# [SOLVED]Very basic Shorewall assistance needed - won't go

## stardotstar

Must be my bad but I have been trying to get the most basic shorewall running all night since getting the chance to colocate my server tomorrow.

Everything is pretty much in readyness and I have based my configs on my existing shorewall install but that was debian and I am at a loss with the error I now have.

I had some kernel configs wrong but now I am stumped.

```

helios log # /etc/init.d/shorewall start

 * Caching service dependencies ...                                                                  [ ok ]

 * Starting firewall ...

   WARNING: Zone loc is empty

iptables v1.4.0: bad rate `Yes'

Try `iptables -h' or 'iptables --help' for more information.

/sbin/shorewall: line 375: 16701 Terminated              ${VARDIR}/.start $debugging start           [ !! ]

helios log #

```

```

]

helios log # /etc/init.d/shorewall check

 * Checking configuration files ...

Checking...

Initializing...

Determining Zones...

   IPv4 Zones: net loc

   Firewall Zone: fw

Validating interfaces file...

Validating hosts file...

Pre-processing Actions...

   Pre-processing /usr/share/shorewall/action.Drop...

   Pre-processing /usr/share/shorewall/action.Reject...

Validating Policy file...

Determining Hosts in Zones...

   net Zone: eth0:0.0.0.0/0

   WARNING: Zone loc is empty

Deleting user chains...

Checking /etc/shorewall/routestopped ...

Creating Interface Chains...

Checking Common Rules

Compiling IP Forwarding...

Checking /etc/shorewall/rules...

Checking Actions...

Checking /usr/share/shorewall/action.Drop for Chain Drop...

Checking /usr/share/shorewall/action.Reject for Chain Reject...

Checking /etc/shorewall/policy...

Checking Traffic Control Rules...

Checking Rule Activation...

Shorewall configuration verified                                                                     [ ok ]

helios log #

```

What I want to start with is a set of rules that deny everything from the net to the server except ssh from my home machine.

Fortunately I have iLO on the server so if I get locked out I can local in.  Previously when it was falling over it was locking my ssh client session and every time I had to rebuild the kernel in the iLO console - but it worked well enough to prove that I will be safe enough configuring once I have the machine in the remote rack.

Hope I can get some patient guidance on this.

TIA

Will

my basics are currently this (more and more permissive to try and get it to go)

```

helios shorewall # cat interfaces

#

# Shorewall version 3.4 - Interfaces File

#

# For information about entries in this file, type "man shorewall-interfaces"

#

# For additional information, see

# http://www.shorewall.net/3.0/Documentation.htm#Interfaces

#

###############################################################################

#ZONE   INTERFACE       BROADCAST       OPTIONS

net     eth0            detect          #norfc1918

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

helios shorewall # cat rules

#

# Shorewall version 3.4 - Rules File

#

# For information on the settings in this file, type "man shorewall-rules"

#

# See http://www.shorewall.net/3.0/Documentation.htm#Rules for additional information.

#

#############################################################################################################

#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/      MARK

#                                               PORT    PORT(S)         DEST            LIMIT           GROUP

#SECTION ESTABLISHED

#SECTION RELATED

SECTION NEW

ACCEPT   loc     net    tcp

ACCEPT   net     loc    tcp

ACCEPT   net     loc    udp

ACCEPT   loc     net    udp

ACCEPT   loc     net    icmp

#ACCEPT   net             $FW                tcp    ssh     #SSH to the

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

helios shorewall # cat policy

#

# Shorewall version 3.4 - Policy File

#

# For information about entries in this file, type "man shorewall-policy"

#

# See http://www.shorewall.net/3.0/Documentation.htm#Policy for additional information.

#

###############################################################################

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST

#                                               LEVEL

fw              net                     ACCEPT  info

fw              loc                     ACCEPT  info

loc             fw                      ACCEPT  info

loc             net                     ACCEPT

net             all                     ACCEPT  info

#LAST LINE -- DO NOT REMOVE

```

----------

## steveb

Looks like you have not defined the local zone/interface. Could you post your:/etc/shorewall/zones/etc/shorewall/interfaces

