name of an action. The name may optionally be followed by a # comma-separated list of parameters enclosed in parentheses if the specified # action accepts parameters (e.g., 'Drop(audit)'). # c) None or none # # The default values are: # # DROP_DEFAULT="Drop" # REJECT_DEFAULT="Reject" # ACCEPT_DEFAULT="none" # QUEUE_DEFAULT="none" # NFQUEUE_DEFAULT="None" # # If you set the value of either option to "None" then no default action will # be used and the default action or macro must be specified in # shorewall6-policy(5). # # You can pass parameters to the specified action or macro (e.g., myaction # (audit,DROP)). # # Beginning with Shorewall 4.5.10, the action name can be followed optionally # by a colon and a log level. The level will be applied to each rule in the # action or macro body that does not already have a log level. # ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' # # RCP_COMMAND="command" # RSH_COMMAND='ssh ${root}@${system} ${command}' # # RSH_COMMAND="command" # # Earlier generations of Shorewall6 Lite required that remote root login via # ssh be enabled in order to use the load and reload commands. Beginning with # release 3.9.5, you may define an alternative means for accessing the remote # firewall system. In that release, two new options were added to # shorewall6.conf: # # RSH_COMMAND # RCP_COMMAND # # The default values for these are as follows: # # RSH_COMMAND: ssh ${root}@${system} ${command} # RCP_COMMAND: scp ${files} ${root}@${system}:${destination} # # Shell variables that will be set when the commands are invoked are as # follows: # # root - root user. Normally root but may be overridden using the '-r' # option. 
# system - The name/IP address of the remote firewall system. # command - For RSH_COMMAND, the command to be executed on the firewall # system. # files - For RCP_COMMAND, a space-separated list of files to be copied to # the remote firewall system. # destination - The directory on the remote system that the files are to be # copied into. # ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### ACCOUNTING=Yes # # ACCOUNTING=[Yes|No] # # Added in Shorewall 4.4.7. If set to Yes, Shorewall6 accounting is enabled # (see shorewall6-accounting(5)). If not specified or set to the empty value, # ACCOUNTING=Yes is assumed. # ACCOUNTING_TABLE=filter # # ACCOUNTING_TABLE=[filter|mangle] # # Added in Shorewall 4.4.20. This setting determines which Netfilter table # the accounting rules are added in. By default, ACCOUNTING_TABLE=filter is # assumed. See also shorewall6-accounting(5). # ADMINISABSENTMINDED=Yes # # ADMINISABSENTMINDED=[Yes|No] # # The value of this variable affects Shorewall's stopped state. The behavior # differs depending on whether shorewall-routestopped(5) or # shorewall-stoppedrules(5) is used: # # routestopped # # When ADMINISABSENTMINDED=No, only traffic to/from those addresses # listed in routestopped is accepted when Shorewall is stopped. When # ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in # routestopped, connections that were active when Shorewall stopped # continue to work and all new connections from the firewall system # itself are allowed. # # stoppedrules # # All existing connections continue to work. To sever all existing # connections when the firewall is stopped, install the conntrack utility # and place the command conntrack -F in the stopped user exit (/etc/ # shorewall6/stopped). 
# # If ADMINISABSENTMINDED=No, only new connections matching entries in # stoppedrules are accepted when Shorewall is stopped. Response packets # and related connections are automatically accepted. # # If ADMINISABSENTMINDED=Yes, in addition to connections matching entries # in stoppedrules, all new connections from the firewall system itself # are allowed when the firewall is stopped. Response packets and related # connections are automatically accepted. # # If this variable is not set or is given the empty value then # ADMINISABSENTMINDED=No is assumed. # BASIC_FILTERS=No # # BASIC_FILTERS=[Yes|No] # # Added in Shorewall-4.6.0. When set to Yes, causes entries in # shorewall6-tcfilters(5) to generate a basic filter rather than a u32 # filter. This setting requires the Basic Ematch capability in your kernel # and iptables. # # Note # # One of the advantages of basic filters is that ipset matches are supported # in newer iproute2 and kernel versions. Because Shorewall6 cannot reliably # detect this capability, use of basic filters is controlled by this option. # # The default value is No which causes u32 filters to be generated. # IGNOREUNKNOWNVARIABLES=No # # IGNOREUNKNOWNVARIABLES=[Yes|No] # # Added in Shorewall 4.5.11. Normally, if an unknown shell variable is # encountered in a configuration file (except in ?IF and ?ELSIF directives), # the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes, # then such variables simply expand to an empty string. Default is No. # AUTOCOMMENT=Yes # # AUTOCOMMENT=[Yes|No] # # Formerly named AUTO_COMMENT. If set, if there is not a current comment when # a macro is invoked, the behavior is as if the first line of the macro file # was "COMMENT ". The AUTO_COMMENT option has a default value of # 'Yes'. # AUTOHELPERS=Yes # # AUTOHELPERS=[Yes|No] # # Added in Shorewall 4.5.7. 
When set to Yes (the default), the generated # ruleset will automatically associate helpers with applications that require # them (FTP, IRC, etc.). When configuring your firewall on systems running # kernel 3.5 or later, it is recommended that you: # # 1. Set AUTOHELPERS=No. # # 2. Modify the HELPERS setting (see below) to list the helpers that you # need. # # 3. Either: # # a. Modify shorewall6-conntrack (5) to only apply helpers where they # are required; or # # b. Specify the appropriate helper in the HELPER column in # shorewall6-rules (5). # # Note # # The macros for those applications requiring a helper automatically # specify the appropriate HELPER where required. # AUTOMAKE=No # # AUTOMAKE=[Yes|No] # # If set, the behavior of the start, reload and restart commands is changed; # if no files in the CONFIG_PATH (see below) have been changed since the last # successful start, reload or restart command, then the compilation step is # skipped and the compiled script that executed the last start, reload or # restart command is used. The default is AUTOMAKE=No. # # The setting of the AUTOMAKE option is ignored if the start, reload or # restart command includes a directory name (e.g., shorewall6 restart /etc/ # shorewall.new). # BLACKLIST="NEW,INVALID,UNTRACKED" # # BLACKLIST=[{ALL|state[,...]}] # # where state is one of NEW, ESTABLISHED, RELATED, INVALID,or UNTRACKED. # # Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY option. Specifies # the connection tracking states that are to be subject to blacklist # screening. If BLACKLIST is not specified then the states subject to # blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED. # # Note: The ESTABLISHED state may not be specified if FASTACCEPT is # specified. # CHAIN_SCRIPTS=No # # CHAIN_SCRIPTS={Yes|No} # # Added in Shorewall 4.5.16. 
Prior to the availability of BEGIN PERL....END # PERL in configuration files, the only way to execute a chain-specific # script was to create a script file with the same name as the chain and # place it in a directory on the CONFIG_PATH. That facility has the drawback # that the compiler will attempt to run a non-script file just because it has # the same name as a chain. To disable this facility, set CHAIN_SCRIPTS=No. # If not specified or specified as the empty value, CHAIN_SCRIPTS=Yes is # assumed. # CLAMPMSS=No # # CLAMPMSS=[Yes|No|value] # # This parameter enables the TCP Clamp MSS to PMTU feature of Netfilter and # is usually required when your internet connection is through PPPoE or PPTP. # If set to Yes or yes, the feature is enabled. If left blank or set to No or # no, the feature is not enabled. # # Important: This option requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel. # # You may also set CLAMPMSS to a numeric value (e.g., CLAMPMSS=1400). This # will set the MSS field in TCP SYN packets going through the firewall to the # value that you specify. # CLEAR_TC=Yes # # CLEAR_TC=[Yes|No] # # If this option is set to No then Shorewall6 won't clear the current traffic # control rules during [re]start. This setting is intended for use by people # that prefer to configure traffic shaping when the network interfaces come # up rather than when the firewall is started. If that is what you want to # do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall6 # /tcstart file. That way, your traffic shaping rules can still use the # “fwmark” classifier based on packet marking defined in shorewall6-tcrules # (5). If not specified, CLEAR_TC=No is assumed. # # Warning # # If you also run Shorewall and if you have TC_ENABLED=Internal in your # shorewall-conf(5), then you will want CLEAR_TC=No in this file. # COMPLETE=No # # COMPLETE=[Yes|No] # # Added in Shorewall6 4.4.12. 
When you set this option to Yes, you are # asserting that the configuration is complete so that your set of zones # encompasses any hosts that can send or receive traffic to/from/through the # firewall. This causes Shorewall6 to omit the rules that catch packets in # which the source or destination IP address is outside of any of your zones. # Default is No. It is recommended that this option only be set to Yes if: # # □ You have defined an interface whose effective physical setting is '+'. # # □ That interface is assigned to a zone. # # □ You have no CONTINUE policies or rules. # DEFER_DNS_RESOLUTION=Yes # # DEFER_DNS_RESOLUTION=[Yes|No] # # Added in Shorewall 4.5.12. When set to 'Yes' (the default), DNS names are # validated in the compiler and then passed on to the generated script where # they are resolved by ip6tables-restore. This is an advantage if you use # AUTOMAKE=Yes and the IP address associated with the DNS name is subject to # change. When DEFER_DNS_RESOLUTION=No, DNS names are converted into IP # addresses by the compiler. This has the advantage that when AUTOMAKE=Yes # the start, reload and restart commands will succeed even if no DNS server # is reachable (assuming that the configuration hasn't changed since the # compiled script was last generated). # DELETE_THEN_ADD=Yes # # DELETE_THEN_ADD={Yes|No} # # If set to Yes (the default value), entries in the /etc/shorewall6/ # route_stopped files cause an 'ip rule del' command to be generated in # addition to an 'ip rule add' command. Setting this option to No, causes the # 'ip rule del' command to be omitted. # DONT_LOAD= # # DONT_LOAD=[module[,module]...] # # Causes Shorewall6 to not load the listed kernel modules. # DYNAMIC_BLACKLIST=Yes # # DYNAMIC_BLACKLIST={Yes|No} # # Added in Shorewall 4.4.7. When set to No or no, dynamic blacklisting using # the shorewall6 drop, shorewall6 reject, shorewall6 logdrop and shorewall6 # logreject is disabled. Default is Yes. 
# EXPAND_POLICIES=Yes # # EXPAND_POLICIES={Yes|No} # # Normally, when the SOURCE or DEST columns in shorewall-policy(5) contains # 'all', a single policy chain is created and the policy is enforced in that # chain. For example, if the policy entry is # # #SOURCE DEST POLICY LOG # # LEVEL # net all DROP info # # then the chain name is 'net-all' ("net2all" if ZONE2ZONE=2) which is also # the chain named in Shorewall log messages generated as a result of the # policy. If EXPAND_POLICIES=Yes, then Shorewall will create a separate chain # for each pair of zones covered by the policy. This makes the resulting log # messages easier to interpret since the chain in the messages will have a # name of the form 'a2b' where 'a' is the SOURCE zone and 'b' is the DEST # zone. # EXPORTMODULES=Yes # # EXPORTMODULES=[Yes|No] # # Added in Shorewall 4.4.17. When set to Yes when compiling for use by # Shorewall6 Lite (shorewall6 load, shorewall6 reload or shorewall6 export # commands), the compiler will copy the modules or helpers file from the # administrative system into the script. When set to No or not specified, the # compiler will not copy the modules or helpers file from /usr/share/ # shorewall6 but will copy the found in another location on the CONFIG_PATH. # # When compiling for direct use by Shorewall6, causes the contents of the # local module or helpers file to be copied into the compiled script. When # set to No or not set, the compiled script reads the file itself. # FASTACCEPT=No # # FASTACCEPT={Yes|No} # # Normally, Shorewall6 defers accepting ESTABLISHED/RELATED packets until # these packets reach the chain in which the original connection was # accepted. So for packets going from the 'loc' zone to the 'net' zone, # ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net' chain. # # If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets are accepted # early in the INPUT, FORWARD and OUTPUT chains. 
If you set FASTACCEPT=Yes # then you may not include rules in the ESTABLISHED or RELATED sections of # shorewall6-rules(5). # FORWARD_CLEAR_MARK= # # FORWARD_CLEAR_MARK={Yes|No} # # Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the # packet mark in the first rule in the mangle FORWARD chain. This behavior is # maintained with the default setting of this option (FORWARD_CLEAR_MARK= # Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle # PREROUTING chain are retained in the FORWARD chains. # HELPERS= # # HELPERS=[helper[,helper...]] # # Added in Shorewall 4.5.7. This option specifies a comma-separated list # naming the Netfilter application helpers that are to be enabled. If not # specified, the default is to enable all helpers. # # Possible values for helper are: # # □ amanda # # □ ftp # # □ h323 # # □ irc # # □ netbios-ns # # □ none - This special value was added in Shorewall 4.5.16 and indicates # that no helpers are to be enabled. It also prevents the compiler for # probing for helper support; such probing generates messages on the # system log of the form "xt_CT: No such helper XXX" where XXX is the # helper name. When used, none must be the only helper specified. # # □ pptp # # □ sane # # □ sip # # □ snmp # # □ tftp # # When HELPERS is specified on a system running Kernel 3.5.0 or later, # automatic association of helpers to connections is disabled. # IMPLICIT_CONTINUE=No # # IMPLICIT_CONTINUE={Yes|No} # # When this option is set to Yes, it causes subzones to be treated # differently with respect to policies. # # Subzones are defined by following their name with ":" and a list of parent # zones (in shorewall6-zones(5)). Normally, you want to have a set of special # rules for the subzone and if a connection doesn't match any of those # subzone-specific rules then you want the parent zone rules and policies to # be applied; see shorewall6-nesting(5). With IMPLICIT_CONTINUE=Yes, that # happens automatically. 
# # If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then subzones # are not subject to this special treatment. With IMPLICIT_CONTINUE=Yes, an # implicit CONTINUE policy may be overridden by including an explicit policy # (one that does not specify "all" in either the SOURCE or the DEST columns). # INLINE_MATCHES=Yes # # INLINE_MATCHES={Yes|No} # # Added in Shorewall 4.6.0. Traditionally in shorewall6-rules(5), a semicolon # separates column-oriented specifications on the left from alternative # specificaitons on the right.. When INLINE_MATCHES=Yes is specified, the # specifications on the right are interpreted as if INLINE had been specified # in the ACTION column. This also applies to shorewall6-masq(5) and # shorewall6-mangle(5) which also support INLINE. If not specified or if # specified as the empty value, the value 'No' is assumed for backward # compatibility. # # Beginning with Shorewall 5.0.0, it is no longer necessary to set # INLINE_MATCHES=Yes in order to be able to specify your own iptables text in # a rule. You may simply preface that text with a pair of semicolons (";;"). # If alternate input is also specified in the rule, it should appear before # the semicolons and may be seperated from normal column input by a single # semicolon. # IPSET_WARNINGS=Yes # # IPSET_WARNINGS={Yes|No} # # Added in Shorewall 4.5.2. Default is Yes. When set, causes the rules # compiler to issue a warning when: # # □ The compiler is being run by root and an ipset specified in the # configuration does not exists. Only one warning is issued for each # missing ipset. # # □ When [src] is specified in a destination column and when [dst] is # specified in a source column. # IP_FORWARDING=keep # # IP_FORWARDING=[On|Off|Keep] # # This rather useless parameter determines whether Shorewall6 enables or # disables IPV6 Packet Forwarding on all interfaces (/proc/sys/net/ipv6/ # config/all/forwarding). Possible values are: # # On or on # # packet forwarding will be enabled. 
# # Off or off # # packet forwarding will be disabled. # # Keep or keep # # Shorewall6 will neither enable nor disable packet forwarding # # If this variable is not set or is given an empty value (IP_FORWARDING="") # then IP_FORWARDING=On is assumed. # KEEP_RT_TABLES=Yes # # KEEP_RT_TABLES={Yes|No} # # When set to Yes, this option prevents scripts generated by Shorewall6 from # altering the /etc/iproute2/rt_tables database when there are entries in / # etc/shorewall6/providers. If you set this option to Yes while Shorewall6 # (Shorewall6-lite) is running, you should remove the file /var/lib/ # shorewall6/rt_tables (/var/lib/shorewall6-lite/rt_tables) before your next # stop, refresh, restore, reload or restart command. # # The default is KEEP_RT_TABLES=No. # LOAD_HELPERS_ONLY=Yes # # LOAD_HELPERS_ONLY={Yes|No} # # Added in Shorewall 4.4.7. When set to Yes, restricts the set of modules # loaded by shorewall to those listed in /var/lib/shorewall6/helpers and # those that are actually used. When not set, or set to the empty value, # LOAD_HELPERS_ONLY=No is assumed. # MACLIST_TABLE=filter # # MACLIST_TABLE=[filter|mangle] # # Normally, MAC verification occurs in the filter table (INPUT and FORWARD) # chains. When forwarding a packet from an interface with MAC verification to # a bridge interface, that doesn't work. # # This problem can be worked around by setting MACLIST_TABLE=mangle which # will cause MAC verification to occur out of the PREROUTING chain. Because # REJECT isn't available in that environment, you may not specify # MACLIST_DISPOSITION=REJECT with MACLIST_TABLE=mangle. # MACLIST_TTL= # # MACLIST_TTL=[number] # # The performance of configurations with a large number of entries in # shorewall6-maclist(5) can be improved by setting the MACLIST_TTL variable # in shorewall6.conf(5). 
# # If your iptables and kernel support the "Recent Match" (see the output of # "shorewall check" near the top), you can cache the results of a 'maclist' # file lookup and thus reduce the overhead associated with MAC Verification. # # When a new connection arrives from a 'maclist' interface, the packet passes # through the list of entries for that interface in shorewall6-maclist(5). # If there is a match then the source IP address is added to the 'Recent' set # for that interface. Subsequent connection attempts from that IP address # occurring within $MACLIST_TTL seconds will be accepted without having to # scan all of the entries. After $MACLIST_TTL from the first accepted # connection request from an IP address, the next connection request from # that IP address will be checked against the entire list. Note that the cache # is keyed on the source IP address alone: for up to $MACLIST_TTL seconds after # an address has been accepted, further connection requests carrying that # source address are not re-checked against the MAC list. # # If MACLIST_TTL is not specified or is specified as empty (e.g., MACLIST_TTL= # "") or is specified as zero, then 'maclist' lookups will not be cached. # MANGLE_ENABLED=Yes # # MANGLE_ENABLED=[Yes|No] # # Determines whether Shorewall will generate rules in the Netfilter mangle # table. Setting MANGLE_ENABLED=No disables all Shorewall features that # require the mangle table. The default is MANGLE_ENABLED=Yes. # MARK_IN_FORWARD_CHAIN=No # # MARK_IN_FORWARD_CHAIN=[Yes|No] # # If your kernel has a FORWARD chain in the mangle table, you may set # MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified in the tcrules # file to occur in that chain rather than in the PREROUTING chain. This # permits you to mark inbound traffic based on its destination address when # DNAT is in use. To determine if your kernel has a FORWARD chain in the # mangle table, use the shorewall6 show mangle command; if a FORWARD chain # is displayed then your kernel will support this option. If this option is # not specified or if it is given the empty value (e.g., # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. 
# MODULE_SUFFIX="ko ko.xz" # # MODULE_SUFFIX=["extension ..."] # # The value of this option determines the possible file extensions of kernel # modules. The default value is "ko ko.gz ko.xz o o.gz o.xz gz xz". # MUTEX_TIMEOUT=60 # # MUTEX_TIMEOUT=[seconds] # # The value of this variable determines the number of seconds that programs # will wait for exclusive access to the Shorewall6 lock file. After the # number of seconds corresponding to the value of this variable, programs # will assume that the last program to hold the lock died without releasing # the lock. # # If not set or set to the empty value, a value of 60 (60 seconds) is # assumed. # # An appropriate value for this parameter would be twice the length of time # that it takes your firewall system to process a shorewall6 restart command. # OPTIMIZE=All # # OPTIMIZE=[value] # # The specified value enables certain optimizations. Each optimization # category is associated with a power of two. To enable multiple optimization # categories, simply add their corresponding numbers together. # # Beginning with Shorewall 4.5.20, you may specify OPTIMIZE=All to enable all # optimization categories, and you may also specify OPTIMIZE=None to disable # optimization. # # □ Optimization category 1 - Traditionally, Shorewall has created rules # for the complete matrix of host groups defined by the zones, interfaces # and hosts files. Any traffic that didn't correspond to an element of # that matrix was rejected in one of the built-in chains. When the matrix # is sparse, this results in lots of largely useless rules. # # These extra rules can be eliminated by setting the 1 bit in OPTIMIZE. # # The 1 bit setting also controls the suppression of redundant wildcard # rules (those specifying "all" in the SOURCE or DEST column). A wildcard # rule is considered to be redundant when it has the same ACTION and Log # Level as the applicable policy. 
# # Note # # Optimization level 1 is ignored when optimization level 4 is also # selected, since level 4 performs similar optimizations in a more robust # way. # # □ Optimization category 2 - Added in Shorewall 4.4.7. When set, # suppresses superfluous ACCEPT rules in a policy chain that implements # an ACCEPT policy. Any ACCEPT rules that immediately precede the final # blanket ACCEPT rule in the chain are now omitted. # # □ Optimization category 4 - Added in Shorewall 4.4.7. When set, causes # short chains (those with less than 2 rules) to be optimized away. The # following chains are excluded from optimization: # # ☆ accounting chains (unless OPTIMIZE_ACCOUNTING=Yes) # # ☆ action chains (user-defined) # # ☆ 'blacklst' chain # # ☆ dynamic # # Additionally: # # ☆ If a built-in chain has a single rule that branches to a second # chain, then the rules from the second chain are moved to the # built-in chain and the target chain is omitted. # # ☆ Chains with no references are deleted. # # ☆ Accounting chains are subject to optimization if the # OPTIMIZE_ACCOUNTING option is set to 'Yes'. # # ☆ If a chain ends with an unconditional branch to a second chain # (other than to 'reject'), then the branch is deleted from the first # chain and the rules from the second chain are appended to it. # # An additional optimization was added in Shorewall 4.5.4. If the last # rule in a chain is an unqualified jump to a simple target, then all # immediately preceding rules with the same simple target are omitted. # # For example, consider this chain: # # -A fw-net -p udp --dport 67:68 -j ACCEPT # -A fw-net -p udp --sport 1194 -j ACCEPT # -A fw-net -p 41 -j ACCEPT # -A fw-net -j ACCEPT # # Since all of the rules are jumps to the simple target ACCEPT, this # chain is totally optimized away and jumps to the chain are replace with # jumps to ACCEPT. # # □ Optimization category 8 - Added in Shorewall 4.4.9. When set, causes # chains with identical rules to be collapsed into a single chain. 
# # □ Optimization category 16 - Added in Shorewall 4.4.26. When set, causes # sequences of compatible rules to be combined into a single rule. Rules # are considered compatible if they differ only in their destination # ports and comments. # # A sequence of compatible rules is often generated when macros are # invoked in sequence. # # The ability to combine adjacent rules is limited by two factors: # # ☆ Destination port lists may only be combined up to a maximum of 15 # ports, where a port-pair counts as two ports. # # ☆ Rules may only be combined until the length of their concatenated # comment reaches 255 characters. # # When either of these limits would be exceeded, the current combined # rule is emitted and the compiler attempts to combine rules beginning # with the one that would have exceeded the limit. Adjacent combined # comments are separated by ', '. Empty comments at the front of a group # of combined comments are replaced by 'Others and'. Empty comments at # the end of a group of combined comments are replaced by 'and others'. # # Beginning in Shorewall 4.5.10, this option also suppresses duplicate # adjacent rules and duplicate non-adjacent rules that don't include mark # , connmark, dscp, ecn, set, tos or u32 matches. # # Example 1: # # Rules with comments "FOO", and "BAR" would result in the # combined comment "FOO and others, BAR". # # Example 2: # # Rules with comments , "FOO" and "BAR" would result in the # combined comment "Others and FOO, BAR". Note: Optimize level 16 # requires "Extended Multi-port Match" in your iptables and kernel. # # The default value is zero which disables all optimizations. # OPTIMIZE_ACCOUNTING=No # # OPTIMIZE_ACCOUNTING=[Yes|No] # # Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting changes are # subject to optimization (OPTIMIZE=4,5,6 or 7). If not specified or set to # the empty value, OPTIMIZE_ACCOUNTING=No is assumed. # REJECT_ACTION= # # REJECT_ACTION=action # # Added in Shorewall 4.5.21. 
When a REJECT target is specified, Shorewall # normally handles the response as follows: # # □ If the destination address of the packet is a broadcast or multicast # address, the packet is dropped. # # □ if the protocol is 2 (IGMP) then the packet is dropped. # # □ if the protocol is TCP (6) then the packet is rejected with an RST. # # □ if the protocol is UDP (17) then the packet is rejected with a # 'port-unreachable' ICMP6. # # □ if the protocol is ICMP6 (58) then the packet is rejected with an # 'addr-unreachable' ICMP6. # # □ otherwise, the packet is rejected with an 'adm-prohibited' ICMP6. # # You can modify this behavior by implementing your own action that handles # REJECT and specifying its name in this option. The nolog and inline # options will automatically be assumed for the specified action. # # The following action implements the standard behavior: # # ?format 2 # #TARGET SOURCE DEST PROTO # Broadcast(DROP) - - - # DROP - - 2 # INLINE - - 6 ; -j REJECT --reject-with tcp-reset # ?if __ENHANCED_REJECT # INLINE - - 17 ; -j REJECT # ?if __IPV4 # INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable # INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited # ?else # INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable # INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited # ?endif # ?else # INLINE - - - ; -j REJECT # ?endif # REQUIRE_INTERFACE=No # # REQUIRE_INTERFACE=[Yes|No] # # Added in Shorewall 4.4.10. The default is No. If set to Yes, at least one # optional interface must be up in order for the firewall to be in the # started state. Intended to be used with the Shorewall Init Package. # RESTART=restart # # RESTART=[restart|reload] # # Added in Shorewall 5.0.1 to replace LEGACY_RESTART which was added in # Shorewall 5.0.0. In that release, the reload command was redefined to do # what restart had done in earlier releases and restart became a true restart # (equivalent to stop followed by start). 
When RESTART=reload, the restart # command performs the same operation as the reload command making it # compatible with earlier releases. If not specified, RESTART=reload is # assumed. # RESTORE_ROUTEMARKS=Yes # # RESTORE_ROUTEMARKS=[Yes|No] # # Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are # restored unconditionally at the top of the mangle OUTPUT and PREROUTING # chains, even if the saved mark is zero. When this option is set to No, the # mark is restored only when the saved mark is non-zero. If you have problems # with IPSEC ESP packets not being routed correctly on output, try setting # this option to No. # SAVE_IPSETS=No # # SAVE_IPSETS={Yes|No|setlist} # # Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the current # contents of your ipsets will be saved by the shorewall stop and shorewall # save commands and restored by the shorewall start and shorewall restore # commands. # # Beginning with Shorewall 4.6.4, you can restrict the set of ipsets saved by # specifying a setlist (a comma-separated list of ipv6 ipset names). # TC_ENABLED=No # # TC_ENABLED=[Yes|No|Internal|Simple|Shared] # # If you say Yes or yes here, Shorewall6 will use a script that you supply to # configure traffic shaping. The script must be named 'tcstart' and must be # placed in a directory on your CONFIG_PATH. # # If you say No or no then traffic shaping is not enabled. # # If you set TC_ENABLED=Internal or internal or leave the option empty then # Shorewall6 will use its builtin traffic shaper (tc4shorewall6 written by # Arne Bernin). # # If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later), simple traffic # shaping using shorewall-tcinterfaces(5) and shorewall-tcpri(5) is enabled. # # Beginning with Shorewall 4.4.15, if you set TC_ENABLED=Shared or shared, # then you should create symbolic links from your Shorewall6 configuration # directory (normally /etc/shorewall6/) to your Shorewall tcdevices and # tcclasses files. 
This allows the compiler to have access to your Shorewall # traffic shaping configuration so that it can validate CLASSIFY rules in # shorewall6-tcrules (5). # # Warning # # If you also run Shorewall and if you have TC_ENABLED=Internal in your # shorewall-conf(5), then you will want TC_ENABLED=No or TC_ENABLED=Shared in # this file. # TC_EXPERT=No # # TC_EXPERT={Yes|No} # # Normally, Shorewall6 tries to protect users from themselves by preventing # PREROUTING and OUTPUT tcrules from being applied to packets that have been # marked by the 'track' option in shorewall6-providers(5). # # If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall6 # will not include these cautionary checks. # TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" # # TC_PRIOMAP=map # # Added in Shorewall 4.4.6. Determines the mapping of a packet's TOS field to # priority bands. See shorewall6-tcpri(5). The map consists of 16 # space-separated digits with values 1, 2 or 3. A value of 1 corresponds to # Linux priority 0, 2 to Linux priority 1, and 3 to Linux Priority 2. The # first entry gives the priority of TOS value 0, the second of TOS value 1, # and so on. See tc-prio(8) for additional information. # # The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2". # TRACK_PROVIDERS=Yes # # TRACK_PROVIDERS={Yes|No} # # Added in Shorewall 4.4.3. When set to Yes, causes the track option to be # assumed on all providers defined in shorewall6-providers(5). May be # overridden on an individual provider through use of the notrack option. The # default value is 'No'. # # Beginning in Shorewall 4.4.6, setting this option to 'Yes' also simplifies # PREROUTING rules in shorewall6-tcrules(5). Previously, when TC_EXPERT=No, # packets arriving through 'tracked' provider interfaces were unconditionally # passed to the PREROUTING tcrules. This was done so that tcrules could reset # the packet mark to zero, thus allowing the packet to be routed using the # 'main' routing table. 
Using the main table allowed dynamic routes (such as # those added for VPNs) to be effective. The shorewall6-rtrules(5) file was # created to provide a better alternative to clearing the packet mark. As a # consequence, passing these packets to PREROUTING complicates things without # providing any real benefit. Beginning with Shorewall 4.4.6, when # TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through 'tracked' # interfaces will not be passed to the PREROUTING rules. Since # TRACK_PROVIDERS was just introduced in 4.4.3, this change should be # transparent to most, if not all, users. # TRACK_RULES=No # # TRACK_RULES={Yes|No} # # Added in Shorewall 4.5.20. If set to Yes, causes the compiler to add a # comment to iptables rules to indicate the file name and line number of the # configuration entry that generated the rule. If set to No (the default), # then no such comments are added. # # Setting this option to Yes requires the Comments capability in ip6tables # and kernel. # USE_DEFAULT_RT=Yes # # USE_DEFAULT_RT=[Yes|No] # # Added in Shorewall6 4.4.25. When set to 'Yes', this option causes the # Shorewall6 multi-ISP feature to create a set of routing rules which are # resilient to changes in the main routing table. Such changes can occur for # a number of reasons, VPNs going up and down being an example. The idea is # to send packets through the main table prior to applying any of the # Shorewall6-generated routing rules. So changes to the main table will # affect the routing of packets by default. # # When USE_DEFAULT_RT=Yes: # # 1. Both the DUPLICATE and the COPY columns in shorewall6-providers(5) file # must remain empty (or contain "-"). # # 2. The default route is added to the the 'default' table rather than to # the main table. # # 3. balance is assumed unless loose is specified. # # 4. Packets are sent through the main routing table by a rule with priority # 999. 
In shorewall6-routing_rules(5), the range 1-998 may be used for # inserting rules that bypass the main table. # # 5. All provider gateways must be specified explicitly in the GATEWAY # column. detect may not be specified. # # 6. You should disable all default route management outside of Shorewall6. # If a default route is added to the main table while Shorewall is # started, then all policy routing will stop working (except for those # routing rules in the priority range 1-998). # # Prior to Shorewall 4.6.0, if USE_DEFAULT_RT was not set or if it was set to # the empty string then USE_DEFAULT_RT=No was assumed. Beginning with # Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes and use of # USE_DEFAULT_RT=No is deprecated. # USE_PHYSICAL_NAMES=No # # USE_PHYSICAL_NAMES=[Yes|No] # # Added in Shorewall 4.4.27. Normally, when Shorewall creates a Netfilter # chain that relates to an interface, it uses the interface's logical name as # the base of the chain name. For example, if the logical name for an # interface is OAKLAND, then the input chain for traffic arriving on that # interface would be 'OAKLAND_in'. If this option is set to Yes, then the # physical name of the interface will be used the base of the chain name. # USE_RT_NAMES=No # # USE_RT_NAMES=[Yes|No] # # Added in Shorewall 4.5.15. When set to 'Yes', Shorewall will use routing # table (provider) names in the generated script rather than table numbers. # When set to 'No' (the default), routing table numbers will be used. # # Caution # # If you set USE_RT_NAMES=Yes and KEEP_RT_TABLES=Yes, then you must insure # that all of your providers have entries in /etc/iproute2/rt_tables as well # as the following entries: # # 255 local # 254 main # 253 default # 250 balance # 0 unspec # # Without these entries, the firewall will fail to start. # WARNOLDCAPVERSION=Yes # # WARNOLDCAPVERSION=[Yes|No] # # Added in Shorewall 4.5.12. 
When set to Yes (the default), the compiler # issues a warning when it finds a capabilities file that doesn't specify all # of the capabilities supported by the compiler. When WARNOLDCAPVERSION is # set to No, no warning is issued. # WORKAROUNDS=No # # WORKAROUNDS=[Yes|No] # # Added in Shorewall 4.6.11. Over time, there have been a number of changes # in Shorewall that work around defects in other products such as iptables # and ipset. When WORKAROUNDS=Yes, these workarounds are enabled; when # WORKAROUNDS=No, they are disabled. If not specified or if specified as # empty, WORKAROUNDS=Yes is assumed. # # Warning # # Do not set WORKAROUNDS=Yes if you need to be able to use # Shorewall-generated scripts (such as created by the save command) built by # Shorewall 4.4.7 or older. # ZONE2ZONE=- # # ZONE2ZONE={2|-} # # Added in Shorewall 4.4.4. This option determines how Shorewall constructs # chain names involving zone names and/or 'all'. Beginning with Shorewall # 4.6.0, the default is '-' (e.g., fw-net); prior to that release, the # default was '2' (e.g., fw2net). # ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### BLACKLIST_DISPOSITION=DROP # # BLACKLIST_DISPOSITION=[DROP|A_DROP|REJECT|A_REJECT] # # This parameter determines the disposition of packets from blacklisted # hosts. It may have the value DROP if the packets are to be dropped or # REJECT if the packets are to be replied with an ICMP port unreachable reply # or a TCP RST (tcp only). If you do not assign a value or if you assign an # empty value then DROP is assumed. The setting determines the disposition of # packets sent to the blacklog target of shorewall6-blrules(5). # INVALID_DISPOSITION=CONTINUE # # INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE] # # Added in Shorewall 4.5.13. 
Shorewall has traditionally passed INVALID # packets through the NEW section of shorewall6-rules(5). When a packet in # INVALID state fails to match any rule in the INVALID section, the packet is # disposed of based on this setting. The default value is CONTINUE for # compatibility with earlier versions. With any other value, INVALID packets # that match no rule in the INVALID section are disposed of immediately # rather than falling through to the NEW section. # MACLIST_DISPOSITION=REJECT # # MACLIST_DISPOSITION=[ACCEPT|DROP|REJECT|A_DROP|A_REJECT] # # Determines the disposition of connection requests that fail MAC # Verification and must have the value ACCEPT (accept the connection request # anyway), REJECT (reject the connection request) or DROP (ignore the # connection request). If not set or if set to the empty value (e.g., # MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT is assumed. # # A_DROP and A_REJECT are audited versions of DROP and REJECT respectively # and were added in Shorewall 4.4.20. They require AUDIT_TARGET in the kernel # and ip6tables. # RELATED_DISPOSITION=ACCEPT # # RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE] # # Added in Shorewall 4.4.27. Shorewall has traditionally ACCEPTed RELATED # packets that don't match any rule in the RELATED section of # shorewall6-rules(5). Concern about the safety of this practice resulted in # the addition of this option. When a packet in RELATED state fails to match # any rule in the RELATED section, the packet is disposed of based on this # setting. The default value is ACCEPT for compatibility with earlier # versions. # SFILTER_DISPOSITION=DROP # # SFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] # # Added in Shorewall 4.4.20. Determines the disposition of packets matching # the sfilter option (see shorewall6-interfaces(5)) and of hairpin packets on # interfaces without the routeback option.^[1] # RPFILTER_DISPOSITION=DROP # # RPFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] # # Added in Shorewall 4.5.7. 
Determines the disposition of packets entering # from interfaces with the rpfilter option (see shorewall6-interfaces(5)). # Packets disposed of by this option are those whose response packets would # not be sent through the same interface receiving the packet. # SMURF_DISPOSITION=DROP # # SMURF_DISPOSITION=[DROP|A_DROP] # # Added in Shorewall 4.4.20. The default setting is DROP which causes smurf # packets (see the nosmurfs option in shorewall6-interfaces(5)) to be # dropped. A_DROP causes the packets to be audited prior to being dropped and # requires AUDIT_TARGET support in the kernel and ip6tables. # TCP_FLAGS_DISPOSITION=DROP # # TCP_FLAGS_DISPOSITION=[ACCEPT|DROP|REJECT] # # Determines the disposition of TCP packets that fail the checks enabled by # the tcpflags interface option (see shorewall6-interfaces(5)) and must have # a value of ACCEPT (accept the packet), REJECT (send an RST response) or # DROP (ignore the packet). If not set or if set to the empty value (e.g., # TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is assumed. # UNTRACKED_DISPOSITION=CONTINUE # # UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE] # # Added in Shorewall 4.5.13. Shorewall has traditionally passed UNTRACKED # packets through the NEW section of shorewall6-rules(5). When a packet in # UNTRACKED state fails to match any rule in the UNTRACKED section, the # packet is disposed of based on this setting. The default value is CONTINUE # for compatibility with earlier versions. # ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ TC_BITS= # # TC_BITS=[number] # # Added in Shorewall 4.4.26. The number of bits at the low end of the 32-bit # packet mark to be used for traffic shaping marking. May be zero. See # MASK_BITS below for default value. 
# PROVIDER_BITS= # # PROVIDER_BITS=[number] # # Added in Shorewall 4.4.26. The number of bits in the 32-bit packet mark to # be used for provider numbers. May be zero. See MASK_BITS below for default # value. # PROVIDER_OFFSET= # # PROVIDER_OFFSET=[number] # # Added in Shorewall 4.4.26. The offset from the right (low-order end) of the # provider number field in the 32-bit packet mark. If non-zero, must be >= # TC_BITS (Shorewall automatically adjusts PROVIDER_OFFSET's value). # PROVIDER_OFFSET + PROVIDER_BITS + ZONE_BITS must be < 32. See MASK_BITS # below for default value. # MASK_BITS= # # MASK_BITS=[number] # # Added in Shorewall 4.4.26. Number of bits on the right of the 32-bit packet # mark to be masked when clearing the traffic shaping mark. Must be >= # TC_BITS and <= PROVIDER_OFFSET (if PROVIDER_OFFSET > 0). Prior to Shorewall # 5.0.0, the default value of this option and the default values of the other # mark layout options were determined as follows: # # Table 1. Default Packet Mark Layout # # WIDE_TC_MARKS=No, TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET= # HIGH_ROUTE_MARKS=No 0, MASK_BITS=8 # WIDE_TC_MARKS=No, TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET= # HIGH_ROUTE_MARKS=Yes 8, MASK_BITS=8 # WIDE_TC_MARKS=Yes, TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET= # HIGH_ROUTE_MARKS=No 0, MASK_BITS=16 # WIDE_TC_MARKS=Yes, TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET= # HIGH_ROUTE_MARKS=Yes 16, MASK_BITS=16 # # # From 5.0.0 onward, the default value of TC_BITS, PROVIDER_BITS, # PROVIDER_OFFSET and MASK_BITS is 8. # ZONE_BITS=0 # # ZONE_BITS=[number] # # Added in Shorewall 4.4.26. When non-zero, enables automatic packet marking # by source zone and determines the number of bits in the 32-bit packet mark # to be used for the zone mark. Default value is 0. 
# #LAST LINE -- DO NOT REMOVE shorewall6-5.0.4/Samples6/three-interfaces/interfaces.annotated0000644000000000000000000003171612650244170023261 0ustar rootroot# # Shorewall6 version 4 - Sample Interfaces File for three-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-interfaces" ############################################################################### # # The interfaces file serves to define the firewall's network interfaces to # shorewall6. The order of entries in this file is not significant in determining # zone composition. # # Beginning with Shorewall 4.5.3, the interfaces file supports two different # formats: # # FORMAT 1 (default - deprecated) # # There is an ANYCAST column which provides compatibility with older versions # of Shorewall. # # FORMAT 2 # # The ANYCAST column is omitted. # # The format is specified by a line as follows: # # ?FORMAT {1|2} # # The columns in the file are as follows. # # ZONE - zone-name # # Zone for this interface. Must match the name of a zone declared in /etc/ # shorewall6/zones. You may not list the firewall zone in this column. # # If the interface serves multiple zones that will be defined in the # shorewall6-hosts(5) file, you should place "-" in this column. # # If there are multiple interfaces to the same zone, you must list them in # separate entries. 
# # Example: # # #ZONE INTERFACE ANYCAST # loc eth1 - # loc eth2 - # # Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo' # interface, then that zone must be defined as type local in shorewall6-zones # (5). # # INTERFACE - interface[:port] # # Logical name of interface. Each interface may be listed only once in this # file. You may NOT specify the name of a "virtual" interface (e.g., eth0:0) # here; see http://www.shorewall.net/FAQ.htm#faq18. If the physical option is # not specified, then the logical name is also the name of the actual # interface. # # You may use wildcards here by specifying a prefix followed by the plus sign # ("+"). For example, if you want to make an entry that applies to all PPP # interfaces, use 'ppp+'; that would match ppp0, ppp1, ppp2, … Please note # that the '+' means 'one or more additional characters' so 'ppp' does not # match 'ppp+'. # # Care must be exercised when using wildcards where there is another zone # that uses a matching specific interface. See shorewall6-nesting(5) for a # discussion of this problem. # # Shorewall6 allows '+' as an interface name. # # There is no need to define the loopback interface (lo) in this file. # # If a port is given, then the interface must have been defined previously # with the bridge option. The OPTIONS column must be empty when a port is # given. # # ANYCAST - - # # Enter '-' in this column. It is here for compatibility between Shorewall6 # and Shorewall and is omitted if FORMAT is 2. # # OPTIONS (Optional) - [option[,option]...] # # A comma-separated list of options from the following list. The order in # which you list the options is not significant but the list should have no # embedded white-space. # # accept_ra[={0|1|2}] # # Added in Shorewall 4.5.16. Values are: # # 0 # # Do not accept Router Advertisements. # # 1 # # Accept Router Advertisements if forwarding is disabled. # # 2 # # Overrule forwarding behavior. Accept Router Advertisements even if # forwarding is enabled. 
# # If the option is specified without a value, then the value 1 is # assumed. # # blacklist # # Check packets arriving on this interface against the # shorewall6-blacklist(5) file. # # Beginning with Shorewall 4.4.13: # # ☆ If a zone is given in the ZONES column, then the behavior is as if # blacklist had been specified in the IN_OPTIONS column of # shorewall6-zones(5). # # ☆ Otherwise, the option is ignored with a warning: # # WARNING: The 'blacklist' option is ignored on multi-zone # interfaces # # bridge # # Designates the interface as a bridge. Beginning with Shorewall 4.4.7, # setting this option also sets routeback. # # destonly # # Added in Shorewall 4.5.17. Causes the compiler to omit rules to handle # traffic from this interface. # # dhcp # # Specify this option when any of the following are true: # # 1. the interface gets its IP address via DHCP # # 2. the interface is used by a DHCP server running on the firewall # # 3. the interface has a static IP but is on a LAN segment with lots of # DHCP clients. # # 4. the interface is a simple bridge with a DHCP server on one port and # DHCP clients on another port. # # Note # # If you use Shorewall-perl for firewall/bridging, then you need to # include DHCP-specific rules in shorewall6-rules(5). DHCPv6 uses UDP # ports 546 and 547. # # This option allows DHCP datagrams to enter and leave the interface. # # forward[={0|1}] # # Sets the /proc/sys/net/ipv6/conf/interface/forwarding option to the # specified value. If no value is supplied, then 1 is assumed. # # ignore[=1] # # When specified, causes the generated script to ignore up/down events # from Shorewall-init for this device. Additionally, the option exempts # the interface from hairpin filtering. When '=1' is omitted, the ZONE # column must contain '-' and ignore must be the only OPTION. 
# # Beginning with Shorewall 4.5.5, may be specified as 'ignore=1' which # only causes the generated script to ignore up/down events from # Shorewall-init; hairpin filtering is still applied. In this case, the # above restrictions on the ZONE and OPTIONS columns are lifted. # # loopback # # Added in Shorewall 4.6.6. Designates the interface as the loopback # interface. This option is assumed if the interface's physical name is # 'lo'. Only one interface man have the loopback option specified. # # mss=number # # Causes forwarded TCP SYN packets entering or leaving on this interface # to have their MSS field set to the specified number. # # nets=(net[,...]) # # Limit the zone named in the ZONE column to only the listed networks. If # you specify this option, be sure to include the link-local network # (ff80::/10). # # nets=dynamic # # Added in Shorewall 4.4.21. Defines the zone as dynamic. Requires ipset # match support in your iptables and kernel. See http://www.shorewall.net # /Dynamic.html for further information. # # optional # # When optional is specified for an interface, shorewall6 will be silent # when: # # ☆ a /proc/sys/net/ipv6/conf/ entry for the interface cannot be # modified. # # ☆ The first global IPv6 address of the interface cannot be obtained. # # This option may not be specified together with required. # # physical=name # # Added in Shorewall 4.4.4. When specified, the interface or port name in # the INTERFACE column is a logical name that refers to the name given in # this option. It is useful when you want to specify the same wildcard # port name on two or more bridges. See http://www.shorewall.net/ # bridge-Shorewall-perl.html#Multiple. # # If the interface name is a wildcard name (ends with '+'), then the # physical name must also end in '+'. # # If physical is not specified, then it's value defaults to the interface # name. # # required # # Added in Shorewall 4.4.10. 
When specified, the firewall will fail to # start if the interface named in the INTERFACE column is not usable. May # not be specified together with optional. # # routeback[={0|1}] # # If specified, indicates that shorewall6 should include rules that allow # traffic arriving on this interface to be routed back out that same # interface. This option is also required when you have used a wildcard # in the INTERFACE column if you want to allow traffic between the # interfaces that match the wildcard. # # If you specify this option, then you should also specify rpfilter (see # below) if you are running Shorewall 4.5.7 or later; otherwise, you # should specify sfilter (see below). # # Beginning with Shorewall 4.5.18, you may specify this option to # explicitly reset (e.g., routeback=0). This can be used to override # Shorewall's default setting for bridge devices which is routeback=1. # # rpfilter # # Added in Shorewall 4.5.7. This is an anti-spoofing measure that # requires the 'RPFilter Match' capability in your iptables and kernel. # It provides a more efficient alternative to the sfilter option below. # # sourceroute[={0|1}] # # If this option is not specified for an interface, then source-routed # packets will not be accepted from that interface unless explicitly # enabled via sysconf. Only set this option to 1 (enable source routing) # if you know what you are doing. This might represent a security risk # and is not usually needed. # # Only those interfaces with the sourceroute option will have their # setting changed; the value assigned to the setting will be the value # specified (if any) or 1 if no value is given. # # Note # # This option does not work with a wild-card interface name (e.g., # eth0.+) in the INTERFACE column. # # sfilter=(net[,...]) # # Added in Shorewall 4.4.20. At this writing (spring 2011), Linux does # not support reverse path filtering (RFC3704) for IPv6. In its absence, # sfilter may be used as an anti-spoofing measure. 
# # This option should be used on bridges or other interfaces with the # routeback option. On these interfaces, sfilter should list those local # networks that are connected to the firewall through other interfaces. # # tcpflags[={0|1}] # # Packets arriving on this interface are checked for certain illegal # combinations of TCP flags. Packets found to have such a combination of # flags are handled according to the setting of TCP_FLAGS_DISPOSITION # after having been logged according to the setting of # TCP_FLAGS_LOG_LEVEL. # # Beginning with Shorewall 4.6.0, tcpflags=1 is the default. To disable # this option, specify tcpflags=0. # # proxyndp[={0|1}] # # Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp. # # Note: This option does not work with a wild-card interface name (e.g., # eth0.+) in the INTERFACE column. # # Only those interfaces with the proxyndp option will have their setting # changed; the value assigned to the setting will be the value specified # (if any) or 1 if no value is given. # # unmanaged # # Added in Shorewall 4.5.18. Causes all traffic between the firewall and # hosts on the interface to be accepted. When this option is given: # # ☆ The ZONE column must contain '-'. # # ☆ Only the following other options are allowed with unmanaged: # # accept_ra # forward # ignore # optional # physical # sourceroute # proxyndp # # wait=seconds # # Added in Shorewall 4.4.10. Causes the generated script to wait up to # seconds seconds for the interface to become usable before applying the # required or optional options. # # Example # # Example 1: # # Suppose you have eth0 connected to a DSL modem and eth1 connected to your # local network You have a DMZ using eth2. # # Your entries for this setup would look like: # # FORMAT 2 # #ZONE INTERFACE OPTIONS # net eth0 - # loc eth1 - # dmz eth2 - # # Example 4 (Shorewall 4.4.9 and later): # # You have a bridge with no IP address and you want to allow traffic through # the bridge. 
# # FORMAT 2 # #ZONE INTERFACE OPTIONS # - br0 bridge # ############################################################################### ?FORMAT 2 ############################################################################### shorewall6-5.0.4/Samples6/two-interfaces/0000755000000000000000000000000012650244177016740 5ustar rootrootshorewall6-5.0.4/Samples6/two-interfaces/rules.annotated0000644000000000000000000012340012650244175021767 0ustar rootroot# # Shorewall6 version 4.0 - Sample Rules File for two-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-rules" ###################################################################################################################################################################################################### # # Entries in this file govern connection establishment by defining exceptions to # the policies laid out in shorewall6-policy(5). By default, subsequent requests # and responses are automatically allowed using connection tracking. For any # particular (source,dest) pair of zones, the rules are evaluated in the order in # which they appear in this file and the first terminating match is the one that # determines the disposition of the request. All rules are terminating except LOG # and QUEUE rules. # # The rules file is divided into sections. Each section is introduced by a # "Section Header" which is a line beginning with ?SECTION and followed by the # section name. 
