interfaces
當一個 interface 同時屬於多個 zone 時, ZONE 那一欄就用 "-" 代替
我們可以在 /etc/shorewall/hosts 定義 Host, Zone 的關係
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 10.0.0.255 dhcp
loc eth1 192.168.1.255 <-- 如果此 interface 有多個 IP, 那可以用 "," 分隔列出
dmz eth2 detect <-- shorewall 自行決定, P-T-P 就用 "-"
BROADCAST {-|detect|address}
For P-T-P interfaces, this column is left blank (written as "-").
multiple subnets: broadcast addresses as a comma-separated list
OPTIONS
* the OPTIONS list must contain no embedded white-space
routeback
allow traffic arriving on this interface to be routed back out that same interface
bridge
# eth1 |____\ br0
# eth2 | /
# ZONE INTERFACE BROADCAST OPTIONS
loc br0 10.0.1.255 bridge
* this option also sets routeback
dhcp
- 由 DHCP 機制取得 IP
- 此 interface 上有 DHCP server 在運行
blacklist=1 <--- Static blacklisting. You can blacklist by source address (IP or MAC)
# 192.168.0.2 ---> port 53
# ADDRESS/SUBNET PROTOCOL PORT OPTIONS(dst|src)
# 192.168.0.2 udp 53 src <-- Default 是 block src
# - udp 1024:1033,1434 <-- Block port
maclist=1 <--- /etc/shorewall/maclist
# DISPOSITION INTERFACE MAC IP
proxyarp=1 <--- /etc/shorewall/proxyarp
# Client ---> |eth1 --- eth0| ---> wan
# ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
# 155.186.235.6 eth1 eth0 - yes
# HAVEROUTE=no: Shorewall will add the route for you.
# PERSISTENT=no: shorewall stop or shorewall clear will delete the route.
nosmurfs
# Filter packets for smurfs (packets with a broadcast address as the source).
routefilter[=0|1|2]
# Turn on kernel route filtering for this interface (anti-spoofing measure).
# 2: specifies a loose form of reverse path filtering
tcpflags
# Packets arriving on this interface are checked for certain illegal combinations of TCP flags.
logmartians=0
arp_filter=0
# respond to ARP who-has requests for IP addresses on any of the firewall's interfaces
nets=dynamic
#Defines the zone as dynamic. Requires ipset match support in your iptables and kernel.
zones
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
wan ipv4
lxc -
opts:
ipv4
# standard Shorewall zone type (the default type)
# used if you leave this column empty (or '-')
ipsec
# Communication with all zone hosts is encrypted
firewall
# Designates the firewall itself.
# You must have exactly one 'firewall' zone.
至於 IN / OUT 通常沒有什麼需要設定