// Steve

----------

## stardotstar

Thank you!

```

helios shorewall # cat zones

#

# Shorewall version 3.4 - Zones File

#

# For information about this file, type "man shorewall-zones"

#

# For more information, see http://www.shorewall.net/3.0/Documentation.htm#Zones

#

###############################################################################

#ZONE   TYPE            OPTIONS         IN                      OUT

#                                       OPTIONS                 OPTIONS

fw      firewall

net     ipv4

loc     ipv4

#dmz     ipv4

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

helios shorewall # cat interfaces

#

# Shorewall version 3.4 - Interfaces File

#

# For information about entries in this file, type "man shorewall-interfaces"

#

# For additional information, see

# http://www.shorewall.net/3.0/Documentation.htm#Interfaces

#

###############################################################################

#ZONE   INTERFACE       BROADCAST       OPTIONS

net     eth0            detect          #norfc1918

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

```

\\'

----------

## steveb

 *stardotstar wrote:*   

> 
> 
> ```
> 
> helios shorewall # cat zones
> ...

 

That is the problem! You have a zone loc but looking in your interfaces file, you don't have any definition for the loc zone. So please disable the loc zone and try to restart Shorewall. Or if you have an interface for loc, then change the interfaces file and add loc with the corresponding interface.

 *stardotstar wrote:*   

> 
> 
> ```
> helios shorewall # cat interfaces
> 
> ...

 

// SteveB

----------

## stardotstar

SteveB - Thank you very much - as soon as I get the server on power I will do as you say and report back!

Will

----------

## steveb

 *stardotstar wrote:*   

> SteveB - Thank you very much - as soon as I get the server on power I will do as you say and report back!

 Okay. If I don't report asap back then it's because I am from Europe and because of the time difference to your location.

 *stardotstar wrote:*   

> Will

 // Steve

----------

## stardotstar

Now I am in over my head; cant wait for the penny to drop...

I have a server on the web at my co-location site.  It currently has one operating lan interface eth0, connected directly to the net via the local vlan gateway.

I have another interface eth1 but it is not up or connected yet.

I also have iLO on another IP.

I don't understand the implications of zones when using a single interface.  Basically I guess I really only have net and fw not loc...  So thinking I should drop the loc policies and try to get fw and net to do what I want.

Initially I want to deny everything from the net to my server but make an exception rule for ssh...

policy

net deny all

rule

net ssh accept

or something like that.

I have been rushed into getting onto site but then again I have no critical services that can be too badly abused...  Apache is not running, proftpd, mysql and so on are all stopped until I get myself sorted.

I would appreciate the support Steve.  

Fully appreciate the time zone implications.  thanks for the efforts so far.

Will

----------

## steveb

Okay. I see. The iLO is non existent for Shorewall since it is sitting on a different system. I know that the iLO is inside the server but it is not running under the control of Shorewall. So forget the iLO for a moment.

Since you only have eth0 and that interface is connected directly to the internet: you only have zone fw (the firewall it self which is anyway nothing more then eth0 but for Shorewall it is the fw zone) and you have zone net (this is everything outside. Any address from the internet).

So in your case you need in zones:

```
fw      firewall

net     ipv4
```

In your interfaces you probably have:

```
net     eth0            detect          arp_filter,tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians
```

In policy you probably have:

```
net             all             DROP

fw              net             ACCEPT

all             all             REJECT
```

And since you only want SSH to be open you have in rules (under the section new):

```
SSH/ACCEPT      net             fw

SSH/ACCEPT      fw              net
```

Is that +/- what you want?

// Steve

----------

## stardotstar

yup - +/-/== what I need  :Smile: 

tHanks steve!

Will

I'll report my success - that makes sense - the fw/net zones - I don't need/have a loc unless I use it to route too right?>

Anyway I won't do anything until they get my iLO IP available outside the facility - for some reason I can get the "It Works" from apache to the eth0 IP from anywhere; but the iLO https connects on the correct IP from the localhost (checking with Lynx) but not from outside.  And having locked myself out several times and having to resort to iLO I won't touch *anything* till it is working 100% - no exceptions.  I have a ticket open - must be a range or vlan thingo.