# # Sections are as follows and must appear in the order listed: # # ALL # # This section was added in Shorewall 4.4.23. rules in this section are # applied, regardless of the connection tracking state of the packet. # # ESTABLISHED # # Packets in the ESTABLISHED state are processed by rules in this section. # # The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE # # There is an implicit ACCEPT rule inserted at the end of this section. # # RELATED # # Packets in the RELATED state are processed by rules in this section. # # The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE # # There is an implicit rule added at the end of this section that invokes the # RELATED_DISPOSITION (shorewall6.conf(5)). # # INVALID # # Added in Shorewall 4.5.13. Packets in the INVALID state are processed by # rules in this section. # # The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE. # # There is an implicit rule added at the end of this section that invokes the # INVALID_DISPOSITION (shorewall6.conf(5)). # # UNTRACKED # # Added in Shorewall 4.5.13. Packets in the UNTRACKED state are processed by # rules in this section. # # The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE. # # There is an implicit rule added at the end of this section that invokes the # UNTRACKED_DISPOSITION (shorewall6.conf(5)). # # NEW # # Packets in the NEW state are processed by rules in this section. If the # INVALID and/or UNTRACKED sections are empty or not included, then the # packets in the corresponding state(s) are also processed in this section. # # Note # # If you are not familiar with Netfilter to the point where you are comfortable # with the differences between the various connection tracking states, then it is # suggested that you omit the ESTABLISHED and RELATED sections and place all of # your rules in the NEW section (That's after the line that reads ?SECTION NEW'). 
# # Warning # # If you specify FASTACCEPT=Yes in shorewall6.conf(5) then the ESTABLISHED and # RELATED sections must be empty. # # An except is made if you are running Shorewall 4.4.27 or later and you have # specified a non-default value for RELATED_DISPOSITION or RELATED_LOG_LEVEL. In # that case, you may have rules in the RELATED section of this file. # # You may omit any section that you don't need. If no Section Headers appear in # the file then all rules are assumed to be in the NEW section. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # ACTION - target[:{log-level|none}[!][:tag]] # # Specifies the action to be taken if the connection request matches the # rule. target must be one of the following. # # ACCEPT # # Allow the connection request. # # ACCEPT+ # # like ACCEPT but also excludes the connection from any subsequent # matching DNAT[-] or REDIRECT[-] rules. Requires Shorewall 4.5.14 or # later. # # ACCEPT! # # like ACCEPT but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # action # # The name of an action declared in shorewall6-actions(5) or in /usr/ # share/shorewall/actions.std. # # ADD(ipset:flags) # # Added in Shorewall 4.4.12. Causes addresses and/or port numbers to be # added to the named ipset. The flags specify the address or tuple to be # added to the set and must match the type of ipset involved. For # example, for an iphash ipset, either the SOURCE or DESTINATION address # can be added using flags src or dst respectively (see the -A command in # ipset (8)). # # Beginning with Shorewall 5.0.3, an optional timeout can be specified. # This is the number of seconds that the new entry in the ipset is to # remain valid and overrides any timeout specified when the ipset was # created. # # ADD is non-terminating. 
Even if a packet matches the rule, it is passed # on to the next rule. # # AUDIT[(accept|drop|reject)] # # Added in Shorewall 4.5.10. Audits the packet with the specified type; # if the type is omitted, then drop is assumed. Require AUDIT_TARGET # support in the kernel and iptables. # # A_ACCEPT, and A_ACCEPT! # # Added in Shorewall 4.4.20. Audited versions of ACCEPT and ACCEPT! # respectively. Require AUDIT_TARGET support in the kernel and iptables. # # A_DROP and A_DROP! # # Added in Shorewall 4.4.20. Audited versions of DROP and DROP! # respectively. Require AUDIT_TARGET support in the kernel and iptables. # # A_REJECT AND A_REJECT! # # Added in Shorewall 4.4.20. Audited versions of REJECT and REJECT! # respectively. Require AUDIT_TARGET support in the kernel and iptables. # # [?]COMMENT # # the rest of the line will be attached as a comment to the Netfilter # rule(s) generated by the following entries. The comment will appear # delimited by "/* ... */" in the output of "shorewall show ". To # stop the comment from being attached to further rules, simply include # COMMENT on a line by itself. # # Note # # Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and # is preferred. # # CONTINUE # # For experts only. # # Do not process any of the following rules for this (source # zone,destination zone). If the source and/or destination IP address # falls into a zone defined later in shorewall6-zones(5) or in a parent # zone of the source or destination zones, then this connection request # will be passed to the rules defined for that (those) zone(s). See # shorewall6-nesting(5) for additional information. # # CONTINUE! # # like CONTINUE but exempts the rule from being suppressed by OPTIMIZE=1 # in shorewall6.conf(5). # # COUNT # # Simply increment the rule's packet and byte count and pass the packet # to the next rule. # # DEL(ipset:flags) # # Added in Shorewall 4.4.12. Causes an entry to be deleted from the named # ipset. 
The flags specify the address or tuple to be deleted from the # set and must match the type of ipset involved. For example, for an # iphash ipset, either the SOURCE or DESTINATION address can be deleted # using flags src or dst respectively (see the -D command in ipset (8)). # # DEL is non-terminating. Even if a packet matches the rule, it is passed # on to the next rule. # # DNAT # # Forward the request to another system (and optionally another port). # Requires Shorewall 4.5.14 or later. # # DNAT- # # Advanced users only. # # Like DNAT but only generates the DNAT iptables rule and not the # companion ACCEPT rule. Requires Shorewall 4.5.14 or later. # # DROP # # Ignore the request. # # DROP! # # like DROP but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # HELPER # # Added in Shorewall 4.5.7. This action requires that the HELPER column # contains the name of the Netfilter helper to be associated with # connections matching this connection. May only be specified in the NEW # section and is useful for being able to specify a helper when the # applicable policy is ACCEPT. No destination zone should be specified in # HELPER rules. # # INLINE[(action)] # # Added in Shorewall 4.5.16. This action allows you to construct most of # the rule yourself using ip6tables syntax. The part that you specify # must follow a semicolon (';') and is completely free-form. If the # target of the rule (the part following 'j') is something that Shorewall # supports in the ACTION column, then you may enclose it in parentheses # (e.g., INLINE(ACCEPT)). Otherwise, you can include it after the # semicolon. In this case, you must declare the target as a builtin # action in shorewall6-actions(5). # # Some considerations when using INLINE: # # ☆ The p, s, d, i, o, policy, and state match (state or conntrack # --ctstate) matches will always appear in the front of the rule in # that order. 
# # ☆ When multiple matches are specified, the compiler will keep them in # the order in which they appear (excluding the above listed ones), # but they will not necessarily be at the end of the generated rule. # For example, if addresses are specified in the SOURCE and/or DEST # columns, their generated matches will appear after those specified # using ';'. # # IP6TABLES({ip6tables-target [option ...]) # # This action allows you to specify an ip6tables target with options # (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If the ip6tables-target # is not one recognized by Shorewall, the following error message will be # issued: # # ERROR: Unknown target (ip6tables-target) # # This error message may be eliminated by adding the ip6tables-target as # a builtin action in shorewall6-actions(5). # # Important # # If you specify REJECT as the ip6tables-target, the target of the rule # will be the i6ptables REJECT target and not Shorewall's builtin # 'reject' chain which is used when REJECT (see below) is specified as # the target in the ACTION column. # # LOG:level # # Simply log the packet and continue with the next rule. # # macro[(macrotarget)] # # The name of a macro defined in a file named macro.macro. If the macro # accepts an action parameter (Look at the macro source to see if it has # PARAM in the TARGET column) then the macro name is followed by the # parenthesized macrotarget (ACCEPT, DROP, REJECT, ...) to be substituted # for the parameter. # # Example: FTP(ACCEPT). # # The older syntax where the macro name and the target are separated by a # slash (e.g. FTP/ACCEPT) is still allowed but is deprecated. # # NFLOG[(nflog-parameters)] # # Added in Shorewall 4.5.9.3. Queues matching packets to a back end # logging daemon via a netlink socket then continues to the next rule. # See http://www.shorewall.net/shorewall_logging.html. 
# # Similar to LOG:NFLOG[(nflog-parameters)], except that the log level is # not changed when this ACTION is used in an action or macro and the # invocation of that action or macro specifies a log level. # # NFQUEUE[([queuenumber1[:queuenumber2][,bypass]]|bypass)] # # Queues the packet to a user-space application using the nfnetlink_queue # mechanism. If a queuenumber1 is not specified, queue zero (0) is # assumed. Beginning with Shorewall 4.6.10, the keyword bypass can be # given. By default, if no userspace program is listening on an NFQUEUE, # then all packets that are to be queued are dropped. When this option is # used, the NFQUEUE rule is silently bypassed instead. The packet will # move on to the next rule. Also beginning in Shorewall 4.6.10, a second # queue number (queuenumber2) may be specified. This specifies a range of # queues to use. Packets are then balanced across the given queues. This # is useful for multicore systems: start multiple instances of the # userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets # belonging to the same connection are put into the same nfqueue. # # NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)] # # like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 # in shorewall6.conf(5). # # NONAT # # Excludes the connection from any subsequent DNAT[-] or REDIRECT[-] # rules but doesn't generate a rule to accept the traffic. Requires # Shorewall 4.5.14 or later. # # QUEUE # # Queue the packet to a user-space application such as ftwall (http:// # p2pwall.sf.net). The application may reinsert the packet for further # processing. # # QUEUE! # # like QUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # REDIRECT # # Redirect the request to a server running on the firewall. Requires # Shorewall 4.5.14 or later. # # REDIRECT- # # Advanced users only. # # Like REDIRECT but only generates the REDIRECT iptables rule and not the # companion ACCEPT rule. 
Requires Shorewall 4.5.14 or later. # # REJECT # # disallow the request and return an icmp-unreachable or an RST packet. # # REJECT! # # like REJECT but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # TARPIT [(tarpit | honeypot | reset)] # # Added in Shorewall 4.6.6. # # TARPIT captures and holds incoming TCP connections using no local # per-connection resources. # # TARPIT only works with the PROTO column set to tcp (6), and is totally # application agnostic. This module will answer a TCP request and play # along like a listening server, but aside from sending an ACK or RST, no # data is sent. Incoming packets are ignored and dropped. The attacker # will terminate the session eventually. This module allows the initial # packets of an attack to be captured by other software for inspection. # In most cases this is sufficient to determine the nature of the attack. # # This offers similar functionality to LaBrea but does not require dedicated hardware or IPs. Any TCP port # that you would normally DROP or REJECT can instead become a tarpit. # # The target accepts a single optional parameter: # # tarpit # # This mode is the default and completes a connection with the # attacker but limits the window size to 0, thus keeping the attacker # waiting long periods of time. While he is maintaining state of the # connection and trying to continue every 60-240 seconds, we keep # none, so it is very lightweight. Attempts to close the connection # are ignored, forcing the remote side to time out the connection in # 12-24 minutes. # # honeypot # # This mode completes a connection with the attacker, but signals a # normal window size, so that the remote side will attempt to send # data, often with some very nasty exploit attempts. We can capture # these packets for decoding and further analysis. The module does # not send any data, so if the remote expects an application level # response, the game is up. 
# # reset # # This mode is handy because we can send an inline RST (reset). It # has no other function. # # The target may optionally be followed by ":" and a syslog log level (e.g, # REJECT:info or Web(ACCEPT):debug). This causes the packet to be logged at # the specified level. Note that if the ACTION involves destination network # address translation (DNAT, REDIRECT, etc.) then the packet is logged before # the destination address is rewritten. # # If the ACTION names an action declared in shorewall-actions(5) or in /usr/ # share/shorewall/actions.std then: # # □ If the log level is followed by "!' then all rules in the action are # logged at the log level. # # □ If the log level is not followed by "!" then only those rules in the # action that do not specify logging are logged at the specified level. # # □ The special log level none! suppresses logging by the action. # # You may also specify ULOG or NFLOG (must be in upper case) as a log # level.This will log to the ULOG or NFLOG target for routing to a separate # log through use of ulogd (http://www.netfilter.org/projects/ulogd/ # index.html). # # Actions specifying logging may be followed by a log tag (a string of # alphanumeric characters) which is appended to the string generated by the # LOGPREFIX (in shorewall6.conf(5)). # # Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log prefix # generated by the LOGPREFIX setting. # # SOURCE - {zone|zone-list[+]|{all|any}[+][-]}[:interface][:<{address-or-range[, # address-or-range]...[exclusion]>|exclusion|+ipset|^countrycode-list} # # Source hosts to which the rule applies. May be a zone declared in /etc/ # shorewall6/zones, $FW to indicate the firewall itself, all, all+, all-, # all+- or none. # # Beginning with Shorewall 4.4.13, you may use a zone-list which consists of # a comma-separated list of zones declared in shorewall6-zones (5). 
This # zone-list may be optionally followed by "+" to indicate that the rule is to # apply to intra-zone traffic as well as inter-zone traffic. # # When none is used either in the SOURCE or DEST column, the rule is ignored. # # all means "All Zones", including the firewall itself. all- means "All # Zones, except the firewall itself". When all[-] is used either in the # SOURCE or DEST column intra-zone traffic is not affected. When all+[-] is # "used, intra-zone traffic is affected. Beginning with Shorewall 4.4.13, # exclusion is supported -- see see shorewall6-exclusion(5). # # any is equivalent to all when there are no nested zones. When there are # nested zones, any only refers to top-level zones (those with no parent # zones). Note that any excludes all vserver zones, since those zones are # nested within the firewall zone. # # Except when all[+][-] or any[+][-] is specified, clients may be further # restricted to a list of networks and/or hosts by appending ":" and a # comma-separated list of network and/or host addresses. Hosts may be # specified by IP or MAC address; mac addresses must begin with "~" and must # use "-" as a separator. # # Hosts may also be specified as an IP address range using the syntax # lowaddress-highaddress. This requires that your kernel and ip6tables # contain iprange match support. If your kernel and ip6tables have ipset # match support then you may give the name of an ipset prefaced by "+". The # ipset name may be optionally followed by a number from 1 to 6 enclosed in # square brackets ([]) to indicate the number of levels of source bindings to # be matched. # # Beginning with Shorewall6 4.4.17, the primary IP address of a firewall # interface can be specified by an ampersand ('&') followed by the logical # name of the interface as found in the INTERFACE column of # shorewall6-interfaces (5). # # Beginning with Shorewall 4.5.4, A countrycode-list may be specified. 
A # countrycode-list is a comma-separated list of up to 15 two-character # ISO-3661 country codes enclosed in square brackets ('[...]') and preceded # by a caret ('^'). When a single country code is given, the square brackets # may be omitted. A list of country codes supported by Shorewall may be found # at http://www.shorewall.net/ISO-3661.html. Specifying a countrycode-list # requires GeoIP Match support in your ip6tables and Kernel. # # When an interface is not specified, you may omit the angled brackets ('<' # and '>') around the address(es) or you may supply them to improve # readability. # # You may exclude certain hosts from the set already defined through use of # an exclusion (see shorewall6-exclusion(5)). # # Examples: # # dmz:2002:ce7c::92b4:1::2 # # Host 2002:ce7c:92b4:1::2 in the DMZ # # net:2001:4d48:ad51:24::/64 # # Subnet 2001:4d48:ad51:24::/64 on the Internet # # loc:<2002:cec792b4:1::2,2002:cec792b4:1::44> # # Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the local zone. # # loc:~00-A0-C9-15-39-78 # # Host in the local zone with MAC address 00:A0:C9:15:39:78. # # net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80 # # Subnet 2001:4d48:ad51:24::/64 on the Internet except for # 2001:4d48:ad51:24:6:/80. # # $FW:ð0 # # The primary IP address of eth0 in the firewall zone (Shorewall6 4.4.17 # and later). # # Alternatively, clients may be specified by interface by appending ":" to # the zone name followed by the interface name. For example, loc:eth1 # specifies a client that communicates with the firewall system through eth1. # This may be optionally followed by another colon (":") and an IP/MAC/subnet # address as described above (e.g., loc:eth1:<2002:ce7c::92b4:1::2>). 
# # Examples: # # loc:eth1:<2002:cec792b4:1::2,2002:cec792b4:1::44> # # Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the Local zone, # with both originating from eth1 # # DEST - {zone|zone-list[+]|all[+][-]}[:interface][:<{address-or-range[, # address-or-range]...[exclusion]>|exclusion|+ipset|^countrycode-list}[:port # [:random]] # # Location of Server. May be a zone declared in shorewall6-zones(5), $FW to # indicate the firewall itself, all. all+ or none. # # Beginning with Shorewall 4.4.13, you may use a zone-list which consists of # a comma-separated list of zones declared in shorewall6-zones (5). Ths # zone-list may be optionally followed by "+" to indicate that the rule is to # apply to intra-zone traffic as well as inter-zone traffic. Beginning with # Shorewall-4.4.13, exclusion is supported -- see see shorewall6-exclusion # (5). # # Beginning with Shorewall6 4.4.17, the primary IP address of a firewall # interface can be specified by an ampersand ('&') followed by the logical # name of the interface as found in the INTERFACE column of # shorewall6-interfaces (5). # # Beginning with Shorewall 4.5.4, A countrycode-list may be specified. A # countrycode-list is a comma-separated list of up to 15 two-character # ISO-3661 country codes enclosed in square brackets ('[...]') and preceded # by a caret ('^'). When a single country code is given, the square brackets # may be omitted. A list of country codes supported by Shorewall may be found # at http://www.shorewall.net/ISO-3661.html. Specifying a countrycode-list # requires GeoIP Match support in your ip6tables and Kernel. # # When none is used either in the SOURCE or DEST column, the rule is ignored. # # When all is used either in the SOURCE or DEST column intra-zone traffic is # not affected. When all+ is used, intra-zone traffic is affected. # # If the DEST zone is a bport zone, then either: # # a. the SOURCE must be all[+][-], or # # b. 
the SOURCE zone must be another bport zone associated with the same # bridge, or # # c. the SOURCE zone must be an ipv4 zone that is associated with only the # same bridge. # # Except when all[+]|[-] is specified, the server may be further restricted # to a particular network, host or interface by appending ":" and the # network, host or interface. See SOURCE above. # # You may exclude certain hosts from the set already defined through use of # an exclusion (see shorewall6-exclusion(5)). # # Restriction: MAC addresses are not allowed (this is a Netfilter # restriction). # # If your kernel and ip6tables have ipset match support then you may give the # name of an ipset prefaced by "+". The ipset name may be optionally followed # by a number from 1 to 6 enclosed in square brackets ([]) to indicate the # number of levels of destination bindings to be matched. Only one of the # SOURCE and DEST columns may specify an ipset name. # # The port that the server is listening on may be included and separated from # the server's IP address by ":". If omitted, the firewall will not modify # the destination port. A destination port may only be included if the ACTION # is DNAT or REDIRECT. # # Example 1: # # loc:[2001:470:b:227::44]:3128 specifies a local server at IP address # 2001:470:b:227::44 and listening on port 3128. # # Example 2: # # loc:[]:3128 specifies that the destination port should be changed to # 3128 but the IP address should remain the same. # # The port may be specified as a service name. You may specify a port range # in the form lowport-highport to cause connections to be assigned to ports # in the range in round-robin fashion. When a port range is specified, # lowport and highport must be given as integers; service names are not # permitted. Additionally, the port range may be optionally followed by # :random which causes assignment to ports in the list to be random. 
# # If the ACTION is REDIRECT or REDIRECT-, this column needs only to contain # the port number on the firewall that the request should be redirected to. # That is equivalent to specifying $FW::port. # # PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all} # # Optional protocol - ipp2p* requires ipp2p match support in your kernel and # ip6tables. tcp:syn implies tcp plus the SYN flag must be set and the # RST,ACK and FIN flags must be reset. # # Beginning with Shorewall6 4.4.19, this column can contain a comma-separated # list of protocol-numbers and/or protocol names (e.g., tcp,udp). # # DPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} # # Optional destination Ports. A comma-separated list of Port names (from # services(5)), port numbers or port ranges; if the protocol is icmp, this # column is interpreted as the destination icmp-type(s). ICMP types may be # specified as a numeric type, a numeric type and code separated by a slash # (e.g., 3/4), or a typename. See http://www.shorewall.net/ # configuration_file_basics.htm#ICMP. Note that prior to Shorewall6 4.4.19, # only a single ICMP type may be listed. # # If the protocol is ipp2p, this column is interpreted as an ipp2p option # without the leading "--" (example bit for bit-torrent). If no port is # given, ipp2p is assumed. # # A port range is expressed as lowport:highport. # # This column is ignored if PROTO = all but must be entered if any of the # following columns are supplied. In that case, it is suggested that this # field contain a dash (-). # # If your kernel contains multi-port match support, then only a single # Netfilter rule will be generated in this list and the SPORT list below if: # # 1. There are 15 or less ports listed. # # 2. No port ranges are included or your kernel and ip6tables contain # extended multi-port match support. # # Beginning with Shorewall 4.6.0, an ipset name can be specified in this # column. 
This is intended to be used with bitmap:port ipsets. # # This column was formerly labelled DEST PORT(S). # # SPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} # # Optional source port(s). If omitted, any source port is acceptable. # Specified as a comma- separated list of port names, port numbers or port # ranges. # # Beginning with Shorewall 4.5.15, you may place '=' in this column, provided # that the DPORT column is non-empty. This causes the rule to match when # either the source port or the destination port in a packet matches one of # the ports specified in DPORT. Use of '=' requires multi-port match in your # iptables and kernel. # # Warning # # Unless you really understand IP, you should leave this column empty or # place a dash (-) in the column. Most people who try to use this column get # it wrong. # # If you don't want to restrict client ports but need to specify a later # column, then place "-" in this column. # # If your kernel contains multi-port match support, then only a single # Netfilter rule will be generated if in this list and the DPORT list above: # # 1. There are 15 or less ports listed. # # 2. No port ranges are included or your kernel and ip6tables contain # extended multi-port match support. # # Beginning with Shorewall 4.6.0, an ipset name can be specified in this # column. This is intended to be used with bitmap:port ipsets. # # This column was formerly labelled SOURCE PORT(S). # # ORIGDEST - [-] # # Included for compatibility with Shorewall. Enter '-' in this column if you # need to specify one of the later columns. # # This column was formerly labelled ORIGINAL DEST. 
# # RATE - limit # # where limit is one of: # # [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst] # [name1]:rate1/{sec|min|hour|day}[:burst1],[name2]:rate2/{sec|min|hour|day} # [:burst2] # # You may optionally rate-limit the rule by placing a value in this column: # # rate* is the number of connections per interval (sec or min) and burst* is # the largest burst permitted. If no burst is given, a value of 5 is assumed. # There may be no white-space embedded in the specification. # # Example: 10/sec:20 # # When s: or d: is specified, the rate applies per source IP address or per # destination IP address respectively. The names may be chosen by the user # and specify a hash table to be used to count matching connections. If not # given, the name shorewallN (where N is a unique integer) is assumed. Where # more than one rule or POLICY specifies the same name, the connection # counts for the rules are aggregated and the individual rates apply to the # aggregated count. # # Beginning with Shorewall 4.6.5, two limits may be specified, separated by a # comma. In this case, the first limit (name1, rate1, burst1) specifies the # per-source IP limit and the second limit specifies the per-destination IP # limit. # # Example: client:10/sec:20,:60/sec:100 # # In this example, the 'client' hash table will be used to enforce the # per-source limit and the compiler will pick a unique name for the hash # table that tracks the per-destination limit. # # This column was formerly labelled RATE LIMIT. # # USER - [!][user-name-or-number-or-range][:group-name-or-number-or-range] # # This optional column may only be non-empty if the SOURCE is the firewall # itself. # # When this column is non-empty, the rule applies only if the program # generating the output is running under the effective user and/or group # specified (or is NOT running under that id if "!" is given). # # Beginning with Shorewall 4.5.8, multiple user or group names/ids separated # by commas may be specified. 
# # Examples: # # joe # # program must be run by joe # # :kids # # program must be run by a member of the 'kids' group # # !:kids # # program must not be run by a member of the 'kids' group # # 2001-2099 # # UIDs 2001 through 2099 (Shorewall 4.5.6 and later) # # This column was formerly labelled USER/GROUP. # # MARK - [!]value[/mask][:C] # # Defines a test on the existing packet or connection mark. The rule will # match only if the test returns true. # # If you don't want to define a test but need to specify anything in the # following columns, place a "-" in this field. # # ! # # Inverts the test (not equal) # # value # # Value of the packet or connection mark. # # mask # # A mask to be applied to the mark before testing. # # :C # # Designates a connection mark. If omitted, the packet mark's value is # tested. # # CONNLIMIT - [d:][!]limit[:mask] # # May be used to limit the number of simultaneous connections to/from each # individual host or network to limit connections. Requires connlimit match # in your kernel and iptables. While the limit is only checked on rules # specifying CONNLIMIT, the number of current connections is calculated over # all current connections from the SOURCE or DESTINATION host. By default, # limiting is done by SOURCE host or net, but if the specification begins # with d:, then limiting will be done by destination host or net. # # By default, the limit is applied to each host but can be made to apply to # networks of hosts by specifying a mask. The mask specifies the width of a # VLSM mask to be applied to the source address; the number of current # connections is then taken over all hosts in the subnet source-address/mask. # When ! is specified, the rule matches when the number of connections exceeds # the limit. # # TIME - timeelement[&timeelement...] # # May be used to limit the rule to a particular time period each day, to # particular days of the week or month, or to a range defined by dates and # times. 
Requires time match support in your kernel and ip6tables. # # timeelement may be: # # timestart=hh:mm[:ss] # # Defines the starting time of day. # # timestop=hh:mm[:ss] # # Defines the ending time of day. # # utc # # Times are expressed in Greenwich Mean Time. # # localtz # # Deprecated by the Netfilter team in favor of kerneltz. Times are # expressed in Local Civil Time (default). # # kerneltz # # Added in Shorewall 4.5.2. Times are expressed in Local Kernel Time # (requires iptables 1.4.12 or later). # # weekdays=ddd[,ddd]... # # where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun # # monthdays=dd[,dd],... # # where dd is an ordinal day of the month # # datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]] # # Defines the starting date and time. # # datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]] # # Defines the ending date and time. # # HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall 4.4.15) # # The header-list consists of a comma-separated list of headers from the # following list. # # auth, ah, or 51 # # Authentication Headers extension header. # # esp, or 50 # # Encrypted Security Payload extension header. # # hop, hop-by-hop or 0 # # Hop-by-hop options extension header. # # route, ipv6-route or 41 # # IPv6 Route extension header. # # frag, ipv6-frag or 44 # # IPv6 fragmentation extension header. # # none, ipv6-nonxt or 59 # # No next header # # proto, protocol or 255 # # Any protocol header. # # If any: is specified, the rule will match if any of the listed headers are # present. If exactly: is specified, the rule will match packets that exactly # include all specified headers. If neither is given, any: is assumed. # # If ! is entered, the rule will match those packets which would not be # matched when ! is omitted. # # SWITCH - [!]switch-name[={0|1}] # # Added in Shorewall6 4.4.24 and allows enabling and disabling the rule # without requiring shorewall6 restart. # # Enables the rule if the value stored in /proc/net/nf_condition/switch-name # is 1. 
Disables the rule if that file contains 0 (the default). If '!' is # supplied, the test is inverted such that the rule is enabled if the file # contains 0. # # Within the switch-name, '@0' and '@{0}' are replaced by the name of the # chain to which the rule is added. The switch-name (after '@...' # expansion) must begin with a letter and be composed of letters, decimal # digits, underscores or hyphens. Switch names must be 30 characters or less # in length. # # Switches are normally off. To turn a switch on: # # echo 1 > /proc/net/nf_condition/switch-name # # To turn it off again: # # echo 0 > /proc/net/nf_condition/switch-name # # Switch settings are retained over shorewall6 restart. # # Beginning with Shorewall 4.5.10, when the switch-name is followed by =0 or # =1, then the switch is initialized to off or on respectively by the start # command. Other commands do not affect the switch setting. # # HELPER - [helper] # # Added in Shorewall 4.5.7. # # In the NEW section, causes the named conntrack helper to be associated with # this connection; the contents of this column are ignored unless ACTION is # ACCEPT*, DNAT* or REDIRECT*. # # In the RELATED section, will only match if the related connection has the # named helper associated with it. # # The helper may be one of: # # amanda # ftp # irc # netbios-ns # pptp # Q.931 # RAS # sane # sip # snmp # tftp # # If the HELPERS option is specified in shorewall6.conf(5), then any module # specified in this column must be listed in the HELPERS setting. 
# # Example # # Example 1: # # Accept SMTP requests from the DMZ to the internet # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST # ACCEPT dmz net tcp smtp # # Example 4: # # You want to accept SSH connections to your firewall only from internet IP # addresses 2002:ce7c::92b4:1::2 and 2002:ce7c::92b4:1::22 # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST # ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \ # $FW tcp 22 # # Example 5: # # You wish to limit SSH connections from remote systems to 1/min with a burst # of three (to allow for limited retry): # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE # SSH(ACCEPT) net all - - - - s:1/min:3 # # Example 6: # # Forward port 80 to dmz host $BACKUP if switch 'primary_down' is set. # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH # DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down # # Example 7: # # Drop all email from IP addresses in the country whose ISO-3661 country code # is ZZ. # # #ACTION SOURCE DEST PROTO DPORT # DROP net:^ZZ fw tcp 25 # # Example 8: # # You want to generate your own rule involving ip6tables targets and matches # not supported by Shorewall. 
# # #ACTION SOURCE DEST PROTO DPORT # INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 # # The above will generate the following ip6tables-restore input: # # -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 # # Note that SECCTX must be defined as a builtin action in shorewall6-actions # (5): # # #ACTION OPTIONS # SECCTX builtin # ###################################################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER # PORT PORT(S) DEST LIMIT GROUP ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW # Don't allow connection pickup from the net # Invalid(DROP) net all tcp # # Accept DNS connections from the firewall to the network # DNS(ACCEPT) $FW net # # Accept SSH connections from the local network for administration # SSH(ACCEPT) loc $FW # # Allow Ping from the local network # Ping(ACCEPT) loc $FW # # Drop Ping from the "bad" net zone.. and prevent your log from being flooded.. # Ping(DROP) net $FW ACCEPT $FW loc ipv6-icmp ACCEPT $FW net ipv6-icmp # shorewall6-5.0.4/Samples6/two-interfaces/policy0000644000000000000000000000141212647470621020161 0ustar rootroot# # Shorewall6 version 4 - Sample Policy File for two-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. 
#------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-policy" ############################################################################### #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc net ACCEPT net all DROP info all all REJECT info shorewall6-5.0.4/Samples6/two-interfaces/stoppedrules0000644000000000000000000000141412647470621021415 0ustar rootroot# # Shorewall6 version 4.5 Sample Stoppedrules File for two-interface configuration. # Copyright (C) 2012-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall-stoppedrules" ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE # PORT(S) PORT(S) ACCEPT eth1 - ACCEPT - eth1 shorewall6-5.0.4/Samples6/two-interfaces/zones0000644000000000000000000000136312647470621020025 0ustar rootroot# # Shorewall6 version 4.0 - Sample Zones File for two-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. 
#------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-zones" ############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv6 loc ipv6 shorewall6-5.0.4/Samples6/two-interfaces/policy.annotated0000644000000000000000000002105712650244174022140 0ustar rootroot# # Shorewall6 version 4 - Sample Policy File for two-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-policy" ############################################################################### # # This file defines the high-level policy for connections between zones defined # in shorewall6-zones(5). # # Important # # The order of entries in this file is important # # This file determines what to do with a new connection request if we don't get a # match from the /etc/shorewall6/rules file . For each source/destination pair, # the file is processed in order until a match is found ("all" will match any # client or server). # # Important # # Intra-zone policies are pre-defined # # For $FW and for all of the zones defined in /etc/shorewall6/zones, the POLICY # for connections from the zone to itself is ACCEPT (with no logging or TCP # connection rate limiting) but may be overridden by an entry in this file. The # overriding entry must be explicit (specifying the zone name on both SOURCE and # DEST) or it must use "all+" (Shorewall 4.5.17 or later). 
# # Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall6.conf, then the # implicit policy to/from any sub-zone is CONTINUE. These implicit CONTINUE # policies may also be overridden by an explicit entry in this file. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # SOURCE - zone|$FW|all|all+ # # Source zone. Must be the name of a zone defined in shorewall6-zones(5), # $FW, "all" or "all+". # # Support for "all+" was added in Shorewall 4.5.17. "all" does not override # the implicit intra-zone ACCEPT policy while "all+" does. # # DEST - zone|$FW|all|all+ # # Destination zone. Must be the name of a zone defined in shorewall6-zones # (5), $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE # must be "all", "all+", another bport zone associated with the same bridge, # or it must be an ipv4 zone that is associated with only the same bridge. # # Support for "all+" was added in Shorewall 4.5.17. "all" does not override # the implicit intra-zone ACCEPT policy while "all+" does. # # POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2 # ])]|NONE}[:{default-action-or-macro[:level]|None}] # # Policy if no match from the rules file is found. # # If the policy is neither CONTINUE nor NONE then the policy may be followed # by ":" and one of the following: # # a. The word "None" or "none". This causes any default action defined in # shorewall6.conf(5) to be omitted for this policy. # # b. The name of an action. The action will be invoked before the policy is # enforced. # # Actions can have parameters specified. # # Beginning with Shorewall 4.5.10, the action name can be followed optionally # by a colon and a log level. The level will be applied to each rule in the # action or body that does not already have a log level. # # Possible actions are: # # ACCEPT # # Accept the connection. 
# # DROP # # Ignore the connection request. # # REJECT # # For TCP, send RST. For all other, send an "unreachable" ICMP. # # QUEUE # # Queue the request for a user-space application such as Snort-inline. # # NFQUEUE # # Queue the request for a user-space application using the # nfnetlink_queue mechanism. If a queuenumber1 is not given, queue zero # (0) is assumed. Beginning with Shorewall 4.6.10, a second queue number # (queuenumber2) may be given. This specifies a range of queues to use. # Packets are then balanced across the given queues. This is useful for # multicore systems: start multiple instances of the userspace program on # queues x, x+1, .. x+n and use "x:x+n". Packets belonging to the same # connection are put into the same nfqueue. # # CONTINUE # # Pass the connection request past any other rules that it might also # match (where the source or destination zone in those rules is a # superset of the SOURCE or DEST in this policy). See shorewall6-nesting # (5) for additional information. # # NONE # # Assume that there will never be any packets from this SOURCE to this # DEST. shorewall6 will not create any infrastructure to handle such # packets and you may not have any rules with this SOURCE and DEST in the # /etc/shorewall6/rules file. If such a packet is received, the result is # undefined. NONE may not be used if the SOURCE or DEST columns contain # the firewall zone ($FW) or "all". # # LOG LEVEL (loglevel) - [log-level|NFLOG] # # Optional - if supplied, each connection handled under the default POLICY is # logged at that level. If not supplied, no log message is generated. See # syslog.conf(5) for a description of log levels. # # You may also specify NFLOG (must be in upper case). This will log to the # NFLOG target and will send to a separate log through use of ulogd (http:// # www.netfilter.org/projects/ulogd/index.html). # # For a description of log levels, see http://www.shorewall.net/ # shorewall_logging.html. 
# # If you don't want to log but need to specify the following column, place # "-" here. # # BURST:LIMIT (limit) - [-|limit] # # where limit is one of: # # [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst] # [name1]:rate1/{sec|min|hour|day}[:burst1],[name2]:rate2/{sec|min|hour|day} # [:burst2] # # If passed, specifies the maximum TCP connection rate and the size of an # acceptable burst. If not specified, TCP connections are not limited. If the # burst parameter is omitted, a value of 5 is assumed. # # When s: or d: is specified, the rate applies per source IP address or per # destination IP address respectively. The name may be chosen by the user and # specifies a hash table to be used to count matching connections. If not # given, the name shorewall is assumed. Where more than one POLICY or rule # specifies the same name, the connection counts for the policies are # aggregated and the individual rates apply to the aggregated count. # # Beginning with Shorewall 4.6.5, two limits may be specified, separated by a # comma. In this case, the first limit (name1, rate1, burst1) specifies the # per-source IP limit and the second limit specifies the per-destination IP # limit. # # Example: client:10/sec:20,:60/sec:100 # # CONNLIMIT - limit[:mask] # # May be used to limit the number of simultaneous connections from each # individual host to limit connections. While the limit is only checked on # connections to which this policy could apply, the number of current # connections is calculated over all current connections from the SOURCE # host. By default, the limit is applied to each host individually but can be # made to apply to networks of hosts by specifying a mask. The mask specifies # the width of a VLSM mask to be applied to the source address; the number of # current connections is then taken over all hosts in the subnet # source-address/mask. # # Example # # a. All connections from the local network to the internet are allowed # # b. 
All connections from the internet are ignored but logged at syslog level # KERNEL.INFO. # # c. All other connection requests are rejected and logged at level KERNEL.INFO. # # #SOURCE DEST POLICY LOG BURST:LIMIT # # LEVEL # loc net ACCEPT # net all DROP info # # # # THE FOLLOWING POLICY MUST BE LAST # # # all all REJECT info # ############################################################################### #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc net ACCEPT net all DROP info all all REJECT info shorewall6-5.0.4/Samples6/two-interfaces/README.txt0000644000000000000000000000216012647470621020436 0ustar rootrootFor instructions on using these sample configurations, please see http://www.shorewall.net/two-interface.htm Shorewall Samples Copyright (C) 2006-2014 by the following authors: Thomas M. Eastep Paul D. Gear Cristian Rodriguez Francesca Smith This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Sample files are licensed under the LGPL, please see the LICENSE file or http://www.gnu.org/licenses/lgpl.html for more details. shorewall6-5.0.4/Samples6/two-interfaces/rules0000644000000000000000000000276212647470621020025 0ustar rootroot# # Shorewall6 version 4.0 - Sample Rules File for two-interface configuration. 
# Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-rules" ###################################################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER # PORT PORT(S) DEST LIMIT GROUP ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW # Don't allow connection pickup from the net # Invalid(DROP) net all tcp # # Accept DNS connections from the firewall to the network # DNS(ACCEPT) $FW net # # Accept SSH connections from the local network for administration # SSH(ACCEPT) loc $FW # # Allow Ping from the local network # Ping(ACCEPT) loc $FW # # Drop Ping from the "bad" net zone.. and prevent your log from being flooded.. 
# Ping(DROP) net $FW ACCEPT $FW loc ipv6-icmp ACCEPT $FW net ipv6-icmp # shorewall6-5.0.4/Samples6/two-interfaces/shorewall6.conf0000644000000000000000000001055012647470621021677 0ustar rootroot############################################################################### # # Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf # # For information about the settings in this file, type "man shorewall6.conf" # # Manpage also online at # http://www.shorewall.net/manpages6/shorewall6.conf.html ############################################################################### # S T A R T U P E N A B L E D ############################################################################### STARTUP_ENABLED=No ############################################################################### # V E R B O S I T Y ############################################################################### VERBOSITY=1 ############################################################################### # L O G G I N G ############################################################################### BLACKLIST_LOG_LEVEL= INVALID_LOG_LEVEL= LOG_BACKEND= LOG_VERBOSITY=2 LOGALLNEW= LOGFILE=/var/log/messages LOGFORMAT="Shorewall:%s:%s:" LOGLIMIT= LOGTAGONLY=No MACLIST_LOG_LEVEL=info RELATED_LOG_LEVEL= RPFILTER_LOG_LEVEL=info SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info STARTUP_LOG=/var/log/shorewall6-init.log TCP_FLAGS_LOG_LEVEL=info UNTRACKED_LOG_LEVEL= ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall GEOIPDIR=/usr/share/xt_geoip/LE IP6TABLES= IP= IPSET= LOCKFILE= MODULESDIR= NFACCT= PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin RESTOREFILE= SHOREWALL_SHELL=/bin/sh SUBSYSLOCK= TC= 
############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### ACCEPT_DEFAULT="none" DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" REJECT_DEFAULT="Reject" ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' RSH_COMMAND='ssh ${root}@${system} ${command}' ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### ACCOUNTING=Yes ACCOUNTING_TABLE=filter ADMINISABSENTMINDED=Yes BASIC_FILTERS=No IGNOREUNKNOWNVARIABLES=No AUTOCOMMENT=Yes AUTOHELPERS=Yes AUTOMAKE=No BLACKLIST="NEW,INVALID,UNTRACKED" CHAIN_SCRIPTS=No CLAMPMSS=No CLEAR_TC=Yes COMPLETE=No DEFER_DNS_RESOLUTION=Yes DELETE_THEN_ADD=Yes DONT_LOAD= DYNAMIC_BLACKLIST=Yes EXPAND_POLICIES=No EXPORTMODULES=Yes FASTACCEPT=No FORWARD_CLEAR_MARK= HELPERS= IMPLICIT_CONTINUE=No INLINE_MATCHES=Yes IPSET_WARNINGS=Yes IP_FORWARDING=keep KEEP_RT_TABLES=Yes LOAD_HELPERS_ONLY=Yes MACLIST_TABLE=filter MACLIST_TTL= MANGLE_ENABLED=Yes MARK_IN_FORWARD_CHAIN=No MODULE_SUFFIX="ko ko.xz" MUTEX_TIMEOUT=60 OPTIMIZE=All OPTIMIZE_ACCOUNTING=No REJECT_ACTION= REQUIRE_INTERFACE=No RESTART=restart RESTORE_ROUTEMARKS=Yes SAVE_IPSETS=No TC_ENABLED=No TC_EXPERT=No TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" TRACK_PROVIDERS=Yes TRACK_RULES=No USE_DEFAULT_RT=Yes USE_PHYSICAL_NAMES=No USE_RT_NAMES=No WARNOLDCAPVERSION=Yes WORKAROUNDS=No ZONE2ZONE=- ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### 
BLACKLIST_DISPOSITION=DROP INVALID_DISPOSITION=CONTINUE MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT SFILTER_DISPOSITION=DROP RPFILTER_DISPOSITION=DROP SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP UNTRACKED_DISPOSITION=CONTINUE ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ TC_BITS= PROVIDER_BITS= PROVIDER_OFFSET= MASK_BITS= ZONE_BITS=0 #LAST LINE -- DO NOT REMOVE shorewall6-5.0.4/Samples6/two-interfaces/interfaces0000644000000000000000000000157612647470621021020 0ustar rootroot# # Shorewall6 version 4.0 - Sample Interfaces File for two-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-interfaces" ############################################################################### ?FORMAT 2 ############################################################################### #ZONE INTERFACE OPTIONS net eth0 tcpflags,forward=1,sourceroute=0 loc eth1 tcpflags,forward=1 shorewall6-5.0.4/Samples6/two-interfaces/stoppedrules.annotated0000644000000000000000000001016112650244176023366 0ustar rootroot# # Shorewall6 version 4.5 Sample Stoppedrules File for two-interface configuration. 
# Copyright (C) 2012-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall-stoppedrules" ############################################################################### # # This file is used to define the hosts that are accessible when the firewall is # stopped or is being stopped. # # Warning # # Changes to this file do not take effect until after the next shorewall6 start, # shorewall6 reload, shorewall6 restart, or shorewall6 compile command. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # ACTION - ACCEPT|NOTRACK # # Determines the disposition of the packet. # # ACCEPT means that the packet will be accepted. # # NOTRACK indicates that no conntrack entry should be created for the packet. # NOTRACK does not imply ACCEPT. # # DROP was added in Shorewall 4.6.0 and causes the packet to be dropped in # the raw table's PREROUTING chain. # # SOURCE - [-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[, # address]...] # # $FW matches packets originating on the firewall itself, while interface # specifies packets arriving on the named interface. # # This column may also include a comma-separated list of IP/subnet addresses. # If your kernel and iptables include iprange match support, IP address # ranges are also allowed. Ipsets and exclusion are also supported. When $FW # or interface are specified, the list must be preceded by a colon (":"). # # If left empty or supplied as "-", ::/0 is assumed. 
# # DEST - [-|[$FW|interface]|[{$FW|interface}[:address[,address]...]]|[address[, # address]...] # # $FW matches packets addressed to the firewall itself, while interface # specifies packets arriving on the named interface. Neither may be specified # if the target is NOTRACK or DROP. # # This column may also include a comma-separated list of IP/subnet addresses. # If your kernel and iptables include iprange match support, IP address # ranges are also allowed. Ipsets and exclusion are also supported. When $FW # or interface are specified, the list must be preceded by a colon (":"). # # If left empty or supplied as "-", ::/0 is assumed. # # PROTO (Optional) ‒ protocol-name-or-number[,...] # # Protocol. # # Beginning with Shorewall 4.5.12, this column can accept a comma-separated # list of protocols. # # DPORT ‒ service-name/port-number-list # # Optional. A comma-separated list of port numbers and/or service names from # /etc/services. May also include port ranges of the form low-port:high-port # if your kernel and iptables include port range support. # # This column was formerly labelled DEST PORT(S). # # SPORT ‒ service-name/port-number-list # # Optional. A comma-separated list of port numbers and/or service names from # /etc/services. May also include port ranges of the form low-port:high-port # if your kernel and iptables include port range support. # # Beginning with Shorewall 4.5.15, you may place '=' in this column, provided # that the DPORT column is non-empty. This causes the rule to match when # either the source port or the destination port in a packet matches one of # the ports specified in DPORT. Use of '=' requires multi-port match in your # iptables and kernel. # # This column was formerly labelled SOURCE PORT(S). 
# ############################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE # PORT(S) PORT(S) ACCEPT eth1 - ACCEPT - eth1 shorewall6-5.0.4/Samples6/two-interfaces/zones.annotated0000644000000000000000000002107412650244177022001 0ustar rootroot# # Shorewall6 version 4.0 - Sample Zones File for two-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-zones" ############################################################################### # # The /etc/shorewall6/zones file declares your network zones. You specify the # hosts in each zone through entries in /etc/shorewall6/interfaces or /etc/ # shorewall6/hosts. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # ZONE - zone[:parent-zone[,parent-zone]...] # # Name of the zone. The names "all", "none", "SOURCE" and "DEST" are reserved # and may not be used as zone names. The maximum length of a zone name is # determined by the setting of the LOGFORMAT option in shorewall6.conf(5). # With the default LOGFORMAT, zone names can be at most 5 characters long. # # The maximum length of an iptables log prefix is 29 bytes. As explained # in shorewall6.conf (5), the default LOGPREFIX formatting string is # “Shorewall:%s:%s:” where the first %s is replaced by the chain name and # the second is replaced by the disposition. 
# # ☆ The default formatting string has 12 fixed characters ("Shorewall" # and three colons). # # ☆ The longest of the standard dispositions are ACCEPT and REJECT # which have 6 characters each. # # ☆ The canonical name for the chain containing the rules for traffic # going from zone 1 to zone 2 is "<zone 1>2<zone 2>". # # ☆ So if M is the maximum zone name length, such chains can have # length 2*M + 1. # # 12 + 6 + 2*M + 1 = 29 which reduces to # 2*M = 29 - 12 - 6 - 1 = 10 or # M = 5 # # The order in which Shorewall6 matches addresses from packets to zones is # determined by the order of zone declarations. Where a zone is nested in one # or more other zones, you may either ensure that the nested zone precedes # its parents in this file, or you may follow the (sub)zone name by ":" and a # comma-separated list of the parent zones. The parent zones must have been # declared in earlier records in this file. See shorewall6-nesting(5) for # additional information. # # Example: # # #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS # a ipv6 # b ipv6 # c:a,b ipv6 # # Currently, Shorewall6 uses this information to reorder the zone list so # that parent zones appear after their subzones in the list. The # IMPLICIT_CONTINUE option in shorewall6.conf(5) can also create implicit # CONTINUE policies to/from the subzone. # # Where an ipsec zone is explicitly included as a child of an ipv6 zone, the # ruleset allows CONTINUE policies (explicit or implicit) to work as # expected. # # In the future, Shorewall6 may make additional use of nesting information. # # TYPE # # ipv6 # # This is the standard Shorewall6 zone type and is the default if you # leave this column empty or if you enter "-" in the column. # Communication with some zone hosts may be encrypted. Encrypted hosts # are designated using the 'ipsec' option in shorewall6-hosts(5). # # ipsec (or ipsec6) # # Communication with all zone hosts is encrypted. Your kernel and # ip6tables must include policy match support. 
# # firewall # # Designates the firewall itself. You must have exactly one 'firewall' # zone. No options are permitted with a 'firewall' zone. The name that # you enter in the ZONE column will be stored in the shell variable $FW # which you may use in other configuration files to designate the # firewall zone. # # bport (or bport6) # # The zone is associated with one or more ports on a single bridge. # # vserver # # Added in Shorewall 4.4.11 Beta 2 - A zone composed of Linux-vserver # guests. The zone contents must be defined in shorewall6-hosts (5). # # Vserver zones are implicitly handled as subzones of the firewall zone. # # loopback # # Added in Shorewall 4.5.17. # # Normally, Shorewall treats the loopback interface (lo) in the following # way: # # ☆ By default, all traffic through the interface is ACCEPTed. # # ☆ If a $FW -> $FW policy is defined or $FW -> $FW rules are defined, # they are placed in a chain named ${FW}2${FW} or ${FW}-${FW} (e.g., # 'fw2fw' or 'fw-fw' ) depending on the ZONE2ZONE setting in # shorewall6.conf(5). # # ☆ $FW -> $FW traffic is only filtered in the OUTPUT chain. # # By defining a loopback zone and associating it with the loopback # interface in shorewall-interfaces(5), you can effect a slightly # different model. Suppose that the loopback zone name is 'local'; then: # # ☆ Both $FW -> local and local -> $FW chains are created. # # ☆ The $FW -> local and local -> $FW policies may be different. # # ☆ Both $FW -> local and local -> $FW rules may be specified. # # Rules to/from the loopback zone and any zone other than the firewall # zone are ignored with a warning. # # loopback zones may be nested within other loopback zones. # # local # # Added in Shorewall 4.5.17. local is the same as ipv6 with the exception # that the zone is only accessible from the firewall and vserver zones. # # OPTIONS, IN OPTIONS and OUT OPTIONS (options, in_options, out_options) - [ # option[,option]...] # # A comma-separated list of options. 
