[Shorewall-users] cable modem trouble

Lino.Catucci@nuon.com Lino.Catucci@nuon.com
Mon, 22 Apr 2002 10:14:41 +0200


Hello everybody,

I'm a new user of the shorewall firewall and I've a hard problem getting the
firewall working.
Can someone please help me?
Here is my situation:

I've a RedHat linux server with 2 NICs. One is connected to the internet
with a cable modem with a dhcp ip address (24.132.59.69) but I always get
this address so it's almost a static one, and the other one is eth1
connected to my lan with ip address 192.168.0.5
My linux server is used as a firewall and as a webserver and mail server
(Lotus Domino) and I also want to use my server as an internet gateway
(Masquerading) for my other pc's in my lan.

In my lan I've two win2000 machines, one workstation and one laptop, with
ip addresses: 192.168.0.1 and 192.168.0.4
I've downloaded and installed the quick two-interfaces.tgz file and I've
changed the files to my needs.
But there are still problems with internet access from my 2 windows2000
machines. Also I can't receive or send any email, outgoing mail is pending
and incoming mail gets bounced.
It looks like there's no internet connection allowed or there is something
misconfigured.

I've attached the files which I've changed.
Could someone please help me with this problem?

Thank you so much!

Attached files: common, interfaces, masq, params, policy, rules, zones

lino.catucci@nuon.com
or
linocatucci@yahoo.com


Attachment: common

############################################################################
# Shorewall 1.2 -- /etc/shorewall/common.def
#
# This file defines the rules that are applied before a policy of 
# DROP or REJECT is applied. In addition to the rules defined in this file,
# the firewall will also define a DROP rule for each subnet broadcast
# address defined in /etc/shorewall/interfaces (including "detect").
#
# Do not modify this file -- if you wish to change these rules, copy this
# file to /etc/shorewall/common and modify that file.
#
run_iptables -A common -p icmp -j icmpdef
############################################################################
# accept ACKs and RSTs that aren't related to any session so that the 
# protocol stack can handle them
#
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139     -j DROP
run_iptables -A common -p udp --dport 445         -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4     -j DROP
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP


Attachment: interfaces

#
# Shorewall 1.2 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# Columns are:
#
#	ZONE		Zone for this interface. Must match the short name
#			of a zone defined in /etc/shorewall/zones.
#
#			$<variable-name> is not allowed in this column.
#
#	INTERFACE	Name of interface
#
#	BROADCAST	The broadcast address for the subnetwork to which the
#			interface belongs. For P-T-P interfaces, this
#			column is left blank.
#
#			If you use the special value "detect", the firewall
#			will detect the broadcast address for you. If you
#			select this option, the interface must be up before
#			the firewall is started and you must have iproute
#			installed.
#			
#			If you don't want to give a value for this column but
#			you want to enter a value in the OPTIONS column, enter
#			"-" in this column.
#
#	OPTIONS		A comma-separated list of options including the
#			following:
#
#			dhcp	     - interface is managed by DHCP
#			noping	     - icmp echo-request (ping) packets should
#				       be ignored on this interface
#			routestopped - When the firewall is stopped, allow
#				       and route traffic to and from this
#				       interface.
#			norfc1918    - This interface should not receive
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses).
#			multi	     - This interface has multiple IP
#				       addresses and you want to be able to
#				       route between them.
#			routefilter  - turn on kernel route filtering for this
#				       interface.
#
#	Example 1:	Suppose you have eth0 connected to a DSL modem and
#			eth1 connected to your local network and that your
#			local subnet is 192.168.1.0/24. The interface gets
#			its IP address via DHCP from subnet
#			206.191.149.192/27 and you want pings from the internet
#			to be ignored. You interface a DMZ with subnet
#			192.168.2.0/24 using eth2. You want to be able to
#			access the firewall from the local network when the
#			firewall is stopped.
#
#			Your entries for this setup would look like:
#
#			net	eth0	206.191.149.223	noping,dhcp
#			local	eth1	192.168.1.255	routestopped
#			dmz	eth2	192.168.2.255
#
#	Example 2:	The same configuration without specifying broadcast
#			addresses is:
#
#			net	eth0	detect		noping,dhcp
#			local	eth1	detect		routestopped
#			dmz	eth2	detect
#
#	Example 3:	You have a simple dial-in system with no ethernet
#			connections and you want to ignore ping requests.
#
#			net	ppp0	-		noping
##############################################################################
#ZONE	INTERFACE	BROADCAST	OPTIONS
net     eth0		detect		norfc1918,routefilter,dhcp
loc     eth1  		192.168.0.5	routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Attachment: masq

#
# Shorewall 1.2 - Masquerade file
#
# /etc/shorewall/masq
#
# Use this file to define dynamic NAT (Masquerading)
#
# Columns are:
#
#	INTERFACE -- Outgoing interface. This is usually your internet
#		     interface. This may be qualified by adding the character
#                    ":" followed by a destination host or subnet.
#
#
#	SUBNET -- Subnet that you wish to masquerade. You can specify this as
#		  a subnet or as an interface. If you give the name of an
#		  interface, you must have iproute installed and the interface
#		  must be up before you start the firewall.
#
#	Example 1:
#
#		  You have a simple masquerading setup where eth0 connects to
#		  a DSL or cable modem and eth1 connects to your local network
#		  with subnet 192.168.0.0/24.
#
#		  Your entry in the file can be either:
#
#			eth0	eth1
#
#		  or
#
#			eth0	192.168.0.0/24
#
#	Example 2:
#
#		  You add a router to your local network to connect subnet
#		  192.168.1.0/24 which you also want to masquerade. You then
#		  add the following entry to this file:
#
#			eth0	192.168.1.0/24
#
#	Example 3:
#
#		  You have an IPSEC tunnel through ipsec0 and you want to
#		  masquerade packets coming from 192.168.1.0/24 but only if
#		  these packets are destined for hosts in 10.1.1.0/24:
#
#			ipsec0:10.1.1.0/24	192.168.1.0/24
#
##############################################################################
#INTERFACE	        SUBNET
eth0			eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Attachment: params

#
# Shorewall 1.2 /etc/shorewall/params
#
# This sample can be used to implement a simple firewall on a system with
# two network interfaces. The first interface interfaces to the internet and
# the second interfaces to a local network.
##############################################################################
#
# Specify the name of your internet interface in the following variable.
#
# If you access the internet via dial-up, the interface name will be ppp0.
# If you have an ethernet interface to the internet, your interface name will
# be eth0.

NET_IF=eth0

# Specify the broadcast address for your network interface here. If your
# internet interface is point-to-point (such as with dial-up), then set this
# to "-". If you want Shorewall to automatically detect the broadcast address,
# you can set the variable to "detect"; you will have to start your network
# interface before starting Shorewall for this to work.

NET_BCAST=detect

#
# Specify the interface options in this variable as a comma-separated list.
#
# Possible options are as follows:
#			dhcp	     - interface is managed by DHCP
#			noping	     - icmp echo-request (ping) packets should
#				       be ignored on this interface
#			routestopped - When the firewall is stopped, allow
#				       and route traffic to and from this
#				       interface.
#			norfc1918    - This interface should not receive
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses).
#			multi	     - This interface has multiple IP
#				       addresses and you want to be able to
#				       route between them.
#			routefilter  - turn on kernel route filtering for this
#				       interface.
#

NET_OPTIONS=dhcp,noping,norfc1918

#
# Specify the name of your local interface in the following variable.
#

LOCAL_IF=eth1

# Specify the broadcast address for your local interface here. If your
# local interface is point-to-point, then set this
# to "-". If you want Shorewall to automatically detect the broadcast address,
# you can set the variable to "detect"; you will have to start your network
# interface before starting Shorewall for this to work.

LOCAL_BCAST=detect

#
# Specify the interface options in this variable as a comma-separated list.
#
# Possible options are as follows:
#			dhcp	     - interface is managed by DHCP
#			noping	     - icmp echo-request (ping) packets should
#				       be ignored on this interface
#			routestopped - When the firewall is stopped, allow
#				       and route traffic to and from this
#				       interface.
#			norfc1918    - This interface should not receive
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses).
#			multi	     - This interface has multiple IP
#				       addresses and you want to be able to
#				       route between them.
#			routefilter  - turn on kernel route filtering for this
#				       interface.
#

LOCAL_OPTIONS=routestopped

#
# Specify your local network address range as <network address>/<mask length>
# (example: 192.168.1.0/24).
#

LOCAL_NET=192.168.0.0/24

# Your firewall may need to access the internet for certain services. For example,
# your firewall probably needs to have access to internet DNS servers (port 53). List
# the TCP ports/services that your firewall needs to access as a comma-separated
# list. If your firewall doesn't need to access any internet TCP services, set
# this variable to "none".
#
# Note: If you want open access to the internet from your firewall, uncomment the
# appropriate line in the "policy" file and set FW_TCP_OUT_PORTS and
# FW_UDP_OUT_PORTS to "none".

FW_TCP_OUT_PORTS=none

#
# Similarly, list the internet UDP ports/services that your firewall needs access
# to.
#

FW_UDP_OUT_PORTS=none

# This sample configuration allows you to forward connections to up to two
# systems (servers) in your local network.
#
# List the TCP ports or services that you wish to forward to the first
# server in this variable as a comma-separated list. For example, if you want
# to forward www and https to the first, you would have LOC_TCP_PORTS1=www,https
# or LOC_TCP_PORTS1=80,443 and you would set SERVER1 to the IP address of the
# server. If you don't want to forward any tcp ports, set the
# variable's value to "none".
#

LOC_TCP_PORTS1=80,443,21,22,25,1352

# List the UDP ports or services that you wish to forward to the first
# server in this variable as a comma-separated list. If you don't want to
# forward any udp ports, set the variable's value to "none".

LOC_UDP_PORTS1=none

# List the TCP ports or services on your first server that you wish to be
# able to access from your firewall (comma-separated list). If you don't
# want the firewall to be able to access any tcp ports on your first
# server, set the variable's value to "none"

FW_LOC_TCP_PORTS1=none

# List the UDP ports or services on your first server that you wish to be
# able to access from your firewall (comma-separated list). If you don't
# want the firewall to be able to access any udp ports on your first
# server, set the variable's value to "none"

FW_LOC_UDP_PORTS1=none

#
# Enter the IP address of the server that you want the above ports forwarded
# to.
#

SERVER1=none

# List the TCP ports or services that you wish to forward to the second
# server in this variable as a comma-separated list. For example, if you want
# to forward www and https to the second, you would have LOC_TCP_PORTS2=www,https
# or LOC_TCP_PORTS2=80,443 and you would set SERVER2 to the IP address of the
# server. If you don't want to forward any tcp ports, set the
# variable's value to "none".
#

LOC_TCP_PORTS2=none

# List the UDP ports or services that you wish to forward to the second
# server in this variable as a comma-separated list. If you don't want to
# forward any udp ports, set the variable's value to "none".

LOC_UDP_PORTS2=none

# List the TCP ports or services on your second server that you wish to be
# able to access from your firewall (comma-separated list). If you don't
# want the firewall to be able to access any tcp ports on your second
# server, set the variable's value to "none"

FW_LOC_TCP_PORTS2=none

# List the UDP ports or services on your second server that you wish to be
# able to access from your firewall (comma-separated list). If you don't
# want the firewall to be able to access any udp ports on your second
# server, set the variable's value to "none"

FW_LOC_UDP_PORTS2=none

#
# Enter the IP address of the server that you want the above ports forwarded
# to.
#

SERVER2=none

#
# If you wish to "open" incoming TCP ports for a server running on the
# firewall, list them in this variable as a comma-separated list. For example,
# if you want to enable secure shell (ssh) and FTP, from the internet to your
# firewall, you would have FW_TCP_IN_PORTS=ssh,ftp or FW_TCP_IN_PORTS=22,21.
#
# If you don't run any TCP servers on the firewall, use the value "none"

FW_TCP_IN_PORTS=22,80,25,443,

#
# If you wish to "open" incoming UDP ports for servers running on the
# firewall, list them in this variable as a comma-separated list.
#
# If you don't want to open any UDP ports, use the value "none"

FW_UDP_IN_PORTS=none

#
# You will probably need access to your firewall from your local network for
# administrative tasks. A good way to do this is with ssh (TCP port 22).
#
# Enter the list of TCP ports to open from the local network to the firewall.
# If you don't wish to open any ports, use the value "none"
#
LOC_FW_TCP_PORTS=22,80,443,21,25

#
# Enter the list of UDP ports to open from the local network to the firewall.
# If you don't wish to open any ports, use the value "none"
#
LOC_FW_UDP_PORTS=none

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Attachment: policy

#
# Shorewall 1.2 -- Policy File
#
# /etc/shorewall/policy
#
#	This file determines what to do with a new connection request if we
#	don't get a match from the /etc/shorewall/rules file. For each
#	client/server pair, the file is processed in order until a match is
#	found ("all" will match any client or server).
#
#	$<variable-name> is only permitted in the fourth column (LOG LEVEL).
#
# Columns are:
#
#	SOURCE		Location of client. Must be the name of a zone defined
#			in /etc/shorewall/zones, "fw" or "all".
#
#	DESTINATION	Location of server. Must be the name of a zone defined
#			in /etc/shorewall/zones, "fw" or "all"
#
#	POLICY		Policy if no match from the rules file is found. Must
#			be "ACCEPT", "DENY", "REJECT"
#
#	LOG LEVEL	If supplied, each connection handled under the default
#			POLICY is logged at that level. If not supplied, no
#			log message is generated. See syslog.conf(5) for a
#			description of log levels.
#
#	As shipped, the default policies are:
#
#	a) All connections from the local network to the internet are allowed
#	b) All connections from the internet are ignored but logged at syslog
#	   level KERNEL.INFO.
#	c) All other connection requests are rejected and logged at level
#	   KERNEL.INFO.
###############################################################################
#SOURCE		DESTINATION	POLICY		LOG LEVEL
loc		net		ACCEPT
#
# If you want open access to the internet from your firewall, uncomment the
# following line
#fw		net		ACCEPT
net		all		DROP		info
all		all		REJECT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Attachment: rules

#
# Shorewall version 1.2 - Rules File
#
# /etc/shorewall/rules
#
#	Rules in this file govern connection establishment. Requests and
#	responses are automatically allowed using connection tracking.
#
# Columns are:
#
#
#	RESULT		ACCEPT, DROP or REJECT
#
#				ACCEPT -- allow the connection request
#				DROP   -- ignore the request
#				REJECT -- disallow the request and return an
#					  icmp-unreachable packet.
#
#			The line may NOT start with $<variable-name>
#
#			May optionally be followed by ":" and a syslog log
#			level (e.g, REJECT:info). This causes the packet to be
#			logged at the specified level.
#
#	CLIENT(S)	Hosts permitted to be clients. May be a zone defined
#			in /etc/shorewall/zones or "fw" to indicate the
#			firewall itself.
#
#			Clients may be further restricted to a particular
#			subnet or host by appending ":" and the subnet or host.
#
#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
#						Internet
#
#			Alternatively, clients may be specified by interface
#			by appending ":" followed by the interface name. For
#			example, loc:eth1 specifies a client that
#			communicates with the firewall system through eth1.
#
#	SERVER		Location of Server. May be a zone defined in
#			/etc/shorewall/zones or "fw" to indicate the firewall
#			itself.
#
#			The server may be further restricted to a particular
#			subnet, host or interface by appending ":" and the
#			subnet, host or interface. See above.
#
#			The port that the server is listening on may be
#			included and separated from the server's IP address by
#			":". If omitted, the firewall will not modify the
#			destination port.
#
#			Example: loc:192.168.1.3:8080 specifies a local
#			server at IP address 192.168.1.3 and listening on port
#			8080. The port number MUST be specified as an integer
#			and not as a name from /etc/services.
#
#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
#			"all" or "related". If "related", the remainder of the
#			entry must be omitted and connection requests that are
#			related to existing requests will be accepted.
#
#	PORT(S)		Destination Port. A comma-separated list of Port names
#			(from /etc/services), port numbers or port ranges;
#			if the protocol is "icmp", this column is interpreted as
#			the destination icmp-type. If this column contains the
#			value "none", the rule is ignored.
#
#			This column is ignored if PROTOCOL = all but must be
#			entered if any of the following fields are supplied.
#			In that case, it is suggested that this field contain
#			"-"
#
#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
#			any source port is acceptable.
#
#			If you don't want to restrict client ports but need to
#			specify an ADDRESS in the next column, then place "-"
#			in this column.
#
#	ADDRESS		(Optional) If included and different from the IP
#			address given in the SERVER column, this is an address
#			on some interface on the firewall and connections to
#			that address will be forwarded to the IP and port
#			specified in the SERVER column.
#
#			If the special value "all" is used, then requests from
#			the client zone given in the CLIENT(s) column with the
#			destination port given in PORT(s) will be forwarded to
#			the IP address given in SERVER.
#
#			The address (or "all") may optionally be followed by
#			a colon (":") and an IP address. This causes Shorewall
#			to use the specified IP address as the source address
#			in forwarded packets. See the Shorewall documentation
#			for restrictions concerning this feature. If no source
#			IP address is given, the original source address is not
#			altered.
#
#	Example: Forward all ssh and www connection requests from the internet to
#		 local system 192.168.1.3
#
#	#RESULT CLIENTS	SERVER(S)	  PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
#	ACCEPT	net	loc:192.168.1.3 tcp	ssh,www	-	       all
#
#	Example: Redirect all locally-originating www connection requests to
#		 port 8080 on the firewall (Squid running on the firewall
#		 system)
#
#	#RESULT CLIENTS	SERVER(S) PROTO	PORT(S)	 CLIENT PORT(S)	ADDRESS
#	ACCEPT	loc	fw::8080  tcp	www	 -		all
##############################################################################
#RESULT		CLIENT(S) SERVER(S)	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
#
# Accept outgoing connections from the firewall
#
ACCEPT		fw	  net		tcp	$FW_TCP_OUT_PORTS
ACCEPT		fw	  net		udp	$FW_UDP_OUT_PORTS
#
# Accept incoming connections from the internet to the firewall
#
ACCEPT		net	  fw		tcp	$FW_TCP_IN_PORTS
ACCEPT		net       fw		udp	$FW_UDP_IN_PORTS
#
# To avoid connection delays, reject AUTH if the user hasn't ACCEPTED it above
#
REJECT		net	  fw		tcp	113
#
# Accept connections from the local network to the firewall
#
ACCEPT		loc	  fw		tcp	$LOC_FW_TCP_PORTS
ACCEPT		loc	  fw		udp	$LOC_FW_UDP_PORTS
#
# Ports forwarded to server 1
#
ACCEPT		net	  loc:$SERVER1	tcp	$LOC_TCP_PORTS1	-	all
ACCEPT		net	  loc:$SERVER1	udp	$LOC_UDP_PORTS1 -	all
#
# Firewall to server 1
#
ACCEPT		fw	  loc:$SERVER1	tcp	$FW_LOC_TCP_PORTS1
ACCEPT		fw	  loc:$SERVER1	udp	$FW_LOC_UDP_PORTS1
#
# Ports forwarded to server 2
#
ACCEPT		net	  loc:$SERVER2	tcp	$LOC_TCP_PORTS2 -	all
ACCEPT		net	  loc:$SERVER2	udp	$LOC_UDP_PORTS2 -	all
#
# Firewall to server 2
#
ACCEPT		fw	  loc:$SERVER2	tcp	$FW_LOC_TCP_PORTS2
ACCEPT		fw	  loc:$SERVER2	udp	$FW_LOC_UDP_PORTS2
#
# People whine if ping doesn't work
#
ACCEPT		fw	  loc		icmp	8
ACCEPT		loc	  fw		icmp	8

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Attachment: zones

#
# Shorewall 1.2 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#	ZONE		Short name of the zone
#	DISPLAY		Display name of the zone
#	COMMENTS	Comments about the zone
#
# $<variable-name> is not permitted in this file.
#
#ZONE	DISPLAY		COMMENTS
net	Net		Internet
loc	Local		Local networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
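
As an added example (not part of the original post and not Shorewall's own code), a short Python lint that re-reads the attached params, interfaces and policy files and flags the settings a reviewer would verify first: a BROADCAST entry that is not the broadcast address of LOCAL_NET, an empty entry in a comma-separated port list, forwarded ports with no SERVER address, and a firewall with no outbound access of its own. The inputs are the relevant lines copied from the attachments above; the only format assumed is the whitespace-separated Shorewall 1.2 table layout shown there.

```python
import ipaddress
import re

# Constructed inputs: the relevant lines copied from the attached files.
PARAMS = """
NET_IF=eth0
LOCAL_IF=eth1
LOCAL_NET=192.168.0.0/24
FW_TCP_OUT_PORTS=none
FW_UDP_OUT_PORTS=none
LOC_TCP_PORTS1=80,443,21,22,25,1352
LOC_UDP_PORTS1=none
SERVER1=none
LOC_TCP_PORTS2=none
SERVER2=none
FW_TCP_IN_PORTS=22,80,25,443,
FW_UDP_IN_PORTS=none
LOC_FW_TCP_PORTS=22,80,443,21,25
"""
INTERFACES = """
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter,dhcp
loc     eth1        192.168.0.5 routestopped
"""
POLICY = """
loc     net     ACCEPT
#fw     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""
PORT_ENTRY = re.compile(r"[A-Za-z0-9_\-]+(:[0-9]+)?")  # name, number or range


def parse_params(text):
    """NAME=value lines as the shell would source them; comments skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            out[key.strip()] = val.strip()
    return out


def parse_table(text):
    """Whitespace-separated Shorewall table rows; comment and blank lines skipped."""
    return [line.split() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def port_list_problems(name, value):
    """'none' switches a list off; anything else must consist of well-formed entries."""
    if value == "none":
        return []
    bad = [p for p in value.split(",") if not PORT_ENTRY.fullmatch(p)]
    return [f"{name}: empty or malformed entry in {value!r}"] if bad else []


def lint(params, interfaces, policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    local_net = ipaddress.ip_network(params["LOCAL_NET"])
    expected = str(local_net.broadcast_address)
    for zone, iface, bcast, *_ in interfaces:
        if iface == params["LOCAL_IF"] and bcast not in ("detect", "-", expected):
            findings.append(f"interfaces: {zone}/{iface} BROADCAST {bcast} is not "
                            f"the broadcast address of {local_net} ({expected})")
    for key, val in params.items():
        if "PORTS" in key:
            findings.extend(port_list_problems(key, val))
    for n in ("1", "2"):
        forwarded = any(params.get(f"LOC_{p}_PORTS{n}", "none") != "none"
                        for p in ("TCP", "UDP"))
        if forwarded and params.get(f"SERVER{n}", "none") == "none":
            findings.append(f"params: LOC_*_PORTS{n} lists ports but SERVER{n}=none, "
                            "so the forward rules have no target host")
    fw_net_open = any(row[:3] == ["fw", "net", "ACCEPT"] for row in policy)
    if (not fw_net_open and params["FW_TCP_OUT_PORTS"] == "none"
            and params["FW_UDP_OUT_PORTS"] == "none"):
        findings.append("params/policy: no outbound access for the firewall itself "
                        "(FW_*_OUT_PORTS=none and no active 'fw net ACCEPT' policy), "
                        "so services on it cannot reach DNS or remote mail servers")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_params(PARAMS), parse_table(INTERFACES), parse_table(POLICY)):
        print("-", finding)
```

Run against the attached values it reports four findings; with the broadcast corrected, the trailing comma removed, SERVER1 set and the `fw net ACCEPT` policy line uncommented it reports none.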