----------

## steveb

To get Apache to work, you need to add:

```
Web/ACCEPT      net             fw

Web/ACCEPT      fw              net
```

Maybe adding DNS is as well needed (however... we have set fw -> net to ACCEPT so no rule for "fw   net" is really needed but anyway...):

```
DNS/ACCEPT      fw              net
```

// SteveB

----------

## steveb

 *stardotstar wrote:*   

> ... for some reason I can get the "It Works" from apache to the eth0 IP from anywhere; but the iLO https connects on the correct IP from the localhost (checking with Lynx) but not from outside.  And having locked myself out several times and having to resort to iLO I won't touch *anything* till it is working 100% - no exceptions.  I have a ticket open - must be a range or vlan thingo.

 If you can get only from Lynx the connection while connected to the iLO (I assume you do it from the console applet) then this is anyway a local connection. With iLO you are 1 to 1 connected on the local system. If you can't get Apache's "It Works" from outside and you are 100% sure it is not Shorewall blocking you, then it is something wrong with routing or as you wrote with your VLAN setup. Have you looked at the routing configuration from your Gentoo box? Is everything the way you expect it? Do you see the connection attempt in Apaches access_log?

// SteveB

----------

## stardotstar

you misunderstand me steveb;

I cant reach iLO from remote; from remote I can reach apache "It Works" 

BUT I can connect to iLO from lynx in an ssh session on the server...

ya?

----------

## stardotstar

mtr google.com

```
                             My traceroute  [v0.73]

helios (0.0.0.0)                                       Sat Sep 27 18:15:15 2008

Resolver error: No error returned but no answers given. of fields   quit

                                       Packets               Pings

 Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev

 1. corertr1-eqx.sau.net.au           0.0%    21    0.3   0.3   0.3   0.6   0.1

 2. 125.168.255.97                    0.0%    21    0.7   0.7   0.6   1.1   0.1

 3. if-6-1.core1.M3H-Sydney.as6453.n  0.0%    21    0.7   0.7   0.6   0.9   0.1

 4. if-3-0.core1.TV2-Tokyo.as6453.ne  0.0%    21  104.2 104.3 104.1 105.0   0.3

 5. if-5-0-0.core3.HK2-HongKong.as64  0.0%    20  158.0 158.1 157.9 158.6   0.2

 6. Vlan31.icore1.HK2-HongKong.as645  0.0%    20  158.0 161.0 158.0 171.0   3.9

 7. ???

 8. ???

 9. ???

10. 64.233.175.207                    0.0%    20  232.9 234.7 232.0 280.1  10.7

11. 209.85.252.105                    0.0%    20  244.4 249.5 244.2 282.4  10.4

12. 209.85.248.131                    0.0%    20  236.6 245.1 234.7 272.7  12.6

13. 216.239.43.193                    0.0%    20  247.9 257.7 237.4 271.3   9.5

    66.249.95.208

14. 66.249.95.210                     0.0%    20  239.8 244.9 237.5 270.0  10.0

    72.14.232.137

15. 209.85.242.255                    0.0%    20  300.7 301.2 300.3 303.7   0.9

16. 72.14.239.21                      0.0%    20  302.7 303.0 302.4 307.9   1.2

    72.14.236.1517. 216.239.43.189    0.0%    20  310.5 310.9 310.5 312.0   0.4

```

----------

## steveb

 *stardotstar wrote:*   

> BUT I can connect to iLO from lynx in an ssh session on the server...

 Aha! Okay. I see. First of all: Lynx is not good enough for iLO. The reason for that is that iLO requires Java and Lynx can not work with Java.

But beside that: I see your problem now.

Can you ping the iLO address from the SSH session?

// SteveB

----------

## stardotstar

Yes, I can ping iLO interface from the ssh session and I just used lynx to confirm that I could see something on port 443 on that IP...  So still waiting for support to get the physical connections outside the localhost sorted and I should be ok to play.

Kind of not wanting to have the box live on the internet for too long without a fully functioning firewall.  Even though the services are stopped.

Thanks for the ongoing interest steveb.

\\'

----------

## steveb

Then it is the Java requirement which is giving you problems. You can not access iLO from within Lynx. Lynx can not display the graphical login done as a Java applet. That's your problem. What system is that where you have the iLO? Is it one of the old iLO interfaces or is it already one of the new ones where you could use SSH to connect to iLO?

// SteveB

----------

## stardotstar

I understand that Lynx won't actually allow me to use the iLO but it confirms that the iLO is responding to browser requests on https://iLOIPaddr from the localhost ...

Unfortunately I can't get any connection from the outside world - times out.