With the exception of the mss and # blacklist options, these only apply to TYPE ipsec zones. # # blacklist # # Added in Shorewall 4.4.13. May not be specified for firewall or vserver # zones. # # When specified in the IN_OPTIONS column, causes all traffic from this # zone to be passed against the src entries in shorewall6-blacklist(5). # # When specified in the OUT_OPTIONS column, causes all traffic to this # zone to be passed against the dst entries in shorewall6-blacklist(5). # # Specifying this option in the OPTIONS column is equivalent to entering # it in both of the IN_OPTIONS and OUT_OPTIONS column. # # dynamic_shared # # Added in Shorewall 4.5.9. May only be specified in the OPTIONS column # and indicates that only a single ipset should be created for this zone # if it has multiple dynamic entries in shorewall6-hosts(5). Without this # option, a separate ipset is created for each interface. # # reqid=number # # where number is specified using setkey(8) using the 'unique:number # option for the SPD level. # # spi= # # where number is the SPI of the SA used to encrypt/decrypt packets. # # proto=ah|esp|ipcomp # # IPSEC Encapsulation Protocol # # mss=number # # sets the MSS field in TCP packets. If you supply this option, you # should also set FASTACCEPT=No in shorewall6.conf(5) to insure that both # the SYN and SYN,ACK packets have their MSS field adjusted. # # mode=transport|tunnel # # IPSEC mode # # tunnel-src=address[/mask] # # only available with mode=tunnel # # tunnel-dst=address[/mask] # # only available with mode=tunnel # # strict # # Means that packets must match all rules. # # next # # Separates rules; can only be used with strict # # The options in the OPTIONS column are applied to both incoming and outgoing # traffic. The IN OPTIONS are applied to incoming traffic (in addition to # OPTIONS) and the OUT OPTIONS are applied to outgoing traffic. # # If you wish to leave a column empty but need to make an entry in a # following column, use "-". 
# ############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv6 loc ipv6 shorewall6-5.0.4/Samples6/two-interfaces/shorewall6.conf.annotated0000644000000000000000000020074412650244176023657 0ustar rootroot############################################################################### # # Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf # # For information about the settings in this file, type "man shorewall6.conf" # # Manpage also online at # http://www.shorewall.net/manpages6/shorewall6.conf.html ############################################################################### # S T A R T U P E N A B L E D ############################################################################### # # OPTIONS # # Many options have as their value a log-level. Log levels are a method of # describing to syslog (8) the importance of a message and a number of parameters # in this file have log levels as their value. # # These levels are defined by syslog and are used to determine the destination of # the messages through entries in /etc/syslog.conf (5). The syslog documentation # refers to these as "priorities"; Netfilter calls them "levels" and Shorewall6 # also uses that term. # # Valid levels are: # # 7 debug # 6 info # 5 notice # 4 warning # 3 err # 2 crit # 1 alert # 0 emerg # # For most Shorewall6 logging, a level of 6 (info) is appropriate. Shorewall6 log # messages are generated by NetFilter and are logged using facility 'kern' and # the level that you specify. If you are unsure of the level to choose, 6 (info) # is a safe bet. You may specify levels by name or by number. # # If you have built your kernel with NFLOG target support, you may also specify a # log level of NFLOG (must be all caps). Rather than log its messages to syslogd, # Shorewall6 will direct netfilter to log the messages via the NFLOG target which # will send them to a process called 'ulogd'. 
ulogd is available with most Linux # distributions (although it probably isn't installed by default). Ulogd is also # available from http://www.netfilter.org/projects/ulogd/index.html and can be # configured to log all Shorewall6 message to their own log file # # Note # # If you want to specify parameters to ULOG or NFLOG (e.g., NFLOG(1,0,1)), then # you must quote the setting. # # Example: # STARTUP_ENABLED=No # # STARTUP_ENABLED={Yes|No} # # Determines if Shorewall6 is allowed to start. As released from # shorewall.net, this option is set to No. When set to Yes or yes, Shorewall6 # may be started. Used as a guard against Shorewall6 being accidentally # started before it has been configured. # ############################################################################### # V E R B O S I T Y ############################################################################### VERBOSITY=1 # # VERBOSITY=[number] # # Shorewall6 has traditionally been very noisy (produced lots of output). You # may set the default level of verbosity using the VERBOSITY OPTION. # # Values are: # # 0 - Silent. You may make it more verbose using the -v option # 1 - Major progress messages displayed # 2 - All progress messages displayed (pre Shorewall6-3.2.0 behavior) # # If not specified, then 2 is assumed. # ############################################################################### # L O G G I N G ############################################################################### BLACKLIST_LOG_LEVEL= # # BLACKLIST_LOG_LEVEL=[log-level[:log-tag]] # # Formerly named BLACKLIST_LOGLEVEL. This parameter determines if packets # from blacklisted hosts are logged and it determines the syslog level that # they are to be logged at. Its value is a syslog level (Example: # BLACKLIST_LOG_LEVEL=debug). If you do not assign a value or if you assign # an empty value then packets from blacklisted hosts are not logged. 
The # setting determines the log level of packets sent to the blacklog target of # shorewall6-blrules(5). # INVALID_LOG_LEVEL= # # INVALID_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.5.13. Packets in the INVALID state that do not match # any rule in the INVALID section of shorewall6-rules (5) are logged at this # level. The default value is empty which means no logging is performed. # LOG_BACKEND= # # LOG_BACKEND=[backend] # # Added in Shorewall 4.6.4. LOG_BACKEND determines the logging backend to be # used for the iptrace command (see shorewall6(8)). # # backend is one of: # # LOG # # Use standard kernel logging. # # netlink # # Use netlink logging to ulogd version 2 or later. # LOG_VERBOSITY=2 # # LOG_VERBOSITY=[number] # # This option controls the amount of information logged to the file specified # in the STARTUP_LOG option. # # Values are: # # -1 - Logging is disabled # 0 - Silent. Only error messages are logged. # 1 - Major progress messages logged. # 2 - All progress messages logged # # If not specified, then -1 is assumed. # LOGALLNEW= # # LOGALLNEW=[log-level] # # This option is intended for use as a debugging aid. When set to a log # level, this option causes Shorewall6 to generate a logging rule as the # first rule in each builtin chain. # # □ The table name is used as the chain name in the log prefix. # # □ The chain name is used as the target in the log prefix. # # For example, using the default LOGFORMAT, the log prefix for logging # from the nat table's PREROUTING chain is: # # Shorewall:nat:PREROUTING # # Important # # To help insure that all packets in the NEW state are logged, rate # limiting (LOGLIMIT) should be disabled when using LOGALLNEW. Use # LOGALLNEW at your own risk; it may cause high CPU and disk utilization # and you may not be able to control your firewall after you enable this # option. # # Caution # # Do not use this option if the resulting log messages will be sent to # another system. 
# LOGFILE=/var/log/messages # # LOGFILE=[pathname] # # This parameter tells the /sbin/shorewall6 program where to look for # Shorewall6 messages when processing the dump, logwatch, show log, and hits # commands. If not assigned or if assigned an empty value, /var/log/messages # is assumed. # LOGFORMAT="Shorewall:%s:%s:" # # LOGFORMAT=["formattemplate"] # # The value of this variable generates the --log-prefix setting for Shorewall6 # logging rules. It contains a “printf” formatting template which accepts # three arguments (the chain name, logging rule number (optional) and the # disposition). To use LOGFORMAT with fireparse, set it as: # # LOGFORMAT="fp=%s:%d a=%s " # # If the LOGFORMAT value contains the substring “%d” then the logging rule # number is calculated and formatted in that position; if that substring is # not included then the rule number is not included. If not supplied or # supplied as empty (LOGFORMAT="") then “Shorewall6:%s:%s:” is assumed. # # Note # # The setting of LOGFORMAT has an effect on the permitted length of zone # names. See shorewall6-zones (5). # LOGLIMIT= # # LOGLIMIT=[[{s|d}:]rate/{sec|second|min|minute|hour|day}[:burst]] # # Added in Shorewall 4.4.12. Limits the logging rate, either overall, or by # source or destination IP address. # # If the value starts with 's:' then logging is limited per source IP. If the # value starts with 'd:', then logging is limited per destination IP. # Otherwise, the overall logging rate is limited. # # If burst is not specified, then a value of 5 is assumed. # # The keywords second and minute are accepted beginning with Shorewall # 4.6.13. # LOGTAGONLY=No # # LOGTAGONLY=[Yes|No] # # Using the default LOGFORMAT, chain names may not exceed 11 characters or # truncation of the log prefix may occur. Longer chain names may be used with # log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is # specified then the tag is included in the log prefix in place of the chain # name. 
# # Beginning with Shorewall 4.5.12, when LOGTAGONLY=Yes, you have more control # over the generated log prefix. Beginning with that release, the tag is # interpreted as a chain name and a disposition separated by a comma. So this # rule: # # #ACTION SOURCE DEST # LOG:info:foo,bar net fw # # would generate the following log prefix when using the default LOGFORMAT # setting: # # Shorewall:foo:bar: # # Similarly, # # #ACTION SOURCE DEST # LOG:info:,bar net fw # # would generate # # Shorewall:net2fw:bar: # MACLIST_LOG_LEVEL=info # # MACLIST_LOG_LEVEL=[log-level[:log-tag]] # # Determines the syslog level for logging connection requests that fail MAC # Verification. The value must be a valid syslogd log level. If you don't # want to log these connection requests, set to the empty value (e.g., # MACLIST_LOG_LEVEL=""). # RELATED_LOG_LEVEL= # # RELATED_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.4.27. Packets in the related state that do not match # any rule in the RELATED section of shorewall6-rules (5) are logged at this # level. The default value is empty which means no logging is performed. # RPFILTER_LOG_LEVEL=info # # RPFILTER_LOG_LEVEL=log-level[:log-tag] # # Added in shorewall 4.5.7. Determines the logging of packets disposed via # the RPFILTER_DISPOSITION. The default value is info. # SFILTER_LOG_LEVEL=info # # SFILTER_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.4.20. Determines the logging of packets matching the # sfilter option (see shorewall6-interfaces(5)) and of hairpin packets on # interfaces without the routeback option. The default is info. If you don't wish for these packets # to be logged, use SFILTER_LOG_LEVEL=none. # SMURF_LOG_LEVEL=info # # SMURF_LOG_LEVEL=[log-level[:log-tag]] # # Specifies the logging level for smurf packets (see the nosmurfs option in # shorewall6-interfaces(5)). If set to the empty value ( SMURF_LOG_LEVEL="" ) # then smurfs are not logged. 
# STARTUP_LOG=/var/log/shorewall6-init.log # # STARTUP_LOG=[pathname] # # If specified, determines where Shorewall6 will log the details of each # start, reload, restart and refresh command. Logging verbosity is determined # by the setting of LOG_VERBOSITY above. # TCP_FLAGS_LOG_LEVEL=info # # TCP_FLAGS_LOG_LEVEL=[log-level[:log-tag]] # # Determines the syslog level for logging packets that fail the checks # enabled by the tcpflags interface option. The value must be a valid syslogd # log level. If you don't want to log these packets, set to the empty value # (e.g., TCP_FLAGS_LOG_LEVEL=""). # UNTRACKED_LOG_LEVEL= # # UNTRACKED_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.5.13. Packets in the UNTRACKED state that do not match # any rule in the UNTRACKED section of shorewall6-rules (5) are logged at # this level. The default value is empty which means no logging is performed. # ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall # # CONFIG_PATH=[directory[:directory]...] # # Specifies where configuration files other than shorewall6.conf may be # found. CONFIG_PATH is specified as a list of directory names separated by # colons (":"). When looking for a configuration file: # # □ If the command is "try" or a "<configuration directory>" was specified # in the command (e.g., shorewall6 check ./gateway) then the directory # given in the command is searched first. # # □ Next, each directory in the CONFIG_PATH setting is searched in # sequence. # # If CONFIG_PATH is not given or if it is set to the empty value then the # contents of /usr/share/shorewall6/configpath are used. 
As released from # shorewall.net, that file sets the CONFIG_PATH to /etc/shorewall6:/usr/share # /shorewall6:/usr/share/shorewall but your particular distribution may set # it differently. See the output of shorewall6 show config for the default on # your system. # GEOIPDIR=/usr/share/xt_geoip/LE # # GEOIPDIR=[pathname] # # Added in Shorewall 4.5.4. Specifies the pathname of the directory # containing the GeoIP Match database. See http://www.shorewall.net/ # ISO-3661.html. If not specified, the default value is /usr/share/xt_geoip/ # LE which is the default location of the little-endian database. # IP6TABLES= # # IP6TABLES=[pathname] # # This parameter names the ip6tables executable to be used by Shorewall6. If # not specified or if specified as a null value, then the ip6tables # executable located using the PATH option is used. # # Regardless of how the ip6tables utility is located (specified via IP6TABLES # = or located via PATH), Shorewall6 uses the ip6tables-restore and # ip6tables-save utilities from that same directory. # IP= # # IP=[pathname] # # If specified, gives the pathname of the 'ip' executable. If not specified, # 'ip' is assumed and the utility will be located using the current PATH # setting. # IPSET= # # IPSET=[pathname] # # If specified, gives the pathname of the 'ipset' executable. If not # specified, 'ipset' is assumed and the utility will be located using the # current PATH setting. # LOCKFILE= # # LOCKFILE=[pathname] # # Specifies the name of the Shorewall6 lock file, used to prevent # simultaneous state-changing commands. If not specified, ${VARDIR}/ # shorewall6/lock is assumed (${VARDIR} is normally /var/lib but can be # changed when Shorewall-core is installed -- see the output of shorewall6 # show vardir). # MODULESDIR= # # MODULESDIR=[pathname[:pathname]...] # # This parameter specifies the directory/directories where your kernel # netfilter modules may be found. 
If you leave the variable empty, Shorewall # will supply the value "/lib/modules/$uname/kernel/net/ipv${g_family}/ # netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/ # kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset" # where uname holds the output of 'uname -r' and g_family holds '6'. # NFACCT= # # NFACCT=[pathname] # # Added in Shorewall 4.5.7. Specifies the pathname of the nfacct utility. If # not specified, Shorewall will use the PATH setting to find the program. # PERL=/usr/bin/perl # # PERL=pathname # # Added in Shorewall 4.4.11 RC1. Specifies the path name of the Perl # executable. Default is /usr/bin/perl. If the pathname specified by this # option does not exist or the named file is not executable, then Shorewall6 # falls back to /usr/bin/perl # PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin # # PATH=pathname[:pathname]... # # Determines the order in which Shorewall6 searches directories for # executable files. # RESTOREFILE= # # RESTOREFILE=filename # # Specifies the simple name of a file in /var/lib/shorewall6 to be used as # the default restore script in the shorewall6 save, shorewall6 restore, # shorewall6 forget and shorewall6 -f start commands. # SHOREWALL_SHELL=/bin/sh # # SHOREWALL_SHELL=[pathname] # # This option is used to specify the shell program to be used to interpret # the compiled script. If not specified or specified as a null value, /bin/sh # is assumed. Using a light-weight shell such as ash or dash can # significantly improve performance. # SUBSYSLOCK= # # SUBSYSLOCK=[pathname] # # This parameter should be set to the name of a file that the firewall should # create if it starts successfully and remove when it stops. Creating and # removing this file allows Shorewall6 to work with your distribution's # initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall6. # For Debian, the value is /var/lock/shorewall6 and in LEAF it is /var/run/ # shorewall. 
# TC= # # TC=[pathname] # # If specified, gives the pathname of the 'tc' executable. If not specified, # 'tc' is assumed and the utility will be located using the current PATH # setting. # ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### ACCEPT_DEFAULT="none" # # ACCEPT_DEFAULT={action[(parameters)][:level]|none} # DROP_DEFAULT="Drop" # # DROP_DEFAULT={action[(parameters)][:level]|none} # NFQUEUE_DEFAULT="none" # # NFQUEUE_DEFAULT={action[(parameters)][:level]|none} # QUEUE_DEFAULT="none" # # QUEUE_DEFAULT={action[(parameters)][:level]|none} # REJECT_DEFAULT="Reject" # # REJECT_DEFAULT={action[(parameters)][:level]|none} # # DROP_DEFAULT describes the rules to be applied before a connection request # is dropped by a DROP policy; REJECT_DEFAULT describes the rules to be # applied if a connection request is rejected by a REJECT policy. The other # three are similar for ACCEPT, QUEUE and NFQUEUE policies. # # The value applied to these may be: # # a) The name of an action. The name may optionally be followed by a # comma-separated list of parameters enclosed in parentheses if the specified # action accepts parameters (e.g., 'Drop(audit)'). # c) None or none # # The default values are: # # DROP_DEFAULT="Drop" # REJECT_DEFAULT="Reject" # ACCEPT_DEFAULT="none" # QUEUE_DEFAULT="none" # NFQUEUE_DEFAULT="None" # # If you set the value of either option to "None" then no default action will # be used and the default action or macro must be specified in # shorewall6-policy(5). # # You can pass parameters to the specified action or macro (e.g., myaction # (audit,DROP)). # # Beginning with Shorewall 4.5.10, the action name can be followed optionally # by a colon and a log level. The level will be applied to each rule in the # action or macro body that does not already have a log level. 
# ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' # # RCP_COMMAND="command" # RSH_COMMAND='ssh ${root}@${system} ${command}' # # RSH_COMMAND="command" # # Earlier generations of Shorewall6 Lite required that remote root login via # ssh be enabled in order to use the load and reload commands. Beginning with # release 3.9.5, you may define an alternative means for accessing the remote # firewall system. In that release, two new options were added to # shorewall6.conf: # # RSH_COMMAND # RCP_COMMAND # # The default values for these are as follows: # # RSH_COMMAND: ssh ${root}@${system} ${command} # RCP_COMMAND: scp ${files} ${root}@${system}:${destination} # # Shell variables that will be set when the commands are invoked are as # follows: # # root - root user. Normally root but may be overridden using the '-r' # option. # system - The name/IP address of the remote firewall system. # command - For RSH_COMMAND, the command to be executed on the firewall # system. # files - For RCP_COMMAND, a space-separated list of files to be copied to # the remote firewall system. # destination - The directory on the remote system that the files are to be # copied into. # ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### ACCOUNTING=Yes # # ACCOUNTING=[Yes|No] # # Added in Shorewall 4.4.7. If set to Yes, Shorewall6 accounting is enabled # (see shorewall6-accounting(5)). If not specified or set to the empty value, # ACCOUNTING=Yes is assumed. # ACCOUNTING_TABLE=filter # # ACCOUNTING_TABLE=[filter|mangle] # # Added in Shorewall 4.4.20. This setting determines which Netfilter table # the accounting rules are added in. 
By default, ACCOUNTING_TABLE=filter is # assumed. See also shorewall6-accounting(5). # ADMINISABSENTMINDED=Yes # # ADMINISABSENTMINDED=[Yes|No] # # The value of this variable affects Shorewall's stopped state. The behavior # differs depending on whether shorewall-routestopped(5) or # shorewall-stoppedrules(5) is used: # # routestopped # # When ADMINISABSENTMINDED=No, only traffic to/from those addresses # listed in routestopped is accepted when Shorewall is stopped. When # ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in # routestopped, connections that were active when Shorewall stopped # continue to work and all new connections from the firewall system # itself are allowed. # # stoppedrules # # All existing connections continue to work. To sever all existing # connections when the firewall is stopped, install the conntrack utility # and place the command conntrack -F in the stopped user exit (/etc/ # shorewall6/stopped). # # If ADMINISABSENTMINDED=No, only new connections matching entries in # stoppedrules are accepted when Shorewall is stopped. Response packets # and related connections are automatically accepted. # # If ADMINISABSENTMINDED=Yes, in addition to connections matching entries # in stoppedrules, all new connections from the firewall system itself # are allowed when the firewall is stopped. Response packets and related # connections are automatically accepted. # # If this variable is not set or is given the empty value then # ADMINISABSENTMINDED=No is assumed. # BASIC_FILTERS=No # # BASIC_FILTERS=[Yes|No] # # Added in Shorewall-4.6.0. When set to Yes, causes entries in # shorewall6-tcfilters(5) to generate a basic filter rather than a u32 # filter. This setting requires the Basic Ematch capability in your kernel # and iptables. # # Note # # One of the advantages of basic filters is that ipset matches are supported # in newer iproute2 and kernel versions. 
Because Shorewall6 cannot reliably # detect this capability, use of basic filters is controlled by this option. # # The default value is No which causes u32 filters to be generated. # IGNOREUNKNOWNVARIABLES=No # # IGNOREUNKNOWNVARIABLES=[Yes|No] # # Added in Shorewall 4.5.11. Normally, if an unknown shell variable is # encountered in a configuration file (except in ?IF and ?ELSIF directives), # the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes, # then such variables simply expand to an empty string. Default is No. # AUTOCOMMENT=Yes # # AUTOCOMMENT=[Yes|No] # # Formerly named AUTO_COMMENT. If set, if there is not a current comment when # a macro is invoked, the behavior is as if the first line of the macro file # was "COMMENT <macro name>". The AUTO_COMMENT option has a default value of # 'Yes'. # AUTOHELPERS=Yes # # AUTOHELPERS=[Yes|No] # # Added in Shorewall 4.5.7. When set to Yes (the default), the generated # ruleset will automatically associate helpers with applications that require # them (FTP, IRC, etc.). When configuring your firewall on systems running # kernel 3.5 or later, it is recommended that you: # # 1. Set AUTOHELPERS=No. # # 2. Modify the HELPERS setting (see below) to list the helpers that you # need. # # 3. Either: # # a. Modify shorewall6-conntrack (5) to only apply helpers where they # are required; or # # b. Specify the appropriate helper in the HELPER column in # shorewall6-rules (5). # # Note # # The macros for those applications requiring a helper automatically # specify the appropriate HELPER where required. # AUTOMAKE=No # # AUTOMAKE=[Yes|No] # # If set, the behavior of the start, reload and restart commands is changed; # if no files in the CONFIG_PATH (see below) have been changed since the last # successful start, reload or restart command, then the compilation step is # skipped and the compiled script that executed the last start, reload or # restart command is used. The default is AUTOMAKE=No. 
# # The setting of the AUTOMAKE option is ignored if the start, reload or # restart command includes a directory name (e.g., shorewall6 restart /etc/ # shorewall.new). # BLACKLIST="NEW,INVALID,UNTRACKED" # # BLACKLIST=[{ALL|state[,...]}] # # where state is one of NEW, ESTABLISHED, RELATED, INVALID,or UNTRACKED. # # Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY option. Specifies # the connection tracking states that are to be subject to blacklist # screening. If BLACKLIST is not specified then the states subject to # blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED. # # Note: The ESTABLISHED state may not be specified if FASTACCEPT is # specified. # CHAIN_SCRIPTS=No # # CHAIN_SCRIPTS={Yes|No} # # Added in Shorewall 4.5.16. Prior to the availability of BEGIN PERL....END # PERL in configuration files, the only way to execute a chain-specific # script was to create a script file with the same name as the chain and # place it in a directory on the CONFIG_PATH. That facility has the drawback # that the compiler will attempt to run a non-script file just because it has # the same name as a chain. To disable this facility, set CHAIN_SCRIPTS=No. # If not specified or specified as the empty value, CHAIN_SCRIPTS=Yes is # assumed. # CLAMPMSS=No # # CLAMPMSS=[Yes|No|value] # # This parameter enables the TCP Clamp MSS to PMTU feature of Netfilter and # is usually required when your internet connection is through PPPoE or PPTP. # If set to Yes or yes, the feature is enabled. If left blank or set to No or # no, the feature is not enabled. # # Important: This option requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel. # # You may also set CLAMPMSS to a numeric value (e.g., CLAMPMSS=1400). This # will set the MSS field in TCP SYN packets going through the firewall to the # value that you specify. # CLEAR_TC=Yes # # CLEAR_TC=[Yes|No] # # If this option is set to No then Shorewall6 won't clear the current traffic # control rules during [re]start. 
This setting is intended for use by people # that prefer to configure traffic shaping when the network interfaces come # up rather than when the firewall is started. If that is what you want to # do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall6 # /tcstart file. That way, your traffic shaping rules can still use the # “fwmark” classifier based on packet marking defined in shorewall6-tcrules # (5). If not specified, CLEAR_TC=No is assumed. # # Warning # # If you also run Shorewall and if you have TC_ENABLED=Internal in your # shorewall.conf(5), then you will want CLEAR_TC=No in this file. # COMPLETE=No # # COMPLETE=[Yes|No] # # Added in Shorewall6 4.4.12. When you set this option to Yes, you are # asserting that the configuration is complete so that your set of zones # encompasses any hosts that can send or receive traffic to/from/through the # firewall. This causes Shorewall6 to omit the rules that catch packets in # which the source or destination IP address is outside of any of your zones, # so with COMPLETE=Yes such packets are no longer rejected by those catch-all # rules. Default is No. It is recommended that this option only be set to Yes # if all of the following hold: # # □ You have defined an interface whose effective physical setting is '+'. # # □ That interface is assigned to a zone. # # □ You have no CONTINUE policies or rules. # DEFER_DNS_RESOLUTION=Yes # # DEFER_DNS_RESOLUTION=[Yes|No] # # Added in Shorewall 4.5.12. When set to 'Yes' (the default), DNS names are # validated in the compiler and then passed on to the generated script where # they are resolved by ip6tables-restore. This is an advantage if you use # AUTOMAKE=Yes and the IP address associated with the DNS name is subject to # change. When DEFER_DNS_RESOLUTION=No, DNS names are converted into IP # addresses by the compiler. This has the advantage that when AUTOMAKE=Yes # the start, reload and restart commands will succeed even if no DNS server # is reachable (assuming that the configuration hasn't changed since the # compiled script was last generated). # # Note: in either case the rules that end up in the kernel contain the # addresses obtained at compile time or at start time, not the names, so a # later change to a DNS record takes effect only at the next start, reload or # restart, and a rule keyed on a DNS name is only as trustworthy as the # resolver that answered at that moment. 
# DELETE_THEN_ADD=Yes # # DELETE_THEN_ADD={Yes|No} # # If set to Yes (the default value), entries in the /etc/shorewall6/ # route_stopped files cause an 'ip rule del' command to be generated in # addition to an 'ip rule add' command. Setting this option to No, causes the # 'ip rule del' command to be omitted. # DONT_LOAD= # # DONT_LOAD=[module[,module]...] # # Causes Shorewall6 to not load the listed kernel modules. # DYNAMIC_BLACKLIST=Yes # # DYNAMIC_BLACKLIST={Yes|No} # # Added in Shorewall 4.4.7. When set to No or no, dynamic blacklisting using # the shorewall6 drop, shorewall6 reject, shorewall6 logdrop and shorewall6 # logreject is disabled. Default is Yes. # EXPAND_POLICIES=No # # EXPAND_POLICIES={Yes|No} # # Normally, when the SOURCE or DEST columns in shorewall-policy(5) contains # 'all', a single policy chain is created and the policy is enforced in that # chain. For example, if the policy entry is # # #SOURCE DEST POLICY LOG # # LEVEL # net all DROP info # # then the chain name is 'net-all' ("net2all" if ZONE2ZONE=2) which is also # the chain named in Shorewall log messages generated as a result of the # policy. If EXPAND_POLICIES=Yes, then Shorewall will create a separate chain # for each pair of zones covered by the policy. This makes the resulting log # messages easier to interpret since the chain in the messages will have a # name of the form 'a2b' where 'a' is the SOURCE zone and 'b' is the DEST # zone. # EXPORTMODULES=Yes # # EXPORTMODULES=[Yes|No] # # Added in Shorewall 4.4.17. When set to Yes when compiling for use by # Shorewall6 Lite (shorewall6 load, shorewall6 reload or shorewall6 export # commands), the compiler will copy the modules or helpers file from the # administrative system into the script. When set to No or not specified, the # compiler will not copy the modules or helpers file from /usr/share/ # shorewall6 but will copy the found in another location on the CONFIG_PATH. 
# # When compiling for direct use by Shorewall6, causes the contents of the # local module or helpers file to be copied into the compiled script. When # set to No or not set, the compiled script reads the file itself. # FASTACCEPT=No # # FASTACCEPT={Yes|No} # # Normally, Shorewall6 defers accepting ESTABLISHED/RELATED packets until # these packets reach the chain in which the original connection was # accepted. So for packets going from the 'loc' zone to the 'net' zone, # ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net' chain. # # If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets are accepted # early in the INPUT, FORWARD and OUTPUT chains. If you set FASTACCEPT=Yes # then you may not include rules in the ESTABLISHED or RELATED sections of # shorewall6-rules(5). # FORWARD_CLEAR_MARK= # # FORWARD_CLEAR_MARK={Yes|No} # # Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the # packet mark in the first rule in the mangle FORWARD chain. This behavior is # maintained with the default setting of this option (FORWARD_CLEAR_MARK= # Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle # PREROUTING chain are retained in the FORWARD chains. # HELPERS= # # HELPERS=[helper[,helper...]] # # Added in Shorewall 4.5.7. This option specifies a comma-separated list # naming the Netfilter application helpers that are to be enabled. If not # specified, the default is to enable all helpers. # # Possible values for helper are: # # □ amanda # # □ ftp # # □ h323 # # □ irc # # □ netbios-ns # # □ none - This special value was added in Shorewall 4.5.16 and indicates # that no helpers are to be enabled. It also prevents the compiler for # probing for helper support; such probing generates messages on the # system log of the form "xt_CT: No such helper XXX" where XXX is the # helper name. When used, none must be the only helper specified. 
# # □ pptp # # □ sane # # □ sip # # □ snmp # # □ tftp # # When HELPERS is specified on a system running Kernel 3.5.0 or later, # automatic association of helpers to connections is disabled. # IMPLICIT_CONTINUE=No # # IMPLICIT_CONTINUE={Yes|No} # # When this option is set to Yes, it causes subzones to be treated # differently with respect to policies. # # Subzones are defined by following their name with ":" and a list of parent # zones (in shorewall6-zones(5)). Normally, you want to have a set of special # rules for the subzone and if a connection doesn't match any of those # subzone-specific rules then you want the parent zone rules and policies to # be applied; see shorewall6-nesting(5). With IMPLICIT_CONTINUE=Yes, that # happens automatically. # # If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then subzones # are not subject to this special treatment. With IMPLICIT_CONTINUE=Yes, an # implicit CONTINUE policy may be overridden by including an explicit policy # (one that does not specify "all" in either the SOURCE or the DEST columns). # INLINE_MATCHES=Yes # # INLINE_MATCHES={Yes|No} # # Added in Shorewall 4.6.0. Traditionally in shorewall6-rules(5), a semicolon # separates column-oriented specifications on the left from alternative # specificaitons on the right.. When INLINE_MATCHES=Yes is specified, the # specifications on the right are interpreted as if INLINE had been specified # in the ACTION column. This also applies to shorewall6-masq(5) and # shorewall6-mangle(5) which also support INLINE. If not specified or if # specified as the empty value, the value 'No' is assumed for backward # compatibility. # # Beginning with Shorewall 5.0.0, it is no longer necessary to set # INLINE_MATCHES=Yes in order to be able to specify your own iptables text in # a rule. You may simply preface that text with a pair of semicolons (";;"). 
# If alternate input is also specified in the rule, it should appear before # the semicolons and may be separated from normal column input by a single # semicolon. # IPSET_WARNINGS=Yes # # IPSET_WARNINGS={Yes|No} # # Added in Shorewall 4.5.2. Default is Yes. When set, causes the rules # compiler to issue a warning when: # # □ The compiler is being run by root and an ipset specified in the # configuration does not exist. Only one warning is issued for each # missing ipset. # # □ When [src] is specified in a destination column and when [dst] is # specified in a source column. # IP_FORWARDING=keep # # IP_FORWARDING=[On|Off|Keep] # # This rather useless parameter determines whether Shorewall6 enables or # disables IPv6 Packet Forwarding on all interfaces (/proc/sys/net/ipv6/ # conf/all/forwarding). Possible values are: # # On or on # # packet forwarding will be enabled. # # Off or off # # packet forwarding will be disabled. # # Keep or keep # # Shorewall6 will neither enable nor disable packet forwarding. With this # setting, whether the host forwards IPv6 at all is decided outside # Shorewall6 (sysctl or network configuration), so check that it matches # your intent on a multi-interface host. # # If this variable is not set or is given an empty value (IP_FORWARDING="") # then IP_FORWARDING=On is assumed. # KEEP_RT_TABLES=Yes # # KEEP_RT_TABLES={Yes|No} # # When set to Yes, this option prevents scripts generated by Shorewall6 from # altering the /etc/iproute2/rt_tables database when there are entries in / # etc/shorewall6/providers. If you set this option to Yes while Shorewall6 # (Shorewall6-lite) is running, you should remove the file /var/lib/ # shorewall6/rt_tables (/var/lib/shorewall6-lite/rt_tables) before your next # stop, refresh, restore, reload or restart command. # # The default is KEEP_RT_TABLES=No. # LOAD_HELPERS_ONLY=Yes # # LOAD_HELPERS_ONLY={Yes|No} # # Added in Shorewall 4.4.7. When set to Yes, restricts the set of modules # loaded by shorewall to those listed in /var/lib/shorewall6/helpers and # those that are actually used. When not set, or set to the empty value, # LOAD_HELPERS_ONLY=No is assumed. 
# MACLIST_TABLE=filter # # MACLIST_TABLE=[filter|mangle] # # Normally, MAC verification occurs in the filter table (INPUT and FORWARD) # chains. When forwarding a packet from an interface with MAC verification to # a bridge interface, that doesn't work. # # This problem can be worked around by setting MACLIST_TABLE=mangle which # will cause MAC verification to occur out of the PREROUTING chain. Because # REJECT isn't available in that environment, you may not specify # MACLIST_DISPOSITION=REJECT with MACLIST_TABLE=mangle. # MACLIST_TTL= # # MACLIST_TTL=[number] # # The performance of configurations with a large number of entries in # shorewall6-maclist(5) can be improved by setting the MACLIST_TTL variable # in shorewall6.conf(5). # # If your iptables and kernel support the "Recent Match" (see the output of # "shorewall6 check" near the top), you can cache the results of a 'maclist' # file lookup and thus reduce the overhead associated with MAC Verification. # # When a new connection arrives from a 'maclist' interface, the packet passes # through the list of entries for that interface in shorewall6-maclist(5). # If there is a match then the source IP address is added to the 'Recent' set # for that interface. Subsequent connection attempts from that IP address # occurring within $MACLIST_TTL seconds will be accepted without having to # scan all of the entries. After $MACLIST_TTL seconds from the first accepted # connection request from an IP address, the next connection request from # that IP address will be checked against the entire list. # # Note: the cache is keyed on the source IP address alone. Within the TTL # window a new connection from a cached address is accepted without its MAC # address being checked again, so a host that takes over such an IP address # is not re-verified until the entry expires. Keep the TTL short where MAC # verification is relied upon as a control. # # If MACLIST_TTL is not specified, is specified as empty (e.g., MACLIST_TTL= # "") or is specified as zero, then 'maclist' lookups will not be cached. # MANGLE_ENABLED=Yes # # MANGLE_ENABLED=[Yes|No] # # Determines whether Shorewall will generate rules in the Netfilter mangle # table. Setting MANGLE_ENABLED=No disables all Shorewall features that # require the mangle table. The default is MANGLE_ENABLED=Yes. 
# MARK_IN_FORWARD_CHAIN=No # # MARK_IN_FORWARD_CHAIN=[Yes|No] # # If your kernel has a FORWARD chain in the mangle table, you may set # MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified in the tcrules # file to occur in that chain rather than in the PREROUTING chain. This # permits you to mark inbound traffic based on its destination address when # DNAT is in use. To determine if your kernel has a FORWARD chain in the # mangle table, use the /shorewall6 show mangle command; if a FORWARD chain # is displayed then your kernel will support this option. If this option is # not specified or if it is given the empty value (e.g., # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. # MODULE_SUFFIX="ko ko.xz" # # MODULE_SUFFIX=["extension ..."] # # The value of this option determines the possible file extensions of kernel # modules. The default value is "ko ko.gz ko.xz o o.gz o.xz gz xz". # MUTEX_TIMEOUT=60 # # MUTEX_TIMEOUT=[seconds] # # The value of this variable determines the number of seconds that programs # will wait for exclusive access to the Shorewall6 lock file. After the # number of seconds corresponding to the value of this variable, programs # will assume that the last program to hold the lock died without releasing # the lock. # # If not set or set to the empty value, a value of 60 (60 seconds) is # assumed. # # An appropriate value for this parameter would be twice the length of time # that it takes your firewall system to process a shorewall6 restart command. # OPTIMIZE=All # # OPTIMIZE=[value] # # The specified value enables certain optimizations. Each optimization # category is associated with a power of two. To enable multiple optimization # categories, simply add their corresponding numbers together. # # Beginning with Shorewall 4.5.20, you may specify OPTIMIZE=All to enable all # optimization categories, and you may also specify OPTIMIZE=None to disable # optimization. 
# # □ Optimization category 1 - Traditionally, Shorewall has created rules # for the complete matrix of host groups defined by the zones, interfaces # and hosts files. Any traffic that didn't correspond to an element of # that matrix was rejected in one of the built-in chains. When the matrix # is sparse, this results in lots of largely useless rules. # # These extra rules can be eliminated by setting the 1 bit in OPTIMIZE. # # The 1 bit setting also controls the suppression of redundant wildcard # rules (those specifying "all" in the SOURCE or DEST column). A wildcard # rule is considered to be redundant when it has the same ACTION and Log # Level as the applicable policy. # # Note # # Optimization level 1 is ignored when optimization level 4 is also # selected, since level 4 performs similar optimizations in a more robust # way. # # □ Optimization category 2 - Added in Shorewall 4.4.7. When set, # suppresses superfluous ACCEPT rules in a policy chain that implements # an ACCEPT policy. Any ACCEPT rules that immediately precede the final # blanket ACCEPT rule in the chain are now omitted. # # □ Optimization category 4 - Added in Shorewall 4.4.7. When set, causes # short chains (those with less than 2 rules) to be optimized away. The # following chains are excluded from optimization: # # ☆ accounting chains (unless OPTIMIZE_ACCOUNTING=Yes) # # ☆ action chains (user-defined) # # ☆ 'blacklst' chain # # ☆ dynamic # # Additionally: # # ☆ If a built-in chain has a single rule that branches to a second # chain, then the rules from the second chain are moved to the # built-in chain and the target chain is omitted. # # ☆ Chains with no references are deleted. # # ☆ Accounting chains are subject to optimization if the # OPTIMIZE_ACCOUNTING option is set to 'Yes'. # # ☆ If a chain ends with an unconditional branch to a second chain # (other than to 'reject'), then the branch is deleted from the first # chain and the rules from the second chain are appended to it. 
# # An additional optimization was added in Shorewall 4.5.4. If the last # rule in a chain is an unqualified jump to a simple target, then all # immediately preceding rules with the same simple target are omitted. # # For example, consider this chain: # # -A fw-net -p udp --dport 67:68 -j ACCEPT # -A fw-net -p udp --sport 1194 -j ACCEPT # -A fw-net -p 41 -j ACCEPT # -A fw-net -j ACCEPT # # Since all of the rules are jumps to the simple target ACCEPT, this # chain is totally optimized away and jumps to the chain are replace with # jumps to ACCEPT. # # □ Optimization category 8 - Added in Shorewall 4.4.9. When set, causes # chains with identical rules to be collapsed into a single chain. # # □ Optimization category 16 - Added in Shorewall 4.4.26. When set, causes # sequences of compatible rules to be combined into a single rule. Rules # are considered compatible if they differ only in their destination # ports and comments. # # A sequence of compatible rules is often generated when macros are # invoked in sequence. # # The ability to combine adjacent rules is limited by two factors: # # ☆ Destination port lists may only be combined up to a maximum of 15 # ports, where a port-pair counts as two ports. # # ☆ Rules may only be combined until the length of their concatenated # comment reaches 255 characters. # # When either of these limits would be exceeded, the current combined # rule is emitted and the compiler attempts to combine rules beginning # with the one that would have exceeded the limit. Adjacent combined # comments are separated by ', '. Empty comments at the front of a group # of combined comments are replaced by 'Others and'. Empty comments at # the end of a group of combined comments are replaced by 'and others'. # # Beginning in Shorewall 4.5.10, this option also suppresses duplicate # adjacent rules and duplicate non-adjacent rules that don't include mark # , connmark, dscp, ecn, set, tos or u32 matches. 
# # Example 1: # # Rules with comments "FOO", "" and "BAR" would result in the # combined comment "FOO and others, BAR". # # Example 2: # # Rules with comments "", "FOO" and "BAR" would result in the # combined comment "Others and FOO, BAR". Note: Optimize level 16 # requires "Extended Multi-port Match" in your iptables and kernel. # # The default value is zero which disables all optimizations. # OPTIMIZE_ACCOUNTING=No # # OPTIMIZE_ACCOUNTING=[Yes|No] # # Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting chains are # subject to optimization (OPTIMIZE=4,5,6 or 7). If not specified or set to # the empty value, OPTIMIZE_ACCOUNTING=No is assumed. # REJECT_ACTION= # # REJECT_ACTION=action # # Added in Shorewall 4.5.21. When a REJECT target is specified, Shorewall # normally handles the response as follows (this is the behavior of the # action shown below when the enhanced REJECT capability is available): # # □ If the destination address of the packet is a broadcast or multicast # address, the packet is dropped. # # □ if the protocol is IGMP (2) then the packet is dropped. # # □ if the protocol is TCP (6) then the packet is rejected with an RST. # # □ if the protocol is UDP (17) then the packet is rejected with a # 'port-unreachable' ICMPv6. # # □ if the protocol is ICMPv6 (58) then the packet is rejected with an # 'addr-unreachable' ICMPv6. # # □ otherwise, the packet is rejected with an 'adm-prohibited' ICMPv6. # # You can modify this behavior by implementing your own action that handles # REJECT and specifying its name in this option. The nolog and inline # options will automatically be assumed for the specified action. 
# # The following action implements the standard behavior: # # ?format 2 # #TARGET SOURCE DEST PROTO # Broadcast(DROP) - - - # DROP - - 2 # INLINE - - 6 ; -j REJECT --reject-with tcp-reset # ?if __ENHANCED_REJECT # INLINE - - 17 ; -j REJECT # ?if __IPV4 # INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable # INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited # ?else # INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable # INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited # ?endif # ?else # INLINE - - - ; -j REJECT # ?endif # REQUIRE_INTERFACE=No # # REQUIRE_INTERFACE=[Yes|No] # # Added in Shorewall 4.4.10. The default is No. If set to Yes, at least one # optional interface must be up in order for the firewall to be in the # started state. Intended to be used with the Shorewall Init Package. # RESTART=restart # # RESTART=[restart|reload] # # Added in Shorewall 5.0.1 to replace LEGACY_RESTART which was added in # Shorewall 5.0.0. In that release, the reload command was redefined to do # what restart had done in earlier releases and restart became a true restart # (equivalent to stop followed by start). When RESTART=reload, the restart # command performs the same operation as the reload command making it # compatible with earlier releases. If not specified, RESTART=reload is # assumed. # # Note: because a true restart is a stop followed by a start, with # RESTART=restart the firewall passes through its stopped state, during # which only the traffic permitted by shorewall6-stoppedrules(5) (or # shorewall6-routestopped(5)) and ADMINISABSENTMINDED is accepted; see # ADMINISABSENTMINDED above. # RESTORE_ROUTEMARKS=Yes # # RESTORE_ROUTEMARKS=[Yes|No] # # Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are # restored unconditionally at the top of the mangle OUTPUT and PREROUTING # chains, even if the saved mark is zero. When this option is set to No, the # mark is restored only when the saved mark is non-zero. If you have problems # with IPSEC ESP packets not being routed correctly on output, try setting # this option to No. # SAVE_IPSETS=No # # SAVE_IPSETS={Yes|No|setlist} # # Re-enabled in Shorewall 4.4.6. 
If SAVE_IPSETS=Yes, then the current # contents of your ipsets will be saved by the shorewall stop and shorewall # save commands and restored by the shorewall start and shorewall restore # commands. # # Beginning with Shorewall 4.6.4, you can restrict the set of ipsets saved by # specifying a setlist (a comma-separated list of ipv6 ipset names). # TC_ENABLED=No # # TC_ENABLED=[Yes|No|Internal|Simple|Shared] # # If you say Yes or yes here, Shorewall6 will use a script that you supply to # configure traffic shaping. The script must be named 'tcstart' and must be # placed in a directory on your CONFIG_PATH. # # If you say No or no then traffic shaping is not enabled. # # If you set TC_ENABLED=Internal or internal or leave the option empty then # Shorewall6 will use its builtin traffic shaper (tc4shorewall6 written by # Arne Bernin. # # If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later), simple traffic # shaping using shorewall-tcinterfaces(5) and shorewall-tcpri(5) is enabled. # # Beginning with Shorewall 4.4.15, if you set TC_ENABLED=Shared or shared, # then you should create symbolic links from your Shorewall6 configuration # directory (normally /etc/shorewall6/) to your Shorewall tcdevices and # tcclasses files. This allows the compiler to have access to your Shorewall # traffic shaping configuration so that it can validate CLASSIFY rules in # shorewall6-tcrules (5). # # Warning # # If you also run Shorewall and if you have TC_ENABLED=Internal in your # shorewall-conf(5), then you will want TC_ENABLED=No or TC_ENABLED=Shared in # this file. # TC_EXPERT=No # # TC_EXPERT={Yes|No} # # Normally, Shorewall6 tries to protect users from themselves by preventing # PREROUTING and OUTPUT tcrules from being applied to packets that have been # marked by the 'track' option in shorewall6-providers(5). # # If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall6 # will not include these cautionary checks. 
# TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" # # TC_PRIOMAP=map # # Added in Shorewall 4.4.6. Determines the mapping of a packet's TOS field to # priority bands. See shorewall6-tcpri(5). The map consists of 16 # space-separated digits with values 1, 2 or 3. A value of 1 corresponds to # Linux priority 0, 2 to Linux priority 1, and 3 to Linux Priority 2. The # first entry gives the priority of TOS value 0, the second of TOS value 1, # and so on. See tc-prio(8) for additional information. # # The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2". # TRACK_PROVIDERS=Yes # # TRACK_PROVIDERS={Yes|No} # # Added in Shorewall 4.4.3. When set to Yes, causes the track option to be # assumed on all providers defined in shorewall6-providers(5). May be # overridden on an individual provider through use of the notrack option. The # default value is 'No'. # # Beginning in Shorewall 4.4.6, setting this option to 'Yes' also simplifies # PREROUTING rules in shorewall6-tcrules(5). Previously, when TC_EXPERT=No, # packets arriving through 'tracked' provider interfaces were unconditionally # passed to the PREROUTING tcrules. This was done so that tcrules could reset # the packet mark to zero, thus allowing the packet to be routed using the # 'main' routing table. Using the main table allowed dynamic routes (such as # those added for VPNs) to be effective. The shorewall6-rtrules(5) file was # created to provide a better alternative to clearing the packet mark. As a # consequence, passing these packets to PREROUTING complicates things without # providing any real benefit. Beginning with Shorewall 4.4.6, when # TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through 'tracked' # interfaces will not be passed to the PREROUTING rules. Since # TRACK_PROVIDERS was just introduced in 4.4.3, this change should be # transparent to most, if not all, users. # TRACK_RULES=No # # TRACK_RULES={Yes|No} # # Added in Shorewall 4.5.20. 
If set to Yes, causes the compiler to add a # comment to iptables rules to indicate the file name and line number of the # configuration entry that generated the rule. If set to No (the default), # then no such comments are added. # # Setting this option to Yes requires the Comments capability in ip6tables # and kernel. # USE_DEFAULT_RT=Yes # # USE_DEFAULT_RT=[Yes|No] # # Added in Shorewall6 4.4.25. When set to 'Yes', this option causes the # Shorewall6 multi-ISP feature to create a set of routing rules which are # resilient to changes in the main routing table. Such changes can occur for # a number of reasons, VPNs going up and down being an example. The idea is # to send packets through the main table prior to applying any of the # Shorewall6-generated routing rules. So changes to the main table will # affect the routing of packets by default. # # When USE_DEFAULT_RT=Yes: # # 1. Both the DUPLICATE and the COPY columns in shorewall6-providers(5) file # must remain empty (or contain "-"). # # 2. The default route is added to the the 'default' table rather than to # the main table. # # 3. balance is assumed unless loose is specified. # # 4. Packets are sent through the main routing table by a rule with priority # 999. In shorewall6-routing_rules(5), the range 1-998 may be used for # inserting rules that bypass the main table. # # 5. All provider gateways must be specified explicitly in the GATEWAY # column. detect may not be specified. # # 6. You should disable all default route management outside of Shorewall6. # If a default route is added to the main table while Shorewall is # started, then all policy routing will stop working (except for those # routing rules in the priority range 1-998). # # Prior to Shorewall 4.6.0, if USE_DEFAULT_RT was not set or if it was set to # the empty string then USE_DEFAULT_RT=No was assumed. Beginning with # Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes and use of # USE_DEFAULT_RT=No is deprecated. 
