amlp
asked on
iptables/shorewall: how to set up so no visibility from outside?
Trying to set up a host on a network so that it looks like an open wire to everything else on said network. I'm using iptables with shorewall.
I have it set up so that there is no answer (DROP) to the usual nmap scans, but there is still some information leakage because nmap can still determine the MAC.
Here are the details. First are the nmap responses. Next are the pertinent shorewall rules. Last is an iptables -L listing.
~ # nmap -sS -O 192.168.0.54
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-06-22 15:55 AKDT
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1672 scanned ports on 192.168.0.54 are: filtered
MAC Address: 00:04:23:B2:14:F1 (Intel)
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 47.564 seconds
~ # nmap -P0 192.168.0.54
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-06-22 15:53 AKDT
All 1672 scanned ports on 192.168.0.54 are: filtered
MAC Address: 00:04:23:B2:14:F1 (Intel)
Nmap finished: 1 IP address (1 host up) scanned in 35.595 seconds
~ # nmap -sT -O -p1-65535 192.168.0.54
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-06-22 10:51 AKDT
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 65535 scanned ports on 192.168.0.54 are: filtered
MAC Address: 00:04:23:B2:14:F1 (Intel)
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 1332.545 seconds
--------------------------------------------------------------
[root@netmon ~]# cd /etc/shorewall/
[root@netmon shorewall]# cat zones interfaces policy rules
#
# Shorewall version 3.0 - Zones File
#
# /etc/shorewall/zones
#
#       This file determines your network zones.
#
#       WARNING: The format of this file changed in Shorewall 3.0.0. You can
#                continue to use your old records provided that you set
#                IPSECFILE=ipsec in /etc/shorewall/shorewall.conf. This will
#                signal Shorewall that the IPSEC-related zone options are
#                still specified in /etc/shorewall/ipsec rather than in this
#                file.
#
#                To use records in the format described below, you must have
#                IPSECFILE=zones specified in /etc/shorewall/shorewall.conf.
#
# Columns are:
#
#       ZONE    Short name of the zone (5 Characters or less in length).
#               The names "all" and "none" are reserved and may not be
#               used as zone names.
#
#               Where a zone is nested in one or more other zones,
#               you may follow the (sub)zone name by ":" and a
#               comma-separated list of the parent zones. The parent
#               zones must have been defined in earlier records in this
#               file.
#
#               Example:
#
#                       #ZONE   TYPE    OPTIONS
#                       a       ipv4
#                       b       ipv4
#                       c:a,b   ipv4
#
#               Currently, Shorewall uses this information only to reorder the
#               zone list so that parent zones appear after their subzones in
#               the list. In the future, Shorewall may make more extensive use
#               of that information.
#
#       TYPE    ipv4 -  This is the standard Shorewall zone type and is the
#                       default if you leave this column empty or if you enter
#                       "-" in the column. Communication with some zone hosts
#                       may be encrypted. Encrypted hosts are designated using
#                       the 'ipsec' option in /etc/shorewall/hosts.
#               ipsec - Communication with all zone hosts is encrypted.
#                       Your kernel and iptables must include policy
#                       match support.
#               firewall
#                     - Designates the firewall itself. You must have
#                       exactly one 'firewall' zone. No options are
#                       permitted with a 'firewall' zone. The name that you
#                       enter in the ZONE column will be stored in the shell
#                       variable $FW which you may use in other configuration
#                       files to designate the firewall zone.
#
#       OPTIONS,        A comma-separated list of options as follows:
#       IN OPTIONS,
#       OUT OPTIONS     reqid=<number> where <number> is specified
#                       using setkey(8) using the 'unique:<number>'
#                       option for the SPD level.
#
#                       spi=<number> where <number> is the SPI of
#                       the SA used to encrypt/decrypt packets.
#
#                       proto=ah|esp|ipcomp
#
#                       mss=<number> (sets the MSS field in TCP packets)
#
#                       mode=transport|tunnel
#
#                       tunnel-src=<address>[/<mask>] (only
#                       available with mode=tunnel)
#
#                       tunnel-dst=<address>[/<mask>] (only
#                       available with mode=tunnel)
#
#                       strict  Means that packets must match all rules.
#
#                       next    Separates rules; can only be used with
#                               strict.
#
#               Example:
#                       mode=transport,reqid=44
#
#       The options in the OPTIONS column are applied to both incoming
#       and outgoing traffic. The IN OPTIONS are applied to incoming
#       traffic (in addition to OPTIONS) and the OUT OPTIONS are
#       applied to outgoing traffic.
#
#       If you wish to leave a column empty but need to make an entry
#       in a following column, use "-".
#------------------------------------------------------------------------------
# Example zones:
#
#       You have a three interface firewall with internet, local and DMZ
#       interfaces.
#
#       #ZONE   TYPE            OPTIONS         IN                      OUT
#       #                                       OPTIONS                 OPTIONS
#       fw      firewall
#       net     ipv4
#       loc     ipv4
#       dmz     ipv4
#
#
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
#
##############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
LANA    ipv4
LANB    ipv4
PCLAN   ipv4
MGMT    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall version 3.0 - Interfaces File
#
# /etc/shorewall/interfaces
#
#       You must add an entry in this file for each network interface on your
#       firewall system.
#
# Columns are:
#
#       ZONE            Zone for this interface. Must match the name of a
#                       zone defined in /etc/shorewall/zones. You may not
#                       list the firewall zone in this column.
#
#                       If the interface serves multiple zones that will be
#                       defined in the /etc/shorewall/hosts file, you should
#                       place "-" in this column.
#
#                       If there are multiple interfaces to the same zone,
#                       you must list them in separate entries:
#
#                       Example:
#
#                               loc     eth1    -
#                               loc     eth2    -
#
#       INTERFACE       Name of interface. Each interface may be listed only
#                       once in this file. You may NOT specify the name of
#                       an alias (e.g., eth0:0) here; see
#                       http://www.shorewall.net/FAQ.htm#faq18
#
#                       You may specify wildcards here. For example, if you
#                       want to make an entry that applies to all PPP
#                       interfaces, use 'ppp+'.
#
#                       There is no need to define the loopback interface (lo)
#                       in this file.
#
#       BROADCAST       The broadcast address for the subnetwork to which the
#                       interface belongs. For P-T-P interfaces, this
#                       column is left blank. If the interface has multiple
#                       addresses on multiple subnets then list the broadcast
#                       addresses as a comma-separated list.
#
#                       If you use the special value "detect", the firewall
#                       will detect the broadcast address for you. If you
#                       select this option, the interface must be up before
#                       the firewall is started, and you must have iproute
#                       installed.
#
#                       If you don't want to give a value for this column but
#                       you want to enter a value in the OPTIONS column, enter
#                       "-" in this column.
#
#       OPTIONS         A comma-separated list of options including the
#                       following:
#
#                       dhcp            - Specify this option when any of
#                                         the following are true:
#                                         1. the interface gets its IP address
#                                            via DHCP
#                                         2. the interface is used by
#                                            a DHCP server running on the firewall
#                                         3. you have a static IP but are on a LAN
#                                            segment with lots of Laptop DHCP
#                                            clients.
#                                         4. the interface is a bridge with
#                                            a DHCP server on one port and DHCP
#                                            clients on another port.
#
#                       norfc1918       - This interface should not receive
#                                         any packets whose source is in one
#                                         of the ranges reserved by RFC 1918
#                                         (i.e., private or "non-routable"
#                                         addresses). If packet mangling or
#                                         connection-tracking match is enabled in
#                                         your kernel, packets whose destination
#                                         addresses are reserved by RFC 1918 are
#                                         also rejected.
#
#                       routefilter     - turn on kernel route filtering for this
#                                         interface (anti-spoofing measure). This
#                                         option can also be enabled globally in
#                                         the /etc/shorewall/shorewall.conf file.
#
#                       logmartians     - turn on kernel martian logging (logging
#                                         of packets with impossible source
#                                         addresses). It is suggested that if you
#                                         set routefilter on an interface that
#                                         you also set logmartians. This option
#                                         may also be enabled globally in the
#                                         /etc/shorewall/shorewall.conf file.
#
#                       blacklist       - Check packets arriving on this interface
#                                         against the /etc/shorewall/blacklist
#                                         file.
#
#                       maclist         - Connection requests from this interface
#                                         are compared against the contents of
#                                         /etc/shorewall/maclist. If this option
#                                         is specified, the interface must be
#                                         an ethernet NIC and must be up before
#                                         Shorewall is started.
#
#                       tcpflags        - Packets arriving on this interface are
#                                         checked for certain illegal combinations
#                                         of TCP flags. Packets found to have
#                                         such a combination of flags are handled
#                                         according to the setting of
#                                         TCP_FLAGS_DISPOSITION after having been
#                                         logged according to the setting of
#                                         TCP_FLAGS_LOG_LEVEL.
#
#                       proxyarp        - Sets
#                                         /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#                                         Do NOT use this option if you are
#                                         employing Proxy ARP through entries in
#                                         /etc/shorewall/proxyarp. This option is
#                                         intended solely for use with Proxy ARP
#                                         sub-networking as described at:
#                                         http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
#                       routeback       - If specified, indicates that Shorewall
#                                         should include rules that allow
#                                         filtering traffic arriving on this
#                                         interface back out that same interface.
#
#                       arp_filter      - If specified, this interface will only
#                                         respond to ARP who-has requests for IP
#                                         addresses configured on the interface.
#                                         If not specified, the interface can
#                                         respond to ARP who-has requests for
#                                         IP addresses on any of the firewall's
#                                         interfaces. The interface must be up
#                                         when Shorewall is started.
#
#                       arp_ignore[=<number>]
#                                       - If specified, this interface will
#                                         respond to arp requests based on the
#                                         value of <number>.
#
#                                         1 - reply only if the target IP address
#                                         is a local address configured on the
#                                         incoming interface
#
#                                         2 - reply only if the target IP address
#                                         is a local address configured on the
#                                         incoming interface and both it and the
#                                         sender's IP address are part of the same
#                                         subnet on this interface
#
#                                         3 - do not reply for local addresses
#                                         configured with scope host, only
#                                         resolutions for global and link
#                                         addresses are replied
#
#                                         4-7 - reserved
#
#                                         8 - do not reply for all local
#                                         addresses
#
#                                         If no <number> is given then the value
#                                         1 is assumed
#
#                                         WARNING -- DO NOT SPECIFY arp_ignore
#                                         FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
#                       nosmurfs        - Filter packets for smurfs
#                                         (packets with a broadcast
#                                         address as the source).
#
#                                         Smurfs will be optionally logged based
#                                         on the setting of SMURF_LOG_LEVEL in
#                                         shorewall.conf. After logging, the
#                                         packets are dropped.
#
#                       detectnets      - Automatically tailors the zone named
#                                         in the ZONE column to include only those
#                                         hosts routed through the interface.
#
#                       upnp            - Incoming requests from this interface
#                                         may be remapped via UPNP (upnpd).
#
#                       WARNING: DO NOT SET THE detectnets OPTION ON YOUR
#                                INTERNET INTERFACE.
#
#                       The order in which you list the options is not
#                       significant but the list should have no embedded white
#                       space.
#
#       Example 1:      Suppose you have eth0 connected to a DSL modem and
#                       eth1 connected to your local network and that your
#                       local subnet is 192.168.1.0/24. The interface gets
#                       its IP address via DHCP from subnet
#                       206.191.149.192/27. You have a DMZ with subnet
#                       192.168.2.0/24 using eth2.
#
#                       Your entries for this setup would look like:
#
#                               net     eth0    206.191.149.223 dhcp
#                               local   eth1    192.168.1.255
#                               dmz     eth2    192.168.2.255
#
#       Example 2:      The same configuration without specifying broadcast
#                       addresses is:
#
#                               net     eth0    detect          dhcp
#                               loc     eth1    detect
#                               dmz     eth2    detect
#
#       Example 3:      You have a simple dial-in system with no ethernet
#                       connections.
#
#                               net     ppp0    -
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
##############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
LANA    eth0
LANB    eth1
PCLAN   eth2
MGMT    eth3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 3.0 - Policy File
#
# /etc/shorewall/policy
#
#               THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
#       This file determines what to do with a new connection request if we
#       don't get a match from the /etc/shorewall/rules file. For each
#       source/destination pair, the file is processed in order until a
#       match is found ("all" will match any client or server).
#
#                       INTRA-ZONE POLICIES ARE PRE-DEFINED
#
#       For $FW and for all of the zones defined in /etc/shorewall/zones,
#       the POLICY for connections from the zone to itself is ACCEPT (with no
#       logging or TCP connection rate limiting) but may be overridden by an
#       entry in this file. The overriding entry must be explicit (cannot use
#       "all" in the SOURCE or DEST).
#
# Columns are:
#
#       SOURCE          Source zone. Must be the name of a zone defined
#                       in /etc/shorewall/zones, $FW or "all".
#
#       DEST            Destination zone. Must be the name of a zone defined
#                       in /etc/shorewall/zones, $FW or "all".
#
#       POLICY          Policy if no match from the rules file is found. Must
#                       be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
#                       ACCEPT          - Accept the connection
#                       DROP            - Ignore the connection request
#                       REJECT          - For TCP, send RST. For all other,
#                                         send "port unreachable" ICMP.
#                       QUEUE           - Send the request to a user-space
#                                         application using the QUEUE target.
#                       CONTINUE        - Pass the connection request past
#                                         any other rules that it might also
#                                         match (where the source or
#                                         destination zone in those rules is
#                                         a superset of the SOURCE or DEST
#                                         in this policy).
#                       NONE            - Assume that there will never be any
#                                         packets from this SOURCE
#                                         to this DEST. Shorewall will not set
#                                         up any infrastructure to handle such
#                                         packets and you may not have any
#                                         rules with this SOURCE and DEST in
#                                         the /etc/shorewall/rules file. If
#                                         such a packet _is_ received, the
#                                         result is undefined. NONE may not be
#                                         used if the SOURCE or DEST columns
#                                         contain the firewall zone ($FW) or
#                                         "all".
#
#                       If this column contains ACCEPT, DROP or REJECT and a
#                       corresponding common action is defined in
#                       /etc/shorewall/actions (or
#                       /usr/share/shorewall/actions.std) then that action
#                       will be invoked before the policy named in this column
#                       is enforced.
#
#       LOG LEVEL       If supplied, each connection handled under the default
#                       POLICY is logged at that level. If not supplied, no
#                       log message is generated. See syslog.conf(5) for a
#                       description of log levels.
#
#                       Beginning with Shorewall version 1.3.12, you may
#                       also specify ULOG (must be in upper case). This will
#                       log to the ULOG target and send to a separate log
#                       through use of ulogd
#                       (http://www.gnumonks.org/projects/ulogd).
#
#                       If you don't want to log but need to specify the
#                       following column, place "-" here.
#
#       LIMIT:BURST     If passed, specifies the maximum TCP connection rate
#                       and the size of an acceptable burst. If not specified,
#                       TCP connections are not limited.
#
#       Example:
#
#       a) All connections from the local network to the internet are allowed
#       b) All connections from the internet are ignored but logged at syslog
#          level KERNEL.INFO.
#       c) All other connection requests are rejected and logged at level
#          KERNEL.INFO.
#
#       #SOURCE         DEST            POLICY          LOG
#       #                                               LEVEL
#       loc             net             ACCEPT
#       net             all             DROP            info
#       #
#       # THE FOLLOWING POLICY MUST BE LAST
#       #
#       all             all             REJECT          info
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
##############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
$FW     all     DROP
all     $FW     DROP
all     all     DROP
$FW     MGMT    DROP
MGMT    $FW     DROP
all   MGMT   DROP
MGMT   all   DROP
#LAST LINE -- DO NOT REMOVE
#
# Shorewall version 3.0 - Rules File
#
# /etc/shorewall/rules
#
#       Rules in this file govern connection establishment. Requests and
#       responses are automatically allowed using connection tracking. For any
#       particular (source,dest) pair of zones, the rules are evaluated in the
#       order in which they appear in this file and the first match is the one
#       that determines the disposition of the request.
#
#       In most places where an IP address or subnet is allowed, you
#       can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
#       indicate that the rule matches all addresses except the address/subnet
#       given. Notice that no white space is permitted between "!" and the
#       address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
#          you cannot use an ACCEPT rule to allow traffic from the internet to
#          that system. You *must* use a DNAT rule instead.
#------------------------------------------------------------------------------
#
# The rules file is divided into sections. Each section is introduced by
# a "Section Header" which is a line beginning with SECTION followed by the
# section name.
#
# Sections are as follows and must appear in the order listed:
#
#       ESTABLISHED             Packets in the ESTABLISHED state are processed
#                               by rules in this section.
#
#                               The only ACTIONs allowed in this section are
#                               ACCEPT, DROP, REJECT, LOG and QUEUE
#
#                               There is an implicit ACCEPT rule inserted
#                               at the end of this section.
#
#       RELATED                 Packets in the RELATED state are processed by
#                               rules in this section.
#
#                               The only ACTIONs allowed in this section are
#                               ACCEPT, DROP, REJECT, LOG and QUEUE
#
#                               There is an implicit ACCEPT rule inserted
#                               at the end of this section.
#
#       NEW                     Packets in the NEW and INVALID states are
#                               processed by rules in this section.
#
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
#          ESTABLISHED and RELATED sections must be empty.
#
# Note: If you are not familiar with Netfilter to the point where you are
#       comfortable with the differences between the various connection
#       tracking states, then I suggest that you omit the ESTABLISHED and
#       RELATED sections and place all of your rules in the NEW section.
#
# You may omit any section that you don't need. If no Section Headers appear
# in the file then all rules are assumed to be in the NEW section.
#
# Columns are:
#
#       ACTION          ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
#                       LOG, QUEUE or an <action>.
#
#                               ACCEPT   -- allow the connection request
#                               ACCEPT+  -- like ACCEPT but also excludes the
#                                           connection from any subsequent
#                                           DNAT[-] or REDIRECT[-] rules
#                               NONAT    -- Excludes the connection from any
#                                           subsequent DNAT[-] or REDIRECT[-]
#                                           rules but doesn't generate a rule
#                                           to accept the traffic.
#                               DROP     -- ignore the request
#                               REJECT   -- disallow the request and return an
#                                           icmp-unreachable or an RST packet.
#                               DNAT     -- Forward the request to another
#                                           system (and optionally another
#                                           port).
#                               DNAT-    -- Advanced users only.
#                                           Like DNAT but only generates the
#                                           DNAT iptables rule and not
#                                           the companion ACCEPT rule.
#                               SAME     -- Similar to DNAT except that the
#                                           port may not be remapped and when
#                                           multiple server addresses are
#                                           listed, all requests from a given
#                                           remote system go to the same
#                                           server.
#                               SAME-    -- Advanced users only.
#                                           Like SAME but only generates the
#                                           NAT iptables rule and not
#                                           the companion ACCEPT rule.
#                               REDIRECT -- Redirect the request to a local
#                                           port on the firewall.
#                               REDIRECT-
#                                        -- Advanced users only.
#                                           Like REDIRECT but only generates the
#                                           REDIRECT iptables rule and not
#                                           the companion ACCEPT rule.
#
#                               CONTINUE -- (For experts only). Do not process
#                                           any of the following rules for this
#                                           (source zone,destination zone). If
#                                           the source and/or destination IP
#                                           address falls into a zone defined
#                                           later in /etc/shorewall/zones, this
#                                           connection request will be passed
#                                           to the rules defined for that
#                                           (those) zone(s).
#                               LOG      -- Simply log the packet and continue.
#                               QUEUE    -- Queue the packet to a user-space
#                                           application such as ftwall
#                                           (http://p2pwall.sf.net).
#                               <action> -- The name of an action defined in
#                                           /etc/shorewall/actions or in
#                                           /usr/share/shorewall/actions.std.
#                               <macro>  -- The name of a macro defined in a
#                                           file named macro.<macro-name>. If
#                                           the macro accepts an action
#                                           parameter (Look at the macro
#                                           source to see if it has PARAM in
#                                           the TARGET column) then the macro
#                                           name is followed by "/" and the
#                                           action (ACCEPT, DROP, REJECT, ...)
#                                           to be substituted for the
#                                           parameter. Example: FTP/ACCEPT.
#
#                       The ACTION may optionally be followed
#                       by ":" and a syslog log level (e.g, REJECT:info or
#                       DNAT:debug). This causes the packet to be
#                       logged at the specified level.
#
#                       If the ACTION names an action defined in
#                       /etc/shorewall/actions or in
#                       /usr/share/shorewall/actions.std then:
#
#                       - If the log level is followed by "!" then all rules
#                         in the action are logged at the log level.
#
#                       - If the log level is not followed by "!" then only
#                         those rules in the action that do not specify
#                         logging are logged at the specified level.
#
#                       - The special log level 'none!' suppresses logging
#                         by the action.
#
#                       You may also specify ULOG (must be in upper case) as a
#                       log level. This will log to the ULOG target for routing
#                       to a separate log through use of ulogd
#                       (http://www.gnumonks.org/projects/ulogd).
#
#                       Actions specifying logging may be followed by a
#                       log tag (a string of alphanumeric characters) which
#                       is appended to the string generated by the
#                       LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
#                       Example: ACCEPT:info:ftp would include 'ftp '
#                       at the end of the log prefix generated by the
#                       LOGPREFIX setting.
#
#       SOURCE          Source hosts to which the rule applies. May be a zone
#                       defined in /etc/shorewall/zones, $FW to indicate the
#                       firewall itself, "all", "all+" or "none". If the ACTION
#                       is DNAT or REDIRECT, sub-zones of the specified zone
#                       may be excluded from the rule by following the zone
#                       name with "!" and a comma-separated list of sub-zone
#                       names.
#
#                       When "none" is used either in the SOURCE or DEST
#                       column, the rule is ignored.
#
#                       When "all" is used either in the SOURCE or DEST column
#                       intra-zone traffic is not affected. When "all+" is
#                       used, intra-zone traffic is affected.
#
#                       Except when "all[+]" is specified, clients may be
#                       further restricted to a list of subnets and/or hosts by
# Â Â Â Â Â Â Â Â Â Â Â appending ":" and a comma-separated list of subnets
# Â Â Â Â Â Â Â Â Â Â Â and/or hosts. Hosts may be specified by IP or MAC
# Â Â Â Â Â Â Â Â Â Â Â address; mac addresses must begin with "~" and must use
# Â Â Â Â Â Â Â Â Â Â Â "-" as a separator.
#
# Â Â Â Â Â Â Â Â Â Â Â Hosts may be specified as an IP address range using the
# Â Â Â Â Â Â Â Â Â Â Â syntax <low address>-<high address>. This requires that
# Â Â Â Â Â Â Â Â Â Â Â your kernel and iptables contain iprange match support.
# Â Â Â Â Â Â Â Â Â Â Â If you kernel and iptables have ipset match support
# Â Â Â Â Â Â Â Â Â Â Â then you may give the name of an ipset prefaced by "+".
# Â Â Â Â Â Â Â Â Â Â Â The ipset name may be optionally followed by a number
# Â Â Â Â Â Â Â Â Â Â Â from 1 to 6 enclosed in square brackets ([]) to
# Â Â Â Â Â Â Â Â Â Â Â indicate the number of levels of source bindings to be
# Â Â Â Â Â Â Â Â Â Â Â matched.
#
# Â Â Â Â Â Â Â Â Â Â Â dmz:192.168.2.2 Â Â Â Â Host 192.168.2.2 in the DMZ
#
# Â Â Â Â Â Â Â Â Â Â Â net:155.186.235.0/24 Â Â Subnet 155.186.235.0/24 on the
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Internet
#
# Â Â Â Â Â Â Â Â Â Â Â loc:192.168.1.1,192.168.1. 2
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Hosts 192.168.1.1 and
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â 192.168.1.2 in the local zone.
# Â Â Â Â Â Â Â Â Â Â Â loc:~00-A0-C9-15-39-78 Â Host in the local zone with
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â MAC address 00:A0:C9:15:39:78.
#
# Â Â Â Â Â Â Â Â Â Â Â net:192.0.2.11-192.0.2.17
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Hosts 192.0.2.11-192.0.2.17 in
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â the net zone.
#
# Â Â Â Â Â Â Â Â Â Â Â Alternatively, clients may be specified by interface
# Â Â Â Â Â Â Â Â Â Â Â by appending ":" to the zone name followed by the
# Â Â Â Â Â Â Â Â Â Â Â interface name. For example, loc:eth1 specifies a
# Â Â Â Â Â Â Â Â Â Â Â client that communicates with the firewall system
# Â Â Â Â Â Â Â Â Â Â Â through eth1. This may be optionally followed by
# Â Â Â Â Â Â Â Â Â Â Â another colon (":") and an IP/MAC/subnet address
# Â Â Â Â Â Â Â Â Â Â Â as described above (e.g., loc:eth1:192.168.1.5).
#
# Â Â Â DEST Â Â Â Â Â Â Location of Server. May be a zone defined in
# Â Â Â Â Â Â Â Â Â Â Â /etc/shorewall/zones, $FW to indicate the firewall
# Â Â Â Â Â Â Â Â Â Â Â itself, "all". "all+" or "none".
#
# Â Â Â Â Â Â Â Â Â Â Â When "none" is used either in the SOURCE or DEST
# Â Â Â Â Â Â Â Â Â Â Â column, the rule is ignored.
#
# Â Â Â Â Â Â Â Â Â Â Â When "all" is used either in the SOURCE or DEST column
# Â Â Â Â Â Â Â Â Â Â Â intra-zone traffic is not affected. When "all+" is
# Â Â Â Â Â Â Â Â Â Â Â used, intra-zone traffic is affected.
#
# Â Â Â Â Â Â Â Â Â Â Â Except when "all[+]" is specified, the server may be
# Â Â Â Â Â Â Â Â Â Â Â further restricted to a particular subnet, host or
# Â Â Â Â Â Â Â Â Â Â Â interface by appending ":" and the subnet, host or
# Â Â Â Â Â Â Â Â Â Â Â interface. See above.
#
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Restrictions:
#
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â 1. MAC addresses are not allowed.
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â 2. In DNAT rules, only IP addresses are
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â allowed; no FQDNs or subnet addresses
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â are permitted.
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â 3. You may not specify both an interface and
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â an address.
#
# Â Â Â Â Â Â Â Â Â Â Â Like in the SOURCE column, you may specify a range of
# Â Â Â Â Â Â Â Â Â Â Â up to 256 IP addresses using the syntax
# Â Â Â Â Â Â Â Â Â Â Â <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# Â Â Â Â Â Â Â Â Â Â Â the connections will be assigned to addresses in the
# Â Â Â Â Â Â Â Â Â Â Â range in a round-robin fashion.
#
# Â Â Â Â Â Â Â Â Â Â Â If you kernel and iptables have ipset match support
# Â Â Â Â Â Â Â Â Â Â Â then you may give the name of an ipset prefaced by "+".
# Â Â Â Â Â Â Â Â Â Â Â The ipset name may be optionally followed by a number
# Â Â Â Â Â Â Â Â Â Â Â from 1 to 6 enclosed in square brackets ([]) to
# Â Â Â Â Â Â Â Â Â Â Â indicate the number of levels of destination bindings
# Â Â Â Â Â Â Â Â Â Â Â to be matched. Only one of the SOURCE and DEST columns
# Â Â Â Â Â Â Â Â Â Â Â may specify an ipset name.
#
# Â Â Â Â Â Â Â Â Â Â Â The port that the server is listening on may be
# Â Â Â Â Â Â Â Â Â Â Â included and separated from the server's IP address by
# Â Â Â Â Â Â Â Â Â Â Â ":". If omitted, the firewall will not modifiy the
# Â Â Â Â Â Â Â Â Â Â Â destination port. A destination port may only be
# Â Â Â Â Â Â Â Â Â Â Â included if the ACTION is DNAT or REDIRECT.
#
# Â Â Â Â Â Â Â Â Â Â Â Example: loc:192.168.1.3:3128 specifies a local
# Â Â Â Â Â Â Â Â Â Â Â server at IP address 192.168.1.3 and listening on port
# Â Â Â Â Â Â Â Â Â Â Â 3128. The port number MUST be specified as an integer
# Â Â Â Â Â Â Â Â Â Â Â and not as a name from /etc/services.
#
# Â Â Â Â Â Â Â Â Â Â Â if the ACTION is REDIRECT, this column needs only to
# Â Â Â Â Â Â Â Â Â Â Â contain the port number on the firewall that the
# Â Â Â Â Â Â Â Â Â Â Â request should be redirected to.
#
# Â Â Â PROTO Â Â Â Â Â Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# Â Â Â Â Â Â Â Â Â Â Â "ipp2p:udp", "ipp2p:all" a number, or "all".
# Â Â Â Â Â Â Â Â Â Â Â "ipp2p*" requires ipp2p match support in your kernel
# Â Â Â Â Â Â Â Â Â Â Â and iptables.
#
# Â Â Â DEST PORT(S) Â Â Destination Ports. A comma-separated list of Port
# Â Â Â Â Â Â Â Â Â Â Â names (from /etc/services), port numbers or port
# Â Â Â Â Â Â Â Â Â Â Â ranges; if the protocol is "icmp", this column is
# Â Â Â Â Â Â Â Â Â Â Â interpreted as the destination icmp-type(s).
#
# Â Â Â Â Â Â Â Â Â Â Â If the protocol is ipp2p, this column is interpreted
# Â Â Â Â Â Â Â Â Â Â Â as an ipp2p option without the leading "--" (example
# Â Â Â Â Â Â Â Â Â Â Â "bit" for bit-torrent). If no port is given, "ipp2p" is
# Â Â Â Â Â Â Â Â Â Â Â assumed.
#
# Â Â Â Â Â Â Â Â Â Â Â A port range is expressed as <low port>:<high port>.
#
# Â Â Â Â Â Â Â Â Â Â Â This column is ignored if PROTOCOL = all but must be
# Â Â Â Â Â Â Â Â Â Â Â entered if any of the following ields are supplied.
# Â Â Â Â Â Â Â Â Â Â Â In that case, it is suggested that this field contain
# Â Â Â Â Â Â Â Â Â Â Â Â "-"
#
# Â Â Â Â Â Â Â Â Â Â Â If your kernel contains multi-port match support, then
# Â Â Â Â Â Â Â Â Â Â Â only a single Netfilter rule will be generated if in
# Â Â Â Â Â Â Â Â Â Â Â this list and the CLIENT PORT(S) list below:
# Â Â Â Â Â Â Â Â Â Â Â 1. There are 15 or less ports listed.
# Â Â Â Â Â Â Â Â Â Â Â 2. No port ranges are included.
# Â Â Â Â Â Â Â Â Â Â Â Otherwise, a separate rule will be generated for each
# Â Â Â Â Â Â Â Â Â Â Â port.
#
# Â Â Â CLIENT PORT(S) Â (Optional) Port(s) used by the client. If omitted,
# Â Â Â Â Â Â Â Â Â Â Â any source port is acceptable. Specified as a comma-
# Â Â Â Â Â Â Â Â Â Â Â separated list of port names, port numbers or port
# Â Â Â Â Â Â Â Â Â Â Â ranges.
#
# Â Â Â Â Â Â Â Â Â Â Â If you don't want to restrict client ports but need to
# Â Â Â Â Â Â Â Â Â Â Â specify an ORIGINAL DEST in the next column, then
# Â Â Â Â Â Â Â Â Â Â Â place "-" in this column.
#
# Â Â Â Â Â Â Â Â Â Â Â If your kernel contains multi-port match support, then
# Â Â Â Â Â Â Â Â Â Â Â only a single Netfilter rule will be generated if in
# Â Â Â Â Â Â Â Â Â Â Â this list and the DEST PORT(S) list above:
# Â Â Â Â Â Â Â Â Â Â Â 1. There are 15 or less ports listed.
# Â Â Â Â Â Â Â Â Â Â Â 2. No port ranges are included.
# Â Â Â Â Â Â Â Â Â Â Â Otherwise, a separate rule will be generated for each
# Â Â Â Â Â Â Â Â Â Â Â port.
#
# Â Â Â ORIGINAL DEST Â (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
# Â Â Â Â Â Â Â Â Â Â Â then if included and different from the IP
# Â Â Â Â Â Â Â Â Â Â Â address given in the SERVER column, this is an address
# Â Â Â Â Â Â Â Â Â Â Â on some interface on the firewall and connections to
# Â Â Â Â Â Â Â Â Â Â Â that address will be forwarded to the IP and port
# Â Â Â Â Â Â Â Â Â Â Â specified in the DEST column.
#
# Â Â Â Â Â Â Â Â Â Â Â A comma-separated list of addresses may also be used.
# Â Â Â Â Â Â Â Â Â Â Â This is usually most useful with the REDIRECT target
# Â Â Â Â Â Â Â Â Â Â Â where you want to redirect traffic destined for
# Â Â Â Â Â Â Â Â Â Â Â particular set of hosts.
#
# Â Â Â Â Â Â Â Â Â Â Â Finally, if the list of addresses begins with "!" then
# Â Â Â Â Â Â Â Â Â Â Â the rule will be followed only if the original
# Â Â Â Â Â Â Â Â Â Â Â destination address in the connection request does not
# Â Â Â Â Â Â Â Â Â Â Â match any of the addresses listed.
#
# Â Â Â Â Â Â Â Â Â Â Â For other actions, this column may be included and may
# Â Â Â Â Â Â Â Â Â Â Â contain one or more addresses (host or network)
# Â Â Â Â Â Â Â Â Â Â Â separated by commas. Address ranges are not allowed.
# Â Â Â Â Â Â Â Â Â Â Â When this column is supplied, rules are generated
# Â Â Â Â Â Â Â Â Â Â Â that require that the original destination address
# Â Â Â Â Â Â Â Â Â Â Â matches one of the listed addresses. This feature is
# Â Â Â Â Â Â Â Â Â Â Â most useful when you want to generate a filter rule
# Â Â Â Â Â Â Â Â Â Â Â that corresponds to a DNAT- or REDIRECT- rule. In this
# Â Â Â Â Â Â Â Â Â Â Â usage, the list of addresses should not begin with "!".
#
#            See http://shorewall.net/PortKnocking.html for an
# Â Â Â Â Â Â Â Â Â Â Â example of using an entry in this column with a
# Â Â Â Â Â Â Â Â Â Â Â user-defined action rule.
#
# Â Â Â RATE LIMIT Â Â Â You may rate-limit the rule by placing a value in
# Â Â Â Â Â Â Â Â Â Â Â this colume:
#
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â <rate>/<interval>[:<burst> ]
#
# Â Â Â Â Â Â Â Â Â Â Â where <rate> is the number of connections per
# Â Â Â Â Â Â Â Â Â Â Â <interval> ("sec" or "min") and <burst> is the
# Â Â Â Â Â Â Â Â Â Â Â largest burst permitted. If no <burst> is given,
# Â Â Â Â Â Â Â Â Â Â Â a value of 5 is assumed. There may be no
# Â Â Â Â Â Â Â Â Â Â Â no whitespace embedded in the specification.
#
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Example: 10/sec:20
#
# Â Â Â USER/GROUP Â Â Â This column may only be non-empty if the SOURCE is
# Â Â Â Â Â Â Â Â Â Â Â the firewall itself.
#
# Â Â Â Â Â Â Â Â Â Â Â The column may contain:
#
# Â Â Â [!][<user name or number>][:<group name or number>][+<program name>]
#
# Â Â Â Â Â Â Â Â Â Â Â When this column is non-empty, the rule applies only
# Â Â Â Â Â Â Â Â Â Â Â if the program generating the output is running under
# Â Â Â Â Â Â Â Â Â Â Â the effective <user> and/or <group> specified (or is
# Â Â Â Â Â Â Â Â Â Â Â NOT running under that id if "!" is given).
#
# Â Â Â Â Â Â Â Â Â Â Â Examples:
#
#                joe   #program must be run by joe
#                :kids  #program must be run by a member of
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â #the 'kids' group
#                !:kids  #program must not be run by a member
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â #of the 'kids' group
#                +upnpd  #program named upnpd (This feature was
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â #removed from Netfilter in kernel
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â #version 2.6.14).
#
# Â Â Â Example: Accept SMTP requests from the DMZ to the internet
#
# Â Â Â #ACTION SOURCE Â DEST PROTO Â Â Â DEST Â Â SOURCE Â ORIGINAL
# Â Â Â # Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â PORT Â Â PORT(S) DEST
#    ACCEPT  dmz   net    tcp  smtp
#
# Â Â Â Example: Forward all ssh and http connection requests from the
# Â Â Â Â Â Â Â Â internet to local system 192.168.1.3
#
# Â Â Â #ACTION SOURCE Â DEST Â Â Â Â Â Â PROTO Â DEST Â Â SOURCE Â ORIGINAL
# Â Â Â # Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â PORT Â Â PORT(S) DEST
#    DNAT   net   loc:192.168.1.3 tcp   ssh,http
#
# Â Â Â Example: Forward all http connection requests from the internet
# Â Â Â Â Â Â Â Â to local system 192.168.1.3 with a limit of 3 per second and
# Â Â Â Â Â Â Â Â a maximum burst of 10
#
# Â Â Â #ACTION SOURCE DEST Â Â Â Â Â Â PROTO Â DEST Â SOURCE Â ORIGINAL RATE
# Â Â Â # Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â PORT Â PORT(S) DEST Â Â LIMIT
#    DNAT   net   loc:192.168.1.3 tcp   http  -    -     3/sec:10
#
# Â Â Â Example: Redirect all locally-originating www connection requests to
# Â Â Â Â Â Â Â Â port 3128 on the firewall (Squid running on the firewall
# Â Â Â Â Â Â Â Â system) except when the destination address is 192.168.2.2
#
# Â Â Â #ACTION Â SOURCE DEST Â Â Â PROTO DEST Â Â SOURCE Â ORIGINAL
# Â Â Â # Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â PORT Â Â PORT(S) DEST
#    REDIRECT loc   3128    tcp  www    -    !192.168.2.2
#
# Â Â Â Example: All http requests from the internet to address
# Â Â Â Â Â Â Â Â 130.252.100.69 are to be forwarded to 192.168.1.3
#
# Â Â Â #ACTION Â SOURCE DEST Â Â Â Â Â Â PROTO Â DEST Â Â SOURCE Â ORIGINAL
# Â Â Â # Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â PORT Â Â PORT(S) DEST
#    DNAT    net  loc:192.168.1.3 tcp   80    -    130.252.100.69
#
# Â Â Â Example: You want to accept SSH connections to your firewall only
# Â Â Â Â Â Â Â Â from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# Â Â Â #ACTION Â SOURCE DEST Â Â Â Â Â Â PROTO Â DEST Â Â SOURCE Â ORIGINAL
# Â Â Â # Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â PORT Â Â PORT(S) DEST
# Â Â Â ACCEPT Â net:130.252.100.69,130.252 .100.70 $FW \
#                    tcp   22
########################## ########## ########## ########## ########## ########## ########## ########## ########## ###
#ACTION SOURCE Â Â Â Â Â DEST Â Â Â Â Â Â PROTO Â DEST Â Â SOURCE Â Â Â Â Â ORIGINAL Â Â Â Â RATE Â Â Â Â Â Â USER/
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â PORT Â Â PORT(S) Â Â Â Â DEST Â Â Â Â Â Â LIMIT Â Â Â Â Â GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT Â LANA Â Â $FW Â Â TCP Â Â ssh
ACCEPT Â LANB Â Â $FW Â Â TCP Â Â ssh
ACCEPT Â PCLAN Â $FW Â Â TCP Â Â ssh
#ACCEPT Â MGMT Â Â $FW Â Â TCP Â Â ssh
ACCEPT Â LANA Â Â $FW Â Â TCP Â Â http
ACCEPT Â LANB Â Â $FW Â Â TCP Â Â http
ACCEPT Â PCLAN Â $FW Â Â TCP Â Â http
#ACCEPT Â MGMT Â Â $FW Â Â TCP Â Â http
ACCEPT Â LANA Â Â $FW Â Â TCP Â Â https
ACCEPT Â LANB Â Â $FW Â Â TCP Â Â https
ACCEPT Â PCLAN Â $FW Â Â TCP Â Â https
#ACCEPT Â MGMT Â Â $FW Â Â TCP Â Â https
ACCEPT Â $FW Â Â MGMT Â Â UDP Â Â 53
ACCEPT Â $FW Â Â MGMT Â Â TCP Â Â 53
DROP Â Â MGMT Â Â $FW Â Â TCP Â Â 113
DROP Â Â MGMT Â Â $FW Â Â UDP Â Â 113
# 514 is syslog port. Â accept both TCP (syslog-ng) and UDP (sysklogd)
ACCEPT Â LANA Â Â $FW Â Â TCP Â Â 514
ACCEPT Â LANA Â Â $FW Â Â UDP Â Â 514
ACCEPT Â LANB Â Â $FW Â Â TCP Â Â 514
ACCEPT Â LANB Â Â $FW Â Â UDP Â Â 514
ACCEPT Â PCLAN Â $FW Â Â TCP Â Â 514
ACCEPT Â PCLAN Â $FW Â Â UDP Â Â 514
# allow any icmp out.
ACCEPT Â $FW Â Â LANA Â Â ICMP
ACCEPT Â $FW Â Â LANB Â Â ICMP
ACCEPT Â $FW Â Â PCLAN Â ICMP
ACCEPT Â $FW Â Â LANA Â Â TCP Â Â ssh
ACCEPT Â $FW Â Â LANB Â Â TCP Â Â ssh
ACCEPT Â $FW Â Â PCLAN Â TCP Â Â ssh
ACCEPT Â $FW Â Â LANA Â Â TCP Â Â snmp
ACCEPT Â $FW Â Â LANB Â Â TCP Â Â snmp
ACCEPT Â $FW Â Â PCLAN Â TCP Â Â snmp
ACCEPT Â $FW Â Â LANA Â Â UDP Â Â snmp
ACCEPT Â $FW Â Â LANB Â Â UDP Â Â snmp
ACCEPT Â $FW Â Â PCLAN Â UDP Â Â snmp
ACCEPT Â $FW Â Â LANA Â Â TCP Â Â ntp
ACCEPT Â $FW Â Â LANB Â Â TCP Â Â ntp
# 10000 is webmin. Â Accept temporarily until everyone
# understands how to ssh portforward
# 113 is identd. Â Irrelevent and idiotic.
ACCEPT  PCLAN  $FW   tcp   10000
DROP Â Â LANA Â Â $FW Â Â TCP Â Â 113
DROP Â Â LANB Â Â $FW Â Â TCP Â Â 113
DROP Â Â PCLAN Â $FW Â Â TCP Â Â 113
DROP Â Â LANA Â Â $FW Â Â UDP Â Â 113
DROP Â Â LANB Â Â $FW Â Â UDP Â Â 113
DROP Â Â PCLAN Â $FW Â Â UDP Â Â 113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
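The column documentation in the rules-file header above is long enough that a rule is easy to misread. The following Python parser is an added example, not code from the question or from the Shorewall project: it applies those column rules to lines in the same format (SECTION headers, '#' comments, the ACTION[:level[:tag]] suffix, "-" placeholders, comma lists and low:high ranges in the port columns, the rate-limit syntax) and derives an audit view of which zones may open NEW connections to $FW. The sample rules it parses are constructed from the header's own examples and the style of the rules above; the zone names LANA, LANB, MGMT, net and loc come from the page, everything else is an assumption of the example.

```python
"""Parse Shorewall 3.0 rules-file lines as the column documentation describes.

Added example; not code from the question or from the Shorewall project. It
handles SECTION headers, '#' comments, ACTION[:<level>[:<tag>]], "-"
placeholders, comma lists and <low>:<high> ranges in the port columns and the
<rate>/<interval>[:<burst>] rate-limit syntax; macros, ipsets and address
ranges are kept as raw column strings.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

COLUMNS = ("action", "source", "dest", "proto", "dport", "sport",
           "origdest", "ratelimit", "user")
PROTOS = {"tcp", "udp", "icmp", "ipp2p", "ipp2p:udp", "ipp2p:all", "all"}
PORT_RE = re.compile(r"^(\d+(:\d+)?|[A-Za-z][\w.+-]*)$")   # name, number or low:high
RATE_RE = re.compile(r"^(\d+)/(sec|min)(?::(\d+))?$")

# Constructed sample: the header's own examples plus rules in the poster's
# style (zone names LANA, LANB, MGMT, net and loc come from the page).
SAMPLE_RULES = """\
#ACTION   SOURCE  DEST             PROTO  DEST     SOURCE  ORIGINAL      RATE
#                                         PORT     PORT(S) DEST          LIMIT
SECTION NEW
ACCEPT    LANA    $FW              TCP    ssh
ACCEPT:info:web LANB $FW           tcp    http,https
DNAT      net     loc:192.168.1.3  tcp    http     -       -             3/sec:10
REDIRECT  loc     3128             tcp    www      -       !192.168.2.2
DROP      MGMT    $FW              UDP    113
ACCEPT    $FW     LANA             tcp    1024:65535
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


@dataclass
class Rule:
    section: str
    action: str
    loglevel: Optional[str]
    logtag: Optional[str]
    source: str
    dest: str
    proto: str
    dports: List[str]
    sports: List[str]
    origdest: Optional[str]
    rate: Optional[Tuple[int, str, int]]   # (connections, "sec"|"min", burst)
    user: Optional[str]


def col(cols, name):
    """A column is absent when missing or written as the "-" placeholder."""
    value = cols.get(name)
    return None if value in (None, "-") else value


def parse_ports(value):
    """DEST/CLIENT PORT(S): comma-separated names, numbers or low:high ranges."""
    ports = [] if value is None else value.split(",")
    for port in ports:
        if not PORT_RE.match(port):
            raise ValueError(f"bad port spec {port!r} (ranges are low:high)")
    return ports


def parse_rate(value):
    """RATE LIMIT: <rate>/<interval>[:<burst>]; burst defaults to 5."""
    if value is None:
        return None
    m = RATE_RE.match(value)
    if not m:
        raise ValueError(f"bad rate limit {value!r}")
    rate, interval, burst = m.groups()
    return int(rate), interval, int(burst) if burst else 5


def parse_rules(text, section="NEW"):
    """Rules before any SECTION line count as NEW, Shorewall's default."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if fields[0] == "SECTION":
            section = fields[1]
            continue
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need at least ACTION SOURCE DEST")
        cols = dict(zip(COLUMNS, fields))
        action, *log = cols["action"].split(":")     # ACTION[:level[:tag]]
        proto = (col(cols, "proto") or "all").lower()
        if proto not in PROTOS and not proto.isdigit():
            raise ValueError(f"line {lineno}: unknown PROTO {proto!r}")
        # DEST PORT(S) is ignored when PROTO is "all"
        dports = [] if proto == "all" else parse_ports(col(cols, "dport"))
        rules.append(Rule(section, action,
                          log[0] if log else None, log[1] if len(log) > 1 else None,
                          cols["source"], cols["dest"], proto, dports,
                          parse_ports(col(cols, "sport")), col(cols, "origdest"),
                          parse_rate(col(cols, "ratelimit")), col(cols, "user")))
    return rules


def fw_listeners(rules):
    """Audit view: (zone, proto, port) that NEW connections may open to $FW."""
    found = set()
    for r in rules:
        if r.section == "NEW" and r.action == "ACCEPT" and r.dest == "$FW":
            for port in r.dports or ["any"]:
                found.add((r.source, r.proto, port))
    return sorted(found)


if __name__ == "__main__":
    for zone, proto, port in fw_listeners(parse_rules(SAMPLE_RULES)):
        print(f"{zone:6} -> $FW {proto}/{port}")
```

The audit view only counts rules in the NEW section whose DEST is $FW, which is exactly the set that decides what a scanner on a given zone can reach; rules in the other direction ($FW to a zone) and DROP rules are parsed but left out of that list.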
--------------------------
[root@netmon shorewall]# iptables -L
Chain INPUT (policy DROP)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere
eth0_in   all  --  anywhere       anywhere
eth1_in   all  --  anywhere       anywhere
eth2_in   all  --  anywhere       anywhere
eth3_in   all  --  anywhere       anywhere
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain FORWARD (policy DROP)
target   prot opt source        destination
eth0_fwd  all  --  anywhere       anywhere
eth1_fwd  all  --  anywhere       anywhere
eth2_fwd  all  --  anywhere       anywhere
eth3_fwd  all  --  anywhere       anywhere
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain OUTPUT (policy DROP)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere
fw2LANA   all  --  anywhere       anywhere
fw2LANB   all  --  anywhere       anywhere
fw2PCLAN  all  --  anywhere       anywhere
fw2MGMT   all  --  anywhere       anywhere
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain Drop (10 references)
target   prot opt source        destination
reject   tcp  --  anywhere       anywhere       tcp dpt:auth
dropBcast  all  --  anywhere       anywhere
ACCEPT   icmp --  anywhere       anywhere       icmp fragmentation-needed
ACCEPT   icmp --  anywhere       anywhere       icmp time-exceeded
dropInvalid  all  --  anywhere       anywhere
DROP    udp  --  anywhere       anywhere       multiport dports 135,microsoft-ds
DROP    udp  --  anywhere       anywhere       udp dpts:netbios-ns:netbios-ssn
DROP    udp  --  anywhere       anywhere       udp spt:netbios-ns dpts:1024:65535
DROP    tcp  --  anywhere       anywhere       multiport dports 135,netbios-ssn,microsoft-ds
DROP    udp  --  anywhere       anywhere       udp dpt:1900
dropNotSyn  tcp  --  anywhere       anywhere
DROP    udp  --  anywhere       anywhere       udp spt:domain
Chain LANA2fw (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:http
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:https
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:shell
ACCEPT   udp  --  anywhere       anywhere       udp dpt:syslog
DROP    tcp  --  anywhere       anywhere       tcp dpt:auth
DROP    udp  --  anywhere       anywhere       udp dpt:auth
all2fw   all  --  anywhere       anywhere
Chain LANB2fw (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:http
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:https
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:shell
ACCEPT   udp  --  anywhere       anywhere       udp dpt:syslog
DROP    tcp  --  anywhere       anywhere       tcp dpt:auth
DROP    udp  --  anywhere       anywhere       udp dpt:auth
all2fw   all  --  anywhere       anywhere
Chain MGMT2all (0 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain MGMT2fw (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
DROP    tcp  --  anywhere       anywhere       tcp dpt:auth
DROP    udp  --  anywhere       anywhere       udp dpt:auth
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain PCLAN2fw (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:http
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:https
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:shell
ACCEPT   udp  --  anywhere       anywhere       udp dpt:syslog
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:10000
DROP    tcp  --  anywhere       anywhere       tcp dpt:auth
DROP    udp  --  anywhere       anywhere       udp dpt:auth
all2fw   all  --  anywhere       anywhere
Chain Reject (0 references)
target   prot opt source        destination
reject   tcp  --  anywhere       anywhere       tcp dpt:auth
dropBcast  all  --  anywhere       anywhere
ACCEPT   icmp --  anywhere       anywhere       icmp fragmentation-needed
ACCEPT   icmp --  anywhere       anywhere       icmp time-exceeded
dropInvalid  all  --  anywhere       anywhere
reject   udp  --  anywhere       anywhere       multiport dports 135,microsoft-ds
reject   udp  --  anywhere       anywhere       udp dpts:netbios-ns:netbios-ssn
reject   udp  --  anywhere       anywhere       udp spt:netbios-ns dpts:1024:65535
reject   tcp  --  anywhere       anywhere       multiport dports 135,netbios-ssn,microsoft-ds
DROP    udp  --  anywhere       anywhere       udp dpt:1900
dropNotSyn  tcp  --  anywhere       anywhere
DROP    udp  --  anywhere       anywhere       udp spt:domain
Chain all2MGMT (0 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain all2all (12 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain all2fw (3 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain dropBcast (2 references)
target   prot opt source        destination
DROP    all  --  anywhere       anywhere       PKTTYPE = broadcast
DROP    all  --  anywhere       anywhere       PKTTYPE = multicast
Chain dropInvalid (2 references)
target   prot opt source        destination
DROP    all  --  anywhere       anywhere       state INVALID
Chain dropNotSyn (2 references)
target   prot opt source        destination
DROP    tcp  --  anywhere       anywhere       tcp flags:!SYN,RST,ACK/SYN
Chain dynamic (8 references)
target   prot opt source        destination
Chain eth0_fwd (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
Chain eth0_in (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
LANA2fw   all  --  anywhere       anywhere
Chain eth1_fwd (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
Chain eth1_in (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
LANB2fw   all  --  anywhere       anywhere
Chain eth2_fwd (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
Chain eth2_in (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
PCLAN2fw  all  --  anywhere       anywhere
Chain eth3_fwd (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
Chain eth3_in (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
MGMT2fw   all  --  anywhere       anywhere
Chain fw2LANA (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   icmp --  anywhere       anywhere
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:snmp
ACCEPT   udp  --  anywhere       anywhere       udp dpt:snmp
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ntp
fw2all   all  --  anywhere       anywhere
Chain fw2LANB (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   icmp --  anywhere       anywhere
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:snmp
ACCEPT   udp  --  anywhere       anywhere       udp dpt:snmp
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ntp
fw2all   all  --  anywhere       anywhere
Chain fw2MGMT (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   udp  --  anywhere       anywhere       udp dpt:domain
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:domain
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain fw2PCLAN (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   icmp --  anywhere       anywhere
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:snmp
ACCEPT   udp  --  anywhere       anywhere       udp dpt:snmp
fw2all   all  --  anywhere       anywhere
Chain fw2all (3 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain reject (6 references)
target   prot opt source        destination
DROP    all  --  anywhere       anywhere       PKTTYPE = broadcast
DROP    all  --  anywhere       anywhere       PKTTYPE = multicast
DROP    all  --  255.255.255.255    anywhere
DROP    all  --  224.0.0.0/4      anywhere
REJECT   tcp  --  anywhere       anywhere       reject-with tcp-reset
REJECT   udp  --  anywhere       anywhere       reject-with icmp-port-unreachable
REJECT   icmp --  anywhere       anywhere       reject-with icmp-host-unreachable
REJECT   all  --  anywhere       anywhere       reject-with icmp-host-prohibited
Chain shorewall (0 references)
target   prot opt source        destination
Chain smurfs (0 references)
target   prot opt source        destination
LOG     all  --  255.255.255.255    anywhere       LOG level info prefix `Shorewall:smurfs:DROP:'
DROP    all  --  255.255.255.255    anywhere
LOG     all  --  224.0.0.0/4      anywhere       LOG level info prefix `Shorewall:smurfs:DROP:'
DROP    all  --  224.0.0.0/4      anywhere
[root@netmon shorewall]#
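To check that the chains Shorewall generated match the intent of the rules file, the following Python script, an added example rather than anything from the question, Shorewall or Netfilter, parses the plain `iptables -L` table format shown above, follows jumps into the user-defined chains (eth0_in, LANA2fw, all2fw, Drop, ...) and lists every ACCEPT reachable from INPUT together with the chain path that leads to it. It also flags terminal rules that show no match criteria at all: `iptables -L` without `-v` hides interface matches, so a line that reads `ACCEPT all -- anywhere anywhere` cannot be judged from this output. The listing it parses is a constructed, abridged version of the one above; the chain names are the page's, the rule subset is the example's own choice.

```python
"""Audit which ACCEPTs are reachable from INPUT in plain `iptables -L` output.

Added example; not from the question, Shorewall or Netfilter. It parses the
table format of the listing above, follows jumps into user-defined chains
and reports every reachable ACCEPT with the chain path that leads to it.
"""
import re

TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE"}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")

# Constructed, abridged listing in the same format as the one above.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
eth0_in    all  --  anywhere             anywhere
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
Chain Drop (10 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere             tcp dpt:auth
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
dropNotSyn tcp  --  anywhere             anywhere
Chain LANA2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:shell
ACCEPT     udp  --  anywhere             anywhere             udp dpt:syslog
DROP       tcp  --  anywhere             anywhere             tcp dpt:auth
all2fw     all  --  anywhere             anywhere
Chain all2fw (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp flags:!SYN,RST,ACK/SYN
Chain dynamic (8 references)
target     prot opt source               destination
Chain eth0_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere             state INVALID,NEW
LANA2fw    all  --  anywhere             anywhere
Chain reject (6 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
"""


def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [(target, proto, match)]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if not line.strip() or line.startswith("target ") or current is None:
            continue
        fields = line.split(None, 5)   # target prot opt source destination [match...]
        target, proto, _opt, src, dst = fields[:5]
        match = fields[5].strip() if len(fields) > 5 else ""
        if src != "anywhere":
            match = f"src {src} {match}".strip()
        if dst != "anywhere":
            match = f"dst {dst} {match}".strip()
        chains[current]["rules"].append((target, proto, match))
    return chains


def reachable_accepts(chains, start="INPUT"):
    """Depth-first walk from `start`, following jumps into user chains.

    Returns (accepts, unqualified): accepts holds (path, proto, match) for
    every reachable ACCEPT; unqualified holds (chain, rule number, target)
    for terminal rules that show no match criteria.  `iptables -L` without
    -v hides interface matches, so such rules must be re-read with -v -n.
    """
    accepts, unqualified = [], []

    def walk(chain, path):
        here = path + [chain]
        for number, (target, proto, match) in enumerate(chains[chain]["rules"], 1):
            if target in chains:              # jump into a user chain
                if target not in here:        # Netfilter rejects loops; guard anyway
                    walk(target, here)
                continue
            if target in TERMINAL and proto == "all" and not match:
                unqualified.append((chain, number, target))
            if target == "ACCEPT":
                accepts.append((" > ".join(here), proto, match))

    walk(start, [])
    return accepts, unqualified


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    accepts, unqualified = reachable_accepts(chains)
    print(f"INPUT policy: {chains['INPUT']['policy']}")
    for path, proto, match in accepts:
        print(f"ACCEPT {proto:5} {match or '(no visible match)':32} via {path}")
    for chain, number, target in unqualified:
        print(f"check with -v -n: {chain} rule {number} is {target} with no visible match")
```

Read the real listing with `iptables -L -v -n` before trusting any of this: `-v` adds the in/out interface columns that the unqualified rules depend on, and `-n` prints numeric ports. The listing above shows `tcp dpt:shell` for the rules file's `TCP 514` because 514/tcp is named shell (the rsh port) in /etc/services while 514/udp is syslog; the port opened is still 514, but a name-based reading of the chains would not tell you that the TCP rule is the syslog one.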
I have it set up so that there is no answer (DROP) to the usual nmap scans, but there is still some information leakage because nmap can still determine the MAC.
Here's the details. Â First is the nmap responses. Â Next are the pertinent shorewall rules. Â Last is an iptables -L listing.
~ # nmap -sS -O 192.168.0.54
Starting Nmap 4.01 ( http://www.insecure.org/nmap/Â ) at 2006-06-22 15:55 AKDT
Warning: Â OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1672 scanned ports on 192.168.0.54 are: filtered
MAC Address: 00:04:23:B2:14:F1 (Intel)
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 47.564 seconds
~ # nmap -P0 192.168.0.54
Starting Nmap 4.01 ( http://www.insecure.org/nmap/Â ) at 2006-06-22 15:53 AKDT
All 1672 scanned ports on 192.168.0.54 are: filtered
MAC Address: 00:04:23:B2:14:F1 (Intel)
Nmap finished: 1 IP address (1 host up) scanned in 35.595 seconds
~ # nmap -sT -O -p1-65535 192.168.0.54
Starting Nmap 4.01 ( http://www.insecure.org/nmap/Â ) at 2006-06-22 10:51 AKDT
Warning: Â OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 65535 scanned ports on 192.168.0.54 are: filtered
MAC Address: 00:04:23:B2:14:F1 (Intel)
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 1332.545 seconds
--------------------------
[root@netmon ~]# cd /etc/shorewall/
[root@netmon shorewall]# cat zones interfaces policy rules
#
# Shorewall version 3.0 - Zones File
#
# /etc/shorewall/zones
#
#       This file determines your network zones.
#
#       WARNING: The format of this file changed in Shorewall 3.0.0. You can
#                continue to use your old records provided that you set
#                IPSECFILE=ipsec in /etc/shorewall/shorewall.c
#                signal Shorewall that the IPSEC-related zone options are
#                still specified in /etc/shorewall/ipsec rather than in this
#                file.
#
#                To use records in the format described below, you must have
#                IPSECFILE=zones specified in /etc/shorewall/shorewall.c
#
# Columns are:
#
#       ZONE    Short name of the zone (5 Characters or less in length).
#               The names "all" and "none" are reserved and may not be
#               used as zone names.
#
#               Where a zone is nested in one or more other zones,
#               you may follow the (sub)zone name by ":" and a
#               comma-separated list of the parent zones. The parent
#               zones must have been defined in earlier records in this
#               file.
#
#               Example:
#
#                       #ZONE   TYPE    OPTIONS
#                       a       ipv4
#                       b       ipv4
#                       c:a,b   ipv4
#
#               Currently, Shorewall uses this information only to reorder the
#               zone list so that parent zones appear after their subzones in
#               the list. In the future, Shorewall may make more extensive use
#               of that information.
#
#       TYPE    ipv4 -  This is the standard Shorewall zone type and is the
#                       default if you leave this column empty or if you enter
#                       "-" in the column. Communication with some zone hosts
#                       may be encrypted. Encrypted hosts are designated using
#                       the 'ipsec' option in /etc/shorewall/hosts.
#               ipsec - Communication with all zone hosts is encrypted
#                       Your kernel and iptables must include policy
#                       match support.
#               firewall
#                     - Designates the firewall itself. You must have
#                       exactly one 'firewall' zone. No options are
#                       permitted with a 'firewall' zone. The name that you
#                       enter in the ZONE column will be stored in the shell
#                       variable $FW which you may use in other configuration
#                       files to designate the firewall zone.
#
#       OPTIONS,        A comma-separated list of options as follows:
#       IN OPTIONS,
#       OUT OPTIONS     reqid=<number> where <number> is specified
#                       using setkey(8) using the 'unique:<number>
#                       option for the SPD level.
#
#                       spi=<number> where <number> is the SPI of
#                       the SA used to encrypt/decrypt packets.
#
#                       proto=ah|esp|ipcomp
#
#                       mss=<number> (sets the MSS field in TCP packets)
#
#                       mode=transport|tunnel
#
#                       tunnel-src=<address>[/<mas
#                       available with mode=tunnel)
#
#                       tunnel-dst=<address>[/<mas
#                       available with mode=tunnel)
#
#                       strict  Means that packets must match all rules.
#
#                       next    Separates rules; can only be used with
#                               strict.
#
#               Example:
#                       mode=transport,reqid=44
#
#       The options in the OPTIONS column are applied to both incoming
#       and outgoing traffic. The IN OPTIONS are applied to incoming
#       traffic (in addition to OPTIONS) and the OUT OPTIONS are
#       applied to outgoing traffic.
#
#       If you wish to leave a column empty but need to make an entry
#       in a following column, use "-".
#-------------------------
# Example zones:
#
#       You have a three interface firewall with internet, local and DMZ
#       interfaces.
#
#       #ZONE   TYPE            OPTIONS         IN                      OUT
#       #                                       OPTIONS                 OPTIONS
#       fw      firewall
#       net     ipv4
#       loc     ipv4
#       dmz     ipv4
#
#
# For more information, see http://www.shorewall.net/Documentation.htm#Zones
#
##########################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
LANA    ipv4
LANB    ipv4
PCLAN   ipv4
MGMT    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall version 3.0 - Interfaces File
#
# /etc/shorewall/interfaces
#
#       You must add an entry in this file for each network interface on your
#       firewall system.
#
# Columns are:
#
#       ZONE            Zone for this interface. Must match the name of a
#                       zone defined in /etc/shorewall/zones. You may not
#                       list the firewall zone in this column.
#
#                       If the interface serves multiple zones that will be
#                       defined in the /etc/shorewall/hosts file, you should
#                       place "-" in this column.
#
#                       If there are multiple interfaces to the same zone,
#                       you must list them in separate entries:
#
#                       Example:
#
#                               loc     eth1    -
#                               loc     eth2    -
#
#       INTERFACE       Name of interface. Each interface may be listed only
#                       once in this file. You may NOT specify the name of
#                       an alias (e.g., eth0:0) here; see
#                       http://www.shorewall.net/FAQ.htm#faq18
#
#                       You may specify wildcards here. For example, if you
#                       want to make an entry that applies to all PPP
#                       interfaces, use 'ppp+'.
#
#                       There is no need to define the loopback interface (lo)
#                       in this file.
#
#       BROADCAST       The broadcast address for the subnetwork to which the
#                       interface belongs. For P-T-P interfaces, this
#                       column is left blank. If the interface has multiple
#                       addresses on multiple subnets then list the broadcast
#                       addresses as a comma-separated list.
#
#                       If you use the special value "detect", the firewall
#                       will detect the broadcast address for you. If you
#                       select this option, the interface must be up before
#                       the firewall is started, you must have iproute
#                       installed.
#
#                       If you don't want to give a value for this column but
#                       you want to enter a value in the OPTIONS column, enter
#                       "-" in this column.
#
#       OPTIONS         A comma-separated list of options including the
#                       following:
#
#                       dhcp            - Specify this option when any of
#                                         the following are true:
#                                         1. the interface gets its IP address
#                                            via DHCP
#                                         2. the interface is used by
#                                            a DHCP server running on the firewall
#                                         3. you have a static IP but are on a LAN
#                                            segment with lots of Laptop DHCP
#                                            clients.
#                                         4. the interface is a bridge with
#                                            a DHCP server on one port and DHCP
#                                            clients on another port.
#
#                       norfc1918       - This interface should not receive
#                                         any packets whose source is in one
#                                         of the ranges reserved by RFC 1918
#                                         (i.e., private or "non-routable"
#                                         addresses). If packet mangling or
#                                         connection-tracking match is enabled in
#                                         your kernel, packets whose destination
#                                         addresses are reserved by RFC 1918 are
#                                         also rejected.
#
#                       routefilter     - turn on kernel route filtering for this
#                                         interface (anti-spoofing measure). This
#                                         option can also be enabled globally in
#                                         the /etc/shorewall/shorewall.c
#
#                       logmartians     - turn on kernel martian logging (logging
#                                         of packets with impossible source
#                                         addresses). It is suggested that if you
#                                         set routefilter on an interface that
#                                         you also set logmartians. This option
#                                         may also be enabled globally in the
#                                         /etc/shorewall/shorewall.c
#
#                       blacklist       - Check packets arriving on this interface
#                                         against the /etc/shorewall/blacklist
#                                         file.
#
#                       maclist         - Connection requests from this interface
#                                         are compared against the contents of
#                                         /etc/shorewall/maclist. If this option
#                                         is specified, the interface must be
#                                         an ethernet NIC and must be up before
#                                         Shorewall is started.
#
#                       tcpflags        - Packets arriving on this interface are
#                                         checked for certain illegal combinations
#                                         of TCP flags. Packets found to have
#                                         such a combination of flags are handled
#                                         according to the setting of
#                                         TCP_FLAGS_DISPOSITION after having been
#                                         logged according to the setting of
#                                         TCP_FLAGS_LOG_LEVEL.
#
#                       proxyarp        -
#                                 Sets
#                                 /proc/sys/net/ipv4/conf/<i
#                                 Do NOT use this option if you are
#                                 employing Proxy ARP through entries in
#                                 /etc/shorewall/proxyarp. This option is
#                                 intended solely for use with Proxy ARP
#                                 sub-networking as described at:
#                                 http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
#                       routeback       - If specified, indicates that Shorewall
#                                         should include rules that allow
#                                         filtering traffic arriving on this
#                                         interface back out that same interface.
#
#                       arp_filter      - If specified, this interface will only
#                                         respond to ARP who-has requests for IP
#                                         addresses configured on the interface.
#                                         If not specified, the interface can
#                                         respond to ARP who-has requests for
#                                         IP addresses on any of the firewall's
#                                         interfaces. The interface must be up
#                                         when Shorewall is started.
#
#                       arp_ignore[=<number>]
#                                       - If specified, this interface will
#                                         respond to arp requests based on the
#                                         value of <number>.
#
#                                         1 - reply only if the target IP address
#                                         is local address configured on the
#                                         incoming interface
#
#                                         2 - reply only if the target IP address
#                                         is local address configured on the
#                                         incoming interface and both with the
#                                         sender's IP address are part from same
#                                         subnet on this interface
#
#                                         3 - do not reply for local addresses
#                                         configured with scope host, only
#                                         resolutions for global and link
#                                         addresses are replied
#
#                                         4-7 - reserved
#
#                                         8 - do not reply for all local
#                                         addresses
#
#                                         If no <number> is given then the value
#                                         1 is assumed
#
#                                         WARNING -- DO NOT SPECIFY arp_ignore
#                                         FOR ANY INTERFACE INVOLVED IN PROXY ARP.
#
#                       nosmurfs        - Filter packets for smurfs
#                                         (packets with a broadcast
#                                         address as the source).
#
#                                         Smurfs will be optionally logged based
#                                         on the setting of SMURF_LOG_LEVEL in
#                                         shorewall.conf. After logging, the
#                                         packets are dropped.
#
#                       detectnets      - Automatically tailors the zone named
#                                         in the ZONE column to include only those
#                                         hosts routed through the interface.
#
#                       upnp            - Incoming requests from this interface
#                                         may be remapped via UPNP (upnpd).
#
#                       WARNING: DO NOT SET THE detectnets OPTION ON YOUR
#                                INTERNET INTERFACE.
#
#                       The order in which you list the options is not
#                       significant but the list should have no embedded white
#                       space.
#
#       Example 1:      Suppose you have eth0 connected to a DSL modem and
#                       eth1 connected to your local network and that your
#                       local subnet is 192.168.1.0/24. The interface gets
#                       its IP address via DHCP from subnet
#                       206.191.149.192/27. You have a DMZ with subnet
#                       192.168.2.0/24 using eth2.
#
#                       Your entries for this setup would look like:
#
#                       net     eth0    206.191.149.223 dhcp
#                       local   eth1    192.168.1.255
#                       dmz     eth2    192.168.2.255
#
#       Example 2:      The same configuration without specifying broadcast
#                       addresses is:
#
#                       net     eth0    detect          dhcp
#                       loc     eth1    detect
#                       dmz     eth2    detect
#
#       Example 3:      You have a simple dial-in system with no ethernet
#                       connections.
#
#                       net     ppp0    -
#
# For additional information, see
# http://shorewall.net/Documentation.htm#Interfaces
#
##########################
#ZONE   INTERFACE       BROADCAST       OPTIONS
LANA    eth0
LANB    eth1
PCLAN   eth2
MGMT    eth3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall version 3.0 - Policy File
#
# /etc/shorewall/policy
#
#                       THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
#
#       This file determines what to do with a new connection request if we
#       don't get a match from the /etc/shorewall/rules file. For each
#       source/destination pair, the file is processed in order until a
#       match is found ("all" will match any client or server).
#
#                       INTRA-ZONE POLICIES ARE PRE-DEFINED
#
#       For $FW and for all of the zones defined in /etc/shorewall/zones,
#       the POLICY for connections from the zone to itself is ACCEPT (with no
#       logging or TCP connection rate limiting) but may be overridden by an
#       entry in this file. The overriding entry must be explicit (cannot use
#       "all" in the SOURCE or DEST).
#
# Columns are:
#
#       SOURCE          Source zone. Must be the name of a zone defined
#                       in /etc/shorewall/zones, $FW or "all".
#
#       DEST            Destination zone. Must be the name of a zone defined
#                       in /etc/shorewall/zones, $FW or "all"
#
#       POLICY          Policy if no match from the rules file is found. Must
#                       be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
#                       ACCEPT          - Accept the connection
#                       DROP            - Ignore the connection request
#                       REJECT          - For TCP, send RST. For all other,
#                                         send "port unreachable" ICMP.
#                       QUEUE           - Send the request to a user-space
#                                         application using the QUEUE target.
#                       CONTINUE        - Pass the connection request past
#                                         any other rules that it might also
#                                         match (where the source or
#                                         destination zone in those rules is
#                                         a superset of the SOURCE or DEST
#                                         in this policy).
#                       NONE            - Assume that there will never be any
#                                         packets from this SOURCE
#                                         to this DEST. Shorewall will not set
#                                         up any infrastructure to handle such
#                                         packets and you may not have any
#                                         rules with this SOURCE and DEST in
#                                         the /etc/shorewall/rules file. If
#                                         such a packet _is_ received, the
#                                         result is undefined. NONE may not be
#                                         used if the SOURCE or DEST columns
#                                         contain the firewall zone ($FW) or
#                                         "all".
#
#                       If this column contains ACCEPT, DROP or REJECT and a
#                       corresponding common action is defined in
#                       /etc/shorewall/actions (or
#                       /usr/share/shorewall/actio
#                       will be invoked before the policy named in this column
#                       is enforced.
#
#       LOG LEVEL       If supplied, each connection handled under the default
#                       POLICY is logged at that level. If not supplied, no
#                       log message is generated. See syslog.conf(5) for a
#                       description of log levels.
#
#                       Beginning with Shorewall version 1.3.12, you may
#                       also specify ULOG (must be in upper case). This will
#                       log to the ULOG target and be sent to a separate log
#                       through use of ulogd
#                       (http://www.gnumonks.org/projects/ulogd).
#
#                       If you don't want to log but need to specify the
#                       following column, place "-" here.
#
#       LIMIT:BURST     If passed, specifies the maximum TCP connection rate
#                       and the size of an acceptable burst. If not specified,
#                       TCP connections are not limited.
#
#       Example:
#
#       a) All connections from the local network to the internet are allowed
#       b) All connections from the internet are ignored but logged at syslog
#          level KERNEL.INFO.
#       c) All other connection requests are rejected and logged at level
#          KERNEL.INFO.
#
#       #SOURCE         DEST            POLICY          LOG
#       #                                               LEVEL
#       loc             net             ACCEPT
#       net             all             DROP            info
#       #
#       # THE FOLLOWING POLICY MUST BE LAST
#       #
#       all             all             REJECT          info
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
##########################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
$FW     all     DROP
all     $FW     DROP
all     all     DROP
$FW     MGMT    DROP
MGMT    $FW     DROP
all     MGMT    DROP
MGMT    all     DROP
#LAST LINE -- DO NOT REMOVE
#
# Shorewall version 3.0 - Rules File
#
# /etc/shorewall/rules
#
#       Rules in this file govern connection establishment. Requests and
#       responses are automatically allowed using connection tracking. For any
#       particular (source,dest) pair of zones, the rules are evaluated in the
#       order in which they appear in this file and the first match is the one
#       that determines the disposition of the request.
#
#       In most places where an IP address or subnet is allowed, you
#       can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
#       indicate that the rule matches all addresses except the address/subnet
#       given. Notice that no white space is permitted between "!" and the
#       address/subnet.
#-------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
#          you cannot use an ACCEPT rule to allow traffic from the internet to
#          that system. You *must* use a DNAT rule instead.
#-------------------------
#
# The rules file is divided into sections. Each section is introduced by
# a "Section Header" which is a line beginning with SECTION followed by the
# section name.
#
# Sections are as follows and must appear in the order listed:
#
#       ESTABLISHED             Packets in the ESTABLISHED state are processed
#                               by rules in this section.
#
#                               The only ACTIONs allowed in this section are
#                               ACCEPT, DROP, REJECT, LOG and QUEUE
#
#                               There is an implicit ACCEPT rule inserted
#                               at the end of this section.
#
#       RELATED                 Packets in the RELATED state are processed by
#                               rules in this section.
#
#                               The only ACTIONs allowed in this section are
#                               ACCEPT, DROP, REJECT, LOG and QUEUE
#
#                               There is an implicit ACCEPT rule inserted
#                               at the end of this section.
#
#       NEW                     Packets in the NEW and INVALID states are
#                               processed by rules in this section.
#
# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
#          ESTABLISHED and RELATED sections must be empty.
#
# Note: If you are not familiar with Netfilter to the point where you are
#       comfortable with the differences between the various connection
#       tracking states, then I suggest that you omit the ESTABLISHED and
#       RELATED sections and place all of your rules in the NEW section.
#
# You may omit any section that you don't need. If no Section Headers appear
# in the file then all rules are assumed to be in the NEW section.
#
# Columns are:
#
#       ACTION          ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
#                       LOG, QUEUE or an <action>.
#
#                               ACCEPT   -- allow the connection request
#                               ACCEPT+  -- like ACCEPT but also excludes the
#                                           connection from any subsequent
#                                           DNAT[-] or REDIRECT[-] rules
#                               NONAT    -- Excludes the connection from any
#                                           subsequent DNAT[-] or REDIRECT[-]
#                                           rules but doesn't generate a rule
#                                           to accept the traffic.
#                               DROP     -- ignore the request
#                               REJECT   -- disallow the request and return an
#                                           icmp-unreachable or an RST packet.
#                               DNAT     -- Forward the request to another
#                                           system (and optionally another
#                                           port).
#                               DNAT-    -- Advanced users only.
#                                           Like DNAT but only generates the
#                                           DNAT iptables rule and not
#                                           the companion ACCEPT rule.
#                               SAME     -- Similar to DNAT except that the
#                                           port may not be remapped and when
#                                           multiple server addresses are
#                                           listed, all requests from a given
#                                           remote system go to the same
#                                           server.
#                               SAME-    -- Advanced users only.
#                                           Like SAME but only generates the
#                                           NAT iptables rule and not
#                                           the companion ACCEPT rule.
#                               REDIRECT -- Redirect the request to a local
#                                           port on the firewall.
#                               REDIRECT-
#                                        -- Advanced users only.
#                                           Like REDIRECT but only generates the
#                                           REDIRECT iptables rule and not
#                                           the companion ACCEPT rule.
#
#                               CONTINUE -- (For experts only). Do not process
#                                           any of the following rules for this
#                                           (source zone,destination zone). If
#                                           the source and/or destination IP
#                                           address falls into a zone defined
#                                           later in /etc/shorewall/zones, this
#                                           connection request will be passed
#                                           to the rules defined for that
#                                           (those) zone(s).
#                               LOG      -- Simply log the packet and continue.
#                               QUEUE    -- Queue the packet to a user-space
#                                           application such as ftwall
#                                           (http://p2pwall.sf.net).
#                               <action> -- The name of an action defined in
#                                           /etc/shorewall/actions or in
#                                           /usr/share/shorewall/actio
#                               <macro>  -- The name of a macro defined in a
#                                           file named macro.<macro-name>. If
#                                           the macro accepts an action
#                                           parameter (Look at the macro
#                                           source to see if it has PARAM in
#                                           the TARGET column) then the macro
#                                           name is followed by "/" and the
#                                           action (ACCEPT, DROP, REJECT, ...)
#                                           to be substituted for the
#                                           parameter. Example: FTP/ACCEPT.
#
#                       The ACTION may optionally be followed
#                       by ":" and a syslog log level (e.g., REJECT:info or
#                       DNAT:debug). This causes the packet to be
#                       logged at the specified level.
#
#                       If the ACTION names an action defined in
#                       /etc/shorewall/actions or in
#                       /usr/share/shorewall/actio
#
#                       - If the log level is followed by "!" then all rules
#                         in the action are logged at the log level.
#
#                       - If the log level is not followed by "!" then only
#                         those rules in the action that do not specify
#                         logging are logged at the specified level.
#
#                       - The special log level 'none!' suppresses logging
#                         by the action.
#
#                       You may also specify ULOG (must be in upper case) as a
#                       log level. This will log to the ULOG target for routing
#                       to a separate log through use of ulogd
#                       (http://www.gnumonks.org/projects/ulogd).
#
#                       Actions specifying logging may be followed by a
#                       log tag (a string of alphanumeric characters)
#                       which is appended to the string generated by the
#                       LOGPREFIX (in /etc/shorewall/shorewall.c
#
#                       Example: ACCEPT:info:ftp would include 'ftp '
#                       at the end of the log prefix generated by the
#                       LOGPREFIX setting.
#
#       SOURCE          Source hosts to which the rule applies. May be a zone
#                       defined in /etc/shorewall/zones, $FW to indicate the
#                       firewall itself, "all", "all+" or "none". If the ACTION
#                       is DNAT or REDIRECT, sub-zones of the specified zone
#                       may be excluded from the rule by following the zone
#                       name with "!" and a comma-separated list of sub-zone
#                       names.
#
#                       When "none" is used either in the SOURCE or DEST
#                       column, the rule is ignored.
#
#                       When "all" is used either in the SOURCE or DEST column
#                       intra-zone traffic is not affected. When "all+" is
#                       used, intra-zone traffic is affected.
#
#                       Except when "all[+]" is specified, clients may be
#                       further restricted to a list of subnets and/or hosts by
#                       appending ":" and a comma-separated list of subnets
#                       and/or hosts. Hosts may be specified by IP or MAC
#                       address; mac addresses must begin with "~" and must use
#                       "-" as a separator.
#
#                       Hosts may be specified as an IP address range using the
#                       syntax <low address>-<high address>. This requires that
#                       your kernel and iptables contain iprange match support.
#                       If your kernel and iptables have ipset match support
#                       then you may give the name of an ipset prefaced by "+".
#                       The ipset name may be optionally followed by a number
#                       from 1 to 6 enclosed in square brackets ([]) to
#                       indicate the number of levels of source bindings to be
#                       matched.
#
#                       dmz:192.168.2.2         Host 192.168.2.2 in the DMZ
#
#                       net:155.186.235.0/24    Subnet 155.186.235.0/24 on the
#                                               Internet
#
#                       loc:192.168.1.1,192.168.1.
#                                               Hosts 192.168.1.1 and
#                                               192.168.1.2 in the local zone.
#                       loc:~00-A0-C9-15-39-78  Host in the local zone with
#                                               MAC address 00:A0:C9:15:39:78.
#
#                       net:192.0.2.11-192.0.2.17
#                                               Hosts 192.0.2.11-192.0.2.17 in
#                                               the net zone.
#
#                       Alternatively, clients may be specified by interface
#                       by appending ":" to the zone name followed by the
#                       interface name. For example, loc:eth1 specifies a
#                       client that communicates with the firewall system
#                       through eth1. This may be optionally followed by
#                       another colon (":") and an IP/MAC/subnet address
#                       as described above (e.g., loc:eth1:192.168.1.5).
#
#       DEST            Location of Server. May be a zone defined in
#                       /etc/shorewall/zones, $FW to indicate the firewall
#                       itself, "all", "all+" or "none".
#
#                       When "none" is used either in the SOURCE or DEST
#                       column, the rule is ignored.
#
#                       When "all" is used either in the SOURCE or DEST column
#                       intra-zone traffic is not affected. When "all+" is
#                       used, intra-zone traffic is affected.
#
#                       Except when "all[+]" is specified, the server may be
#                       further restricted to a particular subnet, host or
#                       interface by appending ":" and the subnet, host or
#                       interface. See above.
#
#                               Restrictions:
#
#                               1. MAC addresses are not allowed.
#                               2. In DNAT rules, only IP addresses are
#                                  allowed; no FQDNs or subnet addresses
#                                  are permitted.
#                               3. You may not specify both an interface and
#                                  an address.
#
#                       Like in the SOURCE column, you may specify a range of
# Â Â Â Â Â Â Â Â Â Â Â up to 256 IP addresses using the syntax
# Â Â Â Â Â Â Â Â Â Â Â <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# Â Â Â Â Â Â Â Â Â Â Â the connections will be assigned to addresses in the
# Â Â Â Â Â Â Â Â Â Â Â range in a round-robin fashion.
#
# Â Â Â Â Â Â Â Â Â Â Â If you kernel and iptables have ipset match support
# Â Â Â Â Â Â Â Â Â Â Â then you may give the name of an ipset prefaced by "+".
# Â Â Â Â Â Â Â Â Â Â Â The ipset name may be optionally followed by a number
# Â Â Â Â Â Â Â Â Â Â Â from 1 to 6 enclosed in square brackets ([]) to
# Â Â Â Â Â Â Â Â Â Â Â indicate the number of levels of destination bindings
# Â Â Â Â Â Â Â Â Â Â Â to be matched. Only one of the SOURCE and DEST columns
# Â Â Â Â Â Â Â Â Â Â Â may specify an ipset name.
#
# Â Â Â Â Â Â Â Â Â Â Â The port that the server is listening on may be
# Â Â Â Â Â Â Â Â Â Â Â included and separated from the server's IP address by
# Â Â Â Â Â Â Â Â Â Â Â ":". If omitted, the firewall will not modifiy the
# Â Â Â Â Â Â Â Â Â Â Â destination port. A destination port may only be
# Â Â Â Â Â Â Â Â Â Â Â included if the ACTION is DNAT or REDIRECT.
#
# Â Â Â Â Â Â Â Â Â Â Â Example: loc:192.168.1.3:3128 specifies a local
# Â Â Â Â Â Â Â Â Â Â Â server at IP address 192.168.1.3 and listening on port
# Â Â Â Â Â Â Â Â Â Â Â 3128. The port number MUST be specified as an integer
# Â Â Â Â Â Â Â Â Â Â Â and not as a name from /etc/services.
#
# Â Â Â Â Â Â Â Â Â Â Â if the ACTION is REDIRECT, this column needs only to
# Â Â Â Â Â Â Â Â Â Â Â contain the port number on the firewall that the
# Â Â Â Â Â Â Â Â Â Â Â request should be redirected to.
#
# Â Â Â PROTO Â Â Â Â Â Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
# Â Â Â Â Â Â Â Â Â Â Â "ipp2p:udp", "ipp2p:all" a number, or "all".
# Â Â Â Â Â Â Â Â Â Â Â "ipp2p*" requires ipp2p match support in your kernel
# Â Â Â Â Â Â Â Â Â Â Â and iptables.
#
# Â Â Â DEST PORT(S) Â Â Destination Ports. A comma-separated list of Port
# Â Â Â Â Â Â Â Â Â Â Â names (from /etc/services), port numbers or port
# Â Â Â Â Â Â Â Â Â Â Â ranges; if the protocol is "icmp", this column is
# Â Â Â Â Â Â Â Â Â Â Â interpreted as the destination icmp-type(s).
#
# Â Â Â Â Â Â Â Â Â Â Â If the protocol is ipp2p, this column is interpreted
# Â Â Â Â Â Â Â Â Â Â Â as an ipp2p option without the leading "--" (example
# Â Â Â Â Â Â Â Â Â Â Â "bit" for bit-torrent). If no port is given, "ipp2p" is
# Â Â Â Â Â Â Â Â Â Â Â assumed.
#
# Â Â Â Â Â Â Â Â Â Â Â A port range is expressed as <low port>:<high port>.
#
# Â Â Â Â Â Â Â Â Â Â Â This column is ignored if PROTOCOL = all but must be
# Â Â Â Â Â Â Â Â Â Â Â entered if any of the following ields are supplied.
# Â Â Â Â Â Â Â Â Â Â Â In that case, it is suggested that this field contain
# Â Â Â Â Â Â Â Â Â Â Â Â "-"
#
# Â Â Â Â Â Â Â Â Â Â Â If your kernel contains multi-port match support, then
# Â Â Â Â Â Â Â Â Â Â Â only a single Netfilter rule will be generated if in
# Â Â Â Â Â Â Â Â Â Â Â this list and the CLIENT PORT(S) list below:
# Â Â Â Â Â Â Â Â Â Â Â 1. There are 15 or less ports listed.
# Â Â Â Â Â Â Â Â Â Â Â 2. No port ranges are included.
# Â Â Â Â Â Â Â Â Â Â Â Otherwise, a separate rule will be generated for each
# Â Â Â Â Â Â Â Â Â Â Â port.
#
# Â Â Â CLIENT PORT(S) Â (Optional) Port(s) used by the client. If omitted,
# Â Â Â Â Â Â Â Â Â Â Â any source port is acceptable. Specified as a comma-
# Â Â Â Â Â Â Â Â Â Â Â separated list of port names, port numbers or port
# Â Â Â Â Â Â Â Â Â Â Â ranges.
#
# Â Â Â Â Â Â Â Â Â Â Â If you don't want to restrict client ports but need to
# Â Â Â Â Â Â Â Â Â Â Â specify an ORIGINAL DEST in the next column, then
# Â Â Â Â Â Â Â Â Â Â Â place "-" in this column.
#
# Â Â Â Â Â Â Â Â Â Â Â If your kernel contains multi-port match support, then
# Â Â Â Â Â Â Â Â Â Â Â only a single Netfilter rule will be generated if in
# Â Â Â Â Â Â Â Â Â Â Â this list and the DEST PORT(S) list above:
# Â Â Â Â Â Â Â Â Â Â Â 1. There are 15 or less ports listed.
# Â Â Â Â Â Â Â Â Â Â Â 2. No port ranges are included.
# Â Â Â Â Â Â Â Â Â Â Â Otherwise, a separate rule will be generated for each
# Â Â Â Â Â Â Â Â Â Â Â port.
#
# Â Â Â ORIGINAL DEST Â (0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
# Â Â Â Â Â Â Â Â Â Â Â then if included and different from the IP
# Â Â Â Â Â Â Â Â Â Â Â address given in the SERVER column, this is an address
# Â Â Â Â Â Â Â Â Â Â Â on some interface on the firewall and connections to
# Â Â Â Â Â Â Â Â Â Â Â that address will be forwarded to the IP and port
# Â Â Â Â Â Â Â Â Â Â Â specified in the DEST column.
#
# Â Â Â Â Â Â Â Â Â Â Â A comma-separated list of addresses may also be used.
# Â Â Â Â Â Â Â Â Â Â Â This is usually most useful with the REDIRECT target
# Â Â Â Â Â Â Â Â Â Â Â where you want to redirect traffic destined for
# Â Â Â Â Â Â Â Â Â Â Â particular set of hosts.
#
# Â Â Â Â Â Â Â Â Â Â Â Finally, if the list of addresses begins with "!" then
# Â Â Â Â Â Â Â Â Â Â Â the rule will be followed only if the original
# Â Â Â Â Â Â Â Â Â Â Â destination address in the connection request does not
# Â Â Â Â Â Â Â Â Â Â Â match any of the addresses listed.
#
# Â Â Â Â Â Â Â Â Â Â Â For other actions, this column may be included and may
# Â Â Â Â Â Â Â Â Â Â Â contain one or more addresses (host or network)
# Â Â Â Â Â Â Â Â Â Â Â separated by commas. Address ranges are not allowed.
# Â Â Â Â Â Â Â Â Â Â Â When this column is supplied, rules are generated
# Â Â Â Â Â Â Â Â Â Â Â that require that the original destination address
# Â Â Â Â Â Â Â Â Â Â Â matches one of the listed addresses. This feature is
# Â Â Â Â Â Â Â Â Â Â Â most useful when you want to generate a filter rule
# Â Â Â Â Â Â Â Â Â Â Â that corresponds to a DNAT- or REDIRECT- rule. In this
# Â Â Â Â Â Â Â Â Â Â Â usage, the list of addresses should not begin with "!".
#
#            See http://shorewall.net/PortKnocking.html for an
# Â Â Â Â Â Â Â Â Â Â Â example of using an entry in this column with a
# Â Â Â Â Â Â Â Â Â Â Â user-defined action rule.
#
# Â Â Â RATE LIMIT Â Â Â You may rate-limit the rule by placing a value in
# Â Â Â Â Â Â Â Â Â Â Â this colume:
#
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â <rate>/<interval>[:<burst>
#
# Â Â Â Â Â Â Â Â Â Â Â where <rate> is the number of connections per
# Â Â Â Â Â Â Â Â Â Â Â <interval> ("sec" or "min") and <burst> is the
# Â Â Â Â Â Â Â Â Â Â Â largest burst permitted. If no <burst> is given,
# Â Â Â Â Â Â Â Â Â Â Â a value of 5 is assumed. There may be no
# Â Â Â Â Â Â Â Â Â Â Â no whitespace embedded in the specification.
#
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Example: 10/sec:20
#
# Â Â Â USER/GROUP Â Â Â This column may only be non-empty if the SOURCE is
# Â Â Â Â Â Â Â Â Â Â Â the firewall itself.
#
# Â Â Â Â Â Â Â Â Â Â Â The column may contain:
#
# Â Â Â [!][<user name or number>][:<group name or number>][+<program name>]
#
# Â Â Â Â Â Â Â Â Â Â Â When this column is non-empty, the rule applies only
# Â Â Â Â Â Â Â Â Â Â Â if the program generating the output is running under
# Â Â Â Â Â Â Â Â Â Â Â the effective <user> and/or <group> specified (or is
# Â Â Â Â Â Â Â Â Â Â Â NOT running under that id if "!" is given).
#
# Â Â Â Â Â Â Â Â Â Â Â Examples:
#
#                joe   #program must be run by joe
#                :kids  #program must be run by a member of
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â #the 'kids' group
#                !:kids  #program must not be run by a member
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â #of the 'kids' group
#                +upnpd  #program named upnpd (This feature was
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â #removed from Netfilter in kernel
# Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â #version 2.6.14).
#
#       Example: Accept SMTP requests from the DMZ to the internet
#
#       #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
#       #                               PORT    PORT(S) DEST
#       ACCEPT  dmz     net     tcp     smtp
#
#       Example: Forward all ssh and http connection requests from the
#                internet to local system 192.168.1.3
#
#       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                       PORT    PORT(S) DEST
#       DNAT    net     loc:192.168.1.3 tcp     ssh,http
#
#       Example: Forward all http connection requests from the internet
#                to local system 192.168.1.3 with a limit of 3 per second and
#                a maximum burst of 10
#
#       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL        RATE
#       #                                       PORT    PORT(S) DEST            LIMIT
#       DNAT    net     loc:192.168.1.3 tcp     http    -       -               3/sec:10
#
#       Example: Redirect all locally-originating www connection requests to
#                port 3128 on the firewall (Squid running on the firewall
#                system) except when the destination address is 192.168.2.2
#
#       #ACTION   SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
#       #                                 PORT    PORT(S) DEST
#       REDIRECT  loc     3128    tcp     www     -       !192.168.2.2
#
#       Example: All http requests from the internet to address
#                130.252.100.69 are to be forwarded to 192.168.1.3
#
#       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                       PORT    PORT(S) DEST
#       DNAT    net     loc:192.168.1.3 tcp     80      -       130.252.100.69
#
#       Example: You want to accept SSH connections to your firewall only
#                from internet IP addresses 130.252.100.69 and 130.252.100.70
#
#       #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
#       #                               PORT    PORT(S) DEST
#       ACCEPT  net:130.252.100.69,130.252
#                               tcp     22
##########################
#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
#                                               PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT  LANA    $FW     TCP     ssh
ACCEPT  LANB    $FW     TCP     ssh
ACCEPT  PCLAN   $FW     TCP     ssh
#ACCEPT MGMT    $FW     TCP     ssh
ACCEPT  LANA    $FW     TCP     http
ACCEPT  LANB    $FW     TCP     http
ACCEPT  PCLAN   $FW     TCP     http
#ACCEPT MGMT    $FW     TCP     http
ACCEPT  LANA    $FW     TCP     https
ACCEPT  LANB    $FW     TCP     https
ACCEPT  PCLAN   $FW     TCP     https
#ACCEPT MGMT    $FW     TCP     https
ACCEPT  $FW     MGMT    UDP     53
ACCEPT  $FW     MGMT    TCP     53
DROP    MGMT    $FW     TCP     113
DROP    MGMT    $FW     UDP     113
# 514 is the syslog port.  Accept both TCP (syslog-ng) and UDP (sysklogd)
ACCEPT  LANA    $FW     TCP     514
ACCEPT  LANA    $FW     UDP     514
ACCEPT  LANB    $FW     TCP     514
ACCEPT  LANB    $FW     UDP     514
ACCEPT  PCLAN   $FW     TCP     514
ACCEPT  PCLAN   $FW     UDP     514
# allow any icmp out.
ACCEPT  $FW     LANA    ICMP
ACCEPT  $FW     LANB    ICMP
ACCEPT  $FW     PCLAN   ICMP
ACCEPT  $FW     LANA    TCP     ssh
ACCEPT  $FW     LANB    TCP     ssh
ACCEPT  $FW     PCLAN   TCP     ssh
ACCEPT  $FW     LANA    TCP     snmp
ACCEPT  $FW     LANB    TCP     snmp
ACCEPT  $FW     PCLAN   TCP     snmp
ACCEPT  $FW     LANA    UDP     snmp
ACCEPT  $FW     LANB    UDP     snmp
ACCEPT  $FW     PCLAN   UDP     snmp
ACCEPT  $FW     LANA    TCP     ntp
ACCEPT  $FW     LANB    TCP     ntp
# 10000 is webmin.  Accept temporarily until everyone
# understands how to ssh portforward
# 113 is identd.  Irrelevant and idiotic.
ACCEPT  PCLAN   $FW     tcp     10000
DROP    LANA    $FW     TCP     113
DROP    LANB    $FW     TCP     113
DROP    PCLAN   $FW     TCP     113
DROP    LANA    $FW     UDP     113
DROP    LANB    $FW     UDP     113
DROP    PCLAN   $FW     UDP     113
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--------------------------
[root@netmon shorewall]# iptables -L
Chain INPUT (policy DROP)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere
eth0_in   all  --  anywhere       anywhere
eth1_in   all  --  anywhere       anywhere
eth2_in   all  --  anywhere       anywhere
eth3_in   all  --  anywhere       anywhere
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain FORWARD (policy DROP)
target   prot opt source        destination
eth0_fwd  all  --  anywhere       anywhere
eth1_fwd  all  --  anywhere       anywhere
eth2_fwd  all  --  anywhere       anywhere
eth3_fwd  all  --  anywhere       anywhere
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain OUTPUT (policy DROP)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere
fw2LANA   all  --  anywhere       anywhere
fw2LANB   all  --  anywhere       anywhere
fw2PCLAN  all  --  anywhere       anywhere
fw2MGMT   all  --  anywhere       anywhere
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain Drop (10 references)
target   prot opt source        destination
reject   tcp  --  anywhere       anywhere       tcp dpt:auth
dropBcast  all  --  anywhere       anywhere
ACCEPT   icmp --  anywhere       anywhere       icmp fragmentation-needed
ACCEPT   icmp --  anywhere       anywhere       icmp time-exceeded
dropInvalid  all  --  anywhere       anywhere
DROP    udp  --  anywhere       anywhere       multiport dports 135,microsoft-ds
DROP    udp  --  anywhere       anywhere       udp dpts:netbios-ns:netbios-ss
DROP    udp  --  anywhere       anywhere       udp spt:netbios-ns dpts:1024:65535
DROP    tcp  --  anywhere       anywhere       multiport dports 135,netbios-ssn,microsoft-
DROP    udp  --  anywhere       anywhere       udp dpt:1900
dropNotSyn  tcp  --  anywhere       anywhere
DROP    udp  --  anywhere       anywhere       udp spt:domain
Chain LANA2fw (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:http
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:https
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:shell
ACCEPT   udp  --  anywhere       anywhere       udp dpt:syslog
DROP    tcp  --  anywhere       anywhere       tcp dpt:auth
DROP    udp  --  anywhere       anywhere       udp dpt:auth
all2fw   all  --  anywhere       anywhere
Chain LANB2fw (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:http
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:https
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:shell
ACCEPT   udp  --  anywhere       anywhere       udp dpt:syslog
DROP    tcp  --  anywhere       anywhere       tcp dpt:auth
DROP    udp  --  anywhere       anywhere       udp dpt:auth
all2fw   all  --  anywhere       anywhere
Chain MGMT2all (0 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain MGMT2fw (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
DROP    tcp  --  anywhere       anywhere       tcp dpt:auth
DROP    udp  --  anywhere       anywhere       udp dpt:auth
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain PCLAN2fw (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:http
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:https
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:shell
ACCEPT   udp  --  anywhere       anywhere       udp dpt:syslog
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:10000
DROP    tcp  --  anywhere       anywhere       tcp dpt:auth
DROP    udp  --  anywhere       anywhere       udp dpt:auth
all2fw   all  --  anywhere       anywhere
Chain Reject (0 references)
target   prot opt source        destination
reject   tcp  --  anywhere       anywhere       tcp dpt:auth
dropBcast  all  --  anywhere       anywhere
ACCEPT   icmp --  anywhere       anywhere       icmp fragmentation-needed
ACCEPT   icmp --  anywhere       anywhere       icmp time-exceeded
dropInvalid  all  --  anywhere       anywhere
reject   udp  --  anywhere       anywhere       multiport dports 135,microsoft-ds
reject   udp  --  anywhere       anywhere       udp dpts:netbios-ns:netbios-ss
reject   udp  --  anywhere       anywhere       udp spt:netbios-ns dpts:1024:65535
reject   tcp  --  anywhere       anywhere       multiport dports 135,netbios-ssn,microsoft-
DROP    udp  --  anywhere       anywhere       udp dpt:1900
dropNotSyn  tcp  --  anywhere       anywhere
DROP    udp  --  anywhere       anywhere       udp spt:domain
Chain all2MGMT (0 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain all2all (12 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain all2fw (3 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain dropBcast (2 references)
target   prot opt source        destination
DROP    all  --  anywhere       anywhere       PKTTYPE = broadcast
DROP    all  --  anywhere       anywhere       PKTTYPE = multicast
Chain dropInvalid (2 references)
target   prot opt source        destination
DROP    all  --  anywhere       anywhere       state INVALID
Chain dropNotSyn (2 references)
target   prot opt source        destination
DROP    tcp  --  anywhere       anywhere       tcp flags:!SYN,RST,ACK/SYN
Chain dynamic (8 references)
target   prot opt source        destination
Chain eth0_fwd (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
Chain eth0_in (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
LANA2fw   all  --  anywhere       anywhere
Chain eth1_fwd (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
Chain eth1_in (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
LANB2fw   all  --  anywhere       anywhere
Chain eth2_fwd (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
Chain eth2_in (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
PCLAN2fw  all  --  anywhere       anywhere
Chain eth3_fwd (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
all2all   all  --  anywhere       anywhere
Chain eth3_in (1 references)
target   prot opt source        destination
dynamic   all  --  anywhere       anywhere       state INVALID,NEW
MGMT2fw   all  --  anywhere       anywhere
Chain fw2LANA (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   icmp --  anywhere       anywhere
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:snmp
ACCEPT   udp  --  anywhere       anywhere       udp dpt:snmp
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ntp
fw2all   all  --  anywhere       anywhere
Chain fw2LANB (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   icmp --  anywhere       anywhere
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:snmp
ACCEPT   udp  --  anywhere       anywhere       udp dpt:snmp
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ntp
fw2all   all  --  anywhere       anywhere
Chain fw2MGMT (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   udp  --  anywhere       anywhere       udp dpt:domain
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:domain
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain fw2PCLAN (1 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
ACCEPT   icmp --  anywhere       anywhere
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:ssh
ACCEPT   tcp  --  anywhere       anywhere       tcp dpt:snmp
ACCEPT   udp  --  anywhere       anywhere       udp dpt:snmp
fw2all   all  --  anywhere       anywhere
Chain fw2all (3 references)
target   prot opt source        destination
ACCEPT   all  --  anywhere       anywhere       state RELATED,ESTABLISHED
Drop    all  --  anywhere       anywhere
DROP    all  --  anywhere       anywhere
Chain reject (6 references)
target   prot opt source        destination
DROP    all  --  anywhere       anywhere       PKTTYPE = broadcast
DROP    all  --  anywhere       anywhere       PKTTYPE = multicast
DROP    all  --  255.255.255.255    anywhere
DROP    all  --  224.0.0.0/4      anywhere
REJECT   tcp  --  anywhere       anywhere       reject-with tcp-reset
REJECT   udp  --  anywhere       anywhere       reject-with icmp-port-unreachable
REJECT   icmp --  anywhere       anywhere       reject-with icmp-host-unreachable
REJECT   all  --  anywhere       anywhere       reject-with icmp-host-prohibited
Chain shorewall (0 references)
target   prot opt source        destination
Chain smurfs (0 references)
target   prot opt source        destination
LOG     all  --  255.255.255.255    anywhere       LOG level info prefix `Shorewall:smurfs:DROP:'
DROP    all  --  255.255.255.255    anywhere
LOG     all  --  224.0.0.0/4      anywhere       LOG level info prefix `Shorewall:smurfs:DROP:'
DROP    all  --  224.0.0.0/4      anywhere
[root@netmon shorewall]#
One more comment. After disabling ARP on your silent host, to keep connectivity between it and its management station you need to add the static MAC of the management station as well (so you need to run "arp -s x.x.x.x ..." on your stealth host before turning off ARP on the ethernet interface).
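The ordering the comment above describes, pin the management station's MAC first and only then turn ARP off, as an added shell example that is not from the thread. The interface name, addresses and MAC are constructed placeholders, `arp -s` is the command the comment names, and `ip link set ... arp off` is assumed as the iproute2 equivalent of `ifconfig <if> -arp`; `DRY_RUN=1` prints the commands instead of running them so the sequence can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): make a monitoring host stop answering
# ARP without losing its management station. The static entry MUST go in
# before ARP is disabled; afterwards the host can no longer resolve anyone.
# The management station needs a matching static entry for this host too,
# since it will no longer receive ARP replies from it.

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

valid_mac() {
    # colon-separated form as shown by nmap ("00:04:23:B2:14:F1")
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

run() {
    # DRY_RUN=1: print the command instead of executing it
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# silence_arp IFACE MGMT_IP MGMT_MAC
# Returns 0 on success, 2 on bad input, 1 if a command failed.
# Refuses to turn ARP off unless the static entry was installed first.
silence_arp() {
    iface=$1; mgmt_ip=$2; mgmt_mac=$3
    [ -n "$iface" ] || { echo "missing interface" >&2; return 2; }
    valid_ipv4 "$mgmt_ip" || { echo "bad IPv4 address: $mgmt_ip" >&2; return 2; }
    valid_mac "$mgmt_mac" || { echo "bad MAC address: $mgmt_mac" >&2; return 2; }

    # 1. permanent neighbour entry for the management station (the
    #    "arp -s x.x.x.x ..." step from the comment above)
    run arp -i "$iface" -s "$mgmt_ip" "$mgmt_mac" || return 1
    # 2. only now stop sending and answering ARP on this interface
    #    (assumed iproute2 form of "ifconfig $iface -arp")
    run ip link set dev "$iface" arp off || return 1
}

# arp_is_off IFACE: true if the kernel reports IFF_NOARP (0x80) on the link
arp_is_off() {
    flags=$(cat "/sys/class/net/$1/flags" 2>/dev/null) || return 1
    [ $(( flags & 0x80 )) -ne 0 ]
}

# Constructed demo values; set DEMO=1 to print the command sequence.
if [ "${DEMO:-0}" = "1" ]; then
    DRY_RUN=1 silence_arp eth0 192.168.0.10 00:11:22:33:44:55
fi
```

Run with `DEMO=1 sh stealth.sh` to see the two commands in order; without `DRY_RUN` the function needs root and a real interface.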
ASKER
Ideally, I would want it to be undetectable from the outside, but still usable from the inside out.
You're right, I didn't see any way to do that as long as there's any possibility of incoming traffic, because of layer two issues. But I'm no expert; that's why I ask.