shorewall - interfaces, zones and proxyarp


interfaces

When an interface belongs to several zones at the same time, put "-" in that (ZONE) column instead.

The host-to-zone relationship can then be defined in /etc/shorewall/hosts.

#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth0        10.0.0.255      dhcp
loc     eth1        192.168.1.255   <-- if this interface has several IPs, list the broadcast addresses separated by ","
dmz     eth2        detect          <-- shorewall works it out itself; for P-T-P use "-"


BROADCAST {-|detect|address}

For P-T-P interfaces, this column is left blank.

multiple subnets: give the broadcast addresses as a comma-separated list


OPTIONS

* the option list must contain no embedded white-space

routeback

allow traffic arriving on this interface to be routed back out that same interface

bridge

# eth1 ---\
#          br0
# eth2 ---/

# ZONE   INTERFACE  BROADCAST    OPTIONS
loc      br0        10.0.1.255   bridge

* this option also sets routeback

dhcp

  • the interface obtains its IP via DHCP, or
  • a DHCP server is running on this interface

blacklist=1  <--- static blacklisting (entries in /etc/shorewall/blacklist). You can blacklist by source address (IP or MAC)

# 192.168.0.2 ---> port 53
# ADDRESS/SUBNET  PROTOCOL  PORT                  OPTIONS(dst|src)
# 192.168.0.2     udp       53                    src    <-- the default is to match on src
# -               udp       1024:1033,1434               <-- block these ports from any address


maclist=1 <--- /etc/shorewall/maclist

# DISPOSITION   INTERFACE   MAC   IP


proxyarp=1 <--- /etc/shorewall/proxyarp

# Client ---> |eth1 --- eth0| ---> wan
# ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE  PERSISTENT
# 155.186.235.6  eth1        eth0        -          yes
# HAVEROUTE=no     Shorewall adds the route for you.
# PERSISTENT=no    shorewall stop or shorewall clear deletes the route again.


nosmurfs

# Filter packets for smurfs (packets with a broadcast address as the source).

routefilter[=0|1|2]

# Turn on kernel route filtering for this interface (anti-spoofing measure).

2: loose reverse path filtering (1 is the strict form)

tcpflags

# Packets arriving on this interface are checked for certain illegal combinations of TCP flags.

logmartians=0


arp_filter=0

# respond to ARP who-has requests for IP addresses on any of the firewall's interfaces


nets=dynamic

# Defines the zone as dynamic. Requires ipset match support in your iptables and kernel.

zones

#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
wan     ipv4
lxc     -

TYPE values:

ipv4
# standard Shorewall zone type; the default if you leave this column empty (or '-')

ipsec
# Communication with all zone hosts is encrypted

firewall
# Designates the firewall itself.
# You must have exactly one 'firewall' zone.

As for the IN / OUT option columns, there is not much worth setting.
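As an added example (not part of the original notes), here is how the zones, interfaces and hosts files fit together when one interface carries two zones; the interface names, subnets and hardening options are assumed for illustration:

```conf
# /etc/shorewall/zones  (assumed example; fw is the one mandatory 'firewall' zone)
#ZONE   TYPE        OPTIONS     IN          OUT
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces  (assumed names eth0/eth1; BROADCAST column as on this page)
# eth1 serves both loc and dmz, so its ZONE column is "-" and the zones are bound in hosts.
# routeback is needed on eth1 because loc<->dmz traffic leaves on the interface it arrived on.
# routefilter/nosmurfs/tcpflags/logmartians are the anti-spoofing options described above.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter=1,nosmurfs,tcpflags,logmartians=1
-       eth1        detect      routefilter=1,nosmurfs,tcpflags,routeback

# /etc/shorewall/hosts  (assumed private subnets)
#ZONE   HOST(S)                 OPTIONS
loc     eth1:192.168.1.0/24
dmz     eth1:192.168.2.0/24
```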