# USE_PHYSICAL_NAMES=No # # USE_PHYSICAL_NAMES=[Yes|No] # # Added in Shorewall 4.4.27. Normally, when Shorewall creates a Netfilter # chain that relates to an interface, it uses the interface's logical name as # the base of the chain name. For example, if the logical name for an # interface is OAKLAND, then the input chain for traffic arriving on that # interface would be 'OAKLAND_in'. If this option is set to Yes, then the # physical name of the interface will be used the base of the chain name. # USE_RT_NAMES=No # # USE_RT_NAMES=[Yes|No] # # Added in Shorewall 4.5.15. When set to 'Yes', Shorewall will use routing # table (provider) names in the generated script rather than table numbers. # When set to 'No' (the default), routing table numbers will be used. # # Caution # # If you set USE_RT_NAMES=Yes and KEEP_RT_TABLES=Yes, then you must insure # that all of your providers have entries in /etc/iproute2/rt_tables as well # as the following entries: # # 255 local # 254 main # 253 default # 250 balance # 0 unspec # # Without these entries, the firewall will fail to start. # WARNOLDCAPVERSION=Yes # # WARNOLDCAPVERSION=[Yes|No] # # Added in Shorewall 4.5.12. When set to Yes (the default), the compiler # issues a warning when it finds a capabilities file that doesn't specify all # of the capabilities supported by the compiler. When WARNOLDCAPVERSION is # set to No, no warning is issued. # WORKAROUNDS=No # # WORKAROUNDS=[Yes|No] # # Added in Shorewall 4.6.11. Over time, there have been a number of changes # in Shorewall that work around defects in other products such as iptables # and ipset. When WORKAROUNDS=Yes, these workarounds are enabled; when # WORKAROUNDS=No, they are disabled. If not specified or if specified as # empty, WORKAROUNDS=Yes is assumed. # # Warning # # Do not set WORKAROUNDS=Yes if you need to be able to use # Shorewall-generated scripts (such as created by the save command) built by # Shorewall 4.4.7 or older. 
# ZONE2ZONE=- # # ZONE2ZONE={2|-} # # Added in Shorewall 4.4.4. This option determines how Shorewall constructs # chain names involving zone names and/or 'all'. Beginning with Shorewall # 4.6.0, the default is '-' (e.g., fw-net); prior to that release, the # default was '2' (e.g., fw2net). # ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### BLACKLIST_DISPOSITION=DROP # # BLACKLIST_DISPOSITION=[DROP|A_DROP|REJECT|A_REJECT] # # This parameter determines the disposition of packets from blacklisted # hosts. It may have the value DROP if the packets are to be dropped or # REJECT if the packets are to be answered with an ICMPv6 port-unreachable # or a TCP RST (tcp only). If you do not assign a value or if you assign an # empty value then DROP is assumed. The setting determines the disposition of # packets sent to the blacklog target of shorewall6-blrules(5). # INVALID_DISPOSITION=CONTINUE # # INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE] # # Added in Shorewall 4.5.13. Shorewall has traditionally passed INVALID # packets through the NEW section of shorewall6-rules(5). When a packet in # INVALID state fails to match any rule in the INVALID section, the packet is # disposed of based on this setting. The default value is CONTINUE for # compatibility with earlier versions. # # Note: with CONTINUE, a packet that connection tracking could not associate # with any connection and that matches no INVALID-section rule goes on to be # handled by the NEW-section rules and policies. DROP (or A_DROP) is the # conservative choice unless a rule in your configuration relies on that # behavior. # MACLIST_DISPOSITION=REJECT # # MACLIST_DISPOSITION=[ACCEPT|DROP|REJECT|A_DROP|A_REJECT] # # Determines the disposition of connection requests that fail MAC # Verification and must have the value ACCEPT (accept the connection request # anyway), REJECT (reject the connection request) or DROP (ignore the # connection request). If not set or if set to the empty value (e.g., # MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT is assumed. 
# # A_DROP and A_REJECT are audited versions of DROP and REJECT respectively # and were added in Shorewall 4.4.20. They require AUDIT_TARGET in the kernel # and ip6tables. # RELATED_DISPOSITION=ACCEPT # # RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE] # # Added in Shorewall 4.4.27. Shorewall has traditionally ACCEPTed RELATED # packets that don't match any rule in the RELATED section of # shorewall6-rules (5). Concern about the safety of this practice resulted in # the addition of this option. When a packet in RELATED state fails to match # any rule in the RELATED section, the packet is disposed of based on this # setting. The default value is ACCEPT for compatibility with earlier # versions. # SFILTER_DISPOSITION=DROP # # SFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] # # Added in Shorewall 4.4.20. Determines the disposition of packets matching # the sfilter option (see shorewall6-interfaces(5)) and of hairpin packets on # interfaces without the routeback option.^[1] interfaces without the # routeback option. # RPFILTER_DISPOSITION=DROP # # RPFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] # # Added in Shorewall 4.5.7. Determines the disposition of packets entering # from interfaces with the rpfilter option (see shorewall6-interfaces(5)). # Packets disposed of by this option are those whose response packets would # not be sent through the same interface receiving the packet. # SMURF_DISPOSITION=DROP # # SMURF_DISPOSITION=[DROP|A_DROP] # # Added in Shorewall 4.4.20. The default setting is DROP which causes smurf # packets (see the nosmurfs option in shorewall6-interfaces(5)) to be # dropped. A_DROP causes the packets to be audited prior to being dropped and # requires AUDIT_TARGET support in the kernel and ip6tables. 
# TCP_FLAGS_DISPOSITION=DROP # # TCP_FLAGS_DISPOSITION=[ACCEPT|DROP|REJECT] # # Determines the disposition of TCP packets that fail the checks enabled by # the tcpflags interface option (see shorewall6-interfaces(5)) and must have # a value of ACCEPT (accept the packet), REJECT (send an RST response) or # DROP (ignore the packet). If not set or if set to the empty value (e.g., # TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is assumed. # UNTRACKED_DISPOSITION=CONTINUE # # UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE] # # Added in Shorewall 4.5.13. Shorewall has traditionally passed UNTRACKED # packets through the NEW section of shorewall6-rules (5). When a packet in # UNTRACKED state fails to match any rule in the UNTRACKED section, the # packet is disposed of based on this setting. The default value is CONTINUE # for compatibility with earlier versions. # ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ TC_BITS= # # TC_BITS=[number] # # Added in Shorewall 4.4.26. The number of bits at the low end of the 32-bit # packet mark to be used for traffic shaping marking. May be zero. See # MASK_BITS above for default value. # PROVIDER_BITS= # # PROVIDER_BITS=[number] # # Added in Shorewall 4.4.26. The number of bits in the 32-bit packet mark to # be used for provider numbers. May be zero. See MASK_BITS above for default # value. # PROVIDER_OFFSET= # # PROVIDER_OFFSET=[number] # # Added in Shorewall 4.4.26. The offset from the right (low-order end) of the # provider number field in the 32-bit packet mark. If non-zero, must be >= # TC_BITS (Shorewall automatically adjusts PROVIDER_OFFSET's value). # PROVIDER_OFFSET + PROVIDER_BITS + ZONE_BITS must be < 32. See MASK_BITS # above for default value. # MASK_BITS= # # MASK_BITS=[number] # # Added in Shorewall 4.4.26. 
Number of bits on the right of the 32-bit packet # mark to be masked when clearing the traffic shaping mark. Must be >= # TC_BITS and <= PROVIDER_OFFSET (if PROVIDER_OFFSET > 0). Prior to Shorewall # 5.0.0, default value and the default values of the other mark layout # options is determined as follows: # # Table 1. Default Packet Mark Layout # # WIDE_TC_MARKS=No, TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET= # HIGH_ROUTE_MARKS=No 0, MASK_BITS=8 # WIDE_TC_MARKS=No, TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET= # HIGH_ROUTE_MARKS=Yes 8, MASK_BITS=8 # WIDE_TC_MARKS=Yes, TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET= # HIGH_ROUTE_MARKS=No 0, MASK_BITS=16 # WIDE_TC_MARKS=Yes, TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET= # HIGH_ROUTE_MARKS=Yes 16, MASK_BITS=16 # # # From 5.0.0 onward, the default value of MASK_BITS is 8, the default value # of PROVIDER_BITS, TC_BITS, MASK_BITS and PROVIDER_OFFSET is 8. # ZONE_BITS=0 # # ZONE_BITS=[number] # # Added in Shorewall 4.4.26. When non-zero, enables automatic packet marking # by source zone and determines the number of bits in the 32-bit packet mark # to be used for the zone mark. Default value is 0. # #LAST LINE -- DO NOT REMOVE shorewall6-5.0.4/Samples6/two-interfaces/interfaces.annotated0000644000000000000000000003171712650244174022770 0ustar rootroot# # Shorewall6 version 4.0 - Sample Interfaces File for two-interface configuration. # Copyright (C) 2006-2014 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. 
#------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-interfaces" ############################################################################### # # The interfaces file serves to define the firewall's network interfaces to # shorewall6. The order of entries in this file is not significant in determining # zone composition. # # Beginning with Shorewall 4.5.3, the interfaces file supports two different # formats: # # FORMAT 1 (default - deprecated) # # There is an ANYCAST column which provides compatibility with older versions # of Shorewall. # # FORMAT 2 # # The BROADCAST column is omitted. # # The format is specified by a line as follows: # # ?FORMAT {1|2} # # The columns in the file are as follows. # # ZONE - zone-name # # Zone for this interface. Must match the name of a zone declared in /etc/ # shorewall6/zones. You may not list the firewall zone in this column. # # If the interface serves multiple zones that will be defined in the # shorewall6-hosts(5) file, you should place "-" in this column. # # If there are multiple interfaces to the same zone, you must list them in # separate entries. # # Example: # # #ZONE INTERFACE BROADCAST # loc eth1 - # loc eth2 - # # Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo' # interface, then that zone must be defined as type local in shorewall6-zones # (5). # # INTERFACE - interface[:port] # # Logical name of interface. Each interface may be listed only once in this # file. You may NOT specify the name of a "virtual" interface (e.g., eth0:0) # here; see http://www.shorewall.net/FAQ.htm#faq18. If the physical option is # not specified, then the logical name is also the name of the actual # interface. # # You may use wildcards here by specifying a prefix followed by the plus sign # ("+"). 
For example, if you want to make an entry that applies to all PPP # interfaces, use 'ppp+'; that would match ppp0, ppp1, ppp2, …Please note # that the '+' means 'one or more additional characters' so 'ppp' does not # match 'ppp+'. # # Care must be exercised when using wildcards where there is another zone # that uses a matching specific interface. See shorewall6-nesting(5) for a # discussion of this problem. # # Shorewall6 allows '+' as an interface name. # # There is no need to define the loopback interface (lo) in this file. # # If a port is given, then the interface must have been defined previously # with the bridge option. The OPTIONS column must be empty when a port is # given. # # ANYCAST - - # # Enter '-' in this column. It is here for compatibility between Shorewall6 # and Shorewall and is omitted if FORMAT is 2. # # OPTIONS (Optional) - [option[,option]...] # # A comma-separated list of options from the following list. The order in # which you list the options is not significant but the list should have no # embedded white-space. # # accept_ra[={0|1|2}] # # Added in Shorewall 4.5.16. Values are: # # 0 # # Do not accept Router Advertisements. # # 1 # # Accept Route Advertisements if forwarding is disabled. # # 2 # # Overrule forwarding behavior. Accept Route Advertisements even if # forwarding is enabled. # # If the option is specified without a value, then the value 1 is # assumed. # # blacklist # # Check packets arriving on this interface against the # shorewall6-blacklist(5) file. # # Beginning with Shorewall 4.4.13: # # ☆ If a zone is given in the ZONES column, then the behavior is as if # blacklist had been specified in the IN_OPTIONS column of # shorewall6-zones(5). # # ☆ Otherwise, the option is ignored with a warning: # # WARNING: The 'blacklist' option is ignored on multi-zone # interfaces # # bridge # # Designates the interface as a bridge. Beginning with Shorewall 4.4.7, # setting this option also sets routeback. 
# # destonly # # Added in Shorewall 4.5.17. Causes the compiler to omit rules to handle # traffic from this interface. # # dhcp # # Specify this option when any of the following are true: # # 1. the interface gets its IP address via DHCP # # 2. the interface is used by a DHCP server running on the firewall # # 3. the interface has a static IP but is on a LAN segment with lots of # DHCP clients. # # 4. the interface is a simple bridge with a DHCP server on one port and # DHCP clients on another port. # # Note # # If you use Shorewall-perl for firewall/bridging, then you need to # include DHCP-specific rules in shorewall-rules(8). DHCP uses UDP # ports 546 and 547. # # This option allows DHCP datagrams to enter and leave the interface. # # forward[={0|1}] # # Sets the /proc/sys/net/ipv6/conf/interface/forwarding option to the # specified value. If no value is supplied, then 1 is assumed. # # ignore[=1] # # When specified, causes the generated script to ignore up/down events # from Shorewall-init for this device. Additionally, the option exempts # the interface from hairpin filtering. When '=1' is omitted, the ZONE # column must contain '-' and ignore must be the only OPTION. # # Beginning with Shorewall 4.5.5, may be specified as 'ignore=1' which # only causes the generated script to ignore up/down events from # Shorewall-init; hairpin filtering is still applied. In this case, the # above restrictions on the ZONE and OPTIONS columns are lifted. # # loopback # # Added in Shorewall 4.6.6. Designates the interface as the loopback # interface. This option is assumed if the interface's physical name is # 'lo'. Only one interface may have the loopback option specified. # # mss=number # # Causes forwarded TCP SYN packets entering or leaving on this interface # to have their MSS field set to the specified number. # # nets=(net[,...]) # # Limit the zone named in the ZONE column to only the listed networks. 
If # you specify this option, be sure to include the link-local network # (ff80::/10). # # nets=dynamic # # Added in Shorewall 4.4.21. Defines the zone as dynamic. Requires ipset # match support in your iptables and kernel. See http://www.shorewall.net # /Dynamic.html for further information. # # optional # # When optional is specified for an interface, shorewall6 will be silent # when: # # ☆ a /proc/sys/net/ipv6/conf/ entry for the interface cannot be # modified. # # ☆ The first global IPv6 address of the interface cannot be obtained. # # This option may not be specified together with required. # # physical=name # # Added in Shorewall 4.4.4. When specified, the interface or port name in # the INTERFACE column is a logical name that refers to the name given in # this option. It is useful when you want to specify the same wildcard # port name on two or more bridges. See http://www.shorewall.net/ # bridge-Shorewall-perl.html#Multiple. # # If the interface name is a wildcard name (ends with '+'), then the # physical name must also end in '+'. # # If physical is not specified, then its value defaults to the interface # name. # # required # # Added in Shorewall 4.4.10. When specified, the firewall will fail to # start if the interface named in the INTERFACE column is not usable. May # not be specified together with optional. # # routeback[={0|1}] # # If specified, indicates that shorewall6 should include rules that allow # traffic arriving on this interface to be routed back out that same # interface. This option is also required when you have used a wildcard # in the INTERFACE column if you want to allow traffic between the # interfaces that match the wildcard. # # If you specify this option, then you should also specify rpfilter (see # below) if you are running Shorewall 4.5.7 or later; otherwise, you # should specify sfilter (see below). # # Beginning with Shorewall 4.5.18, you may specify this option to # explicitly reset (e.g., routeback=0). 
This can be used to override # Shorewall's default setting for bridge devices which is routeback=1. # # rpfilter # # Added in Shorewall 4.5.7. This is an anti-spoofing measure that # requires the 'RPFilter Match' capability in your iptables and kernel. # It provides a more efficient alternative to the sfilter option below. # # sourceroute[={0|1}] # # If this option is not specified for an interface, then source-routed # packets will not be accepted from that interface unless explicitly # enabled via sysconf. Only set this option to 1 (enable source routing) # if you know what you are doing. This might represent a security risk # and is not usually needed. # # Only those interfaces with the sourceroute option will have their # setting changed; the value assigned to the setting will be the value # specified (if any) or 1 if no value is given. # # Note # # This option does not work with a wild-card interface name (e.g., # eth0.+) in the INTERFACE column. # # sfilter=(net[,...]) # # Added in Shorewall 4.4.20. At this writing (spring 2011), Linux does # not support reverse path filtering (RFC3704) for IPv6. In its absence, # sfilter may be used as an anti-spoofing measure. # # This option should be used on bridges or other interfaces with the # routeback option. On these interfaces, sfilter should list those local # networks that are connected to the firewall through other interfaces. # # tcpflags[={0|1}] # # Packets arriving on this interface are checked for certain illegal # combinations of TCP flags. Packets found to have such a combination of # flags are handled according to the setting of TCP_FLAGS_DISPOSITION # after having been logged according to the setting of # TCP_FLAGS_LOG_LEVEL. # # Beginning with Shorewall 4.6.0, tcpflags=1 is the default. To disable # this option, specify tcpflags=0. # # proxyndp[={0|1}] # # Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp. 
# # Note: This option does not work with a wild-card interface name (e.g., # eth0.+) in the INTERFACE column. # # Only those interfaces with the proxyndp option will have their setting # changed; the value assigned to the setting will be the value specified # (if any) or 1 if no value is given. # # unmanaged # # Added in Shorewall 4.5.18. Causes all traffic between the firewall and # hosts on the interface to be accepted. When this option is given: # # ☆ The ZONE column must contain '-'. # # ☆ Only the following other options are allowed with unmanaged: # # accept_ra # forward # ignore # optional # physical # sourceroute # proxyndp # # wait=seconds # # Added in Shorewall 4.4.10. Causes the generated script to wait up to # seconds seconds for the interface to become usable before applying the # required or optional options. # # Example # # Example 1: # # Suppose you have eth0 connected to a DSL modem and eth1 connected to your # local network You have a DMZ using eth2. # # Your entries for this setup would look like: # # FORMAT 2 # #ZONE INTERFACE OPTIONS # net eth0 - # loc eth1 - # dmz eth2 - # # Example 4 (Shorewall 4.4.9 and later): # # You have a bridge with no IP address and you want to allow traffic through # the bridge. # # FORMAT 2 # #ZONE INTERFACE OPTIONS # - br0 bridge # ############################################################################### ?FORMAT 2 ############################################################################### shorewall6-5.0.4/Samples6/README.txt0000644000000000000000000000217012647470621015505 0ustar rootrootFor instructions on using these sample configurations, please see http://www.shorewall.net/shorewall_quickstart_guide.htm Shorewall Samples Copyright (C) 2006 by the following authors: Thomas M. Eastep Paul D. 
Gear Cristian Rodriguez Francesca Smith This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Sample files are licensed under the LGPL, please see the LICENSE file or http://www.gnu.org/licenses/lgpl.html for more details. shorewall6-5.0.4/Samples6/one-interface/0000755000000000000000000000000012650244167016524 5ustar rootrootshorewall6-5.0.4/Samples6/one-interface/rules.annotated0000644000000000000000000012310112650244166021552 0ustar rootroot# # Shorewall6 version 5 - Sample Rules File for one-interface configuration. # Copyright (C) 2006-2015 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. 
#------------------------------------------------------------------------------------------------------------ # For information on entries in this file, type "man shorewall6-rules" ###################################################################################################################################################################################################### # # Entries in this file govern connection establishment by defining exceptions to # the policies laid out in shorewall6-policy(5). By default, subsequent requests # and responses are automatically allowed using connection tracking. For any # particular (source,dest) pair of zones, the rules are evaluated in the order in # which they appear in this file and the first terminating match is the one that # determines the disposition of the request. All rules are terminating except LOG # and QUEUE rules. # # The rules file is divided into sections. Each section is introduced by a # "Section Header" which is a line beginning with ?SECTION and followed by the # section name. # # Sections are as follows and must appear in the order listed: # # ALL # # This section was added in Shorewall 4.4.23. rules in this section are # applied, regardless of the connection tracking state of the packet. # # ESTABLISHED # # Packets in the ESTABLISHED state are processed by rules in this section. # # The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE # # There is an implicit ACCEPT rule inserted at the end of this section. # # RELATED # # Packets in the RELATED state are processed by rules in this section. # # The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE # # There is an implicit rule added at the end of this section that invokes the # RELATED_DISPOSITION (shorewall6.conf(5)). # # INVALID # # Added in Shorewall 4.5.13. Packets in the INVALID state are processed by # rules in this section. 
# # The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE. # # There is an implicit rule added at the end of this section that invokes the # INVALID_DISPOSITION (shorewall6.conf(5)). # # UNTRACKED # # Added in Shorewall 4.5.13. Packets in the UNTRACKED state are processed by # rules in this section. # # The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE. # # There is an implicit rule added at the end of this section that invokes the # UNTRACKED_DISPOSITION (shorewall6.conf(5)). # # NEW # # Packets in the NEW state are processed by rules in this section. If the # INVALID and/or UNTRACKED sections are empty or not included, then the # packets in the corresponding state(s) are also processed in this section. # # Note # # If you are not familiar with Netfilter to the point where you are comfortable # with the differences between the various connection tracking states, then it is # suggested that you omit the ESTABLISHED and RELATED sections and place all of # your rules in the NEW section (That's after the line that reads '?SECTION NEW'). # # Warning # # If you specify FASTACCEPT=Yes in shorewall6.conf(5) then the ESTABLISHED and # RELATED sections must be empty. # # An exception is made if you are running Shorewall 4.4.27 or later and you have # specified a non-default value for RELATED_DISPOSITION or RELATED_LOG_LEVEL. In # that case, you may have rules in the RELATED section of this file. # # You may omit any section that you don't need. If no Section Headers appear in # the file then all rules are assumed to be in the NEW section. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # ACTION - target[:{log-level|none}[!][:tag]] # # Specifies the action to be taken if the connection request matches the # rule. target must be one of the following. 
# # ACCEPT # # Allow the connection request. # # ACCEPT+ # # like ACCEPT but also excludes the connection from any subsequent # matching DNAT[-] or REDIRECT[-] rules. Requires Shorewall 4.5.14 or # later. # # ACCEPT! # # like ACCEPT but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # action # # The name of an action declared in shorewall6-actions(5) or in /usr/ # share/shorewall/actions.std. # # ADD(ipset:flags) # # Added in Shorewall 4.4.12. Causes addresses and/or port numbers to be # added to the named ipset. The flags specify the address or tuple to be # added to the set and must match the type of ipset involved. For # example, for an iphash ipset, either the SOURCE or DESTINATION address # can be added using flags src or dst respectively (see the -A command in # ipset (8)). # # Beginning with Shorewall 5.0.3, an optional timeout can be specified. # This is the number of seconds that the new entry in the ipset is to # remain valid and overrides any timeout specified when the ipset was # created. # # ADD is non-terminating. Even if a packet matches the rule, it is passed # on to the next rule. # # AUDIT[(accept|drop|reject)] # # Added in Shorewall 4.5.10. Audits the packet with the specified type; # if the type is omitted, then drop is assumed. Require AUDIT_TARGET # support in the kernel and iptables. # # A_ACCEPT, and A_ACCEPT! # # Added in Shorewall 4.4.20. Audited versions of ACCEPT and ACCEPT! # respectively. Require AUDIT_TARGET support in the kernel and iptables. # # A_DROP and A_DROP! # # Added in Shorewall 4.4.20. Audited versions of DROP and DROP! # respectively. Require AUDIT_TARGET support in the kernel and iptables. # # A_REJECT AND A_REJECT! # # Added in Shorewall 4.4.20. Audited versions of REJECT and REJECT! # respectively. Require AUDIT_TARGET support in the kernel and iptables. # # [?]COMMENT # # the rest of the line will be attached as a comment to the Netfilter # rule(s) generated by the following entries. 
The comment will appear # delimited by "/* ... */" in the output of "shorewall show ". To # stop the comment from being attached to further rules, simply include # COMMENT on a line by itself. # # Note # # Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and # is preferred. # # CONTINUE # # For experts only. # # Do not process any of the following rules for this (source # zone,destination zone). If the source and/or destination IP address # falls into a zone defined later in shorewall6-zones(5) or in a parent # zone of the source or destination zones, then this connection request # will be passed to the rules defined for that (those) zone(s). See # shorewall6-nesting(5) for additional information. # # CONTINUE! # # like CONTINUE but exempts the rule from being suppressed by OPTIMIZE=1 # in shorewall6.conf(5). # # COUNT # # Simply increment the rule's packet and byte count and pass the packet # to the next rule. # # DEL(ipset:flags) # # Added in Shorewall 4.4.12. Causes an entry to be deleted from the named # ipset. The flags specify the address or tuple to be deleted from the # set and must match the type of ipset involved. For example, for an # iphash ipset, either the SOURCE or DESTINATION address can be deleted # using flags src or dst respectively (see the -D command in ipset (8)). # # DEL is non-terminating. Even if a packet matches the rule, it is passed # on to the next rule. # # DNAT # # Forward the request to another system (and optionally another port). # Requires Shorewall 4.5.14 or later. # # DNAT- # # Advanced users only. # # Like DNAT but only generates the DNAT iptables rule and not the # companion ACCEPT rule. Requires Shorewall 4.5.14 or later. # # DROP # # Ignore the request. # # DROP! # # like DROP but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # HELPER # # Added in Shorewall 4.5.7. 
This action requires that the HELPER column # contains the name of the Netfilter helper to be associated with # connections matching this connection. May only be specified in the NEW # section and is useful for being able to specify a helper when the # applicable policy is ACCEPT. No destination zone should be specified in # HELPER rules. # # INLINE[(action)] # # Added in Shorewall 4.5.16. This action allows you to construct most of # the rule yourself using ip6tables syntax. The part that you specify # must follow a semicolon (';') and is completely free-form. If the # target of the rule (the part following 'j') is something that Shorewall # supports in the ACTION column, then you may enclose it in parentheses # (e.g., INLINE(ACCEPT)). Otherwise, you can include it after the # semicolon. In this case, you must declare the target as a builtin # action in shorewall6-actions(5). # # Some considerations when using INLINE: # # ☆ The p, s, d, i, o, policy, and state match (state or conntrack # --ctstate) matches will always appear in the front of the rule in # that order. # # ☆ When multiple matches are specified, the compiler will keep them in # the order in which they appear (excluding the above listed ones), # but they will not necessarily be at the end of the generated rule. # For example, if addresses are specified in the SOURCE and/or DEST # columns, their generated matches will appear after those specified # using ';'. # # IP6TABLES({ip6tables-target [option ...]) # # This action allows you to specify an ip6tables target with options # (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If the ip6tables-target # is not one recognized by Shorewall, the following error message will be # issued: # # ERROR: Unknown target (ip6tables-target) # # This error message may be eliminated by adding the ip6tables-target as # a builtin action in shorewall6-actions(5). 
# # Important # # If you specify REJECT as the ip6tables-target, the target of the rule # will be the ip6tables REJECT target and not Shorewall's builtin # 'reject' chain which is used when REJECT (see below) is specified as # the target in the ACTION column. # # LOG:level # # Simply log the packet and continue with the next rule. # # macro[(macrotarget)] # # The name of a macro defined in a file named macro.macro. If the macro # accepts an action parameter (Look at the macro source to see if it has # PARAM in the TARGET column) then the macro name is followed by the # parenthesized macrotarget (ACCEPT, DROP, REJECT, ...) to be substituted # for the parameter. # # Example: FTP(ACCEPT). # # The older syntax where the macro name and the target are separated by a # slash (e.g. FTP/ACCEPT) is still allowed but is deprecated. # # NFLOG[(nflog-parameters)] # # Added in Shorewall 4.5.9.3. Queues matching packets to a back end # logging daemon via a netlink socket then continues to the next rule. # See http://www.shorewall.net/shorewall_logging.html. # # Similar to LOG:NFLOG[(nflog-parameters)], except that the log level is # not changed when this ACTION is used in an action or macro and the # invocation of that action or macro specifies a log level. # # NFQUEUE[([queuenumber1[:queuenumber2][,bypass]]|bypass)] # # Queues the packet to a user-space application using the nfnetlink_queue # mechanism. If a queuenumber1 is not specified, queue zero (0) is # assumed. Beginning with Shorewall 4.6.10, the keyword bypass can be # given. By default, if no userspace program is listening on an NFQUEUE, # then all packets that are to be queued are dropped. When this option is # used, the NFQUEUE rule is silently bypassed instead. The packet will # move on to the next rule. Also beginning in Shorewall 4.6.10, a second # queue number (queuenumber2) may be specified. This specifies a range of # queues to use. Packets are then balanced across the given queues. 
This # is useful for multicore systems: start multiple instances of the # userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets # belonging to the same connection are put into the same nfqueue. # # NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)] # # like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 # in shorewall6.conf(5). # # NONAT # # Excludes the connection from any subsequent DNAT[-] or REDIRECT[-] # rules but doesn't generate a rule to accept the traffic. Requires # Shorewall 4.5.14 or later. # # QUEUE # # Queue the packet to a user-space application such as ftwall (http:// # p2pwall.sf.net). The application may reinsert the packet for further # processing. # # QUEUE! # # like QUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # REDIRECT # # Redirect the request to a server running on the firewall. Requires # Shorewall 4.5.14 or later. # # REDIRECT- # # Advanced users only. # # Like REDIRECT but only generates the REDIRECT iptables rule and not the # companion ACCEPT rule. Requires Shorewall 4.5.14 or later. # # REJECT # # disallow the request and return an icmp-unreachable or an RST packet. # # REJECT! # # like REJECT but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # TARPIT [(tarpit | honeypot | reset)] # # Added in Shorewall 4.6.6. # # TARPIT captures and holds incoming TCP connections using no local # per-connection resources. # # TARPIT only works with the PROTO column set to tcp (6), and is totally # application agnostic. This module will answer a TCP request and play # along like a listening server, but aside from sending an ACK or RST, no # data is sent. Incoming packets are ignored and dropped. The attacker # will terminate the session eventually. This module allows the initial # packets of an attack to be captured by other software for inspection. # In most cases this is sufficient to determine the nature of the attack. 
# # This offers similar functionality to LaBrea but does not require dedicated hardware or IPs. Any TCP port # that you would normally DROP or REJECT can instead become a tarpit. # # The target accepts a single optional parameter: # # tarpit # # This mode is the default and completes a connection with the # attacker but limits the window size to 0, thus keeping the attacker # waiting long periods of time. While he is maintaining state of the # connection and trying to continue every 60-240 seconds, we keep # none, so it is very lightweight. Attempts to close the connection # are ignored, forcing the remote side to time out the connection in # 12-24 minutes. # # honeypot # # This mode completes a connection with the attacker, but signals a # normal window size, so that the remote side will attempt to send # data, often with some very nasty exploit attempts. We can capture # these packets for decoding and further analysis. The module does # not send any data, so if the remote expects an application level # response, the game is up. # # reset # # This mode is handy because we can send an inline RST (reset). It # has no other function. # # The target may optionally be followed by ":" and a syslog log level (e.g, # REJECT:info or Web(ACCEPT):debug). This causes the packet to be logged at # the specified level. Note that if the ACTION involves destination network # address translation (DNAT, REDIRECT, etc.) then the packet is logged before # the destination address is rewritten. # # If the ACTION names an action declared in shorewall-actions(5) or in /usr/ # share/shorewall/actions.std then: # # □ If the log level is followed by "!" then all rules in the action are # logged at the log level. # # □ If the log level is not followed by "!" then only those rules in the # action that do not specify logging are logged at the specified level. # # □ The special log level none! suppresses logging by the action. 
# # You may also specify ULOG or NFLOG (must be in upper case) as a log # level. This will log to the ULOG or NFLOG target for routing to a separate # log through use of ulogd (http://www.netfilter.org/projects/ulogd/ # index.html). # # Actions specifying logging may be followed by a log tag (a string of # alphanumeric characters) which is appended to the string generated by the # LOGPREFIX (in shorewall6.conf(5)). # # Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log prefix # generated by the LOGPREFIX setting. # # SOURCE - {zone|zone-list[+]|{all|any}[+][-]}[:interface][:<{address-or-range[, # address-or-range]...[exclusion]>|exclusion|+ipset|^countrycode-list} # # Source hosts to which the rule applies. May be a zone declared in /etc/ # shorewall6/zones, $FW to indicate the firewall itself, all, all+, all-, # all+- or none. # # Beginning with Shorewall 4.4.13, you may use a zone-list which consists of # a comma-separated list of zones declared in shorewall6-zones (5). This # zone-list may be optionally followed by "+" to indicate that the rule is to # apply to intra-zone traffic as well as inter-zone traffic. # # When none is used either in the SOURCE or DEST column, the rule is ignored. # # all means "All Zones", including the firewall itself. all- means "All # Zones, except the firewall itself". When all[-] is used either in the # SOURCE or DEST column intra-zone traffic is not affected. When all+[-] is # "used, intra-zone traffic is affected. Beginning with Shorewall 4.4.13, # exclusion is supported -- see shorewall6-exclusion(5). # # any is equivalent to all when there are no nested zones. When there are # nested zones, any only refers to top-level zones (those with no parent # zones). Note that any excludes all vserver zones, since those zones are # nested within the firewall zone. 
# # Except when all[+][-] or any[+][-] is specified, clients may be further # restricted to a list of networks and/or hosts by appending ":" and a # comma-separated list of network and/or host addresses. Hosts may be # specified by IP or MAC address; mac addresses must begin with "~" and must # use "-" as a separator. # # Hosts may also be specified as an IP address range using the syntax # lowaddress-highaddress. This requires that your kernel and ip6tables # contain iprange match support. If your kernel and ip6tables have ipset # match support then you may give the name of an ipset prefaced by "+". The # ipset name may be optionally followed by a number from 1 to 6 enclosed in # square brackets ([]) to indicate the number of levels of source bindings to # be matched. # # Beginning with Shorewall6 4.4.17, the primary IP address of a firewall # interface can be specified by an ampersand ('&') followed by the logical # name of the interface as found in the INTERFACE column of # shorewall6-interfaces (5). # # Beginning with Shorewall 4.5.4, A countrycode-list may be specified. A # countrycode-list is a comma-separated list of up to 15 two-character # ISO-3661 country codes enclosed in square brackets ('[...]') and preceded # by a caret ('^'). When a single country code is given, the square brackets # may be omitted. A list of country codes supported by Shorewall may be found # at http://www.shorewall.net/ISO-3661.html. Specifying a countrycode-list # requires GeoIP Match support in your ip6tables and Kernel. # # When an interface is not specified, you may omit the angled brackets ('<' # and '>') around the address(es) or you may supply them to improve # readability. # # You may exclude certain hosts from the set already defined through use of # an exclusion (see shorewall6-exclusion(5)). 
# # Examples: # # dmz:2002:ce7c::92b4:1::2 # # Host 2002:ce7c:92b4:1::2 in the DMZ # # net:2001:4d48:ad51:24::/64 # # Subnet 2001:4d48:ad51:24::/64 on the Internet # # loc:<2002:cec792b4:1::2,2002:cec792b4:1::44> # # Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the local zone. # # loc:~00-A0-C9-15-39-78 # # Host in the local zone with MAC address 00:A0:C9:15:39:78. # # net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80 # # Subnet 2001:4d48:ad51:24::/64 on the Internet except for # 2001:4d48:ad51:24:6:/80. # # $FW:&eth0 # # The primary IP address of eth0 in the firewall zone (Shorewall6 4.4.17 # and later). # # Alternatively, clients may be specified by interface by appending ":" to # the zone name followed by the interface name. For example, loc:eth1 # specifies a client that communicates with the firewall system through eth1. # This may be optionally followed by another colon (":") and an IP/MAC/subnet # address as described above (e.g., loc:eth1:<2002:ce7c::92b4:1::2>). # # Examples: # # loc:eth1:<2002:cec792b4:1::2,2002:cec792b4:1::44> # # Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the Local zone, # with both originating from eth1 # # DEST - {zone|zone-list[+]|all[+][-]}[:interface][:<{address-or-range[, # address-or-range]...[exclusion]>|exclusion|+ipset|^countrycode-list}[:port # [:random]] # # Location of Server. May be a zone declared in shorewall6-zones(5), $FW to # indicate the firewall itself, all, all+ or none. # # Beginning with Shorewall 4.4.13, you may use a zone-list which consists of # a comma-separated list of zones declared in shorewall6-zones (5). This # zone-list may be optionally followed by "+" to indicate that the rule is to # apply to intra-zone traffic as well as inter-zone traffic. Beginning with # Shorewall-4.4.13, exclusion is supported -- see shorewall6-exclusion # (5). 
# # Beginning with Shorewall6 4.4.17, the primary IP address of a firewall # interface can be specified by an ampersand ('&') followed by the logical # name of the interface as found in the INTERFACE column of # shorewall6-interfaces (5). # # Beginning with Shorewall 4.5.4, A countrycode-list may be specified. A # countrycode-list is a comma-separated list of up to 15 two-character # ISO-3661 country codes enclosed in square brackets ('[...]') and preceded # by a caret ('^'). When a single country code is given, the square brackets # may be omitted. A list of country codes supported by Shorewall may be found # at http://www.shorewall.net/ISO-3661.html. Specifying a countrycode-list # requires GeoIP Match support in your ip6tables and Kernel. # # When none is used either in the SOURCE or DEST column, the rule is ignored. # # When all is used either in the SOURCE or DEST column intra-zone traffic is # not affected. When all+ is used, intra-zone traffic is affected. # # If the DEST zone is a bport zone, then either: # # a. the SOURCE must be all[+][-], or # # b. the SOURCE zone must be another bport zone associated with the same # bridge, or # # c. the SOURCE zone must be an ipv4 zone that is associated with only the # same bridge. # # Except when all[+]|[-] is specified, the server may be further restricted # to a particular network, host or interface by appending ":" and the # network, host or interface. See SOURCE above. # # You may exclude certain hosts from the set already defined through use of # an exclusion (see shorewall6-exclusion(5)). # # Restriction: MAC addresses are not allowed (this is a Netfilter # restriction). # # If your kernel and ip6tables have ipset match support then you may give the # name of an ipset prefaced by "+". The ipset name may be optionally followed # by a number from 1 to 6 enclosed in square brackets ([]) to indicate the # number of levels of destination bindings to be matched. 
Only one of the # SOURCE and DEST columns may specify an ipset name. # # The port that the server is listening on may be included and separated from # the server's IP address by ":". If omitted, the firewall will not modify # the destination port. A destination port may only be included if the ACTION # is DNAT or REDIRECT. # # Example 1: # # loc:[2001:470:b:227::44]:3128 specifies a local server at IP address # 2001:470:b:227::44 and listening on port 3128. # # Example 2: # # loc:[]:3128 specifies that the destination port should be changed to # 3128 but the IP address should remain the same. # # The port may be specified as a service name. You may specify a port range # in the form lowport-highport to cause connections to be assigned to ports # in the range in round-robin fashion. When a port range is specified, # lowport and highport must be given as integers; service names are not # permitted. Additionally, the port range may be optionally followed by # :random which causes assignment to ports in the list to be random. # # If the ACTION is REDIRECT or REDIRECT-, this column needs only to contain # the port number on the firewall that the request should be redirected to. # That is equivalent to specifying $FW::port. # # PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all} # # Optional protocol - ipp2p* requires ipp2p match support in your kernel and # ip6tables. tcp:syn implies tcp plus the SYN flag must be set and the # RST,ACK and FIN flags must be reset. # # Beginning with Shorewall6 4.4.19, this column can contain a comma-separated # list of protocol-numbers and/or protocol names (e.g., tcp,udp). # # DPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} # # Optional destination Ports. A comma-separated list of Port names (from # services(5)), port numbers or port ranges; if the protocol is icmp, this # column is interpreted as the destination icmp-type(s). 
ICMP types may be # specified as a numeric type, a numeric type and code separated by a slash # (e.g., 3/4), or a typename. See http://www.shorewall.net/ # configuration_file_basics.htm#ICMP. Note that prior to Shorewall6 4.4.19, # only a single ICMP type may be listed. # # If the protocol is ipp2p, this column is interpreted as an ipp2p option # without the leading "--" (example bit for bit-torrent). If no port is # given, ipp2p is assumed. # # A port range is expressed as lowport:highport. # # This column is ignored if PROTO = all but must be entered if any of the # following columns are supplied. In that case, it is suggested that this # field contain a dash (-). # # If your kernel contains multi-port match support, then only a single # Netfilter rule will be generated in this list and the SPORT list below if: # # 1. There are 15 or less ports listed. # # 2. No port ranges are included or your kernel and ip6tables contain # extended multi-port match support. # # Beginning with Shorewall 4.6.0, an ipset name can be specified in this # column. This is intended to be used with bitmap:port ipsets. # # This column was formerly labelled DEST PORT(S). # # SPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} # # Optional source port(s). If omitted, any source port is acceptable. # Specified as a comma-separated list of port names, port numbers or port # ranges. # # Beginning with Shorewall 4.5.15, you may place '=' in this column, provided # that the DPORT column is non-empty. This causes the rule to match when # either the source port or the destination port in a packet matches one of # the ports specified in DPORT. Use of '=' requires multi-port match in your # iptables and kernel. # # Warning # # Unless you really understand IP, you should leave this column empty or # place a dash (-) in the column. Most people who try to use this column get # it wrong. 
# # If you don't want to restrict client ports but need to specify a later # column, then place "-" in this column. # # If your kernel contains multi-port match support, then only a single # Netfilter rule will be generated if in this list and the DPORT list above: # # 1. There are 15 or less ports listed. # # 2. No port ranges are included or your kernel and ip6tables contain # extended multi-port match support. # # Beginning with Shorewall 4.6.0, an ipset name can be specified in this # column. This is intended to be used with bitmap:port ipsets. # # This column was formerly labelled SOURCE PORT(S). # # ORIGDEST - [-] # # Included for compatibility with Shorewall. Enter '-' in this column if you # need to specify one of the later columns. # # This column was formerly labelled ORIGINAL DEST. # # RATE - limit # # where limit is one of: # # [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst] # [name1]:rate1/{sec|min|hour|day}[:burst1],[name2]:rate2/{sec|min|hour|day} # [:burst2] # # You may optionally rate-limit the rule by placing a value in this column: # # rate* is the number of connections per interval (sec or min) and burst* is # the largest burst permitted. If no burst is given, a value of 5 is assumed. # There may be no white-space embedded in the specification. # # Example: 10/sec:20 # # When s: or d: is specified, the rate applies per source IP address or per # destination IP address respectively. The names may be chosen by the user # and specify a hash table to be used to count matching connections. If not # given, the name shorewallN (where N is a unique integer) is assumed. Where # more than one rule or POLICY specifies the same name, the connections # counts for the rules are aggregated and the individual rates apply to the # aggregated count. # # Beginning with Shorewall 4.6.5, two limits may be specified, separated by a # comma. 
In this case, the first limit (name1, rate1, burst1) specifies the # per-source IP limit and the second limit specifies the per-destination IP # limit. # # Example: client:10/sec:20,:60/sec:100 # # In this example, the 'client' hash table will be used to enforce the # per-source limit and the compiler will pick a unique name for the hash # table that tracks the per-destination limit. # # This column was formerly labelled RATE LIMIT. # # USER - [!][user-name-or-number-or-range][:group-name-or-number-or-range] # # This optional column may only be non-empty if the SOURCE is the firewall # itself. # # When this column is non-empty, the rule applies only if the program # generating the output is running under the effective user and/or group # specified (or is NOT running under that id if "!" is given). # # Beginning with Shorewall 4.5.8, multiple user or group names/ids separated # by commas may be specified. # # Examples: # # joe # # program must be run by joe # # :kids # # program must be run by a member of the 'kids' group # # !:kids # # program must not be run by a member of the 'kids' group # # 2001-2099 # # UIDs 2001 through 2099 (Shorewall 4.5.6 and later) # # This column was formerly labelled USER/GROUP. # # MARK - [!]value[/mask][:C] # # Defines a test on the existing packet or connection mark. The rule will # match only if the test returns true. # # If you don't want to define a test but need to specify anything in the # following columns, place a "-" in this field. # # ! # # Inverts the test (not equal) # # value # # Value of the packet or connection mark. # # mask # # A mask to be applied to the mark before testing. # # :C # # Designates a connection mark. If omitted, the packet mark's value is # tested. # # CONNLIMIT - [d:][!]limit[:mask] # # May be used to limit the number of simultaneous connections to/from each # individual host or network to limit connections. Requires connlimit match # in your kernel and iptables. 
While the limit is only checked on rules # specifying CONNLIMIT, the number of current connections is calculated over # all current connections from the SOURCE or DESTINATION host. By default, # limiting is done by SOURCE host or net, but if the specification begins # with d:, then limiting will be done by destination host or net. # # By default, the limit is applied to each host but can be made to apply to # networks of hosts by specifying a mask. The mask specifies the width of a # VLSM mask to be applied to the source address; the number of current # connections is then taken over all hosts in the subnet source-address/mask. # When ! is specified, the rule matches when the number of connections exceeds # the limit. # # TIME - timeelement[&timeelement...] # # May be used to limit the rule to a particular time period each day, to # particular days of the week or month, or to a range defined by dates and # times. Requires time match support in your kernel and ip6tables. # # timeelement may be: # # timestart=hh:mm[:ss] # # Defines the starting time of day. # # timestop=hh:mm[:ss] # # Defines the ending time of day. # # utc # # Times are expressed in Greenwich Mean Time. # # localtz # # Deprecated by the Netfilter team in favor of kerneltz. Times are # expressed in Local Civil Time (default). # # kerneltz # # Added in Shorewall 4.5.2. Times are expressed in Local Kernel Time # (requires iptables 1.4.12 or later). # # weekdays=ddd[,ddd]... # # where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun # # monthdays=dd[,dd],... # # where dd is an ordinal day of the month # # datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]] # # Defines the starting date and time. # # datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]] # # Defines the ending date and time. # # HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall 4.4.15) # # The header-list consists of a comma-separated list of headers from the # following list. # # auth, ah, or 51 # # Authentication Headers extension header. 
# # esp, or 50 # # Encrypted Security Payload extension header. # # hop, hop-by-hop or 0 # # Hop-by-hop options extension header. # # route, ipv6-route or 41 # # IPv6 Route extension header. # # frag, ipv6-frag or 44 # # IPv6 fragmentation extension header. # # none, ipv6-nonxt or 59 # # No next header # # proto, protocol or 255 # # Any protocol header. # # If any: is specified, the rule will match if any of the listed headers are # present. If exactly: is specified, the rule will match packets that exactly # include all specified headers. If neither is given, any: is assumed. # # If ! is entered, the rule will match those packets which would not be # matched when ! is omitted. # # SWITCH - [!]switch-name[={0|1}] # # Added in Shorewall6 4.4.24 and allows enabling and disabling the rule # without requiring shorewall6 restart. # # Enables the rule if the value stored in /proc/net/nf_condition/switch-name # is 1. Disables the rule if that file contains 0 (the default). If '!' is # supplied, the test is inverted such that the rule is enabled if the file # contains 0. # # Within the switch-name, '@0' and '@{0}' are replaced by the name of the # chain to which the rule is added. The switch-name (after '@...' # expansion) must begin with a letter and be composed of letters, decimal # digits, underscores or hyphens. Switch names must be 30 characters or less # in length. # # Switches are normally off. To turn a switch on: # # echo 1 > /proc/net/nf_condition/switch-name # # To turn it off again: # # echo 0 > /proc/net/nf_condition/switch-name # # Switch settings are retained over shorewall6 restart. # # Beginning with Shorewall 4.5.10, when the switch-name is followed by =0 or # =1, then the switch is initialized to off or on respectively by the start # command. Other commands do not affect the switch setting. # # HELPER - [helper] # # Added in Shorewall 4.5.7. 
# # In the NEW section, causes the named conntrack helper to be associated with # this connection; the contents of this column are ignored unless ACTION is # ACCEPT*, DNAT* or REDIRECT*. # # In the RELATED section, will only match if the related connection has the # named helper associated with it. # # The helper may be one of: # # amanda # ftp # irc # netbios-ns # pptp # Q.931 # RAS # sane # sip # snmp # tftp # # If the HELPERS option is specified in shorewall6.conf(5), then any module # specified in this column must be listed in the HELPERS setting. # # Example # # Example 1: # # Accept SMTP requests from the DMZ to the internet # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST # ACCEPT dmz net tcp smtp # # Example 4: # # You want to accept SSH connections to your firewall only from internet IP # addresses 2002:ce7c::92b4:1::2 and 2002:ce7c::92b4:1::22 # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST # ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \ # $FW tcp 22 # # Example 5: # # You wish to limit SSH connections from remote systems to 1/min with a burst # of three (to allow for limited retry): # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE # SSH(ACCEPT) net all - - - - s:1/min:3 # # Example 6: # # Forward port 80 to dmz host $BACKUP if switch 'primary_down' is set. # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH # DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down # # Example 7: # # Drop all email from IP addresses in the country whose ISO-3661 country code # is ZZ. # # #ACTION SOURCE DEST PROTO DPORT # DROP net:^ZZ fw tcp 25 # # Example 8: # # You want to generate your own rule involving ip6tables targets and matches # not supported by Shorewall. 
# # #ACTION SOURCE DEST PROTO DPORT # INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 # # The above will generate the following ip6tables-restore input: # # -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 # # Note that SECCTX must be defined as a builtin action in shorewall6-actions # (5): # # #ACTION OPTIONS # SECCTX builtin # ###################################################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER # PORT PORT(S) DEST LIMIT GROUP ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW # Drop packets in the INVALID state Invalid(DROP) net $FW tcp # Drop Ping from the "bad" net zone.. and prevent your log from being flooded.. Ping(DROP) net $FW # Permit all ICMP traffic FROM the firewall TO the net zone ACCEPT $FW net ipv6-icmp shorewall6-5.0.4/Samples6/one-interface/policy0000644000000000000000000000150212647470621017746 0ustar rootroot# # Shorewall6 version 5 - Sample Policy File for one-interface configuration. # Copyright (C) 2006-2015 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. 
#----------------------------------------------------------------------------- # For information about entries in this file, type "man shorewall6-policy" # ############################################################################### #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST $FW net ACCEPT net $FW DROP info net all DROP info # The FOLLOWING POLICY MUST BE LAST all all REJECT info shorewall6-5.0.4/Samples6/one-interface/zones0000644000000000000000000000135312647470621017611 0ustar rootroot# # Shorewall6 version 5 - Sample Zones File for one-interface IPv6 configuration. # Copyright (C) 2006-2015 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #----------------------------------------------------------------------------- # For information about entries in this file, type "man shorewall6-zones" ############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv6 shorewall6-5.0.4/Samples6/one-interface/policy.annotated0000644000000000000000000002115112650244165021720 0ustar rootroot# # Shorewall6 version 5 - Sample Policy File for one-interface configuration. # Copyright (C) 2006-2015 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. 