Clearly the iLO is up and running but not accessible from the OSW so its of no use to me...

The support is reporting that the vlan is correctly connected and all ports are live.  They believe that I have a wrong subnet or gateway programmed into my iLO - which I can't get to from an ssh shell as far as I know - though I haven't explored the dedicated hp toolset I have just installed.  I would have thought that if I could "see" it from the Lynx browser (even if not actually use it due to the java constraints) that would confirm that the subnet mask was ok.  I suppose that I therefore have incorrectly configured the gateway - but wouldn't that just mean that the iLO interface be unable to send out by itself - surely the outside gateway will make a connection from my remote host to the iLO IP without the need for the default gateway to be set on the iLO>>>?>

\\'

----------

## steveb

How have you configured your iLO? Manual IP address or have you set it to use DHCP? If you have manual setup, then you should (/must) set the gateway as well. Else iLO will have problem to talk back.

You have mentioned, that you have access to the iLO. If you have that access, then you can easy verify what network setup you have configured into iLO. And you can change it there.

// SteveB

----------

## stardotstar

All sorted, basically I couldn't get to the ilo via a java enabled browser since I didn't have X on my server and only way into ilo was from the local subnet - ie the ssh/console - anyway - its sorted.

So I am about to start up the firewall.

----------

## stardotstar

she still won't play:

```
helios shorewall # vi interfaces 

helios shorewall # /etc/init.d/shorewall start

 * Starting firewall ...

iptables v1.4.0: bad rate `Yes'

Try `iptables -h' or 'iptables --help' for more information.

/sbin/shorewall: line 375:  4706 Terminated              ${VARDIR}/.start $debugging start                                                                [ !! ]

helios shorewall # 

```

we are exactly where you recommended:

```
helios shorewall # cat zones interfaces policy rules

#

# Shorewall version 3.4 - Zones File

#

# For information about this file, type "man shorewall-zones"

#

# For more information, see http://www.shorewall.net/3.0/Documentation.htm#Zones

#

###############################################################################

#ZONE   TYPE      OPTIONS      IN         OUT

#               OPTIONS         OPTIONS

fw   firewall

net     ipv4

#loc     ipv4

#dmz     ipv4

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

#

# Shorewall version 3.4 - Interfaces File

#

# For information about entries in this file, type "man shorewall-interfaces"

#

# For additional information, see

# http://www.shorewall.net/3.0/Documentation.htm#Interfaces

#

###############################################################################

#ZONE   INTERFACE   BROADCAST   OPTIONS

net    eth0       detect          arp_filter,tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#

# Shorewall version 3.4 - Policy File

#

# For information about entries in this file, type "man shorewall-policy"

#

# See http://www.shorewall.net/3.0/Documentation.htm#Policy for additional information.

#

###############################################################################

#SOURCE      DEST      POLICY      LOG      LIMIT:BURST

#                  LEVEL

net      all      DROP

fw      net      ACCEPT

all      all      REJECT

#LAST LINE -- DO NOT REMOVE

#

# Shorewall version 3.4 - Rules File

#

# For information on the settings in this file, type "man shorewall-rules"

#

# See http://www.shorewall.net/3.0/Documentation.htm#Rules for additional information.

#

#############################################################################################################

#ACTION   SOURCE      DEST      PROTO   DEST   SOURCE      ORIGINALRATE      USER/   MARK

#                  PORT   PORT(S)      DEST   LIMIT      GROUP

#SECTION ESTABLISHED

#SECTION RELATED

SECTION NEW

SSH/ACCEPT      net      fw

SSH/ACCEPT      fw      net

#ACCEPT   net             $FW                tcp    ssh     #SSH to the

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

```

Hmmm?>

\\'

----------

## steveb

Looks okay to me. But could you post the other config files as well? Can you execute this command and post the output:

```
for foo in /etc/shorewall/*;do echo -ne "\n=[$(basename ${foo})]===================================\n";cat ${foo};echo -ne "============================================\n";done
```

// Steve

----------

## stardotstar

Hi Steve - thanks for staying with me on this!