#----------------------------------------------------------------------------- # For information about entries in this file, type "man shorewall6-policy" # ############################################################################### # # This file defines the high-level policy for connections between zones defined # in shorewall6-zones(5). # # Important # # The order of entries in this file is important # # This file determines what to do with a new connection request if we don't get a # match from the /etc/shorewall6/rules file . For each source/destination pair, # the file is processed in order until a match is found ("all" will match any # client or server). # # Important # # Intra-zone policies are pre-defined # # For $FW and for all of the zones defined in /etc/shorewall6/zones, the POLICY # for connections from the zone to itself is ACCEPT (with no logging or TCP # connection rate limiting) but may be overridden by an entry in this file. The # overriding entry must be explicit (specifying the zone name on both SOURCE and # DEST) or it must use "all+" (Shorewall 4.5.17 or later). # # Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall6.conf, then the # implicit policy to/from any sub-zone is CONTINUE. These implicit CONTINUE # policies may also be overridden by an explicit entry in this file. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # SOURCE - zone|$FW|all|all+ # # Source zone. Must be the name of a zone defined in shorewall6-zones(5), # $FW, "all" or "all+". # # Support for "all+" was added in Shorewall 4.5.17. "all" does not override # the implicit intra-zone ACCEPT policy while "all+" does. # # DEST - zone|$FW|all|all+ # # Destination zone. Must be the name of a zone defined in shorewall6-zones # (5), $FW, "all" or "all+". 
If the DEST is a bport zone, then the SOURCE # must be "all", "all+", another bport zone associated with the same bridge, # or it must be an ipv4 zone that is associated with only the same bridge. # # Support for "all+" was added in Shorewall 4.5.17. "all" does not override # the implicit intra-zone ACCEPT policy while "all+" does. # # POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2 # ])]|NONE}[:{default-action-or-macro[:level]|None}] # # Policy if no match from the rules file is found. # # If the policy is neither CONTINUE nor NONE then the policy may be followed # by ":" and one of the following: # # a. The word "None" or "none". This causes any default action defined in # shorewall6.conf(5) to be omitted for this policy. # # b. The name of an action. The action will be invoked before the policy is # enforced. # # Actions can have parameters specified. # # Beginning with Shorewall 4.5.10, the action name can be followed optionally # by a colon and a log level. The level will be applied to each rule in the # action or body that does not already have a log level. # # Possible actions are: # # ACCEPT # # Accept the connection. # # DROP # # Ignore the connection request. # # REJECT # # For TCP, send RST. For all other, send an "unreachable" ICMP. # # QUEUE # # Queue the request for a user-space application such as Snort-inline. # # NFQUEUE # # Queue the request for a user-space application using the # nfnetlink_queue mechanism. If a queuenumber1 is not given, queue zero # (0) is assumed. Beginning with Shorewall 4.6.10, a second queue number # (queuenumber2) may be given. This specifies a range of queues to use. # Packets are then balanced across the given queues. This is useful for # multicore systems: start multiple instances of the userspace program on # queues x, x+1, .. x+n and use "x:x+n". Packets belonging to the same # connection are put into the same nfqueue. 
# # CONTINUE # # Pass the connection request past any other rules that it might also # match (where the source or destination zone in those rules is a # superset of the SOURCE or DEST in this policy). See shorewall6-nesting # (5) for additional information. # # NONE # # Assume that there will never be any packets from this SOURCE to this # DEST. shorewall6 will not create any infrastructure to handle such # packets and you may not have any rules with this SOURCE and DEST in the # /etc/shorewall6/rules file. If such a packet is received, the result is # undefined. NONE may not be used if the SOURCE or DEST columns contain # the firewall zone ($FW) or "all". # # LOG LEVEL (loglevel) - [log-level|NFLOG] # # Optional - if supplied, each connection handled under the default POLICY is # logged at that level. If not supplied, no log message is generated. See # syslog.conf(5) for a description of log levels. # # You may also specify NFLOG (must be in upper case). This will log to the # NFLOG target and will send to a separate log through use of ulogd (http:// # www.netfilter.org/projects/ulogd/index.html). # # For a description of log levels, see http://www.shorewall.net/ # shorewall_logging.html. # # If you don't want to log but need to specify the following column, place # "-" here. # # BURST:LIMIT (limit) - [-|limit] # # where limit is one of: # # [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst] # [name1]:rate1/{sec|min|hour|day}[:burst1],[name2]:rate2/{sec|min|hour|day} # [:burst2] # # If passed, specifies the maximum TCP connection rate and the size of an # acceptable burst. If not specified, TCP connections are not limited. If the # burst parameter is omitted, a value of 5 is assumed. # # When s: or d: is specified, the rate applies per source IP address or per # destination IP address respectively. The name may be chosen by the user and # specifies a hash table to be used to count matching connections. If not # given, the name shorewall is assumed. 
Where more than one POLICY or rule # specifies the same name, the connections counts for the policies are # aggregated and the individual rates apply to the aggregated count. # # Beginning with Shorewall 4.6.5, two limits may be specified, separated by a # comma. In this case, the first limit (name1, rate1, burst1) specifies the # per-source IP limit and the second limit specifies the per-destination IP # limit. # # Example: client:10/sec:20,:60/sec:100 # # CONNLIMIT - limit[:mask] # # May be used to limit the number of simultaneous connections from each # individual host to limit connections. While the limit is only checked on # connections to which this policy could apply, the number of current # connections is calculated over all current connections from the SOURCE # host. By default, the limit is applied to each host individually but can be # made to apply to networks of hosts by specifying a mask. The mask specifies # the width of a VLSM mask to be applied to the source address; the number of # current connections is then taken over all hosts in the subnet # source-address/mask. # # Example # # a. All connections from the local network to the internet are allowed # # b. All connections from the internet are ignored but logged at syslog level # KERNEL.INFO. # # c. All other connection requests are rejected and logged at level KERNEL.INFO. 
# # #SOURCE DEST POLICY LOG BURST:LIMIT # # LEVEL # loc net ACCEPT # net all DROP info # # # # THE FOLLOWING POLICY MUST BE LAST # # # all all REJECT info # ############################################################################### #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST $FW net ACCEPT net $FW DROP info net all DROP info # The FOLLOWING POLICY MUST BE LAST all all REJECT info shorewall6-5.0.4/Samples6/one-interface/README.txt0000644000000000000000000000215312647470621020225 0ustar rootrootFor instructions on using this sample configuration, please see http://www.shorewall.net/standalone.htm Shorewall Samples Copyright (C) 2006-2015 by the following authors: Thomas M. Eastep Paul D. Gear Cristian Rodriguez Francesca Smith This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Sample files are licensed under the LGPL, please see the LICENSE file or http://www.gnu.org/licenses/lgpl.html for more details. shorewall6-5.0.4/Samples6/one-interface/rules0000644000000000000000000000246612647470621017613 0ustar rootroot# # Shorewall6 version 5 - Sample Rules File for one-interface configuration. 
# Copyright (C) 2006-2015 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------------------------------------ # For information on entries in this file, type "man shorewall6-rules" ###################################################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER # PORT PORT(S) DEST LIMIT GROUP ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW # Drop packets in the INVALID state Invalid(DROP) net $FW tcp # Drop Ping from the "bad" net zone.. and prevent your log from being flooded.. 
Ping(DROP) net $FW # Permit all ICMP traffic FROM the firewall TO the net zone ACCEPT $FW net ipv6-icmp shorewall6-5.0.4/Samples6/one-interface/shorewall6.conf0000644000000000000000000001060712647470621021467 0ustar rootroot############################################################################### # # Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf # Copyright (C) 2012-2015 by the Shorewall Team # # For information about the settings in this file, type "man shorewall6.conf" # # Manpage also online at # http://www.shorewall.net/manpages6/shorewall6.conf.html ############################################################################### # S T A R T U P E N A B L E D ############################################################################### STARTUP_ENABLED=No ############################################################################### # V E R B O S I T Y ############################################################################### VERBOSITY=1 ############################################################################### # L O G G I N G ############################################################################### BLACKLIST_LOG_LEVEL= INVALID_LOG_LEVEL= LOG_BACKEND= LOG_VERBOSITY=2 LOGALLNEW= LOGFILE= LOGFORMAT="Shorewall:%s:%s:" LOGLIMIT= LOGTAGONLY=No MACLIST_LOG_LEVEL=info RELATED_LOG_LEVEL= RPFILTER_LOG_LEVEL=info SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info STARTUP_LOG=/var/log/shorewall6-init.log TCP_FLAGS_LOG_LEVEL=info UNTRACKED_LOG_LEVEL= ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall GEOIPDIR=/usr/share/xt_geoip/LE IP6TABLES= IP= IPSET= LOCKFILE= MODULESDIR= NFACCT= PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin RESTOREFILE= SHOREWALL_SHELL=/bin/sh 
SUBSYSLOCK= TC= ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### ACCEPT_DEFAULT="none" DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" REJECT_DEFAULT="Reject" ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' RSH_COMMAND='ssh ${root}@${system} ${command}' ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### ACCOUNTING=Yes ACCOUNTING_TABLE=filter ADMINISABSENTMINDED=Yes BASIC_FILTERS=No IGNOREUNKNOWNVARIABLES=No AUTOCOMMENT=Yes AUTOHELPERS=Yes AUTOMAKE=No BLACKLIST="NEW,INVALID,UNTRACKED" CHAIN_SCRIPTS=No CLAMPMSS=No CLEAR_TC=Yes COMPLETE=No DEFER_DNS_RESOLUTION=Yes DELETE_THEN_ADD=Yes DONT_LOAD= DYNAMIC_BLACKLIST=Yes EXPAND_POLICIES=No EXPORTMODULES=Yes FASTACCEPT=No FORWARD_CLEAR_MARK= HELPERS= IMPLICIT_CONTINUE=No INLINE_MATCHES=Yes IPSET_WARNINGS=Yes IP_FORWARDING=keep KEEP_RT_TABLES=Yes LOAD_HELPERS_ONLY=Yes MACLIST_TABLE=filter MACLIST_TTL= MANGLE_ENABLED=Yes MARK_IN_FORWARD_CHAIN=No MODULE_SUFFIX="ko ko.xz" MUTEX_TIMEOUT=60 OPTIMIZE=All OPTIMIZE_ACCOUNTING=No REJECT_ACTION= REQUIRE_INTERFACE=No RESTART=restart RESTORE_ROUTEMARKS=Yes SAVE_IPSETS=No TC_ENABLED=No TC_EXPERT=No TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" TRACK_PROVIDERS=Yes TRACK_RULES=No USE_DEFAULT_RT=Yes USE_PHYSICAL_NAMES=No USE_RT_NAMES=No WARNOLDCAPVERSION=Yes WORKAROUNDS=No ZONE2ZONE=- ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### 
BLACKLIST_DISPOSITION=DROP INVALID_DISPOSITION=CONTINUE MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT SFILTER_DISPOSITION=DROP RPFILTER_DISPOSITION=DROP SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP UNTRACKED_DISPOSITION=CONTINUE ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ TC_BITS= PROVIDER_BITS= PROVIDER_OFFSET= MASK_BITS= ZONE_BITS=0 #LAST LINE -- DO NOT REMOVE shorewall6-5.0.4/Samples6/one-interface/interfaces0000644000000000000000000000147112647470621020577 0ustar rootroot# # Shorewall6 version 5 - Sample Interfaces File for one-interface configuration. # Copyright (C) 2006-2015 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-interfaces" ############################################################################### ?FORMAT 2 ############################################################################### #ZONE INTERFACE OPTIONS net eth0 tcpflags shorewall6-5.0.4/Samples6/one-interface/zones.annotated0000644000000000000000000002106512650244167021565 0ustar rootroot# # Shorewall6 version 5 - Sample Zones File for one-interface IPv6 configuration. # Copyright (C) 2006-2015 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. 
# # See the file README.txt for further details. #----------------------------------------------------------------------------- # For information about entries in this file, type "man shorewall6-zones" ############################################################################### # # The /etc/shorewall6/zones file declares your network zones. You specify the # hosts in each zone through entries in /etc/shorewall6/interfaces or /etc/ # shorewall6/hosts. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # ZONE - zone[:parent-zone[,parent-zone]...] # # Name of the zone. The names "all", "none", "SOURCE" and "DEST" are reserved # and may not be used as zone names. The maximum length of a zone name is # determined by the setting of the LOGFORMAT option in shorewall6.conf(5). # With the default LOGFORMAT, zone names can be at most 5 characters long. # # The maximum length of an iptables log prefix is 29 bytes. As explained # in shorewall6.conf (5), the default LOGPREFIX formatting string is # “Shorewall:%s:%s:” where the first %s is replaced by the chain name and # the second is replaced by the disposition. # # ☆ The default formatting string has 12 fixed characters ("Shorewall" # and three colons). # # ☆ The longest of the standard dispositions are ACCEPT and REJECT # which have 6 characters each. # # ☆ The canonical name for the chain containing the rules for traffic # going from zone 1 to zone 2 is "<zone 1>2<zone 2>". # # ☆ So if M is the maximum zone name length, such chains can have # length 2*M + 1. # # 12 + 6 + 2*M + 1 = 29 which reduces to # 2*M = 29 - 12 - 6 - 1 = 10 or # M = 5 # # The order in which Shorewall6 matches addresses from packets to zones is # determined by the order of zone declarations. 
Where a zone is nested in one # or more other zones, you may either ensure that the nested zone precedes # its parents in this file, or you may follow the (sub)zone name by ":" and a # comma-separated list of the parent zones. The parent zones must have been # declared in earlier records in this file. See shorewall6-nesting(5) for # additional information. # # Example: # # #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS # a ipv6 # b ipv6 # c:a,b ipv6 # # Currently, Shorewall6 uses this information to reorder the zone list so # that parent zones appear after their subzones in the list. The # IMPLICIT_CONTINUE option in shorewall6.conf(5) can also create implicit # CONTINUE policies to/from the subzone. # # Where an ipsec zone is explicitly included as a child of an ipv6 zone, the # ruleset allows CONTINUE policies (explicit or implicit) to work as # expected. # # In the future, Shorewall6 may make additional use of nesting information. # # TYPE # # ipv6 # # This is the standard Shorewall6 zone type and is the default if you # leave this column empty or if you enter "-" in the column. # Communication with some zone hosts may be encrypted. Encrypted hosts # are designated using the 'ipsec' option in shorewall6-hosts(5). # # ipsec (or ipsec6) # # Communication with all zone hosts is encrypted. Your kernel and # ip6tables must include policy match support. # # firewall # # Designates the firewall itself. You must have exactly one 'firewall' # zone. No options are permitted with a 'firewall' zone. The name that # you enter in the ZONE column will be stored in the shell variable $FW # which you may use in other configuration files to designate the # firewall zone. # # bport (or bport6) # # The zone is associated with one or more ports on a single bridge. # # vserver # # Added in Shorewall 4.4.11 Beta 2 - A zone composed of Linux-vserver # guests. The zone contents must be defined in shorewall6-hosts (5). # # Vserver zones are implicitly handled as subzones of the firewall zone. 
# # loopback # # Added in Shorewall 4.5.17. # # Normally, Shorewall treats the loopback interface (lo) in the following # way: # # ☆ By default, all traffic through the interface is ACCEPTed. # # ☆ If a $FW -> $FW policy is defined or $FW -> $FW rules are defined, # they are placed in a chain named ${FW}2${FW} or ${FW}-${FW} (e.g., # 'fw2fw' or 'fw-fw' ) depending on the ZONE2ZONE setting in # shorewall6.conf(5). # # ☆ $FW -> $FW traffic is only filtered in the OUTPUT chain. # # By defining a loopback zone and associating it with the loopback # interface in shorewall-interfaces(5), you can effect a slightly # different model. Suppose that the loopback zone name is 'local'; then: # # ☆ Both $FW -> local and local -> $FW chains are created. # # ☆ The $FW -> local and local -> $FW policies may be different. # # ☆ Both $FW -> local and local -> $FW rules may be specified. # # Rules to/from the loopback zone and any zone other than the firewall # zone are ignored with a warning. # # loopback zones may be nested within other loopback zones. # # local # # Added in Shorewall 4.5.17. local is the same as ipv6 with the exception # that the zone is only accessible from the firewall and vserver zones. # # OPTIONS, IN OPTIONS and OUT OPTIONS (options, in_options, out_options) - [ # option[,option]...] # # A comma-separated list of options. With the exception of the mss and # blacklist options, these only apply to TYPE ipsec zones. # # blacklist # # Added in Shorewall 4.4.13. May not be specified for firewall or vserver # zones. # # When specified in the IN_OPTIONS column, causes all traffic from this # zone to be passed against the src entries in shorewall6-blacklist(5). # # When specified in the OUT_OPTIONS column, causes all traffic to this # zone to be passed against the dst entries in shorewall6-blacklist(5). # # Specifying this option in the OPTIONS column is equivalent to entering # it in both of the IN_OPTIONS and OUT_OPTIONS column. 
# # dynamic_shared # # Added in Shorewall 4.5.9. May only be specified in the OPTIONS column # and indicates that only a single ipset should be created for this zone # if it has multiple dynamic entries in shorewall6-hosts(5). Without this # option, a separate ipset is created for each interface. # # reqid=number # # where number is specified using setkey(8) using the 'unique:number' # option for the SPD level. # # spi=number # # where number is the SPI of the SA used to encrypt/decrypt packets. # # proto=ah|esp|ipcomp # # IPSEC Encapsulation Protocol # # mss=number # # sets the MSS field in TCP packets. If you supply this option, you # should also set FASTACCEPT=No in shorewall6.conf(5) to insure that both # the SYN and SYN,ACK packets have their MSS field adjusted. # # mode=transport|tunnel # # IPSEC mode # # tunnel-src=address[/mask] # # only available with mode=tunnel # # tunnel-dst=address[/mask] # # only available with mode=tunnel # # strict # # Means that packets must match all rules. # # next # # Separates rules; can only be used with strict # # The options in the OPTIONS column are applied to both incoming and outgoing # traffic. The IN OPTIONS are applied to incoming traffic (in addition to # OPTIONS) and the OUT OPTIONS are applied to outgoing traffic. # # If you wish to leave a column empty but need to make an entry in a # following column, use "-". 
# ############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv6 shorewall6-5.0.4/Samples6/one-interface/shorewall6.conf.annotated0000644000000000000000000020100312650244167023431 0ustar rootroot############################################################################### # # Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf # Copyright (C) 2012-2015 by the Shorewall Team # # For information about the settings in this file, type "man shorewall6.conf" # # Manpage also online at # http://www.shorewall.net/manpages6/shorewall6.conf.html ############################################################################### # S T A R T U P E N A B L E D ############################################################################### # # OPTIONS # # Many options have as their value a log-level. Log levels are a method of # describing to syslog (8) the importance of a message and a number of parameters # in this file have log levels as their value. # # These levels are defined by syslog and are used to determine the destination of # the messages through entries in /etc/syslog.conf (5). The syslog documentation # refers to these as "priorities"; Netfilter calls them "levels" and Shorewall6 # also uses that term. # # Valid levels are: # # 7 debug # 6 info # 5 notice # 4 warning # 3 err # 2 crit # 1 alert # 0 emerg # # For most Shorewall6 logging, a level of 6 (info) is appropriate. Shorewall6 log # messages are generated by NetFilter and are logged using facility 'kern' and # the level that you specify. If you are unsure of the level to choose, 6 (info) # is a safe bet. You may specify levels by name or by number. # # If you have built your kernel with NFLOG target support, you may also specify a # log level of NFLOG (must be all caps). 
Rather than log its messages to syslogd, # Shorewall6 will direct netfilter to log the messages via the NFLOG target which # will send them to a process called 'ulogd'. ulogd is available with most Linux # distributions (although it probably isn't installed by default). Ulogd is also # available from http://www.netfilter.org/projects/ulogd/index.html and can be # configured to log all Shorewall6 message to their own log file # # Note # # If you want to specify parameters to ULOG or NFLOG (e.g., NFLOG(1,0,1)), then # you must quote the setting. # # Example: # STARTUP_ENABLED=No # # STARTUP_ENABLED={Yes|No} # # Determines if Shorewall6 is allowed to start. As released from # shorewall.net, this option is set to No. When set to Yes or yes, Shorewall6 # may be started. Used as a guard against Shorewall6 being accidentally # started before it has been configured. # ############################################################################### # V E R B O S I T Y ############################################################################### VERBOSITY=1 # # VERBOSITY=[number] # # Shorewall6 has traditionally been very noisy (produced lots of output). You # may set the default level of verbosity using the VERBOSITY OPTION. # # Values are: # # 0 - Silent. You may make it more verbose using the -v option # 1 - Major progress messages displayed # 2 - All progress messages displayed (pre Shorewall6-3.2.0 behavior) # # If not specified, then 2 is assumed. # ############################################################################### # L O G G I N G ############################################################################### BLACKLIST_LOG_LEVEL= # # BLACKLIST_LOG_LEVEL=[log-level[:log-tag]] # # Formerly named BLACKLIST_LOGLEVEL. This parameter determines if packets # from blacklisted hosts are logged and it determines the syslog level that # they are to be logged at. Its value is a syslog level (Example: # BLACKLIST_LOG_LEVEL=debug). 
If you do not assign a value or if you assign # an empty value then packets from blacklisted hosts are not logged. The # setting determines the log level of packets sent to the blacklog target of # shorewall6-blrules(5). # INVALID_LOG_LEVEL= # # INVALID_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.5.13. Packets in the INVALID state that do not match # any rule in the INVALID section of shorewall6-rules (5) are logged at this # level. The default value is empty which means no logging is performed. # LOG_BACKEND= # # LOG_BACKEND=[backend] # # Added in Shorewall 4.6.4. LOG_BACKEND determines the logging backend to be # used for the iptrace command (see shorewall6(8)). # # backend is one of: # # LOG # # Use standard kernel logging. # # netlink # # Use netlink logging to ulogd version 2 or later. # LOG_VERBOSITY=2 # # LOG_VERBOSITY=[number] # # This option controls the amount of information logged to the file specified # in the STARTUP_LOG option. # # Values are: # # -1 - Logging is disabled # 0 - Silent. Only error messages are logged. # 1 - Major progress messages logged. # 2 - All progress messages logged # # If not specified, then -1 is assumed. # LOGALLNEW= # # LOGALLNEW=[log-level] # # This option is intended for use as a debugging aid. When set to a log # level, this option causes Shorewall6 to generate a logging rule as the # first rule in each builtin chain. # # □ The table name is used as the chain name in the log prefix. # # □ The chain name is used as the target in the log prefix. # # For example, using the default LOGFORMAT, the log prefix for logging # from the nat table's PREROUTING chain is: # # Shorewall:nat:PREROUTING # # Important # # To help insure that all packets in the NEW state are logged, rate # limiting (LOGLIMIT) should be disabled when using LOGALLNEW. Use # LOGALLNEW at your own risk; it may cause high CPU and disk utilization # and you may not be able to control your firewall after you enable this # option. 
# # Caution # # Do not use this option if the resulting log messages will be sent to # another system. # LOGFILE= # # LOGFILE=[pathname] # # This parameter tells the /sbin/shorewall6 program where to look for # Shorewall6 messages when processing the dump, logwatch, show log, and hits # commands. If not assigned or if assigned an empty value, /var/log/messages # is assumed. # LOGFORMAT="Shorewall:%s:%s:" # # LOGFORMAT=["formattemplate"] # # The value of this variable generates the --log-prefix setting for Shorewall6 # logging rules. It contains a “printf” formatting template which accepts # three arguments (the chain name, logging rule number (optional) and the # disposition). To use LOGFORMAT with fireparse, set it as: # # LOGFORMAT="fp=%s:%d a=%s " # # If the LOGFORMAT value contains the substring “%d” then the logging rule # number is calculated and formatted in that position; if that substring is # not included then the rule number is not included. If not supplied or # supplied as empty (LOGFORMAT="") then “Shorewall6:%s:%s:” is assumed. # # Note # # The setting of LOGFORMAT has an effect on the permitted length of zone # names. See shorewall6-zones (5). # LOGLIMIT= # # LOGLIMIT=[[{s|d}:]rate/{sec|second|min|minute|hour|day}[:burst]] # # Added in Shorewall 4.4.12. Limits the logging rate, either overall, or by # source or destination IP address. # # If the value starts with 's:' then logging is limited per source IP. If the # value starts with 'd:', then logging is limited per destination IP. # Otherwise, the overall logging rate is limited. # # If burst is not specified, then a value of 5 is assumed. # # The keywords second and minute are accepted beginning with Shorewall # 4.6.13. # LOGTAGONLY=No # # LOGTAGONLY=[Yes|No] # # Using the default LOGFORMAT, chain names may not exceed 11 characters or # truncation of the log prefix may occur. Longer chain names may be used with # log tags if you set LOGTAGONLY=Yes. 
With LOGTAGONLY=Yes, if a log tag is # specified then the tag is included in the log prefix in place of the chain # name. # # Beginning with Shorewall 4.5.12, when LOGTAGONLY=Yes, you have more control # over the generated log prefix. Beginning with that release, the tag is # interpreted as a chain name and a disposition separated by a comma. So this # rule: # # #ACTION SOURCE DEST # LOG:info:foo,bar net fw # # would generate the following log prefix when using the default LOGFORMAT # setting: # # Shorewall:foo:bar: # # Similarly, # # #ACTION SOURCE DEST # LOG:info:,bar net fw # # would generate # # Shorewall:net2fw:bar: # MACLIST_LOG_LEVEL=info # # MACLIST_LOG_LEVEL=[log-level[:log-tag]] # # Determines the syslog level for logging connection requests that fail MAC # Verification. The value must be a valid syslogd log level. If you don't # want to log these connection requests, set to the empty value (e.g., # MACLIST_LOG_LEVEL=""). # RELATED_LOG_LEVEL= # # RELATED_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.4.27. Packets in the related state that do not match # any rule in the RELATED section of shorewall6-rules (5) are logged at this # level. The default value is empty which means no logging is performed. # RPFILTER_LOG_LEVEL=info # # RPFILTER_LOG_LEVEL=log-level[:log-tag] # # Added in shorewall 4.5.7. Determines the logging of packets disposed via # the RPFILTER_DISPOSITION. The default value is info. # SFILTER_LOG_LEVEL=info # # SFILTER_LOG_LEVEL=log-level[:log-tag] # # Added on Shorewall 4.4.20. Determines the logging of packets matching the # sfilter option (see shorewall6-interfaces(5)) and of hairpin packets on # interfaces without the routeback option. The default is info. If you don't wish for these packets # to be logged, use SFILTER_LOG_LEVEL=none. 
# SMURF_LOG_LEVEL=info # # SMURF_LOG_LEVEL=[log-level[:log-tag]] # # Specifies the logging level for smurf packets (see the nosmurfs option in # shorewall6-interfaces(5)). If set to the empty value ( SMURF_LOG_LEVEL="" ) # then smurfs are not logged. # STARTUP_LOG=/var/log/shorewall6-init.log # # STARTUP_LOG=[pathname] # # If specified, determines where Shorewall6 will log the details of each # start, reload, restart and refresh command. Logging verbosity is determined # by the setting of LOG_VERBOSITY above. # TCP_FLAGS_LOG_LEVEL=info # # TCP_FLAGS_LOG_LEVEL=[log-level[:log-tag]] # # Determines the syslog level for logging packets that fail the checks # enabled by the tcpflags interface option. The value must be a valid syslogd # log level. If you don't want to log these packets, set to the empty value # (e.g., TCP_FLAGS_LOG_LEVEL=""). # UNTRACKED_LOG_LEVEL= # # UNTRACKED_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.5.13. Packets in the UNTRACKED state that do not match # any rule in the UNTRACKED section of shorewall6-rules (5) are logged at # this level. The default value is empty which means no logging is performed. # ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall # # CONFIG_PATH=[directory[:directory]...] # # Specifies where configuration files other than shorewall6.conf may be # found. CONFIG_PATH is specified as a list of directory names separated by # colons (":"). When looking for a configuration file: # # □ If the command is "try" or a configuration directory was specified # in the command (e.g., shorewall6 check ./gateway) then the directory # given in the command is searched first. # # □ Next, each directory in the CONFIG_PATH setting is searched in # sequence. 
# # If CONFIG_PATH is not given or if it is set to the empty value then the # contents of /usr/share/shorewall6/configpath are used. As released from # shorewall.net, that file sets the CONFIG_PATH to /etc/shorewall6:/usr/share # /shorewall6:/usr/share/shorewall but your particular distribution may set # it differently. See the output of shorewall6 show config for the default on # your system. # GEOIPDIR=/usr/share/xt_geoip/LE # # GEOIPDIR=[pathname] # # Added in Shorewall 4.5.4. Specifies the pathname of the directory # containing the GeoIP Match database. See http://www.shorewall.net/ # ISO-3661.html. If not specified, the default value is /usr/share/xt_geoip/ # LE which is the default location of the little-endian database. # IP6TABLES= # # IP6TABLES=[pathname] # # This parameter names the ip6tables executable to be used by Shorewall6. If # not specified or if specified as a null value, then the ip6tables # executable located using the PATH option is used. # # Regardless of how the ip6tables utility is located (specified via IP6TABLES # = or located via PATH), Shorewall6 uses the ip6tables-restore and # ip6tables-save utilities from that same directory. # IP= # # IP=[pathname] # # If specified, gives the pathname of the 'ip' executable. If not specified, # 'ip' is assumed and the utility will be located using the current PATH # setting. # IPSET= # # IPSET=[pathname] # # If specified, gives the pathname of the 'ipset' executable. If not # specified, 'ipset' is assumed and the utility will be located using the # current PATH setting. # LOCKFILE= # # LOCKFILE=[pathname] # # Specifies the name of the Shorewall6 lock file, used to prevent # simultaneous state-changing commands. If not specified, ${VARDIR}/ # shorewall6/lock is assumed (${VARDIR} is normally /var/lib but can be # changed when Shorewall-core is installed -- see the output of shorewall6 # show vardir). # MODULESDIR= # # MODULESDIR=[pathname[:pathname]...] 
# # This parameter specifies the directory/directories where your kernel # netfilter modules may be found. If you leave the variable empty, Shorewall # will supply the value "/lib/modules/$uname/kernel/net/ipv${g_family}/ # netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/ # kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset" # where uname holds the output of 'uname -r' and g_family holds '6'. # NFACCT= # # NFACCT=[pathname] # # Added in Shorewall 4.5.7. Specifies the pathname of the nfacct utility. If # not specified, Shorewall will use the PATH setting to find the program. # PERL=/usr/bin/perl # # PERL=pathname # # Added in Shorewall 4.4.11 RC1. Specifies the path name of the Perl # executable. Default is /usr/bin/perl. If the pathname specified by this # option does not exist or the named file is not executable, then Shorewall6 # falls back to /usr/bin/perl # PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin # # PATH=pathname[:pathname]... # # Determines the order in which Shorewall6 searches directories for # executable files. # RESTOREFILE= # # RESTOREFILE=filename # # Specifies the simple name of a file in /var/lib/shorewall6 to be used as # the default restore script in the shorewall6 save, shorewall6 restore, # shorewall6 forget and shorewall6 -f start commands. # SHOREWALL_SHELL=/bin/sh # # SHOREWALL_SHELL=[pathname] # # This option is used to specify the shell program to be used to interpret # the compiled script. If not specified or specified as a null value, /bin/sh # is assumed. Using a light-weight shell such as ash or dash can # significantly improve performance. # SUBSYSLOCK= # # SUBSYSLOCK=[pathname] # # This parameter should be set to the name of a file that the firewall should # create if it starts successfully and remove when it stops. Creating and # removing this file allows Shorewall6 to work with your distribution's # initscripts. 
For RedHat, this should be set to /var/lock/subsys/shorewall6. # For Debian, the value is /var/lock/shorewall6 and in LEAF it is /var/run/ # shorewall. # TC= # # TC=[pathname] # # If specified, gives the pathname of the 'tc' executable. If not specified, # 'tc' is assumed and the utility will be located using the current PATH # setting. # ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### ACCEPT_DEFAULT="none" # # ACCEPT_DEFAULT={action[(parameters)][:level]|none} # DROP_DEFAULT="Drop" # # DROP_DEFAULT={action[(parameters)][:level]|none} # NFQUEUE_DEFAULT="none" # # NFQUEUE_DEFAULT={action[(parameters)][:level]|none} # QUEUE_DEFAULT="none" # # QUEUE_DEFAULT={action[(parameters)][:level]|none} # REJECT_DEFAULT="Reject" # # REJECT_DEFAULT={action[(parameters)][:level]|none} # # DROP_DEFAULT describes the rules to be applied before a connection request # is dropped by a DROP policy; REJECT_DEFAULT describes the rules to be # applied if a connection request is rejected by a REJECT policy. The other # three are similar for ACCEPT, QUEUE and NFQUEUE policies. # # The value applied to these may be: # # a) The name of an action. The name may optionally be followed by a # comma-separated list of parameters enclosed in parentheses if the specified # action accepts parameters (e.g., 'Drop(audit)'). # c) None or none # # The default values are: # # DROP_DEFAULT="Drop" # REJECT_DEFAULT="Reject" # ACCEPT_DEFAULT="none" # QUEUE_DEFAULT="none" # NFQUEUE_DEFAULT="None" # # If you set the value of either option to "None" then no default action will # be used and the default action or macro must be specified in # shorewall6-policy(5). # # You can pass parameters to the specified action or macro (e.g., myaction # (audit,DROP)). 
# # Beginning with Shorewall 4.5.10, the action name can be followed optionally # by a colon and a log level. The level will be applied to each rule in the # action or macro body that does not already have a log level. # ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' # # RCP_COMMAND="command" # RSH_COMMAND='ssh ${root}@${system} ${command}' # # RSH_COMMAND="command" # # Earlier generations of Shorewall6 Lite required that remote root login via # ssh be enabled in order to use the load and reload commands. Beginning with # release 3.9.5, you may define an alternative means for accessing the remote # firewall system. In that release, two new options were added to # shorewall6.conf: # # RSH_COMMAND # RCP_COMMAND # # The default values for these are as follows: # # RSH_COMMAND: ssh ${root}@${system} ${command} # RCP_COMMAND: scp ${files} ${root}@${system}:${destination} # # Shell variables that will be set when the commands are invoked are as # follows: # # root - root user. Normally root but may be overridden using the '-r' # option. # system - The name/IP address of the remote firewall system. # command - For RSH_COMMAND, the command to be executed on the firewall # system. # files - For RCP_COMMAND, a space-separated list of files to be copied to # the remote firewall system. # destination - The directory on the remote system that the files are to be # copied into. # ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### ACCOUNTING=Yes # # ACCOUNTING=[Yes|No] # # Added in Shorewall 4.4.7. If set to Yes, Shorewall6 accounting is enabled # (see shorewall6-accounting(5)). 
If not specified or set to the empty value, # ACCOUNTING=Yes is assumed. # ACCOUNTING_TABLE=filter # # ACCOUNTING_TABLE=[filter|mangle] # # Added in Shorewall 4.4.20. This setting determines which Netfilter table # the accounting rules are added in. By default, ACCOUNTING_TABLE=filter is # assumed. See also shorewall6-accounting(5). # ADMINISABSENTMINDED=Yes # # ADMINISABSENTMINDED=[Yes|No] # # The value of this variable affects Shorewall's stopped state. The behavior # differs depending on whether shorewall-routestopped(5) or # shorewall-stoppedrules(5) is used: # # routestopped # # When ADMINISABSENTMINDED=No, only traffic to/from those addresses # listed in routestopped is accepted when Shorewall is stopped. When # ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in # routestopped, connections that were active when Shorewall stopped # continue to work and all new connections from the firewall system # itself are allowed. # # stoppedrules # # All existing connections continue to work. To sever all existing # connections when the firewall is stopped, install the conntrack utility # and place the command conntrack -F in the stopped user exit (/etc/ # shorewall6/stopped). # # If ADMINISABSENTMINDED=No, only new connections matching entries in # stoppedrules are accepted when Shorewall is stopped. Response packets # and related connections are automatically accepted. # # If ADMINISABSENTMINDED=Yes, in addition to connections matching entries # in stoppedrules, all new connections from the firewall system itself # are allowed when the firewall is stopped. Response packets and related # connections are automatically accepted. # # If this variable is not set or is given the empty value then # ADMINISABSENTMINDED=No is assumed. # BASIC_FILTERS=No # # BASIC_FILTERS=[Yes|No] # # Added in Shorewall-4.6.0. When set to Yes, causes entries in # shorewall6-tcfilters(5) to generate a basic filter rather than a u32 # filter. 
This setting requires the Basic Ematch capability in your kernel # and iptables. # # Note # # One of the advantages of basic filters is that ipset matches are supported # in newer iproute2 and kernel versions. Because Shorewall6 cannot reliably # detect this capability, use of basic filters is controlled by this option. # # The default value is No which causes u32 filters to be generated. # IGNOREUNKNOWNVARIABLES=No # # IGNOREUNKNOWNVARIABLES=[Yes|No] # # Added in Shorewall 4.5.11. Normally, if an unknown shell variable is # encountered in a configuration file (except in ?IF and ?ELSIF directives), # the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes, # then such variables simply expand to an empty string. Default is No. # AUTOCOMMENT=Yes # # AUTOCOMMENT=[Yes|No] # # Formerly named AUTO_COMMENT. If set, if there is not a current comment when # a macro is invoked, the behavior is as if the first line of the macro file # was "COMMENT ". The AUTO_COMMENT option has a default value of # 'Yes'. # AUTOHELPERS=Yes # # AUTOHELPERS=[Yes|No] # # Added in Shorewall 4.5.7. When set to Yes (the default), the generated # ruleset will automatically associate helpers with applications that require # them (FTP, IRC, etc.). When configuring your firewall on systems running # kernel 3.5 or later, it is recommended that you: # # 1. Set AUTOHELPERS=No. # # 2. Modify the HELPERS setting (see below) to list the helpers that you # need. # # 3. Either: # # a. Modify shorewall6-conntrack (5) to only apply helpers where they # are required; or # # b. Specify the appropriate helper in the HELPER column in # shorewall6-rules (5). # # Note # # The macros for those applications requiring a helper automatically # specify the appropriate HELPER where required. 
# AUTOMAKE=No # # AUTOMAKE=[Yes|No] # # If set, the behavior of the start, reload and restart commands is changed; # if no files in the CONFIG_PATH (see below) have been changed since the last # successful start, reload or restart command, then the compilation step is # skipped and the compiled script that executed the last start, reload or # restart command is used. The default is AUTOMAKE=No. # # The setting of the AUTOMAKE option is ignored if the start, reload or # restart command includes a directory name (e.g., shorewall6 restart /etc/ # shorewall.new). # BLACKLIST="NEW,INVALID,UNTRACKED" # # BLACKLIST=[{ALL|state[,...]}] # # where state is one of NEW, ESTABLISHED, RELATED, INVALID,or UNTRACKED. # # Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY option. Specifies # the connection tracking states that are to be subject to blacklist # screening. If BLACKLIST is not specified then the states subject to # blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED. # # Note: The ESTABLISHED state may not be specified if FASTACCEPT is # specified. # CHAIN_SCRIPTS=No # # CHAIN_SCRIPTS={Yes|No} # # Added in Shorewall 4.5.16. Prior to the availability of BEGIN PERL....END # PERL in configuration files, the only way to execute a chain-specific # script was to create a script file with the same name as the chain and # place it in a directory on the CONFIG_PATH. That facility has the drawback # that the compiler will attempt to run a non-script file just because it has # the same name as a chain. To disable this facility, set CHAIN_SCRIPTS=No. # If not specified or specified as the empty value, CHAIN_SCRIPTS=Yes is # assumed. # CLAMPMSS=No # # CLAMPMSS=[Yes|No|value] # # This parameter enables the TCP Clamp MSS to PMTU feature of Netfilter and # is usually required when your internet connection is through PPPoE or PPTP. # If set to Yes or yes, the feature is enabled. If left blank or set to No or # no, the feature is not enabled. 
# # Important: This option requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel. # # You may also set CLAMPMSS to a numeric value (e.g., CLAMPMSS=1400). This # will set the MSS field in TCP SYN packets going through the firewall to the # value that you specify. # CLEAR_TC=Yes # # CLEAR_TC=[Yes|No] # # If this option is set to No then Shorewall6 won't clear the current traffic # control rules during [re]start. This setting is intended for use by people # that prefer to configure traffic shaping when the network interfaces come # up rather than when the firewall is started. If that is what you want to # do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall6 # /tcstart file. That way, your traffic shaping rules can still use the # “fwmark” classifier based on packet marking defined in shorewall6-tcrules # (5). If not specified, CLEAR_TC=No is assumed. # # Warning # # If you also run Shorewall and if you have TC_ENABLED=Internal in your # shorewall-conf(5), then you will want CLEAR_TC=No in this file. # COMPLETE=No # # COMPLETE=[Yes|No] # # Added in Shorewall6 4.4.12. When you set this option to Yes, you are # asserting that the configuration is complete so that your set of zones # encompasses any hosts that can send or receive traffic to/from/through the # firewall. This causes Shorewall6 to omit the rules that catch packets in # which the source or destination IP address is outside of any of your zones. # Default is No. It is recommended that this option only be set to Yes if: # # □ You have defined an interface whose effective physical setting is '+'. # # □ That interface is assigned to a zone. # # □ You have no CONTINUE policies or rules. # DEFER_DNS_RESOLUTION=Yes # # DEFER_DNS_RESOLUTION=[Yes|No] # # Added in Shorewall 4.5.12. When set to 'Yes' (the default), DNS names are # validated in the compiler and then passed on to the generated script where # they are resolved by ip6tables-restore. 
This is an advantage if you use # AUTOMAKE=Yes and the IP address associated with the DNS name is subject to # change. When DEFER_DNS_RESOLUTION=No, DNS names are converted into IP # addresses by the compiler. This has the advantage that when AUTOMAKE=Yes # the start, reload and restart commands will succeed even if no DNS server # is reachable (assuming that the configuration hasn't changed since the # compiled script was last generated). # DELETE_THEN_ADD=Yes # # DELETE_THEN_ADD={Yes|No} # # If set to Yes (the default value), entries in the /etc/shorewall6/ # route_stopped files cause an 'ip rule del' command to be generated in # addition to an 'ip rule add' command. Setting this option to No, causes the # 'ip rule del' command to be omitted. # DONT_LOAD= # # DONT_LOAD=[module[,module]...] # # Causes Shorewall6 to not load the listed kernel modules. # DYNAMIC_BLACKLIST=Yes # # DYNAMIC_BLACKLIST={Yes|No} # # Added in Shorewall 4.4.7. When set to No or no, dynamic blacklisting using # the shorewall6 drop, shorewall6 reject, shorewall6 logdrop and shorewall6 # logreject is disabled. Default is Yes. # EXPAND_POLICIES=No # # EXPAND_POLICIES={Yes|No} # # Normally, when the SOURCE or DEST columns in shorewall-policy(5) contains # 'all', a single policy chain is created and the policy is enforced in that # chain. For example, if the policy entry is # # #SOURCE DEST POLICY LOG # # LEVEL # net all DROP info # # then the chain name is 'net-all' ("net2all" if ZONE2ZONE=2) which is also # the chain named in Shorewall log messages generated as a result of the # policy. If EXPAND_POLICIES=Yes, then Shorewall will create a separate chain # for each pair of zones covered by the policy. This makes the resulting log # messages easier to interpret since the chain in the messages will have a # name of the form 'a2b' where 'a' is the SOURCE zone and 'b' is the DEST # zone. # EXPORTMODULES=Yes # # EXPORTMODULES=[Yes|No] # # Added in Shorewall 4.4.17. 
When set to Yes when compiling for use by # Shorewall6 Lite (shorewall6 load, shorewall6 reload or shorewall6 export # commands), the compiler will copy the modules or helpers file from the # administrative system into the script. When set to No or not specified, the # compiler will not copy the modules or helpers file from /usr/share/ # shorewall6 but will copy the one found in another location on the CONFIG_PATH. # # When compiling for direct use by Shorewall6, setting this option to Yes causes the contents of the # local module or helpers file to be copied into the compiled script. When # set to No or not set, the compiled script reads the file itself. # FASTACCEPT=No # # FASTACCEPT={Yes|No} # # Normally, Shorewall6 defers accepting ESTABLISHED/RELATED packets until # these packets reach the chain in which the original connection was # accepted. So for packets going from the 'loc' zone to the 'net' zone, # ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net' chain. # # If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets are accepted # early in the INPUT, FORWARD and OUTPUT chains. If you set FASTACCEPT=Yes # then you may not include rules in the ESTABLISHED or RELATED sections of # shorewall6-rules(5). # FORWARD_CLEAR_MARK= # # FORWARD_CLEAR_MARK={Yes|No} # # Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the # packet mark in the first rule in the mangle FORWARD chain. This behavior is # maintained with the default setting of this option (FORWARD_CLEAR_MARK= # Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle # PREROUTING chain are retained in the FORWARD chains. # HELPERS= # # HELPERS=[helper[,helper...]] # # Added in Shorewall 4.5.7. This option specifies a comma-separated list # naming the Netfilter application helpers that are to be enabled. If not # specified, the default is to enable all helpers.
# # Possible values for helper are: # # □ amanda # # □ ftp # # □ h323 # # □ irc # # □ netbios-ns # # □ none - This special value was added in Shorewall 4.5.16 and indicates # that no helpers are to be enabled. It also prevents the compiler from # probing for helper support; such probing generates messages on the # system log of the form "xt_CT: No such helper XXX" where XXX is the # helper name. When used, none must be the only helper specified. # # □ pptp # # □ sane # # □ sip # # □ snmp # # □ tftp # # When HELPERS is specified on a system running Kernel 3.5.0 or later, # automatic association of helpers to connections is disabled. # IMPLICIT_CONTINUE=No # # IMPLICIT_CONTINUE={Yes|No} # # When this option is set to Yes, it causes subzones to be treated # differently with respect to policies. # # Subzones are defined by following their name with ":" and a list of parent # zones (in shorewall6-zones(5)). Normally, you want to have a set of special # rules for the subzone and if a connection doesn't match any of those # subzone-specific rules then you want the parent zone rules and policies to # be applied; see shorewall6-nesting(5). With IMPLICIT_CONTINUE=Yes, that # happens automatically. # # If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then subzones # are not subject to this special treatment. With IMPLICIT_CONTINUE=Yes, an # implicit CONTINUE policy may be overridden by including an explicit policy # (one that does not specify "all" in either the SOURCE or the DEST columns). # INLINE_MATCHES=Yes # # INLINE_MATCHES={Yes|No} # # Added in Shorewall 4.6.0. Traditionally in shorewall6-rules(5), a semicolon # separates column-oriented specifications on the left from alternative # specifications on the right. When INLINE_MATCHES=Yes is specified, the # specifications on the right are interpreted as if INLINE had been specified # in the ACTION column. This also applies to shorewall6-masq(5) and # shorewall6-mangle(5) which also support INLINE.
If not specified or if # specified as the empty value, the value 'No' is assumed for backward # compatibility. # # Beginning with Shorewall 5.0.0, it is no longer necessary to set # INLINE_MATCHES=Yes in order to be able to specify your own iptables text in # a rule. You may simply preface that text with a pair of semicolons (";;"). # If alternate input is also specified in the rule, it should appear before # the semicolons and may be separated from normal column input by a single # semicolon. # IPSET_WARNINGS=Yes # # IPSET_WARNINGS={Yes|No} # # Added in Shorewall 4.5.2. Default is Yes. When set, causes the rules # compiler to issue a warning when: # # □ The compiler is being run by root and an ipset specified in the # configuration does not exist. Only one warning is issued for each # missing ipset. # # □ When [src] is specified in a destination column and when [dst] is # specified in a source column. # IP_FORWARDING=keep # # IP_FORWARDING=[On|Off|Keep] # # This rather useless parameter determines whether Shorewall6 enables or # disables IPV6 Packet Forwarding on all interfaces (/proc/sys/net/ipv6/ # config/all/forwarding). Possible values are: # # On or on # # packet forwarding will be enabled. # # Off or off # # packet forwarding will be disabled. # # Keep or keep # # Shorewall6 will neither enable nor disable packet forwarding # # If this variable is not set or is given an empty value (IP_FORWARDING="") # then IP_FORWARDING=On is assumed. # KEEP_RT_TABLES=Yes # # KEEP_RT_TABLES={Yes|No} # # When set to Yes, this option prevents scripts generated by Shorewall6 from # altering the /etc/iproute2/rt_tables database when there are entries in / # etc/shorewall6/providers. If you set this option to Yes while Shorewall6 # (Shorewall6-lite) is running, you should remove the file /var/lib/ # shorewall6/rt_tables (/var/lib/shorewall6-lite/rt_tables) before your next # stop, refresh, restore, reload or restart command. # # The default is KEEP_RT_TABLES=No.
# LOAD_HELPERS_ONLY=Yes # # LOAD_HELPERS_ONLY={Yes|No} # # Added in Shorewall 4.4.7. When set to Yes, restricts the set of modules # loaded by shorewall to those listed in /var/lib/shorewall6/helpers and # those that are actually used. When not set, or set to the empty value, # LOAD_HELPERS_ONLY=No is assumed. # MACLIST_TABLE=filter # # MACLIST_TABLE=[filter|mangle] # # Normally, MAC verification occurs in the filter table (INPUT and FORWARD) # chains. When forwarding a packet from an interface with MAC verification to # a bridge interface, that doesn't work. # # This problem can be worked around by setting MACLIST_TABLE=mangle which # will cause Mac verification to occur out of the PREROUTING chain. Because # REJECT isn't available in that environment, you may not specify # MACLIST_DISPOSITION=REJECT with MACLIST_TABLE=mangle. # MACLIST_TTL= # # MACLIST_TTL=[number] # # The performance of configurations with a large number of entries in # shorewall6-maclist(5) can be improved by setting the MACLIST_TTL variable # in shorewall6.conf(5). # # If your iptables and kernel support the "Recent Match" (see the output of # "shorewall check" near the top), you can cache the results of a 'maclist' # file lookup and thus reduce the overhead associated with MAC Verification. # # When a new connection arrives from a 'maclist' interface, the packet passes # through the list of entries for that interface in shorewall6-maclist(5). # If there is a match then the source IP address is added to the 'Recent' set # for that interface. Subsequent connection attempts from that IP address # occurring within $MACLIST_TTL seconds will be accepted without having to # scan all of the entries. After $MACLIST_TTL seconds from the first accepted # connection request from an IP address, the next connection request from # that IP address will be checked against the entire list.
# # If MACLIST_TTL is not specified, is specified as empty (e.g., MACLIST_TTL= # ""), or is specified as zero, then 'maclist' lookups will not be cached. # MANGLE_ENABLED=Yes # # MANGLE_ENABLED=[Yes|No] # # Determines whether Shorewall will generate rules in the Netfilter mangle # table. Setting MANGLE_ENABLED=No disables all Shorewall features that # require the mangle table. The default is MANGLE_ENABLED=Yes. # MARK_IN_FORWARD_CHAIN=No # # MARK_IN_FORWARD_CHAIN=[Yes|No] # # If your kernel has a FORWARD chain in the mangle table, you may set # MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified in the tcrules # file to occur in that chain rather than in the PREROUTING chain. This # permits you to mark inbound traffic based on its destination address when # DNAT is in use. To determine if your kernel has a FORWARD chain in the # mangle table, use the shorewall6 show mangle command; if a FORWARD chain # is displayed then your kernel will support this option. If this option is # not specified or if it is given the empty value (e.g., # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. # MODULE_SUFFIX="ko ko.xz" # # MODULE_SUFFIX=["extension ..."] # # The value of this option determines the possible file extensions of kernel # modules. The default value is "ko ko.gz ko.xz o o.gz o.xz gz xz". # MUTEX_TIMEOUT=60 # # MUTEX_TIMEOUT=[seconds] # # The value of this variable determines the number of seconds that programs # will wait for exclusive access to the Shorewall6 lock file. After the # number of seconds corresponding to the value of this variable, programs # will assume that the last program to hold the lock died without releasing # the lock. # # If not set or set to the empty value, a value of 60 (60 seconds) is # assumed. # # An appropriate value for this parameter would be twice the length of time # that it takes your firewall system to process a shorewall6 restart command.
# OPTIMIZE=All # # OPTIMIZE=[value] # # The specified value enables certain optimizations. Each optimization # category is associated with a power of two. To enable multiple optimization # categories, simply add their corresponding numbers together. # # Beginning with Shorewall 4.5.20, you may specify OPTIMIZE=All to enable all # optimization categories, and you may also specify OPTIMIZE=None to disable # optimization. # # □ Optimization category 1 - Traditionally, Shorewall has created rules # for the complete matrix of host groups defined by the zones, interfaces # and hosts files. Any traffic that didn't correspond to an element of # that matrix was rejected in one of the built-in chains. When the matrix # is sparse, this results in lots of largely useless rules. # # These extra rules can be eliminated by setting the 1 bit in OPTIMIZE. # # The 1 bit setting also controls the suppression of redundant wildcard # rules (those specifying "all" in the SOURCE or DEST column). A wildcard # rule is considered to be redundant when it has the same ACTION and Log # Level as the applicable policy. # # Note # # Optimization level 1 is ignored when optimization level 4 is also # selected, since level 4 performs similar optimizations in a more robust # way. # # □ Optimization category 2 - Added in Shorewall 4.4.7. When set, # suppresses superfluous ACCEPT rules in a policy chain that implements # an ACCEPT policy. Any ACCEPT rules that immediately precede the final # blanket ACCEPT rule in the chain are now omitted. # # □ Optimization category 4 - Added in Shorewall 4.4.7. When set, causes # short chains (those with less than 2 rules) to be optimized away. 
The # following chains are excluded from optimization: # # ☆ accounting chains (unless OPTIMIZE_ACCOUNTING=Yes) # # ☆ action chains (user-defined) # # ☆ 'blacklst' chain # # ☆ dynamic # # Additionally: # # ☆ If a built-in chain has a single rule that branches to a second # chain, then the rules from the second chain are moved to the # built-in chain and the target chain is omitted. # # ☆ Chains with no references are deleted. # # ☆ Accounting chains are subject to optimization if the # OPTIMIZE_ACCOUNTING option is set to 'Yes'. # # ☆ If a chain ends with an unconditional branch to a second chain # (other than to 'reject'), then the branch is deleted from the first # chain and the rules from the second chain are appended to it. # # An additional optimization was added in Shorewall 4.5.4. If the last # rule in a chain is an unqualified jump to a simple target, then all # immediately preceding rules with the same simple target are omitted. # # For example, consider this chain: # # -A fw-net -p udp --dport 67:68 -j ACCEPT # -A fw-net -p udp --sport 1194 -j ACCEPT # -A fw-net -p 41 -j ACCEPT # -A fw-net -j ACCEPT # # Since all of the rules are jumps to the simple target ACCEPT, this # chain is totally optimized away and jumps to the chain are replace with # jumps to ACCEPT. # # □ Optimization category 8 - Added in Shorewall 4.4.9. When set, causes # chains with identical rules to be collapsed into a single chain. # # □ Optimization category 16 - Added in Shorewall 4.4.26. When set, causes # sequences of compatible rules to be combined into a single rule. Rules # are considered compatible if they differ only in their destination # ports and comments. # # A sequence of compatible rules is often generated when macros are # invoked in sequence. # # The ability to combine adjacent rules is limited by two factors: # # ☆ Destination port lists may only be combined up to a maximum of 15 # ports, where a port-pair counts as two ports. 
# # ☆ Rules may only be combined until the length of their concatenated # comment reaches 255 characters. # # When either of these limits would be exceeded, the current combined # rule is emitted and the compiler attempts to combine rules beginning # with the one that would have exceeded the limit. Adjacent combined # comments are separated by ', '. Empty comments at the front of a group # of combined comments are replaced by 'Others and'. Empty comments at # the end of a group of combined comments are replaced by 'and others'. # # Beginning in Shorewall 4.5.10, this option also suppresses duplicate # adjacent rules and duplicate non-adjacent rules that don't include mark # , connmark, dscp, ecn, set, tos or u32 matches. # # Example 1: # # Rules with comments "FOO", and "BAR" would result in the # combined comment "FOO and others, BAR". # # Example 2: # # Rules with comments , "FOO" and "BAR" would result in the # combined comment "Others and FOO, BAR". Note: Optimize level 16 # requires "Extended Multi-port Match" in your iptables and kernel. # # The default value is zero which disables all optimizations. # OPTIMIZE_ACCOUNTING=No # # OPTIMIZE_ACCOUNTING=[Yes|No] # # Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting changes are # subject to optimization (OPTIMIZE=4,5,6 or 7). If not specified or set to # the empty value, OPTIMIZE_ACCOUNTING=No is assumed. # REJECT_ACTION= # # REJECT_ACTION=action # # Added in Shorewall 4.5.21. When a REJECT target is specified, Shorewall # normally handles the response as follows: # # □ If the destination address of the packet is a broadcast or multicast # address, the packet is dropped. # # □ if the protocol is ICMP (58) then the packet is dropped. # # □ if the protocol is TCP (6) then the packet is rejected with an RST. # # □ if the protocol is UDP (17) then the packet is rejected with an # 'port-unreachable' ICMP (ICMP6). # # □ if the protocol is ICMP (1) then the packet is rejected with a # 'addr-unreachable' ICMP. 
# # □ otherwise, the packet is rejected with an 'adm-prohibited' ICMP. # # You can modify this behavior by implementing your own action that handles # REJECT and specifying its name in this option. The nolog and inline # options will automatically be assumed for the specified action. # # The following action implements the standard behavior: # # ?format 2 # #TARGET SOURCE DEST PROTO # Broadcast(DROP) - - - # DROP - - 2 # INLINE - - 6 ; -j REJECT --reject-with tcp-reset # ?if __ENHANCED_REJECT # INLINE - - 17 ; -j REJECT # ?if __IPV4 # INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable # INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited # ?else # INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable # INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited # ?endif # ?else # INLINE - - - ; -j REJECT # ?endif # REQUIRE_INTERFACE=No # # REQUIRE_INTERFACE=[Yes|No] # # Added in Shorewall 4.4.10. The default is No. If set to Yes, at least one # optional interface must be up in order for the firewall to be in the # started state. Intended to be used with the Shorewall Init Package. # RESTART=restart # # RESTART=[restart|reload] # # Added in Shorewall 5.0.1 to replace LEGACY_RESTART which was added in # Shorewall 5.0.0. In that release, the reload command was redefined to do # what restart had done in earlier releases and restart became a true restart # (equivalent to stop followed by start). When RESTART=reload, the restart # command performs the same operation as the reload command making it # compatible with earlier releases. If not specified, RESTART=reload is # assumed. # RESTORE_ROUTEMARKS=Yes # # RESTORE_ROUTEMARKS=[Yes|No] # # Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are # restored unconditionally at the top of the mangle OUTPUT and PREROUTING # chains, even if the saved mark is zero. When this option is set to No, the # mark is restored even when it is zero.
If you have problems with IPSEC ESP # packets not being routed correctly on output, try setting this option to No. # SAVE_IPSETS=No # # SAVE_IPSETS={Yes|No|setlist} # # Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the current # contents of your ipsets will be saved by the shorewall stop and shorewall # save commands and restored by the shorewall start and shorewall restore # commands. # # Beginning with Shorewall 4.6.4, you can restrict the set of ipsets saved by # specifying a setlist (a comma-separated list of ipv6 ipset names). # TC_ENABLED=No # # TC_ENABLED=[Yes|No|Internal|Simple|Shared] # # If you say Yes or yes here, Shorewall6 will use a script that you supply to # configure traffic shaping. The script must be named 'tcstart' and must be # placed in a directory on your CONFIG_PATH. # # If you say No or no then traffic shaping is not enabled. # # If you set TC_ENABLED=Internal or internal or leave the option empty then # Shorewall6 will use its builtin traffic shaper (tc4shorewall6 written by # Arne Bernin). # # If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later), simple traffic # shaping using shorewall-tcinterfaces(5) and shorewall-tcpri(5) is enabled. # # Beginning with Shorewall 4.4.15, if you set TC_ENABLED=Shared or shared, # then you should create symbolic links from your Shorewall6 configuration # directory (normally /etc/shorewall6/) to your Shorewall tcdevices and # tcclasses files. This allows the compiler to have access to your Shorewall # traffic shaping configuration so that it can validate CLASSIFY rules in # shorewall6-tcrules (5). # # Warning # # If you also run Shorewall and if you have TC_ENABLED=Internal in your # shorewall-conf(5), then you will want TC_ENABLED=No or TC_ENABLED=Shared in # this file.
# TC_EXPERT=No # # TC_EXPERT={Yes|No} # # Normally, Shorewall6 tries to protect users from themselves by preventing # PREROUTING and OUTPUT tcrules from being applied to packets that have been # marked by the 'track' option in shorewall6-providers(5). # # If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall6 # will not include these cautionary checks. # TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" # # TC_PRIOMAP=map # # Added in Shorewall 4.4.6. Determines the mapping of a packet's TOS field to # priority bands. See shorewall6-tcpri(5). The map consists of 16 # space-separated digits with values 1, 2 or 3. A value of 1 corresponds to # Linux priority 0, 2 to Linux priority 1, and 3 to Linux Priority 2. The # first entry gives the priority of TOS value 0, the second of TOS value 1, # and so on. See tc-prio(8) for additional information. # # The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2". # TRACK_PROVIDERS=Yes # # TRACK_PROVIDERS={Yes|No} # # Added in Shorewall 4.4.3. When set to Yes, causes the track option to be # assumed on all providers defined in shorewall6-providers(5). May be # overridden on an individual provider through use of the notrack option. The # default value is 'No'. # # Beginning in Shorewall 4.4.6, setting this option to 'Yes' also simplifies # PREROUTING rules in shorewall6-tcrules(5). Previously, when TC_EXPERT=No, # packets arriving through 'tracked' provider interfaces were unconditionally # passed to the PREROUTING tcrules. This was done so that tcrules could reset # the packet mark to zero, thus allowing the packet to be routed using the # 'main' routing table. Using the main table allowed dynamic routes (such as # those added for VPNs) to be effective. The shorewall6-rtrules(5) file was # created to provide a better alternative to clearing the packet mark. As a # consequence, passing these packets to PREROUTING complicates things without # providing any real benefit. 
Beginning with Shorewall 4.4.6, when # TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through 'tracked' # interfaces will not be passed to the PREROUTING rules. Since # TRACK_PROVIDERS was just introduced in 4.4.3, this change should be # transparent to most, if not all, users. # TRACK_RULES=No # # TRACK_RULES={Yes|No} # # Added in Shorewall 4.5.20. If set to Yes, causes the compiler to add a # comment to iptables rules to indicate the file name and line number of the # configuration entry that generated the rule. If set to No (the default), # then no such comments are added. # # Setting this option to Yes requires the Comments capability in ip6tables # and kernel. # USE_DEFAULT_RT=Yes # # USE_DEFAULT_RT=[Yes|No] # # Added in Shorewall6 4.4.25. When set to 'Yes', this option causes the # Shorewall6 multi-ISP feature to create a set of routing rules which are # resilient to changes in the main routing table. Such changes can occur for # a number of reasons, VPNs going up and down being an example. The idea is # to send packets through the main table prior to applying any of the # Shorewall6-generated routing rules. So changes to the main table will # affect the routing of packets by default. # # When USE_DEFAULT_RT=Yes: # # 1. Both the DUPLICATE and the COPY columns in the shorewall6-providers(5) file # must remain empty (or contain "-"). # # 2. The default route is added to the 'default' table rather than to # the main table. # # 3. balance is assumed unless loose is specified. # # 4. Packets are sent through the main routing table by a rule with priority # 999. In shorewall6-routing_rules(5), the range 1-998 may be used for # inserting rules that bypass the main table. # # 5. All provider gateways must be specified explicitly in the GATEWAY # column. detect may not be specified. # # 6. You should disable all default route management outside of Shorewall6.
# If a default route is added to the main table while Shorewall is # started, then all policy routing will stop working (except for those # routing rules in the priority range 1-998). # # Prior to Shorewall 4.6.0, if USE_DEFAULT_RT was not set or if it was set to # the empty string then USE_DEFAULT_RT=No was assumed. Beginning with # Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes and use of # USE_DEFAULT_RT=No is deprecated. # USE_PHYSICAL_NAMES=No # # USE_PHYSICAL_NAMES=[Yes|No] # # Added in Shorewall 4.4.27. Normally, when Shorewall creates a Netfilter # chain that relates to an interface, it uses the interface's logical name as # the base of the chain name. For example, if the logical name for an # interface is OAKLAND, then the input chain for traffic arriving on that # interface would be 'OAKLAND_in'. If this option is set to Yes, then the # physical name of the interface will be used as the base of the chain name. # USE_RT_NAMES=No # # USE_RT_NAMES=[Yes|No] # # Added in Shorewall 4.5.15. When set to 'Yes', Shorewall will use routing # table (provider) names in the generated script rather than table numbers. # When set to 'No' (the default), routing table numbers will be used. # # Caution # # If you set USE_RT_NAMES=Yes and KEEP_RT_TABLES=Yes, then you must ensure # that all of your providers have entries in /etc/iproute2/rt_tables as well # as the following entries: # # 255 local # 254 main # 253 default # 250 balance # 0 unspec # # Without these entries, the firewall will fail to start. # WARNOLDCAPVERSION=Yes # # WARNOLDCAPVERSION=[Yes|No] # # Added in Shorewall 4.5.12. When set to Yes (the default), the compiler # issues a warning when it finds a capabilities file that doesn't specify all # of the capabilities supported by the compiler. When WARNOLDCAPVERSION is # set to No, no warning is issued. # WORKAROUNDS=No # # WORKAROUNDS=[Yes|No] # # Added in Shorewall 4.6.11.
Over time, there have been a number of changes # in Shorewall that work around defects in other products such as iptables # and ipset. When WORKAROUNDS=Yes, these workarounds are enabled; when # WORKAROUNDS=No, they are disabled. If not specified or if specified as # empty, WORKAROUNDS=Yes is assumed. # # Warning # # Do not set WORKAROUNDS=Yes if you need to be able to use # Shorewall-generated scripts (such as created by the save command) built by # Shorewall 4.4.7 or older. # ZONE2ZONE=- # # ZONE2ZONE={2|-} # # Added in Shorewall 4.4.4. This option determines how Shorewall constructs # chain names involving zone names and/or 'all'. Beginning with Shorewall # 4.6.0, the default is '-' (e.g., fw-net); prior to that release, the # default was '2' (e.g., fw2net). # ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### BLACKLIST_DISPOSITION=DROP # # BLACKLIST_DISPOSITION=[DROP|A_DROP|REJECT|A_REJECT] # # This parameter determines the disposition of packets from blacklisted # hosts. It may have the value DROP if the packets are to be dropped or # REJECT if the packets are to be replied with an ICMP port unreachable reply # or a TCP RST (tcp only). If you do not assign a value or if you assign an # empty value then DROP is assumed. The setting determines the disposition of # packets sent to the blacklog target of shorewall6-blrules(5). # INVALID_DISPOSITION=CONTINUE # # INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE] # # Added in Shorewall 4.5.13. Shorewall has traditionally passed INVALID # packets through the NEW section of shorewall-rules (5). When a packet in # INVALID state fails to match any rule in the INVALID section, the packet is # disposed of based on this setting. The default value is CONTINUE for # compatibility with earlier versions. 
# MACLIST_DISPOSITION=REJECT # # MACLIST_DISPOSITION=[ACCEPT|DROP|REJECT|A_DROP|A_REJECT] # # Determines the disposition of connection requests that fail MAC # Verification and must have the value ACCEPT (accept the connection request # anyway), REJECT (reject the connection request) or DROP (ignore the # connection request). If not set or if set to the empty value (e.g., # MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT is assumed. # # A_DROP and A_REJECT are audited versions of DROP and REJECT respectively # and were added in Shorewall 4.4.20. They require AUDIT_TARGET in the kernel # and ip6tables. # RELATED_DISPOSITION=ACCEPT # # RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE] # # Added in Shorewall 4.4.27. Shorewall has traditionally ACCEPTed RELATED # packets that don't match any rule in the RELATED section of # shorewall6-rules (5). Concern about the safety of this practice resulted in # the addition of this option. When a packet in RELATED state fails to match # any rule in the RELATED section, the packet is disposed of based on this # setting. The default value is ACCEPT for compatibility with earlier # versions. # SFILTER_DISPOSITION=DROP # # SFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] # # Added in Shorewall 4.4.20. Determines the disposition of packets matching # the sfilter option (see shorewall6-interfaces(5)) and of hairpin packets on # interfaces without the routeback option.^[1] # RPFILTER_DISPOSITION=DROP # # RPFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] # # Added in Shorewall 4.5.7. Determines the disposition of packets entering # from interfaces with the rpfilter option (see shorewall6-interfaces(5)). # Packets disposed of by this option are those whose response packets would # not be sent through the same interface receiving the packet. # SMURF_DISPOSITION=DROP # # SMURF_DISPOSITION=[DROP|A_DROP] # # Added in Shorewall 4.4.20.
The default setting is DROP which causes smurf # packets (see the nosmurfs option in shorewall6-interfaces(5)) to be # dropped. A_DROP causes the packets to be audited prior to being dropped and # requires AUDIT_TARGET support in the kernel and ip6tables. # TCP_FLAGS_DISPOSITION=DROP # # TCP_FLAGS_DISPOSITION=[ACCEPT|DROP|REJECT] # # Determines the disposition of TCP packets that fail the checks enabled by # the tcpflags interface option (see shorewall6-interfaces(5)) and must have # a value of ACCEPT (accept the packet), REJECT (send an RST response) or # DROP (ignore the packet). If not set or if set to the empty value (e.g., # TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is assumed. # UNTRACKED_DISPOSITION=CONTINUE # # UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE] # # Added in Shorewall 4.5.13. Shorewall has traditionally passed UNTRACKED # packets through the NEW section of shorewall6-rules (5). When a packet in # UNTRACKED state fails to match any rule in the UNTRACKED section, the # packet is disposed of based on this setting. The default value is CONTINUE # for compatibility with earlier versions. # ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ TC_BITS= # # TC_BITS=[number] # # Added in Shorewall 4.4.26. The number of bits at the low end of the 32-bit # packet mark to be used for traffic shaping marking. May be zero. See # MASK_BITS above for default value. # PROVIDER_BITS= # # PROVIDER_BITS=[number] # # Added in Shorewall 4.4.26. The number of bits in the 32-bit packet mark to # be used for provider numbers. May be zero. See MASK_BITS above for default # value. # PROVIDER_OFFSET= # # PROVIDER_OFFSET=[number] # # Added in Shorewall 4.4.26. The offset from the right (low-order end) of the # provider number field in the 32-bit packet mark. 
If non-zero, must be >= # TC_BITS (Shorewall automatically adjusts PROVIDER_OFFSET's value). # PROVIDER_OFFSET + PROVIDER_BITS + ZONE_BITS must be < 32. See MASK_BITS # above for default value. # MASK_BITS= # # MASK_BITS=[number] # # Added in Shorewall 4.4.26. Number of bits on the right of the 32-bit packet # mark to be masked when clearing the traffic shaping mark. Must be >= # TC_BITS and <= PROVIDER_OFFSET (if PROVIDER_OFFSET > 0). Prior to Shorewall # 5.0.0, the default value and the default values of the other mark layout # options were determined as follows: # # Table 1. Default Packet Mark Layout # # WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No: TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=0, MASK_BITS=8 # WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=Yes: TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=8, MASK_BITS=8 # WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=No: TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=0, MASK_BITS=16 # WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=Yes: TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=16, MASK_BITS=16 # # # From 5.0.0 onward, the default value of MASK_BITS, PROVIDER_BITS, TC_BITS # and PROVIDER_OFFSET is 8. # ZONE_BITS=0 # # ZONE_BITS=[number] # # Added in Shorewall 4.4.26. When non-zero, enables automatic packet marking # by source zone and determines the number of bits in the 32-bit packet mark # to be used for the zone mark. Default value is 0. # #LAST LINE -- DO NOT REMOVE shorewall6-5.0.4/Samples6/one-interface/interfaces.annotated0000644000000000000000000003171512650244165022553 0ustar rootroot# # Shorewall6 version 5 - Sample Interfaces File for one-interface configuration. # Copyright (C) 2006-2015 by the Shorewall Team # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version.
# # See the file README.txt for further details. #------------------------------------------------------------------------------ # For information about entries in this file, type "man shorewall6-interfaces" ############################################################################### # # The interfaces file serves to define the firewall's network interfaces to # shorewall6. The order of entries in this file is not significant in determining # zone composition. # # Beginning with Shorewall 4.5.3, the interfaces file supports two different # formats: # # FORMAT 1 (default - deprecated) # # There is an ANYCAST column which provides compatibility with older versions # of Shorewall. # # FORMAT 2 # # The BROADCAST column is omitted. # # The format is specified by a line as follows: # # ?FORMAT {1|2} # # The columns in the file are as follows. # # ZONE - zone-name # # Zone for this interface. Must match the name of a zone declared in /etc/ # shorewall6/zones. You may not list the firewall zone in this column. # # If the interface serves multiple zones that will be defined in the # shorewall6-hosts(5) file, you should place "-" in this column. # # If there are multiple interfaces to the same zone, you must list them in # separate entries. # # Example: # # #ZONE INTERFACE BROADCAST # loc eth1 - # loc eth2 - # # Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo' # interface, then that zone must be defined as type local in shorewall6-zones # (5). # # INTERFACE - interface[:port] # # Logical name of interface. Each interface may be listed only once in this # file. You may NOT specify the name of a "virtual" interface (e.g., eth0:0) # here; see http://www.shorewall.net/FAQ.htm#faq18. If the physical option is # not specified, then the logical name is also the name of the actual # interface. # # You may use wildcards here by specifying a prefix followed by the plus sign # ("+").
For example, if you want to make an entry that applies to all PPP # interfaces, use 'ppp+'; that would match ppp0, ppp1, ppp2, …Please note # that the '+' means 'one or more additional characters' so 'ppp' does not # match 'ppp+'. # # Care must be exercised when using wildcards where there is another zone # that uses a matching specific interface. See shorewall6-nesting(5) for a # discussion of this problem. # # Shorewall6 allows '+' as an interface name. # # There is no need to define the loopback interface (lo) in this file. # # If a port is given, then the interface must have been defined previously # with the bridge option. The OPTIONS column must be empty when a port is # given. # # ANYCAST - - # # Enter '-' in this column. It is here for compatibility between Shorewall6 # and Shorewall and is omitted if FORMAT is 2. # # OPTIONS (Optional) - [option[,option]...] # # A comma-separated list of options from the following list. The order in # which you list the options is not significant but the list should have no # embedded white-space. # # accept_ra[={0|1|2}] # # Added in Shorewall 4.5.16. Values are: # # 0 # # Do not accept Router Advertisements. # # 1 # # Accept Route Advertisements if forwarding is disabled. # # 2 # # Overrule forwarding behavior. Accept Route Advertisements even if # forwarding is enabled. # # If the option is specified without a value, then the value 1 is # assumed. # # blacklist # # Check packets arriving on this interface against the # shorewall6-blacklist(5) file. # # Beginning with Shorewall 4.4.13: # # ☆ If a zone is given in the ZONES column, then the behavior is as if # blacklist had been specified in the IN_OPTIONS column of # shorewall6-zones(5). # # ☆ Otherwise, the option is ignored with a warning: # # WARNING: The 'blacklist' option is ignored on multi-zone # interfaces # # bridge # # Designates the interface as a bridge. Beginning with Shorewall 4.4.7, # setting this option also sets routeback. 
# # destonly # # Added in Shorewall 4.5.17. Causes the compiler to omit rules to handle # traffic from this interface. # # dhcp # # Specify this option when any of the following are true: # # 1. the interface gets its IP address via DHCP # # 2. the interface is used by a DHCP server running on the firewall # # 3. the interface has a static IP but is on a LAN segment with lots of # DHCP clients. # # 4. the interface is a simple bridge with a DHCP server on one port and # DHCP clients on another port. # # Note # # If you use Shorewall-perl for firewall/bridging, then you need to # include DHCP-specific rules in shorewall-rules(8). DHCP uses UDP # ports 546 and 547. # # This option allows DHCP datagrams to enter and leave the interface. # # forward[={0|1}] # # Sets the /proc/sys/net/ipv6/conf/interface/forwarding option to the # specified value. If no value is supplied, then 1 is assumed. # # ignore[=1] # # When specified, causes the generated script to ignore up/down events # from Shorewall-init for this device. Additionally, the option exempts # the interface from hairpin filtering. When '=1' is omitted, the ZONE # column must contain '-' and ignore must be the only OPTION. # # Beginning with Shorewall 4.5.5, may be specified as 'ignore=1' which # only causes the generated script to ignore up/down events from # Shorewall-init; hairpin filtering is still applied. In this case, the # above restrictions on the ZONE and OPTIONS columns are lifted. # # loopback # # Added in Shorewall 4.6.6. Designates the interface as the loopback # interface. This option is assumed if the interface's physical name is # 'lo'. Only one interface may have the loopback option specified. # # mss=number # # Causes forwarded TCP SYN packets entering or leaving on this interface # to have their MSS field set to the specified number. # # nets=(net[,...]) # # Limit the zone named in the ZONE column to only the listed networks.
If # you specify this option, be sure to include the link-local network # (fe80::/10). # # nets=dynamic # # Added in Shorewall 4.4.21. Defines the zone as dynamic. Requires ipset # match support in your iptables and kernel. See http://www.shorewall.net # /Dynamic.html for further information. # # optional # # When optional is specified for an interface, shorewall6 will be silent # when: # # ☆ a /proc/sys/net/ipv6/conf/ entry for the interface cannot be # modified. # # ☆ The first global IPv6 address of the interface cannot be obtained. # # This option may not be specified together with required. # # physical=name # # Added in Shorewall 4.4.4. When specified, the interface or port name in # the INTERFACE column is a logical name that refers to the name given in # this option. It is useful when you want to specify the same wildcard # port name on two or more bridges. See http://www.shorewall.net/ # bridge-Shorewall-perl.html#Multiple. # # If the interface name is a wildcard name (ends with '+'), then the # physical name must also end in '+'. # # If physical is not specified, then its value defaults to the interface # name. # # required # # Added in Shorewall 4.4.10. When specified, the firewall will fail to # start if the interface named in the INTERFACE column is not usable. May # not be specified together with optional. # # routeback[={0|1}] # # If specified, indicates that shorewall6 should include rules that allow # traffic arriving on this interface to be routed back out that same # interface. This option is also required when you have used a wildcard # in the INTERFACE column if you want to allow traffic between the # interfaces that match the wildcard. # # If you specify this option, then you should also specify rpfilter (see # below) if you are running Shorewall 4.5.7 or later; otherwise, you # should specify sfilter (see below). # # Beginning with Shorewall 4.5.18, you may specify this option to # explicitly reset (e.g., routeback=0).
This can be used to override # Shorewall's default setting for bridge devices which is routeback=1. # # rpfilter # # Added in Shorewall 4.5.7. This is an anti-spoofing measure that # requires the 'RPFilter Match' capability in your iptables and kernel. # It provides a more efficient alternative to the sfilter option below. # # sourceroute[={0|1}] # # If this option is not specified for an interface, then source-routed # packets will not be accepted from that interface unless explicitly # enabled via sysconf. Only set this option to 1 (enable source routing) # if you know what you are doing. This might represent a security risk # and is not usually needed. # # Only those interfaces with the sourceroute option will have their # setting changed; the value assigned to the setting will be the value # specified (if any) or 1 if no value is given. # # Note # # This option does not work with a wild-card interface name (e.g., # eth0.+) in the INTERFACE column. # # sfilter=(net[,...]) # # Added in Shorewall 4.4.20. At this writing (spring 2011), Linux does # not support reverse path filtering (RFC3704) for IPv6. In its absence, # sfilter may be used as an anti-spoofing measure. # # This option should be used on bridges or other interfaces with the # routeback option. On these interfaces, sfilter should list those local # networks that are connected to the firewall through other interfaces. # # tcpflags[={0|1}] # # Packets arriving on this interface are checked for certain illegal # combinations of TCP flags. Packets found to have such a combination of # flags are handled according to the setting of TCP_FLAGS_DISPOSITION # after having been logged according to the setting of # TCP_FLAGS_LOG_LEVEL. # # Beginning with Shorewall 4.6.0, tcpflags=1 is the default. To disable # this option, specify tcpflags=0. # # proxyndp[={0|1}] # # Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp. 
# # Note: This option does not work with a wild-card interface name (e.g., # eth0.+) in the INTERFACE column. # # Only those interfaces with the proxyndp option will have their setting # changed; the value assigned to the setting will be the value specified # (if any) or 1 if no value is given. # # unmanaged # # Added in Shorewall 4.5.18. Causes all traffic between the firewall and # hosts on the interface to be accepted. When this option is given: # # ☆ The ZONE column must contain '-'. # # ☆ Only the following other options are allowed with unmanaged: # # accept_ra # forward # ignore # optional # physical # sourceroute # proxyndp # # wait=seconds # # Added in Shorewall 4.4.10. Causes the generated script to wait up to # seconds seconds for the interface to become usable before applying the # required or optional options. # # Example # # Example 1: # # Suppose you have eth0 connected to a DSL modem and eth1 connected to your # local network You have a DMZ using eth2. # # Your entries for this setup would look like: # # FORMAT 2 # #ZONE INTERFACE OPTIONS # net eth0 - # loc eth1 - # dmz eth2 - # # Example 4 (Shorewall 4.4.9 and later): # # You have a bridge with no IP address and you want to allow traffic through # the bridge. 
# # FORMAT 2 # #ZONE INTERFACE OPTIONS # - br0 bridge # ############################################################################### ?FORMAT 2 ############################################################################### shorewall6-5.0.4/Samples6/Universal/0000755000000000000000000000000012650244202015743 5ustar rootrootshorewall6-5.0.4/Samples6/Universal/rules.annotated0000644000000000000000000012175012650244201021001 0ustar rootroot# # Shorewall version 4 - Rules File # # For information on the settings in this file, type "man shorewall-rules" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-rules.html # ###################################################################################################################################################################################################### # # Entries in this file govern connection establishment by defining exceptions to # the policies laid out in shorewall6-policy(5). By default, subsequent requests # and responses are automatically allowed using connection tracking. For any # particular (source,dest) pair of zones, the rules are evaluated in the order in # which they appear in this file and the first terminating match is the one that # determines the disposition of the request. All rules are terminating except LOG # and QUEUE rules. # # The rules file is divided into sections. Each section is introduced by a # "Section Header" which is a line beginning with ?SECTION and followed by the # section name. # # Sections are as follows and must appear in the order listed: # # ALL # # This section was added in Shorewall 4.4.23. rules in this section are # applied, regardless of the connection tracking state of the packet. # # ESTABLISHED # # Packets in the ESTABLISHED state are processed by rules in this section. # # The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE # # There is an implicit ACCEPT rule inserted at the end of this section. 
# # RELATED # # Packets in the RELATED state are processed by rules in this section. # # The only ACTIONs allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE. # # There is an implicit rule added at the end of this section that invokes the # RELATED_DISPOSITION (shorewall6.conf(5)). # # INVALID # # Added in Shorewall 4.5.13. Packets in the INVALID state are processed by # rules in this section. # # The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE. # # There is an implicit rule added at the end of this section that invokes the # INVALID_DISPOSITION (shorewall6.conf(5)). # # UNTRACKED # # Added in Shorewall 4.5.13. Packets in the UNTRACKED state are processed by # rules in this section. # # The only Actions allowed in this section are ACCEPT, DROP, REJECT, LOG and # QUEUE. # # There is an implicit rule added at the end of this section that invokes the # UNTRACKED_DISPOSITION (shorewall6.conf(5)). # # NEW # # Packets in the NEW state are processed by rules in this section. If the # INVALID and/or UNTRACKED sections are empty or not included, then the # packets in the corresponding state(s) are also processed in this section. # # Note # # If you are not familiar with Netfilter to the point where you are comfortable # with the differences between the various connection tracking states, then it is # suggested that you omit the ESTABLISHED and RELATED sections and place all of # your rules in the NEW section (that's after the line that reads '?SECTION NEW'). # # Warning # # If you specify FASTACCEPT=Yes in shorewall6.conf(5) then the ESTABLISHED and # RELATED sections must be empty. # # An exception is made if you are running Shorewall 4.4.27 or later and you have # specified a non-default value for RELATED_DISPOSITION or RELATED_LOG_LEVEL. In # that case, you may have rules in the RELATED section of this file. # # You may omit any section that you don't need.
If no Section Headers appear in # the file then all rules are assumed to be in the NEW section. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # ACTION - target[:{log-level|none}[!][:tag]] # # Specifies the action to be taken if the connection request matches the # rule. target must be one of the following. # # ACCEPT # # Allow the connection request. # # ACCEPT+ # # like ACCEPT but also excludes the connection from any subsequent # matching DNAT[-] or REDIRECT[-] rules. Requires Shorewall 4.5.14 or # later. # # ACCEPT! # # like ACCEPT but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # action # # The name of an action declared in shorewall6-actions(5) or in /usr/ # share/shorewall/actions.std. # # ADD(ipset:flags) # # Added in Shorewall 4.4.12. Causes addresses and/or port numbers to be # added to the named ipset. The flags specify the address or tuple to be # added to the set and must match the type of ipset involved. For # example, for an iphash ipset, either the SOURCE or DESTINATION address # can be added using flags src or dst respectively (see the -A command in # ipset (8)). # # Beginning with Shorewall 5.0.3, an optional timeout can be specified. # This is the number of seconds that the new entry in the ipset is to # remain valid and overrides any timeout specified when the ipset was # created. # # ADD is non-terminating. Even if a packet matches the rule, it is passed # on to the next rule. # # AUDIT[(accept|drop|reject)] # # Added in Shorewall 4.5.10. Audits the packet with the specified type; # if the type is omitted, then drop is assumed. Require AUDIT_TARGET # support in the kernel and iptables. # # A_ACCEPT, and A_ACCEPT! # # Added in Shorewall 4.4.20. Audited versions of ACCEPT and ACCEPT! # respectively. Require AUDIT_TARGET support in the kernel and iptables. 
# # A_DROP and A_DROP! # # Added in Shorewall 4.4.20. Audited versions of DROP and DROP! # respectively. Require AUDIT_TARGET support in the kernel and iptables. # # A_REJECT AND A_REJECT! # # Added in Shorewall 4.4.20. Audited versions of REJECT and REJECT! # respectively. Require AUDIT_TARGET support in the kernel and iptables. # # [?]COMMENT # # the rest of the line will be attached as a comment to the Netfilter # rule(s) generated by the following entries. The comment will appear # delimited by "/* ... */" in the output of "shorewall show ". To # stop the comment from being attached to further rules, simply include # COMMENT on a line by itself. # # Note # # Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and # is preferred. # # CONTINUE # # For experts only. # # Do not process any of the following rules for this (source # zone,destination zone). If the source and/or destination IP address # falls into a zone defined later in shorewall6-zones(5) or in a parent # zone of the source or destination zones, then this connection request # will be passed to the rules defined for that (those) zone(s). See # shorewall6-nesting(5) for additional information. # # CONTINUE! # # like CONTINUE but exempts the rule from being suppressed by OPTIMIZE=1 # in shorewall6.conf(5). # # COUNT # # Simply increment the rule's packet and byte count and pass the packet # to the next rule. # # DEL(ipset:flags) # # Added in Shorewall 4.4.12. Causes an entry to be deleted from the named # ipset. The flags specify the address or tuple to be deleted from the # set and must match the type of ipset involved. For example, for an # iphash ipset, either the SOURCE or DESTINATION address can be deleted # using flags src or dst respectively (see the -D command in ipset (8)). # # DEL is non-terminating. Even if a packet matches the rule, it is passed # on to the next rule. # # DNAT # # Forward the request to another system (and optionally another port). 
# Requires Shorewall 4.5.14 or later. # # DNAT- # # Advanced users only. # # Like DNAT but only generates the DNAT iptables rule and not the # companion ACCEPT rule. Requires Shorewall 4.5.14 or later. # # DROP # # Ignore the request. # # DROP! # # like DROP but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # HELPER # # Added in Shorewall 4.5.7. This action requires that the HELPER column # contains the name of the Netfilter helper to be associated with # connections matching this connection. May only be specified in the NEW # section and is useful for being able to specify a helper when the # applicable policy is ACCEPT. No destination zone should be specified in # HELPER rules. # # INLINE[(action)] # # Added in Shorewall 4.5.16. This action allows you to construct most of # the rule yourself using ip6tables syntax. The part that you specify # must follow a semicolon (';') and is completely free-form. If the # target of the rule (the part following 'j') is something that Shorewall # supports in the ACTION column, then you may enclose it in parentheses # (e.g., INLINE(ACCEPT)). Otherwise, you can include it after the # semicolon. In this case, you must declare the target as a builtin # action in shorewall6-actions(5). # # Some considerations when using INLINE: # # ☆ The p, s, d, i, o, policy, and state match (state or conntrack # --ctstate) matches will always appear in the front of the rule in # that order. # # ☆ When multiple matches are specified, the compiler will keep them in # the order in which they appear (excluding the above listed ones), # but they will not necessarily be at the end of the generated rule. # For example, if addresses are specified in the SOURCE and/or DEST # columns, their generated matches will appear after those specified # using ';'. # # IP6TABLES({ip6tables-target [option ...]) # # This action allows you to specify an ip6tables target with options # (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. 
If the ip6tables-target # is not one recognized by Shorewall, the following error message will be # issued: # # ERROR: Unknown target (ip6tables-target) # # This error message may be eliminated by adding the ip6tables-target as # a builtin action in shorewall6-actions(5). # # Important # # If you specify REJECT as the ip6tables-target, the target of the rule # will be the ip6tables REJECT target and not Shorewall's builtin # 'reject' chain which is used when REJECT (see below) is specified as # the target in the ACTION column. # # LOG:level # # Simply log the packet and continue with the next rule. # # macro[(macrotarget)] # # The name of a macro defined in a file named macro.macro. If the macro # accepts an action parameter (Look at the macro source to see if it has # PARAM in the TARGET column) then the macro name is followed by the # parenthesized macrotarget (ACCEPT, DROP, REJECT, ...) to be substituted # for the parameter. # # Example: FTP(ACCEPT). # # The older syntax where the macro name and the target are separated by a # slash (e.g. FTP/ACCEPT) is still allowed but is deprecated. # # NFLOG[(nflog-parameters)] # # Added in Shorewall 4.5.9.3. Queues matching packets to a back end # logging daemon via a netlink socket then continues to the next rule. # See http://www.shorewall.net/shorewall_logging.html. # # Similar to LOG:NFLOG[(nflog-parameters)], except that the log level is # not changed when this ACTION is used in an action or macro and the # invocation of that action or macro specifies a log level. # # NFQUEUE[([queuenumber1[:queuenumber2][,bypass]]|bypass)] # # Queues the packet to a user-space application using the nfnetlink_queue # mechanism. If a queuenumber1 is not specified, queue zero (0) is # assumed. Beginning with Shorewall 4.6.10, the keyword bypass can be # given. By default, if no userspace program is listening on an NFQUEUE, # then all packets that are to be queued are dropped. 
When this option is # used, the NFQUEUE rule is silently bypassed instead. The packet will # move on to the next rule. Also beginning in Shorewall 4.6.10, a second # queue number (queuenumber2) may be specified. This specifies a range of # queues to use. Packets are then balanced across the given queues. This # is useful for multicore systems: start multiple instances of the # userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets # belonging to the same connection are put into the same nfqueue. # # NFQUEUE[([queuenumber1[,queuenumber2][,bypass]]|bypass)] # # like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 # in shorewall6.conf(5). # # NONAT # # Excludes the connection from any subsequent DNAT[-] or REDIRECT[-] # rules but doesn't generate a rule to accept the traffic. Requires # Shorewall 4.5.14 or later. # # QUEUE # # Queue the packet to a user-space application such as ftwall (http:// # p2pwall.sf.net). The application may reinsert the packet for further # processing. # # QUEUE! # # like QUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # REDIRECT # # Redirect the request to a server running on the firewall. Requires # Shorewall 4.5.14 or later. # # REDIRECT- # # Advanced users only. # # Like REDIRECT but only generates the REDIRECT iptables rule and not the # companion ACCEPT rule. Requires Shorewall 4.5.14 or later. # # REJECT # # disallow the request and return an icmp-unreachable or an RST packet. # # REJECT! # # like REJECT but exempts the rule from being suppressed by OPTIMIZE=1 in # shorewall6.conf(5). # # TARPIT [(tarpit | honeypot | reset)] # # Added in Shorewall 4.6.6. # # TARPIT captures and holds incoming TCP connections using no local # per-connection resources. # # TARPIT only works with the PROTO column set to tcp (6), and is totally # application agnostic. 
This module will answer a TCP request and play # along like a listening server, but aside from sending an ACK or RST, no # data is sent. Incoming packets are ignored and dropped. The attacker # will terminate the session eventually. This module allows the initial # packets of an attack to be captured by other software for inspection. # In most cases this is sufficient to determine the nature of the attack. # # This offers similar functionality to LaBrea but does not require dedicated hardware or IPs. Any TCP port # that you would normally DROP or REJECT can instead become a tarpit. # # The target accepts a single optional parameter: # # tarpit # # This mode is the default and completes a connection with the # attacker but limits the window size to 0, thus keeping the attacker # waiting long periods of time. While he is maintaining state of the # connection and trying to continue every 60-240 seconds, we keep # none, so it is very lightweight. Attempts to close the connection # are ignored, forcing the remote side to time out the connection in # 12-24 minutes. # # honeypot # # This mode completes a connection with the attacker, but signals a # normal window size, so that the remote side will attempt to send # data, often with some very nasty exploit attempts. We can capture # these packets for decoding and further analysis. The module does # not send any data, so if the remote expects an application level # response, the game is up. # # reset # # This mode is handy because we can send an inline RST (reset). It # has no other function. # # The target may optionally be followed by ":" and a syslog log level (e.g, # REJECT:info or Web(ACCEPT):debug). This causes the packet to be logged at # the specified level. Note that if the ACTION involves destination network # address translation (DNAT, REDIRECT, etc.) then the packet is logged before # the destination address is rewritten. 
# # If the ACTION names an action declared in shorewall-actions(5) or in /usr/ # share/shorewall/actions.std then: # # □ If the log level is followed by "!" then all rules in the action are # logged at the log level. # # □ If the log level is not followed by "!" then only those rules in the # action that do not specify logging are logged at the specified level. # # □ The special log level none! suppresses logging by the action. # # You may also specify ULOG or NFLOG (must be in upper case) as a log # level. This will log to the ULOG or NFLOG target for routing to a separate # log through use of ulogd (http://www.netfilter.org/projects/ulogd/ # index.html). # # Actions specifying logging may be followed by a log tag (a string of # alphanumeric characters) which is appended to the string generated by the # LOGPREFIX (in shorewall6.conf(5)). # # Example: ACCEPT:info:ftp would include 'ftp ' at the end of the log prefix # generated by the LOGPREFIX setting. # # SOURCE - {zone|zone-list[+]|{all|any}[+][-]}[:interface][:<{address-or-range[, # address-or-range]...[exclusion]>|exclusion|+ipset|^countrycode-list} # # Source hosts to which the rule applies. May be a zone declared in /etc/ # shorewall6/zones, $FW to indicate the firewall itself, all, all+, all-, # all+- or none. # # Beginning with Shorewall 4.4.13, you may use a zone-list which consists of # a comma-separated list of zones declared in shorewall6-zones (5). This # zone-list may be optionally followed by "+" to indicate that the rule is to # apply to intra-zone traffic as well as inter-zone traffic. # # When none is used either in the SOURCE or DEST column, the rule is ignored. # # all means "All Zones", including the firewall itself. all- means "All # Zones, except the firewall itself". When all[-] is used either in the # SOURCE or DEST column intra-zone traffic is not affected. When all+[-] is # used, intra-zone traffic is affected. 
Beginning with Shorewall 4.4.13, # exclusion is supported -- see shorewall6-exclusion(5). # # any is equivalent to all when there are no nested zones. When there are # nested zones, any only refers to top-level zones (those with no parent # zones). Note that any excludes all vserver zones, since those zones are # nested within the firewall zone. # # Except when all[+][-] or any[+][-] is specified, clients may be further # restricted to a list of networks and/or hosts by appending ":" and a # comma-separated list of network and/or host addresses. Hosts may be # specified by IP or MAC address; mac addresses must begin with "~" and must # use "-" as a separator. # # Hosts may also be specified as an IP address range using the syntax # lowaddress-highaddress. This requires that your kernel and ip6tables # contain iprange match support. If your kernel and ip6tables have ipset # match support then you may give the name of an ipset prefaced by "+". The # ipset name may be optionally followed by a number from 1 to 6 enclosed in # square brackets ([]) to indicate the number of levels of source bindings to # be matched. # # Beginning with Shorewall6 4.4.17, the primary IP address of a firewall # interface can be specified by an ampersand ('&') followed by the logical # name of the interface as found in the INTERFACE column of # shorewall6-interfaces (5). # # Beginning with Shorewall 4.5.4, A countrycode-list may be specified. A # countrycode-list is a comma-separated list of up to 15 two-character # ISO-3661 country codes enclosed in square brackets ('[...]') and preceded # by a caret ('^'). When a single country code is given, the square brackets # may be omitted. A list of country codes supported by Shorewall may be found # at http://www.shorewall.net/ISO-3661.html. Specifying a countrycode-list # requires GeoIP Match support in your ip6tables and Kernel. 
# # When an interface is not specified, you may omit the angled brackets ('<' # and '>') around the address(es) or you may supply them to improve # readability. # # You may exclude certain hosts from the set already defined through use of # an exclusion (see shorewall6-exclusion(5)). # # Examples: # # dmz:2002:ce7c::92b4:1::2 # # Host 2002:ce7c:92b4:1::2 in the DMZ # # net:2001:4d48:ad51:24::/64 # # Subnet 2001:4d48:ad51:24::/64 on the Internet # # loc:<2002:cec792b4:1::2,2002:cec792b4:1::44> # # Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the local zone. # # loc:~00-A0-C9-15-39-78 # # Host in the local zone with MAC address 00:A0:C9:15:39:78. # # net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80 # # Subnet 2001:4d48:ad51:24::/64 on the Internet except for # 2001:4d48:ad51:24:6:/80. # # $FW:&eth0 # # The primary IP address of eth0 in the firewall zone (Shorewall6 4.4.17 # and later). # # Alternatively, clients may be specified by interface by appending ":" to # the zone name followed by the interface name. For example, loc:eth1 # specifies a client that communicates with the firewall system through eth1. # This may be optionally followed by another colon (":") and an IP/MAC/subnet # address as described above (e.g., loc:eth1:<2002:ce7c::92b4:1::2>). # # Examples: # # loc:eth1:<2002:cec792b4:1::2,2002:cec792b4:1::44> # # Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the Local zone, # with both originating from eth1 # # DEST - {zone|zone-list[+]|all[+][-]}[:interface][:<{address-or-range[, # address-or-range]...[exclusion]>|exclusion|+ipset|^countrycode-list}[:port # [:random]] # # Location of Server. May be a zone declared in shorewall6-zones(5), $FW to # indicate the firewall itself, all, all+ or none. # # Beginning with Shorewall 4.4.13, you may use a zone-list which consists of # a comma-separated list of zones declared in shorewall6-zones (5). 
This # zone-list may be optionally followed by "+" to indicate that the rule is to # apply to intra-zone traffic as well as inter-zone traffic. Beginning with # Shorewall-4.4.13, exclusion is supported -- see shorewall6-exclusion # (5). # # Beginning with Shorewall6 4.4.17, the primary IP address of a firewall # interface can be specified by an ampersand ('&') followed by the logical # name of the interface as found in the INTERFACE column of # shorewall6-interfaces (5). # # Beginning with Shorewall 4.5.4, A countrycode-list may be specified. A # countrycode-list is a comma-separated list of up to 15 two-character # ISO-3661 country codes enclosed in square brackets ('[...]') and preceded # by a caret ('^'). When a single country code is given, the square brackets # may be omitted. A list of country codes supported by Shorewall may be found # at http://www.shorewall.net/ISO-3661.html. Specifying a countrycode-list # requires GeoIP Match support in your ip6tables and Kernel. # # When none is used either in the SOURCE or DEST column, the rule is ignored. # # When all is used either in the SOURCE or DEST column intra-zone traffic is # not affected. When all+ is used, intra-zone traffic is affected. # # If the DEST zone is a bport zone, then either: # # a. the SOURCE must be all[+][-], or # # b. the SOURCE zone must be another bport zone associated with the same # bridge, or # # c. the SOURCE zone must be an ipv4 zone that is associated with only the # same bridge. # # Except when all[+]|[-] is specified, the server may be further restricted # to a particular network, host or interface by appending ":" and the # network, host or interface. See SOURCE above. # # You may exclude certain hosts from the set already defined through use of # an exclusion (see shorewall6-exclusion(5)). # # Restriction: MAC addresses are not allowed (this is a Netfilter # restriction). 
# # If your kernel and ip6tables have ipset match support then you may give the # name of an ipset prefaced by "+". The ipset name may be optionally followed # by a number from 1 to 6 enclosed in square brackets ([]) to indicate the # number of levels of destination bindings to be matched. Only one of the # SOURCE and DEST columns may specify an ipset name. # # The port that the server is listening on may be included and separated from # the server's IP address by ":". If omitted, the firewall will not modify # the destination port. A destination port may only be included if the ACTION # is DNAT or REDIRECT. # # Example 1: # # loc:[2001:470:b:227::44]:3128 specifies a local server at IP address # 2001:470:b:227::44 and listening on port 3128. # # Example 2: # # loc:[]:3128 specifies that the destination port should be changed to # 3128 but the IP address should remain the same. # # The port may be specified as a service name. You may specify a port range # in the form lowport-highport to cause connections to be assigned to ports # in the range in round-robin fashion. When a port range is specified, # lowport and highport must be given as integers; service names are not # permitted. Additionally, the port range may be optionally followed by # :random which causes assignment to ports in the list to be random. # # If the ACTION is REDIRECT or REDIRECT-, this column needs only to contain # the port number on the firewall that the request should be redirected to. # That is equivalent to specifying $FW::port. # # PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all} # # Optional protocol - ipp2p* requires ipp2p match support in your kernel and # ip6tables. tcp:syn implies tcp plus the SYN flag must be set and the # RST,ACK and FIN flags must be reset. # # Beginning with Shorewall6 4.4.19, this column can contain a comma-separated # list of protocol-numbers and/or protocol names (e.g., tcp,udp). 
# # DPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} # # Optional destination Ports. A comma-separated list of Port names (from # services(5)), port numbers or port ranges; if the protocol is icmp, this # column is interpreted as the destination icmp-type(s). ICMP types may be # specified as a numeric type, a numeric type and code separated by a slash # (e.g., 3/4), or a typename. See http://www.shorewall.net/ # configuration_file_basics.htm#ICMP. Note that prior to Shorewall6 4.4.19, # only a single ICMP type may be listed. # # If the protocol is ipp2p, this column is interpreted as an ipp2p option # without the leading "--" (example bit for bit-torrent). If no port is # given, ipp2p is assumed. # # A port range is expressed as lowport:highport. # # This column is ignored if PROTO = all but must be entered if any of the # following columns are supplied. In that case, it is suggested that this # field contain a dash (-). # # If your kernel contains multi-port match support, then only a single # Netfilter rule will be generated in this list and the SPORT list below if: # # 1. There are 15 or less ports listed. # # 2. No port ranges are included or your kernel and ip6tables contain # extended multi-port match support. # # Beginning with Shorewall 4.6.0, an ipset name can be specified in this # column. This is intended to be used with bitmap:port ipsets. # # This column was formerly labelled DEST PORT(S). # # SPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset} # # Optional source port(s). If omitted, any source port is acceptable. # Specified as a comma- separated list of port names, port numbers or port # ranges. # # Beginning with Shorewall 4.5.15, you may place '=' in this column, provided # that the DPORT column is non-empty. This causes the rule to match when # either the source port or the destination port in a packet matches one of # the ports specified in DPORT. 
Use of '=' requires multi-port match in your # iptables and kernel. # # Warning # # Unless you really understand IP, you should leave this column empty or # place a dash (-) in the column. Most people who try to use this column get # it wrong. # # If you don't want to restrict client ports but need to specify a later # column, then place "-" in this column. # # If your kernel contains multi-port match support, then only a single # Netfilter rule will be generated in this list and the DPORT list above if: # # 1. There are 15 or less ports listed. # # 2. No port ranges are included or your kernel and ip6tables contain # extended multi-port match support. # # Beginning with Shorewall 4.6.0, an ipset name can be specified in this # column. This is intended to be used with bitmap:port ipsets. # # This column was formerly labelled SOURCE PORT(S). # # ORIGDEST - [-] # # Included for compatibility with Shorewall. Enter '-' in this column if you # need to specify one of the later columns. # # This column was formerly labelled ORIGINAL DEST. # # RATE - limit # # where limit is one of: # # [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst] # [name1]:rate1/{sec|min|hour|day}[:burst1],[name2]:rate2/{sec|min|hour|day} # [:burst2] # # You may optionally rate-limit the rule by placing a value in this column: # # rate* is the number of connections per interval (sec or min) and burst* is # the largest burst permitted. If no burst is given, a value of 5 is assumed. # There may be no white-space embedded in the specification. # # Example: 10/sec:20 # # When s: or d: is specified, the rate applies per source IP address or per # destination IP address respectively. The names may be chosen by the user # and specify a hash table to be used to count matching connections. If not # given, the name shorewallN (where N is a unique integer) is assumed. 
Where # more than one rule or POLICY specifies the same name, the connections # counts for the rules are aggregated and the individual rates apply to the # aggregated count. # # Beginning with Shorewall 4.6.5, two limits may be specified, separated by a # comma. In this case, the first limit (name1, rate1, burst1) specifies the # per-source IP limit and the second limit specifies the per-destination IP # limit. # # Example: client:10/sec:20,:60/sec:100 # # In this example, the 'client' hash table will be used to enforce the # per-source limit and the compiler will pick a unique name for the hash # table that tracks the per-destination limit. # # This column was formerly labelled RATE LIMIT. # # USER - [!][user-name-or-number-or-range][:group-name-or-number-or-range] # # This optional column may only be non-empty if the SOURCE is the firewall # itself. # # When this column is non-empty, the rule applies only if the program # generating the output is running under the effective user and/or group # specified (or is NOT running under that id if "!" is given). # # Beginning with Shorewall 4.5.8, multiple user or group names/ids separated # by commas may be specified. # # Examples: # # joe # # program must be run by joe # # :kids # # program must be run by a member of the 'kids' group # # !:kids # # program must not be run by a member of the 'kids' group # # 2001-2099 # # UIDs 2001 through 2099 (Shorewall 4.5.6 and later) # # This column was formerly labelled USER/GROUP. # # MARK - [!]value[/mask][:C] # # Defines a test on the existing packet or connection mark. The rule will # match only if the test returns true. # # If you don't want to define a test but need to specify anything in the # following columns, place a "-" in this field. # # ! # # Inverts the test (not equal) # # value # # Value of the packet or connection mark. # # mask # # A mask to be applied to the mark before testing. # # :C # # Designates a connection mark. 
If omitted, the packet mark's value is # tested. # # CONNLIMIT - [d:][!]limit[:mask] # # May be used to limit the number of simultaneous connections to/from each # individual host or network to limit connections. Requires connlimit match # in your kernel and iptables. While the limit is only checked on rules # specifying CONNLIMIT, the number of current connections is calculated over # all current connections from the SOURCE or DESTINATION host. By default, # limiting is done by SOURCE host or net, but if the specification begins # with d:, then limiting will be done by destination host or net. # # By default, the limit is applied to each host but can be made to apply to # networks of hosts by specifying a mask. The mask specifies the width of a # VLSM mask to be applied to the source address; the number of current # connections is then taken over all hosts in the subnet source-address/mask. # When ! is specified, the rule matches when the number of connections exceeds # the limit. # # TIME - timeelement[&timeelement...] # # May be used to limit the rule to a particular time period each day, to # particular days of the week or month, or to a range defined by dates and # times. Requires time match support in your kernel and ip6tables. # # timeelement may be: # # timestart=hh:mm[:ss] # # Defines the starting time of day. # # timestop=hh:mm[:ss] # # Defines the ending time of day. # # utc # # Times are expressed in Greenwich Mean Time. # # localtz # # Deprecated by the Netfilter team in favor of kerneltz. Times are # expressed in Local Civil Time (default). # # kerneltz # # Added in Shorewall 4.5.2. Times are expressed in Local Kernel Time # (requires iptables 1.4.12 or later). # # weekdays=ddd[,ddd]... # # where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun # # monthdays=dd[,dd],... # # where dd is an ordinal day of the month # # datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]] # # Defines the starting date and time. 
# # datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]] # # Defines the ending date and time. # # HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall 4.4.15) # # The header-list consists of a comma-separated list of headers from the # following list. # # auth, ah, or 51 # # Authentication Headers extension header. # # esp, or 50 # # Encrypted Security Payload extension header. # # hop, hop-by-hop or 0 # # Hop-by-hop options extension header. # # route, ipv6-route or 41 # # IPv6 Route extension header. # # frag, ipv6-frag or 44 # # IPv6 fragmentation extension header. # # none, ipv6-nonxt or 59 # # No next header # # proto, protocol or 255 # # Any protocol header. # # If any: is specified, the rule will match if any of the listed headers are # present. If exactly: is specified, the rule will match packets that exactly # include all specified headers. If neither is given, any: is assumed. # # If ! is entered, the rule will match those packets which would not be # matched when ! is omitted. # # SWITCH - [!]switch-name[={0|1}] # # Added in Shorewall6 4.4.24 and allows enabling and disabling the rule # without requiring shorewall6 restart. # # Enables the rule if the value stored in /proc/net/nf_condition/switch-name # is 1. Disables the rule if that file contains 0 (the default). If '!' is # supplied, the test is inverted such that the rule is enabled if the file # contains 0. # # Within the switch-name, '@0' and '@{0}' are replaced by the name of the # chain to which the rule is added. The switch-name (after '@...' # expansion) must begin with a letter and be composed of letters, decimal # digits, underscores or hyphens. Switch names must be 30 characters or less # in length. # # Switches are normally off. To turn a switch on: # # echo 1 > /proc/net/nf_condition/switch-name # # To turn it off again: # # echo 0 > /proc/net/nf_condition/switch-name # # Switch settings are retained over shorewall6 restart. 
# # Beginning with Shorewall 4.5.10, when the switch-name is followed by =0 or # =1, then the switch is initialized to off or on respectively by the start # command. Other commands do not affect the switch setting. # # HELPER - [helper] # # Added in Shorewall 4.5.7. # # In the NEW section, causes the named conntrack helper to be associated with # this connection; the contents of this column are ignored unless ACTION is # ACCEPT*, DNAT* or REDIRECT*. # # In the RELATED section, will only match if the related connection has the # named helper associated with it. # # The helper may be one of: # # amanda # ftp # irc # netbios-ns # pptp # Q.931 # RAS # sane # sip # snmp # tftp # # If the HELPERS option is specified in shorewall6.conf(5), then any module # specified in this column must be listed in the HELPERS setting. # # Example # # Example 1: # # Accept SMTP requests from the DMZ to the internet # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST # ACCEPT dmz net tcp smtp # # Example 4: # # You want to accept SSH connections to your firewall only from internet IP # addresses 2002:ce7c::92b4:1::2 and 2002:ce7c::92b4:1::22 # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST # ACCEPT net:<2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22> \ # $FW tcp 22 # # Example 5: # # You wish to limit SSH connections from remote systems to 1/min with a burst # of three (to allow for limited retry): # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE # SSH(ACCEPT) net all - - - - s:1/min:3 # # Example 6: # # Forward port 80 to dmz host $BACKUP if switch 'primary_down' is set. # # #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH # DNAT net dmz:$BACKUP tcp 80 - - - - - - - - primary_down # # Example 7: # # Drop all email from IP addresses in the country whose ISO-3661 country code # is ZZ. 
# # #ACTION SOURCE DEST PROTO DPORT # DROP net:^ZZ fw tcp 25 # # Example 8: # # You want to generate your own rule involving ip6tables targets and matches # not supported by Shorewall. # # #ACTION SOURCE DEST PROTO DPORT # INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 # # The above will generate the following ip6tables-restore input: # # -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3 # # Note that SECCTX must be defined as a builtin action in shorewall6-actions # (5): # # #ACTION OPTIONS # SECCTX builtin # ###################################################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER # PORT PORT(S) DEST LIMIT GROUP ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW Invalid(DROP) net $FW tcp SSH(ACCEPT) net $FW Ping(ACCEPT) net $FW shorewall6-5.0.4/Samples6/Universal/policy0000644000000000000000000000057712647470621017212 0ustar rootroot# # Shorewall version 4 - Policy File # # For information about entries in this file, type "man shorewall-policy" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-policy.html # ############################################################################### #SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: # LEVEL BURST MASK fw net ACCEPT net all DROP shorewall6-5.0.4/Samples6/Universal/zones0000644000000000000000000000053412647470621017042 0ustar rootroot# # Shorewall version 4 - Zones File # # For information about this file, type "man shorewall-zones" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-zones.html # 
############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ip shorewall6-5.0.4/Samples6/Universal/policy.annotated0000644000000000000000000002024512650244200021142 0ustar rootroot# # Shorewall version 4 - Policy File # # For information about entries in this file, type "man shorewall-policy" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-policy.html # ############################################################################### # # This file defines the high-level policy for connections between zones defined # in shorewall6-zones(5). # # Important # # The order of entries in this file is important # # This file determines what to do with a new connection request if we don't get a # match from the /etc/shorewall6/rules file. For each source/destination pair, # the file is processed in order until a match is found ("all" will match any # client or server). # # Important # # Intra-zone policies are pre-defined # # For $FW and for all of the zones defined in /etc/shorewall6/zones, the POLICY # for connections from the zone to itself is ACCEPT (with no logging or TCP # connection rate limiting) but may be overridden by an entry in this file. The # overriding entry must be explicit (specifying the zone name on both SOURCE and # DEST) or it must use "all+" (Shorewall 4.5.17 or later). # # Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall6.conf, then the # implicit policy to/from any sub-zone is CONTINUE. These implicit CONTINUE # policies may also be overridden by an explicit entry in this file. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # SOURCE - zone|$FW|all|all+ # # Source zone. Must be the name of a zone defined in shorewall6-zones(5), # $FW, "all" or "all+". 
# # Support for "all+" was added in Shorewall 4.5.17. "all" does not override # the implicit intra-zone ACCEPT policy while "all+" does. # # DEST - zone|$FW|all|all+ # # Destination zone. Must be the name of a zone defined in shorewall6-zones # (5), $FW, "all" or "all+". If the DEST is a bport zone, then the SOURCE # must be "all", "all+", another bport zone associated with the same bridge, # or it must be an ipv6 zone that is associated with only the same bridge. # # Support for "all+" was added in Shorewall 4.5.17. "all" does not override # the implicit intra-zone ACCEPT policy while "all+" does. # # POLICY - {ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2 # ])]|NONE}[:{default-action-or-macro[:level]|None}] # # Policy if no match from the rules file is found. # # If the policy is neither CONTINUE nor NONE then the policy may be followed # by ":" and one of the following: # # a. The word "None" or "none". This causes any default action defined in # shorewall6.conf(5) to be omitted for this policy. # # b. The name of an action. The action will be invoked before the policy is # enforced. # # Actions can have parameters specified. # # Beginning with Shorewall 4.5.10, the action name can be followed optionally # by a colon and a log level. The level will be applied to each rule in the # action or macro body that does not already have a log level. # # Possible actions are: # # ACCEPT # # Accept the connection. # # DROP # # Ignore the connection request. # # REJECT # # For TCP, send RST. For all other, send an "unreachable" ICMP. # # QUEUE # # Queue the request for a user-space application such as Snort-inline. # # NFQUEUE # # Queue the request for a user-space application using the # nfnetlink_queue mechanism. If queuenumber1 is not given, queue zero # (0) is assumed. Beginning with Shorewall 4.6.10, a second queue number # (queuenumber2) may be given. This specifies a range of queues to use. # Packets are then balanced across the given queues. 
This is useful for # multicore systems: start multiple instances of the userspace program on # queues x, x+1, .. x+n and use "x:x+n". Packets belonging to the same # connection are put into the same nfqueue. # # CONTINUE # # Pass the connection request past any other rules that it might also # match (where the source or destination zone in those rules is a # superset of the SOURCE or DEST in this policy). See shorewall6-nesting # (5) for additional information. # # NONE # # Assume that there will never be any packets from this SOURCE to this # DEST. shorewall6 will not create any infrastructure to handle such # packets and you may not have any rules with this SOURCE and DEST in the # /etc/shorewall6/rules file. If such a packet is received, the result is # undefined. NONE may not be used if the SOURCE or DEST columns contain # the firewall zone ($FW) or "all". # # LOG LEVEL (loglevel) - [log-level|NFLOG] # # Optional - if supplied, each connection handled under the default POLICY is # logged at that level. If not supplied, no log message is generated. See # syslog.conf(5) for a description of log levels. # # You may also specify NFLOG (must be in upper case). This will log to the # NFLOG target and will send to a separate log through use of ulogd (http:// # www.netfilter.org/projects/ulogd/index.html). # # For a description of log levels, see http://www.shorewall.net/ # shorewall_logging.html. # # If you don't want to log but need to specify the following column, place # "-" here. # # BURST:LIMIT (limit) - [-|limit] # # where limit is one of: # # [-|[{s|d}:[[name]:]]]rate/{sec|min|hour|day}[:burst] # [name1]:rate1/{sec|min|hour|day}[:burst1],[name2]:rate2/{sec|min|hour|day} # [:burst2] # # If passed, specifies the maximum TCP connection rate and the size of an # acceptable burst. If not specified, TCP connections are not limited. If the # burst parameter is omitted, a value of 5 is assumed. 
# # When s: or d: is specified, the rate applies per source IP address or per # destination IP address respectively. The name may be chosen by the user and # specifies a hash table to be used to count matching connections. If not # given, the name shorewall is assumed. Where more than one POLICY or rule # specifies the same name, the connection counts for the policies are # aggregated and the individual rates apply to the aggregated count. # # Beginning with Shorewall 4.6.5, two limits may be specified, separated by a # comma. In this case, the first limit (name1, rate1, burst1) specifies the # per-source IP limit and the second limit specifies the per-destination IP # limit. # # Example: client:10/sec:20,:60/sec:100 # # CONNLIMIT - limit[:mask] # # May be used to limit the number of simultaneous connections from each # individual host. While the limit is only checked on # connections to which this policy could apply, the number of current # connections is calculated over all current connections from the SOURCE # host. By default, the limit is applied to each host individually but can be # made to apply to networks of hosts by specifying a mask. The mask specifies # the width of a VLSM mask to be applied to the source address; the number of # current connections is then taken over all hosts in the subnet # source-address/mask. # # Example # # a. All connections from the local network to the internet are allowed # # b. All connections from the internet are ignored but logged at syslog level # KERNEL.INFO. # # c. All other connection requests are rejected and logged at level KERNEL.INFO. 
# # #SOURCE DEST POLICY LOG BURST:LIMIT # # LEVEL # loc net ACCEPT # net all DROP info # # # # THE FOLLOWING POLICY MUST BE LAST # # # all all REJECT info # ############################################################################### #SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: # LEVEL BURST MASK fw net ACCEPT net all DROP shorewall6-5.0.4/Samples6/Universal/rules0000644000000000000000000000132712647470621017037 0ustar rootroot# # Shorewall version 4 - Rules File # # For information on the settings in this file, type "man shorewall-rules" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-rules.html # # Note: the SSH(ACCEPT) rule below accepts SSH from the entire net zone with no # source restriction and no RATE LIMIT; on an Internet-facing host consider # narrowing the SOURCE column or filling in the RATE LIMIT column. # ###################################################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER # PORT PORT(S) DEST LIMIT GROUP ?SECTION ALL ?SECTION ESTABLISHED ?SECTION RELATED ?SECTION INVALID ?SECTION UNTRACKED ?SECTION NEW Invalid(DROP) net $FW tcp SSH(ACCEPT) net $FW Ping(ACCEPT) net $FW shorewall6-5.0.4/Samples6/Universal/shorewall6.conf0000644000000000000000000001053412647470621020717 0ustar rootroot############################################################################### # # Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf # # For information about the settings in this file, type "man shorewall6.conf" # # Manpage also online at # http://www.shorewall.net/manpages6/shorewall6.conf.html ############################################################################### # S T A R T U P E N A B L E D ############################################################################### STARTUP_ENABLED=Yes ############################################################################### # V E R B O S I T Y ############################################################################### VERBOSITY=1 
############################################################################### # L O G G I N G ############################################################################### BLACKLIST_LOG_LEVEL= INVALID_LOG_LEVEL= LOG_BACKEND= LOG_VERBOSITY=2 LOGALLNEW= LOGFILE= LOGFORMAT="Shorewall:%s:%s:" LOGLIMIT= LOGTAGONLY=No MACLIST_LOG_LEVEL=info RELATED_LOG_LEVEL= RPFILTER_LOG_LEVEL=info SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info STARTUP_LOG=/var/log/shorewall6-init.log TCP_FLAGS_LOG_LEVEL=info UNTRACKED_LOG_LEVEL= ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall GEOIPDIR=/usr/share/xt_geoip/LE IP6TABLES= IP= IPSET= LOCKFILE= MODULESDIR= NFACCT= PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin RESTOREFILE= SHOREWALL_SHELL=/bin/sh SUBSYSLOCK= TC= ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### ACCEPT_DEFAULT="none" DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" REJECT_DEFAULT="Reject" ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' RSH_COMMAND='ssh ${root}@${system} ${command}' ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### ACCOUNTING=Yes ACCOUNTING_TABLE=filter ADMINISABSENTMINDED=Yes BASIC_FILTERS=No IGNOREUNKNOWNVARIABLES=No AUTOCOMMENT=Yes AUTOHELPERS=Yes AUTOMAKE=No 
BLACKLIST="NEW,INVALID,UNTRACKED" CHAIN_SCRIPTS=No CLAMPMSS=No CLEAR_TC=Yes COMPLETE=Yes DEFER_DNS_RESOLUTION=Yes DELETE_THEN_ADD=Yes DONT_LOAD= DYNAMIC_BLACKLIST=Yes EXPAND_POLICIES=Yes EXPORTMODULES=Yes FASTACCEPT=Yes FORWARD_CLEAR_MARK= HELPERS= IMPLICIT_CONTINUE=No INLINE_MATCHES=Yes IPSET_WARNINGS=Yes IP_FORWARDING=keep KEEP_RT_TABLES=Yes LOAD_HELPERS_ONLY=Yes MACLIST_TABLE=filter MACLIST_TTL= MANGLE_ENABLED=Yes MARK_IN_FORWARD_CHAIN=No MODULE_SUFFIX="ko ko.xz" MUTEX_TIMEOUT=60 OPTIMIZE=All OPTIMIZE_ACCOUNTING=No REJECT_ACTION= REQUIRE_INTERFACE=Yes RESTART=restart RESTORE_ROUTEMARKS=Yes SAVE_IPSETS=No TC_ENABLED=No TC_EXPERT=No TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" TRACK_PROVIDERS=Yes TRACK_RULES=No USE_DEFAULT_RT=Yes USE_PHYSICAL_NAMES=No USE_RT_NAMES=No WARNOLDCAPVERSION=Yes WORKAROUNDS=No ZONE2ZONE=- ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### BLACKLIST_DISPOSITION=DROP INVALID_DISPOSITION=CONTINUE MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT SFILTER_DISPOSITION=DROP RPFILTER_DISPOSITION=DROP SMURF_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP UNTRACKED_DISPOSITION=CONTINUE ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ TC_BITS= PROVIDER_BITS= PROVIDER_OFFSET= MASK_BITS= ZONE_BITS=0 #LAST LINE -- DO NOT REMOVE shorewall6-5.0.4/Samples6/Universal/interfaces0000644000000000000000000000073512647470621020032 0ustar rootroot# # Shorewall version 4 - Interfaces File # # For information about entries in this file, type "man shorewall-interfaces" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-interfaces.html # ############################################################################### ?FORMAT 2 
############################################################################### #ZONE INTERFACE OPTIONS - lo ignore net all dhcp,physical=+,routeback,sourceroute=0 shorewall6-5.0.4/Samples6/Universal/zones.annotated0000644000000000000000000002024512650244202021003 0ustar rootroot# # Shorewall version 4 - Zones File # # For information about this file, type "man shorewall-zones" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-zones.html # ############################################################################### # # The /etc/shorewall6/zones file declares your network zones. You specify the # hosts in each zone through entries in /etc/shorewall6/interfaces or /etc/ # shorewall6/hosts. # # The columns in the file are as follows (where the column name is followed by a # different name in parentheses, the different name is used in the alternate # specification syntax). # # ZONE - zone[:parent-zone[,parent-zone]...] # # Name of the zone. The names "all", "none", "SOURCE" and "DEST" are reserved # and may not be used as zone names. The maximum length of a zone name is # determined by the setting of the LOGFORMAT option in shorewall6.conf(5). # With the default LOGFORMAT, zone names can be at most 5 characters long. # # The maximum length of an iptables log prefix is 29 bytes. As explained # in shorewall6.conf (5), the default LOGFORMAT formatting string is # “Shorewall:%s:%s:” where the first %s is replaced by the chain name and # the second is replaced by the disposition. # # ☆ The default formatting string has 12 fixed characters ("Shorewall" # and three colons). # # ☆ The longest of the standard dispositions are ACCEPT and REJECT # which have 6 characters each. # # ☆ The canonical name for the chain containing the rules for traffic # going from zone 1 to zone 2 is the two zone names joined by "2" # (e.g., "net2fw"). # # ☆ So if M is the maximum zone name length, such chains can have # length 2*M + 1. 
# # 12 + 6 + 2*M + 1 = 29 which reduces to # 2*M = 29 - 12 - 6 - 1 = 10 or # M = 5 # # The order in which Shorewall6 matches addresses from packets to zones is # determined by the order of zone declarations. Where a zone is nested in one # or more other zones, you may either ensure that the nested zone precedes # its parents in this file, or you may follow the (sub)zone name by ":" and a # comma-separated list of the parent zones. The parent zones must have been # declared in earlier records in this file. See shorewall6-nesting(5) for # additional information. # # Example: # # #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS # a ipv6 # b ipv6 # c:a,b ipv6 # # Currently, Shorewall6 uses this information to reorder the zone list so # that parent zones appear after their subzones in the list. The # IMPLICIT_CONTINUE option in shorewall6.conf(5) can also create implicit # CONTINUE policies to/from the subzone. # # Where an ipsec zone is explicitly included as a child of an ipv6 zone, the # ruleset allows CONTINUE policies (explicit or implicit) to work as # expected. # # In the future, Shorewall6 may make additional use of nesting information. # # TYPE # # ipv6 # # This is the standard Shorewall6 zone type and is the default if you # leave this column empty or if you enter "-" in the column. # Communication with some zone hosts may be encrypted. Encrypted hosts # are designated using the 'ipsec' option in shorewall6-hosts(5). # # ipsec (or ipsec6) # # Communication with all zone hosts is encrypted. Your kernel and # ip6tables must include policy match support. # # firewall # # Designates the firewall itself. You must have exactly one 'firewall' # zone. No options are permitted with a 'firewall' zone. The name that # you enter in the ZONE column will be stored in the shell variable $FW # which you may use in other configuration files to designate the # firewall zone. # # bport (or bport6) # # The zone is associated with one or more ports on a single bridge. 
# # vserver # # Added in Shorewall 4.4.11 Beta 2 - A zone composed of Linux-vserver # guests. The zone contents must be defined in shorewall6-hosts (5). # # Vserver zones are implicitly handled as subzones of the firewall zone. # # loopback # # Added in Shorewall 4.5.17. # # Normally, Shorewall treats the loopback interface (lo) in the following # way: # # ☆ By default, all traffic through the interface is ACCEPTed. # # ☆ If a $FW -> $FW policy is defined or $FW -> $FW rules are defined, # they are placed in a chain named ${FW}2${FW} or ${FW}-${FW} (e.g., # 'fw2fw' or 'fw-fw' ) depending on the ZONE2ZONE setting in # shorewall6.conf(5). # # ☆ $FW -> $FW traffic is only filtered in the OUTPUT chain. # # By defining a loopback zone and associating it with the loopback # interface in shorewall6-interfaces(5), you can effect a slightly # different model. Suppose that the loopback zone name is 'local'; then: # # ☆ Both $FW -> local and local -> $FW chains are created. # # ☆ The $FW -> local and local -> $FW policies may be different. # # ☆ Both $FW -> local and local -> $FW rules may be specified. # # Rules to/from the loopback zone and any zone other than the firewall # zone are ignored with a warning. # # loopback zones may be nested within other loopback zones. # # local # # Added in Shorewall 4.5.17. local is the same as ipv6 with the exception # that the zone is only accessible from the firewall and vserver zones. # # OPTIONS, IN OPTIONS and OUT OPTIONS (options, in_options, out_options) - [ # option[,option]...] # # A comma-separated list of options. With the exception of the mss and # blacklist options, these only apply to TYPE ipsec zones. # # blacklist # # Added in Shorewall 4.4.13. May not be specified for firewall or vserver # zones. # # When specified in the IN_OPTIONS column, causes all traffic from this # zone to be passed against the src entries in shorewall6-blacklist(5). 
# # When specified in the OUT_OPTIONS column, causes all traffic to this # zone to be passed against the dst entries in shorewall6-blacklist(5). # # Specifying this option in the OPTIONS column is equivalent to entering # it in both of the IN_OPTIONS and OUT_OPTIONS columns. # # dynamic_shared # # Added in Shorewall 4.5.9. May only be specified in the OPTIONS column # and indicates that only a single ipset should be created for this zone # if it has multiple dynamic entries in shorewall6-hosts(5). Without this # option, a separate ipset is created for each interface. # # reqid=number # # where number is specified using setkey(8) using the 'unique:number' # option for the SPD level. # # spi=number # # where number is the SPI of the SA used to encrypt/decrypt packets. # # proto=ah|esp|ipcomp # # IPSEC Encapsulation Protocol # # mss=number # # sets the MSS field in TCP packets. If you supply this option, you # should also set FASTACCEPT=No in shorewall6.conf(5) to ensure that both # the SYN and SYN,ACK packets have their MSS field adjusted. # # mode=transport|tunnel # # IPSEC mode # # tunnel-src=address[/mask] # # only available with mode=tunnel # # tunnel-dst=address[/mask] # # only available with mode=tunnel # # strict # # Means that packets must match all rules. # # next # # Separates rules; can only be used with strict # # The options in the OPTIONS column are applied to both incoming and outgoing # traffic. The IN OPTIONS are applied to incoming traffic (in addition to # OPTIONS) and the OUT OPTIONS are applied to outgoing traffic. # # If you wish to leave a column empty but need to make an entry in a # following column, use "-". 
# ############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ip shorewall6-5.0.4/Samples6/Universal/shorewall6.conf.annotated0000644000000000000000000020073012650244201022655 0ustar rootroot############################################################################### # # Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf # # For information about the settings in this file, type "man shorewall6.conf" # # Manpage also online at # http://www.shorewall.net/manpages6/shorewall6.conf.html ############################################################################### # S T A R T U P E N A B L E D ############################################################################### # # OPTIONS # # Many options have as their value a log-level. Log levels are a method of # describing to syslog (8) the importance of a message and a number of parameters # in this file have log levels as their value. # # These levels are defined by syslog and are used to determine the destination of # the messages through entries in /etc/syslog.conf (5). The syslog documentation # refers to these as "priorities"; Netfilter calls them "levels" and Shorewall6 # also uses that term. # # Valid levels are: # # 7 debug # 6 info # 5 notice # 4 warning # 3 err # 2 crit # 1 alert # 0 emerg # # For most Shorewall6 logging, a level of 6 (info) is appropriate. Shorewall6 log # messages are generated by NetFilter and are logged using facility 'kern' and # the level that you specify. If you are unsure of the level to choose, 6 (info) # is a safe bet. You may specify levels by name or by number. # # If you have built your kernel with NFLOG target support, you may also specify a # log level of NFLOG (must be all caps). Rather than log its messages to syslogd, # Shorewall6 will direct netfilter to log the messages via the NFLOG target which # will send them to a process called 'ulogd'. 
ulogd is available with most Linux # distributions (although it probably isn't installed by default). Ulogd is also # available from http://www.netfilter.org/projects/ulogd/index.html and can be # configured to log all Shorewall6 messages to their own log file. # # Note # # If you want to specify parameters to ULOG or NFLOG (e.g., NFLOG(1,0,1)), then # you must quote the setting. # # Example: BLACKLIST_LOG_LEVEL="NFLOG(1,0,1)" # STARTUP_ENABLED=Yes # # STARTUP_ENABLED={Yes|No} # # Determines if Shorewall6 is allowed to start. As released from # shorewall.net, this option is set to No. When set to Yes or yes, Shorewall6 # may be started. Used as a guard against Shorewall6 being accidentally # started before it has been configured. # ############################################################################### # V E R B O S I T Y ############################################################################### VERBOSITY=1 # # VERBOSITY=[number] # # Shorewall6 has traditionally been very noisy (produced lots of output). You # may set the default level of verbosity using the VERBOSITY OPTION. # # Values are: # # 0 - Silent. You may make it more verbose using the -v option # 1 - Major progress messages displayed # 2 - All progress messages displayed (pre Shorewall6-3.2.0 behavior) # # If not specified, then 2 is assumed. # ############################################################################### # L O G G I N G ############################################################################### BLACKLIST_LOG_LEVEL= # # BLACKLIST_LOG_LEVEL=[log-level[:log-tag]] # # Formerly named BLACKLIST_LOGLEVEL. This parameter determines if packets # from blacklisted hosts are logged and it determines the syslog level that # they are to be logged at. Its value is a syslog level (Example: # BLACKLIST_LOG_LEVEL=debug). If you do not assign a value or if you assign # an empty value then packets from blacklisted hosts are not logged. 
The # setting determines the log level of packets sent to the blacklog target of # shorewall6-blrules(5). # INVALID_LOG_LEVEL= # # INVALID_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.5.13. Packets in the INVALID state that do not match # any rule in the INVALID section of shorewall6-rules (5) are logged at this # level. The default value is empty which means no logging is performed. # LOG_BACKEND= # # LOG_BACKEND=[backend] # # Added in Shorewall 4.6.4. LOG_BACKEND determines the logging backend to be # used for the iptrace command (see shorewall6(8)). # # backend is one of: # # LOG # # Use standard kernel logging. # # netlink # # Use netlink logging to ulogd version 2 or later. # LOG_VERBOSITY=2 # # LOG_VERBOSITY=[number] # # This option controls the amount of information logged to the file specified # in the STARTUP_LOG option. # # Values are: # # -1 - Logging is disabled # 0 - Silent. Only error messages are logged. # 1 - Major progress messages logged. # 2 - All progress messages logged # # If not specified, then -1 is assumed. # LOGALLNEW= # # LOGALLNEW=[log-level] # # This option is intended for use as a debugging aid. When set to a log # level, this option causes Shorewall6 to generate a logging rule as the # first rule in each builtin chain. # # □ The table name is used as the chain name in the log prefix. # # □ The chain name is used as the target in the log prefix. # # For example, using the default LOGFORMAT, the log prefix for logging # from the nat table's PREROUTING chain is: # # Shorewall:nat:PREROUTING # # Important # # To help insure that all packets in the NEW state are logged, rate # limiting (LOGLIMIT) should be disabled when using LOGALLNEW. Use # LOGALLNEW at your own risk; it may cause high CPU and disk utilization # and you may not be able to control your firewall after you enable this # option. # # Caution # # Do not use this option if the resulting log messages will be sent to # another system. 
# LOGFILE= # # LOGFILE=[pathname] # # This parameter tells the /sbin/shorewall6 program where to look for # Shorewall6 messages when processing the dump, logwatch, show log, and hits # commands. If not assigned or if assigned an empty value, /var/log/messages # is assumed. # LOGFORMAT="Shorewall:%s:%s:" # # LOGFORMAT=["formattemplate"] # # The value of this variable generate the --log-prefix setting for Shorewall6 # logging rules. It contains a “printf” formatting template which accepts # three arguments (the chain name, logging rule number (optional) and the # disposition). To use LOGFORMAT with fireparse, set it as: # # LOGFORMAT="fp=%s:%d a=%s " # # If the LOGFORMAT value contains the substring “%d” then the logging rule # number is calculated and formatted in that position; if that substring is # not included then the rule number is not included. If not supplied or # supplied as empty (LOGFORMAT="") then “Shorewall6:%s:%s:” is assumed. # # Note # # The setting of LOGFORMAT has an effect of the permitted length of zone # names. See shorewall6-zones (5). # LOGLIMIT= # # LOGLIMIT=[[{s|d}:]rate/{sec|second|min|minute|hour|day}[:burst]] # # Added in Shorewall 4.4.12. Limits the logging rate, either overall, or by # source or destination IP address. # # If the value starts with 's:' then logging is limited per source IP. If the # value starts with 'd:', then logging is limited per destination IP. # Otherwise, the overall logging rate is limited. # # If burst is not specified, then a value of 5 is assumed. # # The keywords second and minute are accepted beginning with Shorewall # 4.6.13. # LOGTAGONLY=No # # LOGTAGONLY=[Yes|No] # # Using the default LOGFORMAT, chain names may not exceed 11 characters or # truncation of the log prefix may occur. Longer chain names may be used with # log tags if you set LOGTAGONLY=Yes. With LOGTAGONLY=Yes, if a log tag is # specified then the tag is included in the log prefix in place of the chain # name. 
# # Beginning with Shorewall 4.5.12, when LOGTAGONLY=Yes, you have more control # over the generated log prefix. Beginning with that release, the tag is # interpreted as a chain name and a disposition separated by a comma. So this # rule: # # #ACTION SOURCE DEST # LOG:info:foo,bar net fw # # would generate the following log prefix when using the default LOGFORMAT # setting: # # Shorewall:foo:bar: # # Similarly, # # #ACTION SOURCE DEST # LOG:info:,bar net fw # # would generate # # Shorewall:net2fw:bar: # MACLIST_LOG_LEVEL=info # # MACLIST_LOG_LEVEL=[log-level[:log-tag]] # # Determines the syslog level for logging connection requests that fail MAC # Verification. The value must be a valid syslogd log level. If you don't # want to log these connection requests, set to the empty value (e.g., # MACLIST_LOG_LEVEL=""). # RELATED_LOG_LEVEL= # # RELATED_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.4.27. Packets in the related state that do not match # any rule in the RELATED section of shorewall6-rules (5) are logged at this # level. The default value is empty which means no logging is performed. # RPFILTER_LOG_LEVEL=info # # RPFILTER_LOG_LEVEL=log-level[:log-tag] # # Added in shorewall 4.5.7. Determines the logging of packets disposed via # the RPFILTER_DISPOSITION. The default value is info. # SFILTER_LOG_LEVEL=info # # SFILTER_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.4.20. Determines the logging of packets matching the # sfilter option (see shorewall6-interfaces(5)) and of hairpin packets on # interfaces without the routeback option. The default is info. If you don't # wish for these packets to be logged, use SFILTER_LOG_LEVEL=none. # SMURF_LOG_LEVEL=info # # SMURF_LOG_LEVEL=[log-level[:log-tag]] # # Specifies the logging level for smurf packets (see the nosmurfs option in # shorewall6-interfaces(5)). If set to the empty value ( SMURF_LOG_LEVEL="" ) # then smurfs are not logged. 
# STARTUP_LOG=/var/log/shorewall6-init.log # # STARTUP_LOG=[pathname] # # If specified, determines where Shorewall6 will log the details of each # start, reload, restart and refresh command. Logging verbosity is determined # by the setting of LOG_VERBOSITY above. # TCP_FLAGS_LOG_LEVEL=info # # TCP_FLAGS_LOG_LEVEL=[log-level[:log-tag]] # # Determines the syslog level for logging packets that fail the checks # enabled by the tcpflags interface option. The value must be a valid syslogd # log level. If you don't want to log these packets, set to the empty value # (e.g., TCP_FLAGS_LOG_LEVEL=""). # UNTRACKED_LOG_LEVEL= # # UNTRACKED_LOG_LEVEL=log-level[:log-tag] # # Added in Shorewall 4.5.13. Packets in the UNTRACKED state that do not match # any rule in the UNTRACKED section of shorewall6-rules (5) are logged at # this level. The default value is empty which means no logging is performed. # ############################################################################### # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall # # CONFIG_PATH=[directory[:directory]...] # # Specifies where configuration files other than shorewall6.conf may be # found. CONFIG_PATH is specified as a list of directory names separated by # colons (":"). When looking for a configuration file: # # □ If the command is "try" or a configuration directory was specified # in the command (e.g., shorewall6 check ./gateway) then the directory # given in the command is searched first. # # □ Next, each directory in the CONFIG_PATH setting is searched in # sequence. # # If CONFIG_PATH is not given or if it is set to the empty value then the # contents of /usr/share/shorewall6/configpath are used. 
As released from # shorewall.net, that file sets the CONFIG_PATH to /etc/shorewall6:/usr/share # /shorewall6:/usr/share/shorewall but your particular distribution may set # it differently. See the output of shorewall6 show config for the default on # your system. # GEOIPDIR=/usr/share/xt_geoip/LE # # GEOIPDIR=[pathname] # # Added in Shorewall 4.5.4. Specifies the pathname of the directory # containing the GeoIP Match database. See http://www.shorewall.net/ # ISO-3661.html. If not specified, the default value is /usr/share/xt_geoip/ # LE which is the default location of the little-endian database. # IP6TABLES= # # IP6TABLES=[pathname] # # This parameter names the ip6tables executable to be used by Shorewall6. If # not specified or if specified as a null value, then the ip6tables # executable located using the PATH option is used. # # Regardless of how the ip6tables utility is located (specified via IP6TABLES # = or located via PATH), Shorewall6 uses the ip6tables-restore and # ip6tables-save utilities from that same directory. # IP= # # IP=[pathname] # # If specified, gives the pathname of the 'ip' executable. If not specified, # 'ip' is assumed and the utility will be located using the current PATH # setting. # IPSET= # # IPSET=[pathname] # # If specified, gives the pathname of the 'ipset' executable. If not # specified, 'ipset' is assumed and the utility will be located using the # current PATH setting. # LOCKFILE= # # LOCKFILE=[pathname] # # Specifies the name of the Shorewall6 lock file, used to prevent # simultaneous state-changing commands. If not specified, ${VARDIR}/ # shorewall6/lock is assumed (${VARDIR} is normally /var/lib but can be # changed when Shorewall-core is installed -- see the output of shorewall6 # show vardir). # MODULESDIR= # # MODULESDIR=[pathname[:pathname]...] # # This parameter specifies the directory/directories where your kernel # netfilter modules may be found. 
If you leave the variable empty, Shorewall # will supply the value "/lib/modules/$uname/kernel/net/ipv${g_family}/ # netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/ # kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset" # where uname holds the output of 'uname -r' and g_family holds '6'. # NFACCT= # # NFACCT=[pathname] # # Added in Shorewall 4.5.7. Specifies the pathname of the nfacct utility. If # not specified, Shorewall will use the PATH setting to find the program. # PERL=/usr/bin/perl # # PERL=pathname # # Added in Shorewall 4.4.11 RC1. Specifies the path name of the Perl # executable. Default is /usr/bin/perl. If the pathname specified by this # option does not exist or the named file is not executable, then Shorewall6 # falls back to /usr/bin/perl # PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin # # PATH=pathname[:pathname]... # # Determines the order in which Shorewall6 searches directories for # executable files. # RESTOREFILE= # # RESTOREFILE=filename # # Specifies the simple name of a file in /var/lib/shorewall6 to be used as # the default restore script in the shorewall6 save, shorewall6 restore, # shorewall6 forget and shorewall6 -f start commands. # SHOREWALL_SHELL=/bin/sh # # SHOREWALL_SHELL=[pathname] # # This option is used to specify the shell program to be used to interpret # the compiled script. If not specified or specified as a null value, /bin/sh # is assumed. Using a light-weight shell such as ash or dash can # significantly improve performance. # SUBSYSLOCK= # # SUBSYSLOCK=[pathname] # # This parameter should be set to the name of a file that the firewall should # create if it starts successfully and remove when it stops. Creating and # removing this file allows Shorewall6 to work with your distribution's # initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall6. # For Debian, the value is /var/lock/shorewall6 and in LEAF it is /var/run/ # shorewall. 
# TC= # # TC=[pathname] # # If specified, gives the pathname of the 'tc' executable. If not specified, # 'tc' is assumed and the utility will be located using the current PATH # setting. # ############################################################################### # D E F A U L T A C T I O N S / M A C R O S ############################################################################### ACCEPT_DEFAULT="none" # # ACCEPT_DEFAULT={action[(parameters)][:level]|none} # DROP_DEFAULT="Drop" # # DROP_DEFAULT={action[(parameters)][:level]|none} # NFQUEUE_DEFAULT="none" # # NFQUEUE_DEFAULT={action[(parameters)][:level]|none} # QUEUE_DEFAULT="none" # # QUEUE_DEFAULT={action[(parameters)][:level]|none} # REJECT_DEFAULT="Reject" # # REJECT_DEFAULT={action[(parameters)][:level]|none} # # DROP_DEFAULT describes the rules to be applied before a connection request # is dropped by a DROP policy; REJECT_DEFAULT describes the rules to be # applied if a connection request is rejected by a REJECT policy. The other # three are similar for ACCEPT, QUEUE and NFQUEUE policies. # # The value applied to these may be: # # a) The name of an action. The name may optionally be followed by a # comma-separated list of parameters enclosed in parentheses if the specified # action accepts parameters (e.g., 'Drop(audit)'). # c) None or none # # The default values are: # # DROP_DEFAULT="Drop" # REJECT_DEFAULT="Reject" # ACCEPT_DEFAULT="none" # QUEUE_DEFAULT="none" # NFQUEUE_DEFAULT="None" # # If you set the value of either option to "None" then no default action will # be used and the default action or macro must be specified in # shorewall6-policy(5). # # You can pass parameters to the specified action or macro (e.g., myaction # (audit,DROP)). # # Beginning with Shorewall 4.5.10, the action name can be followed optionally # by a colon and a log level. The level will be applied to each rule in the # action or macro body that does not already have a log level. 
# ############################################################################### # R S H / R C P C O M M A N D S ############################################################################### RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' # # RCP_COMMAND="command" # RSH_COMMAND='ssh ${root}@${system} ${command}' # # RSH_COMMAND="command" # # Earlier generations of Shorewall6 Lite required that remote root login via # ssh be enabled in order to use the load and reload commands. Beginning with # release 3.9.5, you may define an alternative means for accessing the remote # firewall system. In that release, two new options were added to # shorewall6.conf: # # RSH_COMMAND # RCP_COMMAND # # The default values for these are as follows: # # RSH_COMMAND: ssh ${root}@${system} ${command} # RCP_COMMAND: scp ${files} ${root}@${system}:${destination} # # Shell variables that will be set when the commands are invoked are as # follows: # # root - root user. Normally root but may be overridden using the '-r' # option. # system - The name/IP address of the remote firewall system. # command - For RSH_COMMAND, the command to be executed on the firewall # system. # files - For RCP_COMMAND, a space-separated list of files to be copied to # the remote firewall system. # destination - The directory on the remote system that the files are to be # copied into. # ############################################################################### # F I R E W A L L O P T I O N S ############################################################################### ACCOUNTING=Yes # # ACCOUNTING=[Yes|No] # # Added in Shorewall 4.4.7. If set to Yes, Shorewall6 accounting is enabled # (see shorewall6-accounting(5)). If not specified or set to the empty value, # ACCOUNTING=Yes is assumed. # ACCOUNTING_TABLE=filter # # ACCOUNTING_TABLE=[filter|mangle] # # Added in Shorewall 4.4.20. This setting determines which Netfilter table # the accounting rules are added in. 
By default, ACCOUNTING_TABLE=filter is # assumed. See also shorewall6-accounting(5). # ADMINISABSENTMINDED=Yes # # ADMINISABSENTMINDED=[Yes|No] # # The value of this variable affects Shorewall's stopped state. The behavior # differs depending on whether shorewall-routestopped(5) or # shorewall-stoppedrules(5) is used: # # routestopped # # When ADMINISABSENTMINDED=No, only traffic to/from those addresses # listed in routestopped is accepted when Shorewall is stopped. When # ADMINISABSENTMINDED=Yes, in addition to traffic to/from addresses in # routestopped, connections that were active when Shorewall stopped # continue to work and all new connections from the firewall system # itself are allowed. # # stoppedrules # # All existing connections continue to work. To sever all existing # connections when the firewall is stopped, install the conntrack utility # and place the command conntrack -F in the stopped user exit (/etc/ # shorewall6/stopped). # # If ADMINISABSENTMINDED=No, only new connections matching entries in # stoppedrules are accepted when Shorewall is stopped. Response packets # and related connections are automatically accepted. # # If ADMINISABSENTMINDED=Yes, in addition to connections matching entries # in stoppedrules, all new connections from the firewall system itself # are allowed when the firewall is stopped. Response packets and related # connections are automatically accepted. # # If this variable is not set or is given the empty value then # ADMINISABSENTMINDED=No is assumed. # BASIC_FILTERS=No # # BASIC_FILTERS=[Yes|No] # # Added in Shorewall-4.6.0. When set to Yes, causes entries in # shorewall6-tcfilters(5) to generate a basic filter rather than a u32 # filter. This setting requires the Basic Ematch capability in your kernel # and iptables. # # Note # # One of the advantages of basic filters is that ipset matches are supported # in newer iproute2 and kernel versions. 
Because Shorewall6 cannot reliably # detect this capability, use of basic filters is controlled by this option. # # The default value is No which causes u32 filters to be generated. # IGNOREUNKNOWNVARIABLES=No # # IGNOREUNKNOWNVARIABLES=[Yes|No] # # Added in Shorewall 4.5.11. Normally, if an unknown shell variable is # encountered in a configuration file (except in ?IF and ?ELSIF directives), # the compiler raises a fatal error. If IGNOREUNKNOWNVARIABLES is set to Yes, # then such variables simply expand to an empty string. Default is No. # AUTOCOMMENT=Yes # # AUTOCOMMENT=[Yes|No] # # Formerly named AUTO_COMMENT. If set, if there is not a current comment when # a macro is invoked, the behavior is as if the first line of the macro file # was "COMMENT ". The AUTO_COMMENT option has a default value of # 'Yes'. # AUTOHELPERS=Yes # # AUTOHELPERS=[Yes|No] # # Added in Shorewall 4.5.7. When set to Yes (the default), the generated # ruleset will automatically associate helpers with applications that require # them (FTP, IRC, etc.). When configuring your firewall on systems running # kernel 3.5 or later, it is recommended that you: # # 1. Set AUTOHELPERS=No. # # 2. Modify the HELPERS setting (see below) to list the helpers that you # need. # # 3. Either: # # a. Modify shorewall6-conntrack (5) to only apply helpers where they # are required; or # # b. Specify the appropriate helper in the HELPER column in # shorewall6-rules (5). # # Note # # The macros for those applications requiring a helper automatically # specify the appropriate HELPER where required. # AUTOMAKE=No # # AUTOMAKE=[Yes|No] # # If set, the behavior of the start, reload and restart commands is changed; # if no files in the CONFIG_PATH (see below) have been changed since the last # successful start, reload or restart command, then the compilation step is # skipped and the compiled script that executed the last start, reload or # restart command is used. The default is AUTOMAKE=No. 
# # The setting of the AUTOMAKE option is ignored if the start, reload or # restart command includes a directory name (e.g., shorewall6 restart /etc/ # shorewall.new). # BLACKLIST="NEW,INVALID,UNTRACKED" # # BLACKLIST=[{ALL|state[,...]}] # # where state is one of NEW, ESTABLISHED, RELATED, INVALID,or UNTRACKED. # # Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY option. Specifies # the connection tracking states that are to be subject to blacklist # screening. If BLACKLIST is not specified then the states subject to # blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED. # # Note: The ESTABLISHED state may not be specified if FASTACCEPT is # specified. # CHAIN_SCRIPTS=No # # CHAIN_SCRIPTS={Yes|No} # # Added in Shorewall 4.5.16. Prior to the availability of BEGIN PERL....END # PERL in configuration files, the only way to execute a chain-specific # script was to create a script file with the same name as the chain and # place it in a directory on the CONFIG_PATH. That facility has the drawback # that the compiler will attempt to run a non-script file just because it has # the same name as a chain. To disable this facility, set CHAIN_SCRIPTS=No. # If not specified or specified as the empty value, CHAIN_SCRIPTS=Yes is # assumed. # CLAMPMSS=No # # CLAMPMSS=[Yes|No|value] # # This parameter enables the TCP Clamp MSS to PMTU feature of Netfilter and # is usually required when your internet connection is through PPPoE or PPTP. # If set to Yes or yes, the feature is enabled. If left blank or set to No or # no, the feature is not enabled. # # Important: This option requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel. # # You may also set CLAMPMSS to a numeric value (e.g., CLAMPMSS=1400). This # will set the MSS field in TCP SYN packets going through the firewall to the # value that you specify. # CLEAR_TC=Yes # # CLEAR_TC=[Yes|No] # # If this option is set to No then Shorewall6 won't clear the current traffic # control rules during [re]start. 
This setting is intended for use by people # that prefer to configure traffic shaping when the network interfaces come # up rather than when the firewall is started. If that is what you want to # do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall6 # /tcstart file. That way, your traffic shaping rules can still use the # “fwmark” classifier based on packet marking defined in shorewall6-tcrules # (5). If not specified, CLEAR_TC=No is assumed. # # Warning # # If you also run Shorewall and if you have TC_ENABLED=Internal in your # shorewall-conf(5), then you will want CLEAR_TC=No in this file. # COMPLETE=Yes # # COMPLETE=[Yes|No] # # Added in Shorewall6 4.4.12. When you set this option to Yes, you are # asserting that the configuration is complete so that your set of zones # encompasses any hosts that can send or receive traffic to/from/through the # firewall. This causes Shorewall6 to omit the rules that catch packets in # which the source or destination IP address is outside of any of your zones. # Default is No. It is recommended that this option only be set to Yes if: # # □ You have defined an interface whose effective physical setting is '+'. # # □ That interface is assigned to a zone. # # □ You have no CONTINUE policies or rules. # DEFER_DNS_RESOLUTION=Yes # # DEFER_DNS_RESOLUTION=[Yes|No] # # Added in Shorewall 4.5.12. When set to 'Yes' (the default), DNS names are # validated in the compiler and then passed on to the generated script where # they are resolved by ip6tables-restore. This is an advantage if you use # AUTOMAKE=Yes and the IP address associated with the DNS name is subject to # change. When DEFER_DNS_RESOLUTION=No, DNS names are converted into IP # addresses by the compiler. This has the advantage that when AUTOMAKE=Yes # the start, reload and restart commands will succeed even if no DNS server # is reachable (assuming that the configuration hasn't changed since the # compiled script was last generated). 
# DELETE_THEN_ADD=Yes # # DELETE_THEN_ADD={Yes|No} # # If set to Yes (the default value), entries in the /etc/shorewall6/ # route_stopped files cause an 'ip rule del' command to be generated in # addition to an 'ip rule add' command. Setting this option to No, causes the # 'ip rule del' command to be omitted. # DONT_LOAD= # # DONT_LOAD=[module[,module]...] # # Causes Shorewall6 to not load the listed kernel modules. # DYNAMIC_BLACKLIST=Yes # # DYNAMIC_BLACKLIST={Yes|No} # # Added in Shorewall 4.4.7. When set to No or no, dynamic blacklisting using # the shorewall6 drop, shorewall6 reject, shorewall6 logdrop and shorewall6 # logreject is disabled. Default is Yes. # EXPAND_POLICIES=Yes # # EXPAND_POLICIES={Yes|No} # # Normally, when the SOURCE or DEST columns in shorewall-policy(5) contains # 'all', a single policy chain is created and the policy is enforced in that # chain. For example, if the policy entry is # # #SOURCE DEST POLICY LOG # # LEVEL # net all DROP info # # then the chain name is 'net-all' ("net2all" if ZONE2ZONE=2) which is also # the chain named in Shorewall log messages generated as a result of the # policy. If EXPAND_POLICIES=Yes, then Shorewall will create a separate chain # for each pair of zones covered by the policy. This makes the resulting log # messages easier to interpret since the chain in the messages will have a # name of the form 'a2b' where 'a' is the SOURCE zone and 'b' is the DEST # zone. # EXPORTMODULES=Yes # # EXPORTMODULES=[Yes|No] # # Added in Shorewall 4.4.17. When set to Yes when compiling for use by # Shorewall6 Lite (shorewall6 load, shorewall6 reload or shorewall6 export # commands), the compiler will copy the modules or helpers file from the # administrative system into the script. When set to No or not specified, the # compiler will not copy the modules or helpers file from /usr/share/ # shorewall6 but will copy the one found in another location on the CONFIG_PATH. 
# # When compiling for direct use by Shorewall6, causes the contents of the # local module or helpers file to be copied into the compiled script. When # set to No or not set, the compiled script reads the file itself. # FASTACCEPT=Yes # # FASTACCEPT={Yes|No} # # Normally, Shorewall6 defers accepting ESTABLISHED/RELATED packets until # these packets reach the chain in which the original connection was # accepted. So for packets going from the 'loc' zone to the 'net' zone, # ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net' chain. # # If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets are accepted # early in the INPUT, FORWARD and OUTPUT chains. If you set FASTACCEPT=Yes # then you may not include rules in the ESTABLISHED or RELATED sections of # shorewall6-rules(5). # FORWARD_CLEAR_MARK= # # FORWARD_CLEAR_MARK={Yes|No} # # Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has cleared the # packet mark in the first rule in the mangle FORWARD chain. This behavior is # maintained with the default setting of this option (FORWARD_CLEAR_MARK= # Yes). If FORWARD_CLEAR_MARK is set to 'No', packet marks set in the mangle # PREROUTING chain are retained in the FORWARD chains. # HELPERS= # # HELPERS=[helper[,helper...]] # # Added in Shorewall 4.5.7. This option specifies a comma-separated list # naming the Netfilter application helpers that are to be enabled. If not # specified, the default is to enable all helpers. # # Possible values for helper are: # # □ amanda # # □ ftp # # □ h323 # # □ irc # # □ netbios-ns # # □ none - This special value was added in Shorewall 4.5.16 and indicates # that no helpers are to be enabled. It also prevents the compiler from # probing for helper support; such probing generates messages on the # system log of the form "xt_CT: No such helper XXX" where XXX is the # helper name. When used, none must be the only helper specified. 
# # □ pptp # # □ sane # # □ sip # # □ snmp # # □ tftp # # When HELPERS is specified on a system running Kernel 3.5.0 or later, # automatic association of helpers to connections is disabled. # IMPLICIT_CONTINUE=No # # IMPLICIT_CONTINUE={Yes|No} # # When this option is set to Yes, it causes subzones to be treated # differently with respect to policies. # # Subzones are defined by following their name with ":" and a list of parent # zones (in shorewall6-zones(5)). Normally, you want to have a set of special # rules for the subzone and if a connection doesn't match any of those # subzone-specific rules then you want the parent zone rules and policies to # be applied; see shorewall6-nesting(5). With IMPLICIT_CONTINUE=Yes, that # happens automatically. # # If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set, then subzones # are not subject to this special treatment. With IMPLICIT_CONTINUE=Yes, an # implicit CONTINUE policy may be overridden by including an explicit policy # (one that does not specify "all" in either the SOURCE or the DEST columns). # INLINE_MATCHES=Yes # # INLINE_MATCHES={Yes|No} # # Added in Shorewall 4.6.0. Traditionally in shorewall6-rules(5), a semicolon # separates column-oriented specifications on the left from alternative # specificaitons on the right.. When INLINE_MATCHES=Yes is specified, the # specifications on the right are interpreted as if INLINE had been specified # in the ACTION column. This also applies to shorewall6-masq(5) and # shorewall6-mangle(5) which also support INLINE. If not specified or if # specified as the empty value, the value 'No' is assumed for backward # compatibility. # # Beginning with Shorewall 5.0.0, it is no longer necessary to set # INLINE_MATCHES=Yes in order to be able to specify your own iptables text in # a rule. You may simply preface that text with a pair of semicolons (";;"). 
# If alternate input is also specified in the rule, it should appear before # the semicolons and may be separated from normal column input by a single # semicolon. # IPSET_WARNINGS=Yes # # IPSET_WARNINGS={Yes|No} # # Added in Shorewall 4.5.2. Default is Yes. When set, causes the rules # compiler to issue a warning when: # # □ The compiler is being run by root and an ipset specified in the # configuration does not exist. Only one warning is issued for each # missing ipset. # # □ When [src] is specified in a destination column and when [dst] is # specified in a source column. # IP_FORWARDING=keep # # IP_FORWARDING=[On|Off|Keep] # # This rather useless parameter determines whether Shorewall6 enables or # disables IPV6 Packet Forwarding on all interfaces (/proc/sys/net/ipv6/ # config/all/forwarding). Possible values are: # # On or on # # packet forwarding will be enabled. # # Off or off # # packet forwarding will be disabled. # # Keep or keep # # Shorewall6 will neither enable nor disable packet forwarding # # If this variable is not set or is given an empty value (IP_FORWARDING="") # then IP_FORWARDING=On is assumed. # KEEP_RT_TABLES=Yes # # KEEP_RT_TABLES={Yes|No} # # When set to Yes, this option prevents scripts generated by Shorewall6 from # altering the /etc/iproute2/rt_tables database when there are entries in / # etc/shorewall6/providers. If you set this option to Yes while Shorewall6 # (Shorewall6-lite) is running, you should remove the file /var/lib/ # shorewall6/rt_tables (/var/lib/shorewall6-lite/rt_tables) before your next # stop, refresh, restore, reload or restart command. # # The default is KEEP_RT_TABLES=No. # LOAD_HELPERS_ONLY=Yes # # LOAD_HELPERS_ONLY={Yes|No} # # Added in Shorewall 4.4.7. When set to Yes, restricts the set of modules # loaded by shorewall to those listed in /var/lib/shorewall6/helpers and # those that are actually used. When not set, or set to the empty value, # LOAD_HELPERS_ONLY=No is assumed. 
# MACLIST_TABLE=filter # # MACLIST_TABLE=[filter|mangle] # # Normally, MAC verification occurs in the filter table (INPUT and FORWARD) # chains. When forwarding a packet from an interface with MAC verification to # a bridge interface, that doesn't work. # # This problem can be worked around by setting MACLIST_TABLE=mangle which # will cause Mac verification to occur out of the PREROUTING chain. Because # REJECT isn't available in that environment, you may not specify # MACLIST_DISPOSITION=REJECT with MACLIST_TABLE=mangle. # MACLIST_TTL= # # MACLIST_TTL=[number] # # The performance of configurations with a large number of entries in # shorewall6-maclist(5) can be improved by setting the MACLIST_TTL variable # in shorewall6.conf(5). # # If your iptables and kernel support the "Recent Match" (see the output of # "shorewall check" near the top), you can cache the results of a 'maclist' # file lookup and thus reduce the overhead associated with MAC Verification. # # When a new connection arrives from a 'maclist' interface, the packet passes # through the list of entries for that interface in shorewall6-maclist(5). # If there is a match then the source IP address is added to the 'Recent' set # for that interface. Subsequent connection attempts from that IP address # occurring within $MACLIST_TTL seconds will be accepted without having to # scan all of the entries. After $MACLIST_TTL from the first accepted # connection request from an IP address, the next connection request from # that IP address will be checked against the entire list. # # If MACLIST_TTL is not specified or is specified as empty (e.g, MACLIST_TTL= # "" or is specified as zero then 'maclist' lookups will not be cached). # MANGLE_ENABLED=Yes # # MANGLE_ENABLED=[Yes|No] # # Determines whether Shorewall will generate rules in the Netfilter mangle # table. Setting MANGLE_ENABLED=No disables all Shorewall features that # require the mangle table. The default is MANGLE_ENABLED=Yes. 
# MARK_IN_FORWARD_CHAIN=No # # MARK_IN_FORWARD_CHAIN=[Yes|No] # # If your kernel has a FORWARD chain in the mangle table, you may set # MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified in the tcrules # file to occur in that chain rather than in the PREROUTING chain. This # permits you to mark inbound traffic based on its destination address when # DNAT is in use. To determine if your kernel has a FORWARD chain in the # mangle table, use the shorewall6 show mangle command; if a FORWARD chain # is displayed then your kernel will support this option. If this option is # not specified or if it is given the empty value (e.g., # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed. # MODULE_SUFFIX="ko ko.xz" # # MODULE_SUFFIX=["extension ..."] # # The value of this option determines the possible file extensions of kernel # modules. The default value is "ko ko.gz ko.xz o o.gz o.xz gz xz". # MUTEX_TIMEOUT=60 # # MUTEX_TIMEOUT=[seconds] # # The value of this variable determines the number of seconds that programs # will wait for exclusive access to the Shorewall6 lock file. After the # number of seconds corresponding to the value of this variable, programs # will assume that the last program to hold the lock died without releasing # the lock. # # If not set or set to the empty value, a value of 60 (60 seconds) is # assumed. # # An appropriate value for this parameter would be twice the length of time # that it takes your firewall system to process a shorewall6 restart command. # OPTIMIZE=All # # OPTIMIZE=[value] # # The specified value enables certain optimizations. Each optimization # category is associated with a power of two. To enable multiple optimization # categories, simply add their corresponding numbers together. # # Beginning with Shorewall 4.5.20, you may specify OPTIMIZE=All to enable all # optimization categories, and you may also specify OPTIMIZE=None to disable # optimization. 
# # □ Optimization category 1 - Traditionally, Shorewall has created rules # for the complete matrix of host groups defined by the zones, interfaces # and hosts files. Any traffic that didn't correspond to an element of # that matrix was rejected in one of the built-in chains. When the matrix # is sparse, this results in lots of largely useless rules. # # These extra rules can be eliminated by setting the 1 bit in OPTIMIZE. # # The 1 bit setting also controls the suppression of redundant wildcard # rules (those specifying "all" in the SOURCE or DEST column). A wildcard # rule is considered to be redundant when it has the same ACTION and Log # Level as the applicable policy. # # Note # # Optimization level 1 is ignored when optimization level 4 is also # selected, since level 4 performs similar optimizations in a more robust # way. # # □ Optimization category 2 - Added in Shorewall 4.4.7. When set, # suppresses superfluous ACCEPT rules in a policy chain that implements # an ACCEPT policy. Any ACCEPT rules that immediately precede the final # blanket ACCEPT rule in the chain are now omitted. # # □ Optimization category 4 - Added in Shorewall 4.4.7. When set, causes # short chains (those with less than 2 rules) to be optimized away. The # following chains are excluded from optimization: # # ☆ accounting chains (unless OPTIMIZE_ACCOUNTING=Yes) # # ☆ action chains (user-defined) # # ☆ 'blacklst' chain # # ☆ dynamic # # Additionally: # # ☆ If a built-in chain has a single rule that branches to a second # chain, then the rules from the second chain are moved to the # built-in chain and the target chain is omitted. # # ☆ Chains with no references are deleted. # # ☆ Accounting chains are subject to optimization if the # OPTIMIZE_ACCOUNTING option is set to 'Yes'. # # ☆ If a chain ends with an unconditional branch to a second chain # (other than to 'reject'), then the branch is deleted from the first # chain and the rules from the second chain are appended to it. 
# # An additional optimization was added in Shorewall 4.5.4. If the last # rule in a chain is an unqualified jump to a simple target, then all # immediately preceding rules with the same simple target are omitted. # # For example, consider this chain: # # -A fw-net -p udp --dport 67:68 -j ACCEPT # -A fw-net -p udp --sport 1194 -j ACCEPT # -A fw-net -p 41 -j ACCEPT # -A fw-net -j ACCEPT # # Since all of the rules are jumps to the simple target ACCEPT, this # chain is totally optimized away and jumps to the chain are replaced with # jumps to ACCEPT. # # □ Optimization category 8 - Added in Shorewall 4.4.9. When set, causes # chains with identical rules to be collapsed into a single chain. # # □ Optimization category 16 - Added in Shorewall 4.4.26. When set, causes # sequences of compatible rules to be combined into a single rule. Rules # are considered compatible if they differ only in their destination # ports and comments. # # A sequence of compatible rules is often generated when macros are # invoked in sequence. # # The ability to combine adjacent rules is limited by two factors: # # ☆ Destination port lists may only be combined up to a maximum of 15 # ports, where a port-pair counts as two ports. # # ☆ Rules may only be combined until the length of their concatenated # comment reaches 255 characters. # # When either of these limits would be exceeded, the current combined # rule is emitted and the compiler attempts to combine rules beginning # with the one that would have exceeded the limit. Adjacent combined # comments are separated by ', '. Empty comments at the front of a group # of combined comments are replaced by 'Others and'. Empty comments at # the end of a group of combined comments are replaced by 'and others'. # # Beginning in Shorewall 4.5.10, this option also suppresses duplicate # adjacent rules and duplicate non-adjacent rules that don't include mark # , connmark, dscp, ecn, set, tos or u32 matches. 
# # Example 1: # # Rules with comments "FOO", and "BAR" would result in the # combined comment "FOO and others, BAR". # # Example 2: # # Rules with comments , "FOO" and "BAR" would result in the # combined comment "Others and FOO, BAR". Note: Optimize level 16 # requires "Extended Multi-port Match" in your iptables and kernel. # # The default value is zero which disables all optimizations. # OPTIMIZE_ACCOUNTING=No # # OPTIMIZE_ACCOUNTING=[Yes|No] # # Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting changes are # subject to optimization (OPTIMIZE=4,5,6 or 7). If not specified or set to # the empty value, OPTIMIZE_ACCOUNTING=No is assumed. # REJECT_ACTION= # # REJECT_ACTION=action # # Added in Shorewall 4.5.21. When a REJECT target is specified, Shorewall # normally handles the response as follows: # # □ If the destination address of the packet is a broadcast or multicast # address, the packet is dropped. # # □ if the protocol is ICMP (58) then the packet is dropped. # # □ if the protocol is TCP (6) then the packet is rejected with an RST. # # □ if the protocol is UDP (17) then the packet is rejected with an # 'port-unreachable' ICMP (ICMP6). # # □ if the protocol is ICMP (1) then the packet is rejected with a # 'addr-unreachable' ICMP. # # □ otherwise, the packet is rejected with a 'adm-prohibited' ICMP. # # You can modify this behavior by implementing your own action that handles # REJECT and specifying its name in this option. The nolog and inline # options will automatically be assumed for the specified action. 
# # The following action implements the standard behavior: # # ?format 2 # #TARGET SOURCE DEST PROTO # Broadcast(DROP) - - - # DROP - - 2 # INLINE - - 6 ; -j REJECT --reject-with tcp-reset # ?if __ENHANCED_REJECT # INLINE - - 17 ; -j REJECT # ?if __IPV4 # INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable # INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited # ?else # INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable # INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited # ?endif # ?else # INLINE - - - ; -j REJECT # ?endif # REQUIRE_INTERFACE=Yes # # REQUIRE_INTERFACE=[Yes|No] # # Added in Shorewall 4.4.10. The default is No. If set to Yes, at least one # optional interface must be up in order for the firewall to be in the # started state. Intended to be used with the Shorewall Init Package. # RESTART=restart # # RESTART=[restart|reload] # # Added in Shorewall 5.0.1 to replace LEGACY_RESTART which was added in # Shorewall 5.0.0. In that release, the reload command was redefined to do # what restart had done in earlier releases and restart became a true restart # (equivalent to stop followed by start). When RESTART=reload, the restart # command performs the same operation as the reload command making it # compatible with earlier releases. If not specified, RESTART=reload is # assumed. # RESTORE_ROUTEMARKS=Yes # # RESTORE_ROUTEMARKS=[Yes|No] # # Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are # restored unconditionally at the top of the mangle OUTPUT and PREROUTING # chains, even if the saved mark is zero. When this option is set to No, the # mark is restored even when it is zero. If you have problems with IPSEC ESP # packets not being routed correctly on output, try setting this option to No # . # SAVE_IPSETS=No # # SAVE_IPSETS={Yes|No|setlist} # # Re-enabled in Shorewall 4.4.6. 
If SAVE_IPSETS=Yes, then the current # contents of your ipsets will be saved by the shorewall stop and shorewall # save commands and restored by the shorewall start and shorewall restore # commands. # # Beginning with Shorewall 4.6.4, you can restrict the set of ipsets saved by # specifying a setlist (a comma-separated list of ipv6 ipset names). # TC_ENABLED=No # # TC_ENABLED=[Yes|No|Internal|Simple|Shared] # # If you say Yes or yes here, Shorewall6 will use a script that you supply to # configure traffic shaping. The script must be named 'tcstart' and must be # placed in a directory on your CONFIG_PATH. # # If you say No or no then traffic shaping is not enabled. # # If you set TC_ENABLED=Internal or internal or leave the option empty then # Shorewall6 will use its builtin traffic shaper (tc4shorewall6 written by # Arne Bernin). # # If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later), simple traffic # shaping using shorewall-tcinterfaces(5) and shorewall-tcpri(5) is enabled. # # Beginning with Shorewall 4.4.15, if you set TC_ENABLED=Shared or shared, # then you should create symbolic links from your Shorewall6 configuration # directory (normally /etc/shorewall6/) to your Shorewall tcdevices and # tcclasses files. This allows the compiler to have access to your Shorewall # traffic shaping configuration so that it can validate CLASSIFY rules in # shorewall6-tcrules (5). # # Warning # # If you also run Shorewall and if you have TC_ENABLED=Internal in your # shorewall-conf(5), then you will want TC_ENABLED=No or TC_ENABLED=Shared in # this file. # TC_EXPERT=No # # TC_EXPERT={Yes|No} # # Normally, Shorewall6 tries to protect users from themselves by preventing # PREROUTING and OUTPUT tcrules from being applied to packets that have been # marked by the 'track' option in shorewall6-providers(5). # # If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall6 # will not include these cautionary checks. 
# TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" # # TC_PRIOMAP=map # # Added in Shorewall 4.4.6. Determines the mapping of a packet's TOS field to # priority bands. See shorewall6-tcpri(5). The map consists of 16 # space-separated digits with values 1, 2 or 3. A value of 1 corresponds to # Linux priority 0, 2 to Linux priority 1, and 3 to Linux Priority 2. The # first entry gives the priority of TOS value 0, the second of TOS value 1, # and so on. See tc-prio(8) for additional information. # # The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2". # TRACK_PROVIDERS=Yes # # TRACK_PROVIDERS={Yes|No} # # Added in Shorewall 4.4.3. When set to Yes, causes the track option to be # assumed on all providers defined in shorewall6-providers(5). May be # overridden on an individual provider through use of the notrack option. The # default value is 'No'. # # Beginning in Shorewall 4.4.6, setting this option to 'Yes' also simplifies # PREROUTING rules in shorewall6-tcrules(5). Previously, when TC_EXPERT=No, # packets arriving through 'tracked' provider interfaces were unconditionally # passed to the PREROUTING tcrules. This was done so that tcrules could reset # the packet mark to zero, thus allowing the packet to be routed using the # 'main' routing table. Using the main table allowed dynamic routes (such as # those added for VPNs) to be effective. The shorewall6-rtrules(5) file was # created to provide a better alternative to clearing the packet mark. As a # consequence, passing these packets to PREROUTING complicates things without # providing any real benefit. Beginning with Shorewall 4.4.6, when # TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through 'tracked' # interfaces will not be passed to the PREROUTING rules. Since # TRACK_PROVIDERS was just introduced in 4.4.3, this change should be # transparent to most, if not all, users. # TRACK_RULES=No # # TRACK_RULES={Yes|No} # # Added in Shorewall 4.5.20. 
If set to Yes, causes the compiler to add a # comment to iptables rules to indicate the file name and line number of the # configuration entry that generated the rule. If set to No (the default), # then no such comments are added. # # Setting this option to Yes requires the Comments capability in ip6tables # and kernel. # USE_DEFAULT_RT=Yes # # USE_DEFAULT_RT=[Yes|No] # # Added in Shorewall6 4.4.25. When set to 'Yes', this option causes the # Shorewall6 multi-ISP feature to create a set of routing rules which are # resilient to changes in the main routing table. Such changes can occur for # a number of reasons, VPNs going up and down being an example. The idea is # to send packets through the main table prior to applying any of the # Shorewall6-generated routing rules. So changes to the main table will # affect the routing of packets by default. # # When USE_DEFAULT_RT=Yes: # # 1. Both the DUPLICATE and the COPY columns in shorewall6-providers(5) file # must remain empty (or contain "-"). # # 2. The default route is added to the 'default' table rather than to # the main table. # # 3. balance is assumed unless loose is specified. # # 4. Packets are sent through the main routing table by a rule with priority # 999. In shorewall6-routing_rules(5), the range 1-998 may be used for # inserting rules that bypass the main table. # # 5. All provider gateways must be specified explicitly in the GATEWAY # column. detect may not be specified. # # 6. You should disable all default route management outside of Shorewall6. # If a default route is added to the main table while Shorewall is # started, then all policy routing will stop working (except for those # routing rules in the priority range 1-998). # # Prior to Shorewall 4.6.0, if USE_DEFAULT_RT was not set or if it was set to # the empty string then USE_DEFAULT_RT=No was assumed. Beginning with # Shorewall 4.6.0, the default is USE_DEFAULT_RT=Yes and use of # USE_DEFAULT_RT=No is deprecated. 
# USE_PHYSICAL_NAMES=No # # USE_PHYSICAL_NAMES=[Yes|No] # # Added in Shorewall 4.4.27. Normally, when Shorewall creates a Netfilter # chain that relates to an interface, it uses the interface's logical name as # the base of the chain name. For example, if the logical name for an # interface is OAKLAND, then the input chain for traffic arriving on that # interface would be 'OAKLAND_in'. If this option is set to Yes, then the # physical name of the interface will be used as the base of the chain name. # USE_RT_NAMES=No # # USE_RT_NAMES=[Yes|No] # # Added in Shorewall 4.5.15. When set to 'Yes', Shorewall will use routing # table (provider) names in the generated script rather than table numbers. # When set to 'No' (the default), routing table numbers will be used. # # Caution # # If you set USE_RT_NAMES=Yes and KEEP_RT_TABLES=Yes, then you must ensure # that all of your providers have entries in /etc/iproute2/rt_tables as well # as the following entries: # # 255 local # 254 main # 253 default # 250 balance # 0 unspec # # Without these entries, the firewall will fail to start. # WARNOLDCAPVERSION=Yes # # WARNOLDCAPVERSION=[Yes|No] # # Added in Shorewall 4.5.12. When set to Yes (the default), the compiler # issues a warning when it finds a capabilities file that doesn't specify all # of the capabilities supported by the compiler. When WARNOLDCAPVERSION is # set to No, no warning is issued. # WORKAROUNDS=No # # WORKAROUNDS=[Yes|No] # # Added in Shorewall 4.6.11. Over time, there have been a number of changes # in Shorewall that work around defects in other products such as iptables # and ipset. When WORKAROUNDS=Yes, these workarounds are enabled; when # WORKAROUNDS=No, they are disabled. If not specified or if specified as # empty, WORKAROUNDS=Yes is assumed. # # Warning # # Do not set WORKAROUNDS=Yes if you need to be able to use # Shorewall-generated scripts (such as created by the save command) built by # Shorewall 4.4.7 or older. 
# ZONE2ZONE=- # # ZONE2ZONE={2|-} # # Added in Shorewall 4.4.4. This option determines how Shorewall constructs # chain names involving zone names and/or 'all'. Beginning with Shorewall # 4.6.0, the default is '-' (e.g., fw-net); prior to that release, the # default was '2' (e.g., fw2net). # ############################################################################### # P A C K E T D I S P O S I T I O N ############################################################################### BLACKLIST_DISPOSITION=DROP # # BLACKLIST_DISPOSITION=[DROP|A_DROP|REJECT|A_REJECT] # # This parameter determines the disposition of packets from blacklisted # hosts. It may have the value DROP if the packets are to be dropped or # REJECT if the packets are to be replied with an ICMP port unreachable reply # or a TCP RST (tcp only). If you do not assign a value or if you assign an # empty value then DROP is assumed. The setting determines the disposition of # packets sent to the blacklog target of shorewall6-blrules(5). # INVALID_DISPOSITION=CONTINUE # # INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE] # # Added in Shorewall 4.5.13. Shorewall has traditionally passed INVALID # packets through the NEW section of shorewall-rules (5). When a packet in # INVALID state fails to match any rule in the INVALID section, the packet is # disposed of based on this setting. The default value is CONTINUE for # compatibility with earlier versions. # MACLIST_DISPOSITION=REJECT # # MACLIST_DISPOSITION=[ACCEPT|DROP|REJECT|A_DROP|A_REJECT] # # Determines the disposition of connection requests that fail MAC # Verification and must have the value ACCEPT (accept the connection request # anyway), REJECT (reject the connection request) or DROP (ignore the # connection request). If not set or if set to the empty value (e.g., # MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT is assumed. 
# # A_DROP and A_REJECT are audited versions of DROP and REJECT respectively # and were added in Shorewall 4.4.20. They require AUDIT_TARGET in the kernel # and ip6tables. # RELATED_DISPOSITION=ACCEPT # # RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE] # # Added in Shorewall 4.4.27. Shorewall has traditionally ACCEPTed RELATED # packets that don't match any rule in the RELATED section of # shorewall6-rules (5). Concern about the safety of this practice resulted in # the addition of this option. When a packet in RELATED state fails to match # any rule in the RELATED section, the packet is disposed of based on this # setting. The default value is ACCEPT for compatibility with earlier # versions. # SFILTER_DISPOSITION=DROP # # SFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] # # Added in Shorewall 4.4.20. Determines the disposition of packets matching # the sfilter option (see shorewall6-interfaces(5)) and of hairpin packets on # interfaces without the routeback option. # RPFILTER_DISPOSITION=DROP # # RPFILTER_DISPOSITION=[DROP|REJECT|A_DROP|A_REJECT] # # Added in Shorewall 4.5.7. Determines the disposition of packets entering # from interfaces with the rpfilter option (see shorewall6-interfaces(5)). # Packets disposed of by this option are those whose response packets would # not be sent through the same interface receiving the packet. # SMURF_DISPOSITION=DROP # # SMURF_DISPOSITION=[DROP|A_DROP] # # Added in Shorewall 4.4.20. The default setting is DROP which causes smurf # packets (see the nosmurfs option in shorewall6-interfaces(5)) to be # dropped. A_DROP causes the packets to be audited prior to being dropped and # requires AUDIT_TARGET support in the kernel and ip6tables. 
# TCP_FLAGS_DISPOSITION=DROP # # TCP_FLAGS_DISPOSITION=[ACCEPT|DROP|REJECT] # # Determines the disposition of TCP packets that fail the checks enabled by # the tcpflags interface option (see shorewall6-interfaces(5)) and must have # a value of ACCEPT (accept the packet), REJECT (send an RST response) or # DROP (ignore the packet). If not set or if set to the empty value (e.g., # TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is assumed. # UNTRACKED_DISPOSITION=CONTINUE # # UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE] # # Added in Shorewall 4.5.13. Shorewall has traditionally passed UNTRACKED # packets through the NEW section of shorewall6-rules (5). When a packet in # UNTRACKED state fails to match any rule in the UNTRACKED section, the # packet is disposed of based on this setting. The default value is CONTINUE # for compatibility with earlier versions. # ################################################################################ # P A C K E T M A R K L A Y O U T ################################################################################ TC_BITS= # # TC_BITS=[number] # # Added in Shorewall 4.4.26. The number of bits at the low end of the 32-bit # packet mark to be used for traffic shaping marking. May be zero. See # MASK_BITS above for default value. # PROVIDER_BITS= # # PROVIDER_BITS=[number] # # Added in Shorewall 4.4.26. The number of bits in the 32-bit packet mark to # be used for provider numbers. May be zero. See MASK_BITS above for default # value. # PROVIDER_OFFSET= # # PROVIDER_OFFSET=[number] # # Added in Shorewall 4.4.26. The offset from the right (low-order end) of the # provider number field in the 32-bit packet mark. If non-zero, must be >= # TC_BITS (Shorewall automatically adjusts PROVIDER_OFFSET's value). # PROVIDER_OFFSET + PROVIDER_BITS + ZONE_BITS must be < 32. See MASK_BITS # above for default value. # MASK_BITS= # # MASK_BITS=[number] # # Added in Shorewall 4.4.26. 
Number of bits on the right of the 32-bit packet # mark to be masked when clearing the traffic shaping mark. Must be >= # TC_BITS and <= PROVIDER_OFFSET (if PROVIDER_OFFSET > 0). Prior to Shorewall # 5.0.0, the default value and the default values of the other mark layout # options are determined as follows: # # Table 1. Default Packet Mark Layout # # WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No: TC_BITS=8, PROVIDER_BITS=8, # PROVIDER_OFFSET=0, MASK_BITS=8 # WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=Yes: TC_BITS=8, PROVIDER_BITS=8, # PROVIDER_OFFSET=8, MASK_BITS=8 # WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=No: TC_BITS=14, PROVIDER_BITS=8, # PROVIDER_OFFSET=0, MASK_BITS=16 # WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=Yes: TC_BITS=14, PROVIDER_BITS=8, # PROVIDER_OFFSET=16, MASK_BITS=16 # # # From 5.0.0 onward, the default value of MASK_BITS is 8, the default value # of PROVIDER_BITS, TC_BITS, MASK_BITS and PROVIDER_OFFSET is 8. # ZONE_BITS=0 # # ZONE_BITS=[number] # # Added in Shorewall 4.4.26. When non-zero, enables automatic packet marking # by source zone and determines the number of bits in the 32-bit packet mark # to be used for the zone mark. Default value is 0. # #LAST LINE -- DO NOT REMOVE shorewall6-5.0.4/Samples6/Universal/interfaces.annotated0000644000000000000000000003112312650244177022000 0ustar rootroot# # Shorewall version 4 - Interfaces File # # For information about entries in this file, type "man shorewall-interfaces" # # The manpage is also online at # http://www.shorewall.net/manpages/shorewall-interfaces.html # ############################################################################### # # The interfaces file serves to define the firewall's network interfaces to # shorewall6. The order of entries in this file is not significant in determining # zone composition. 
# # Beginning with Shorewall 4.5.3, the interfaces file supports two different # formats: # # FORMAT 1 (default - deprecated) # # There is an ANYCAST column which provides compatibility with older versions # of Shorewall. # # FORMAT 2 # # The BROADCAST column is omitted. # # The format is specified by a line as follows: # # ?FORMAT {1|2} # # The columns in the file are as follows. # # ZONE - zone-name # # Zone for this interface. Must match the name of a zone declared in /etc/ # shorewall6/zones. You may not list the firewall zone in this column. # # If the interface serves multiple zones that will be defined in the # shorewall6-hosts(5) file, you should place "-" in this column. # # If there are multiple interfaces to the same zone, you must list them in # separate entries. # # Example: # # #ZONE INTERFACE BROADCAST # loc eth1 - # loc eth2 - # # Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo' # interface, then that zone must be defined as type local in shorewall6-zones # (5). # # INTERFACE - interface[:port] # # Logical name of interface. Each interface may be listed only once in this # file. You may NOT specify the name of a "virtual" interface (e.g., eth0:0) # here; see http://www.shorewall.net/FAQ.htm#faq18. If the physical option is # not specified, then the logical name is also the name of the actual # interface. # # You may use wildcards here by specifying a prefix followed by the plus sign # ("+"). For example, if you want to make an entry that applies to all PPP # interfaces, use 'ppp+'; that would match ppp0, ppp1, ppp2, …Please note # that the '+' means 'one or more additional characters' so 'ppp' does not # match 'ppp+'. # # Care must be exercised when using wildcards where there is another zone # that uses a matching specific interface. See shorewall6-nesting(5) for a # discussion of this problem. # # Shorewall6 allows '+' as an interface name. # # There is no need to define the loopback interface (lo) in this file. 
# # If a port is given, then the interface must have been defined previously # with the bridge option. The OPTIONS column must be empty when a port is # given. # # ANYCAST - - # # Enter '-' in this column. It is here for compatibility between Shorewall6 # and Shorewall and is omitted if FORMAT is 2. # # OPTIONS (Optional) - [option[,option]...] # # A comma-separated list of options from the following list. The order in # which you list the options is not significant but the list should have no # embedded white-space. # # accept_ra[={0|1|2}] # # Added in Shorewall 4.5.16. Values are: # # 0 # # Do not accept Router Advertisements. # # 1 # # Accept Route Advertisements if forwarding is disabled. # # 2 # # Overrule forwarding behavior. Accept Route Advertisements even if # forwarding is enabled. # # If the option is specified without a value, then the value 1 is # assumed. # # blacklist # # Check packets arriving on this interface against the # shorewall6-blacklist(5) file. # # Beginning with Shorewall 4.4.13: # # ☆ If a zone is given in the ZONES column, then the behavior is as if # blacklist had been specified in the IN_OPTIONS column of # shorewall6-zones(5). # # ☆ Otherwise, the option is ignored with a warning: # # WARNING: The 'blacklist' option is ignored on multi-zone # interfaces # # bridge # # Designates the interface as a bridge. Beginning with Shorewall 4.4.7, # setting this option also sets routeback. # # destonly # # Added in Shorewall 4.5.17. Causes the compiler to omit rules to handle # traffic from this interface. # # dhcp # # Specify this option when any of the following are true: # # 1. the interface gets its IP address via DHCP # # 2. the interface is used by a DHCP server running on the firewall # # 3. the interface has a static IP but is on a LAN segment with lots of # DHCP clients. # # 4. the interface is a simple bridge with a DHCP server on one port and # DHCP clients on another port. 
# # Note # # If you use Shorewall-perl for firewall/bridging, then you need to # include DHCP-specific rules in shorewall-rules(8). DHCP uses UDP # ports 546 and 547. # # This option allows DHCP datagrams to enter and leave the interface. # # forward[={0|1}] # # Sets the /proc/sys/net/ipv6/conf/interface/forwarding option to the # specified value. If no value is supplied, then 1 is assumed. # # ignore[=1] # # When specified, causes the generated script to ignore up/down events # from Shorewall-init for this device. Additionally, the option exempts # the interface from hairpin filtering. When '=1' is omitted, the ZONE # column must contain '-' and ignore must be the only OPTION. # # Beginning with Shorewall 4.5.5, may be specified as 'ignore=1' which # only causes the generated script to ignore up/down events from # Shorewall-init; hairpin filtering is still applied. In this case, the # above restrictions on the ZONE and OPTIONS columns are lifted. # # loopback # # Added in Shorewall 4.6.6. Designates the interface as the loopback # interface. This option is assumed if the interface's physical name is # 'lo'. Only one interface may have the loopback option specified. # # mss=number # # Causes forwarded TCP SYN packets entering or leaving on this interface # to have their MSS field set to the specified number. # # nets=(net[,...]) # # Limit the zone named in the ZONE column to only the listed networks. If # you specify this option, be sure to include the link-local network # (fe80::/10). # # nets=dynamic # # Added in Shorewall 4.4.21. Defines the zone as dynamic. Requires ipset # match support in your iptables and kernel. See http://www.shorewall.net # /Dynamic.html for further information. # # optional # # When optional is specified for an interface, shorewall6 will be silent # when: # # ☆ a /proc/sys/net/ipv6/conf/ entry for the interface cannot be # modified. # # ☆ The first global IPv6 address of the interface cannot be obtained. 
# # This option may not be specified together with required. # # physical=name # # Added in Shorewall 4.4.4. When specified, the interface or port name in # the INTERFACE column is a logical name that refers to the name given in # this option. It is useful when you want to specify the same wildcard # port name on two or more bridges. See http://www.shorewall.net/ # bridge-Shorewall-perl.html#Multiple. # # If the interface name is a wildcard name (ends with '+'), then the # physical name must also end in '+'. # # If physical is not specified, then its value defaults to the interface # name. # # required # # Added in Shorewall 4.4.10. When specified, the firewall will fail to # start if the interface named in the INTERFACE column is not usable. May # not be specified together with optional. # # routeback[={0|1}] # # If specified, indicates that shorewall6 should include rules that allow # traffic arriving on this interface to be routed back out that same # interface. This option is also required when you have used a wildcard # in the INTERFACE column if you want to allow traffic between the # interfaces that match the wildcard. # # If you specify this option, then you should also specify rpfilter (see # below) if you are running Shorewall 4.5.7 or later; otherwise, you # should specify sfilter (see below). # # Beginning with Shorewall 4.5.18, you may specify this option to # explicitly reset (e.g., routeback=0). This can be used to override # Shorewall's default setting for bridge devices which is routeback=1. # # rpfilter # # Added in Shorewall 4.5.7. This is an anti-spoofing measure that # requires the 'RPFilter Match' capability in your iptables and kernel. # It provides a more efficient alternative to the sfilter option below. # # sourceroute[={0|1}] # # If this option is not specified for an interface, then source-routed # packets will not be accepted from that interface unless explicitly # enabled via sysconf. 
Only set this option to 1 (enable source routing) # if you know what you are doing. This might represent a security risk # and is not usually needed. # # Only those interfaces with the sourceroute option will have their # setting changed; the value assigned to the setting will be the value # specified (if any) or 1 if no value is given. # # Note # # This option does not work with a wild-card interface name (e.g., # eth0.+) in the INTERFACE column. # # sfilter=(net[,...]) # # Added in Shorewall 4.4.20. At this writing (spring 2011), Linux does # not support reverse path filtering (RFC3704) for IPv6. In its absence, # sfilter may be used as an anti-spoofing measure. # # This option should be used on bridges or other interfaces with the # routeback option. On these interfaces, sfilter should list those local # networks that are connected to the firewall through other interfaces. # # tcpflags[={0|1}] # # Packets arriving on this interface are checked for certain illegal # combinations of TCP flags. Packets found to have such a combination of # flags are handled according to the setting of TCP_FLAGS_DISPOSITION # after having been logged according to the setting of # TCP_FLAGS_LOG_LEVEL. # # Beginning with Shorewall 4.6.0, tcpflags=1 is the default. To disable # this option, specify tcpflags=0. # # proxyndp[={0|1}] # # Sets /proc/sys/net/ipv6/conf/interface/proxy_ndp. # # Note: This option does not work with a wild-card interface name (e.g., # eth0.+) in the INTERFACE column. # # Only those interfaces with the proxyndp option will have their setting # changed; the value assigned to the setting will be the value specified # (if any) or 1 if no value is given. # # unmanaged # # Added in Shorewall 4.5.18. Causes all traffic between the firewall and # hosts on the interface to be accepted. When this option is given: # # ☆ The ZONE column must contain '-'. 
# # ☆ Only the following other options are allowed with unmanaged: # # accept_ra # forward # ignore # optional # physical # sourceroute # proxyndp # # wait=seconds # # Added in Shorewall 4.4.10. Causes the generated script to wait up to # seconds seconds for the interface to become usable before applying the # required or optional options. # # Example # # Example 1: # # Suppose you have eth0 connected to a DSL modem and eth1 connected to your # local network You have a DMZ using eth2. # # Your entries for this setup would look like: # # FORMAT 2 # #ZONE INTERFACE OPTIONS # net eth0 - # loc eth1 - # dmz eth2 - # # Example 4 (Shorewall 4.4.9 and later): # # You have a bridge with no IP address and you want to allow traffic through # the bridge. # # FORMAT 2 # #ZONE INTERFACE OPTIONS # - br0 bridge # ############################################################################### ?FORMAT 2 ############################################################################### shorewall6-5.0.4/Samples6/LICENSE0000644000000000000000000006346512647470621015032 0ustar rootroot GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.] Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. 
This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library. 
Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. 
For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. 
The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. 
You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. 
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. 
A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. 
As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. 
c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. 
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. 
The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. 
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. , 1 April 1990 Ty Coon, President of Vice That's all there is to it! shorewall6-5.0.4/shorewallrc.apple0000644000000000000000000000226212650243750015662 0ustar rootroot# # Apple OS X Shorewall 5.0 rc file # BUILD=apple HOST=apple PREFIX=/usr #Top-level directory for shared files, libraries, etc. SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory to install Shorewall Perl module directory CONFDIR=/etc #Directory where subsystem configurations are installed SBINDIR=/sbin #Directory where system administration programs are installed MANDIR=${SHAREDIR}/man #Directory where manpages are installed. INITDIR= #Unused on OS X INITFILE= #Unused on OS X INITSOURCE= #Unused on OS X ANNOTATED= #Unused on OS X SERVICEDIR= #Unused on OS X SERVICEFILE= #Unused on OS X SYSCONFDIR= #Unused on OS X SPARSE=Yes #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR. VARLIB=/var/lib #Unused on OS X shorewall6-5.0.4/shorewallrc.debian.sysvinit0000644000000000000000000000337712650243750017702 0ustar rootroot# # Debian Shorewall 4.5 rc file # BUILD= #Default is to detect the build system HOST=debian PREFIX=/usr #Top-level directory for shared files, libraries, etc. SHAREDIR=${PREFIX}/share #Directory for arch-neutral files. 
LIBEXECDIR=${PREFIX}/share #Directory for executable scripts. PERLLIBDIR=${PREFIX}/share/shorewall #Directory where the Shorewall Perl modules are installed CONFDIR=/etc #Directory where subsystem configurations are installed SBINDIR=/sbin #Directory where system administration programs are installed MANDIR=${PREFIX}/share/man #Directory where manpages are installed. INITDIR=/etc/init.d #Directory where SysV init scripts are installed. INITFILE=$PRODUCT #Name of the product's installed SysV init script INITSOURCE=init.debian.sh #Name of the distributed file to be installed as the SysV init script ANNOTATED= #If non-zero, annotated configuration files are installed SYSCONFFILE=default.debian #Name of the distributed file to be installed in $SYSCONFDIR SERVICEFILE= #Name of the file to install in $SERVICEDIR. Default is $PRODUCT.service SYSCONFDIR=/etc/default #Directory where SysV init parameter files are installed SERVICEDIR= #Directory where .service files are installed (systems running systemd only) SPARSE=Yes #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR VARLIB=/var/lib #Directory where product variable data is stored. VARDIR=${VARLIB}/$PRODUCT #Directory where product variable data is stored. shorewall6-5.0.4/action.A_Reject0000644000000000000000000000246612647470621015200 0ustar rootroot# # Shorewall6 version 5 - Audited Reject Action # # /usr/share/shorewall6/action.A_Reject # # The audited default REJECT action common rules # # This action is invoked before a REJECT policy is enforced. The purpose # of the action is: # # a) Avoid logging lots of useless cruft. # b) Ensure that certain ICMP packets that are necessary for successful # internet operation are always ACCEPTed. # # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!! 
############################################################################### #TARGET SOURCE DEST PROTO # # Don't log 'auth' -- REJECT # Auth(A_REJECT) # # Always ACCEPT the ICMPv6 types that are necessary for successful internet # operation (purpose b above); they must *not* be rejected or dropped by the # rules that follow. # A_AllowICMPs - - ipv6-icmp # # Drop Broadcasts so they don't clutter up the log # (broadcasts must *not* be rejected). # dropBcast(audit) # # Drop packets that are in the INVALID state -- these are usually ICMP packets # and just confuse people when they appear in the log (these ICMPs cannot be # rejected). # dropInvalid(audit) # # Reject Microsoft noise so that it doesn't clutter up the log. # SMB(A_REJECT) # # Drop 'newnotsyn' traffic so that it doesn't get logged. # dropNotSyn(audit) - - tcp # # Drop late-arriving DNS replies. These are just a nuisance and clutter up # the log. # A_DropDNSrep shorewall6-5.0.4/configure0000755000000000000000000001220412650243750014216 0ustar rootroot#!/bin/bash # # Shorewall Packet Filtering Firewall RPM configuration program - V4.6 # # (c) 2012,2014 - Tom Eastep (teastep@shorewall.net) # # Shorewall documentation is available at http://www.shorewall.net # # This program is part of Shorewall. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by the # Free Software Foundation, either version 2 of the license or, at your # option, any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see <http://www.gnu.org/licenses/>. # # Usage: ./configure [