Here is the result of your neat script:

```
helios stardotstar # for foo in /etc/shorewall/*;do echo -ne "\n=[$(basename ${foo})]===================================\n";cat ${foo};echo -ne "============================================\n";done

=[Makefile]===================================

# Shorewall Makefile to restart if config-files are newer than last restart

VARDIR=/var/lib/shorewall

CONFDIR=/etc/shorewall

RESTOREFILE?=.restore

all: $(VARDIR)/${RESTOREFILE}

$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*

   @/sbin/shorewall -q save >/dev/null; \

   if \

       /sbin/shorewall -q restart >/dev/null 2>&1; \

   then \

       /sbin/shorewall -q save >/dev/null; \

   else \

       /sbin/shorewall -q restart 2>&1 | tail >&2; \

   fi

# EOF

============================================

=[accounting]===================================

#

# Shorewall version 3.4 - Accounting File

#

# For information about entries in this file, type "man shorewall-accounting"

#

# Please see http://www.shorewall.net/3.0/Accounting.html for examples and

# additional information about how to use this file.

#

#####################################################################################

#ACTION   CHAIN   SOURCE      DESTINATION   PROTO   DEST      SOURCE   USER/   MARK

#                     PORT(S)      PORT(S)   GROUP

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[actions]===================================

#

# Shorewall version 3.4 - Actions File

#

# /etc/shorewall/actions

#

# For information about entries in this file, type "man shorewall-actions"

#

# Please see http://www.shorewall.net/3.0/Actions.html for additional information.

#

###############################################################################

#ACTION

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

============================================

=[blacklist]===================================

#

# Shorewall version 3.4 - Blacklist File

#

# For information about entries in this file, type "man shorewall-blacklist"

#

# Please see http://www.shorewall.net/3.0/blacklisting_support.htm for additional

# information.

#

###############################################################################

#ADDRESS/SUBNET      PROTOCOL   PORT

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[continue]===================================

#

# Shorewall version 3.4 - Continue File

#

#  /etc/shorewall/continue

#

#   Add commands below that you want to be executed after shorewall has

#   cleared any existing Netfilter rules and has enabled existing

#   connections.

#

# For additional information, see

# http://www.shorewall.net/3.0/shorewall_extension_scripts.htm

#

###############################################################################

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[ecn]===================================

#

# Shorewall version 3.4 - Ecn File

#

# For information about entries in this file, type "man shorewall-ecn"

#

# For additional information, see http://www.shorewall.net/3.0/Documentation.htm#ECN

#

###############################################################################

#INTERFACE   HOST(S)

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[hosts]===================================

#

# Shorewall version 3.4 - Hosts file

#

# For information about entries in this file, type "man shorewall-hosts"

#

# For additional information, see http://www.shorewall.net/3.0/Documentation.htm#Hosts

#

###############################################################################

#ZONE   HOST(S)               OPTIONS

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

============================================

=[init]===================================

#

# Shorewall version 3.4 - Init File

#

# /etc/shorewall/init

#

#   Add commands below that you want to be executed at the beginning of

#   a "shorewall start" or "shorewall restart" command.

#

# For additional information, see

# http://www.shorewall.net/3.0/shorewall_extension_scripts.htm

#

###############################################################################

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[initdone]===================================

#

# Shorewall version 3.4 - Initdone File

#

# /etc/shorewall/initdone

#

#   Add commands below that you want to be executed during

#   "shorewall start" or "shorewall restart" commands at the point where

#   Shorewall has not yet added any perminent rules to the builtin chains.

#

# For additional information, see

# http://www.shorewall.net/3.0/shorewall_extension_scripts.htm

#

###############################################################################

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[interfaces]===================================

#

# Shorewall version 3.4 - Interfaces File

#

# For information about entries in this file, type "man shorewall-interfaces"

#

# For additional information, see

# http://www.shorewall.net/3.0/Documentation.htm#Interfaces

#

###############################################################################

#ZONE   INTERFACE   BROADCAST   OPTIONS

net    eth0       detect          arp_filter,tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[ipsec]===================================

#

# The /etc/shorewall/ipsec file is obsolete -- the information

# previously contained in this file is now placed in the

# /etc/shorewall/zones file.

#

# See the IPSECFILE option in shorewall.conf for further information.

#

============================================

=[maclist]===================================

#

# Shorewall version 3.4 - Maclist file

#

# For information about entries in this file, type "man shorewall-maclist"

#

# For additional information, see http://www.shorewall.net/3.0/MAC_Validation.html

#

###############################################################################

#DISPOSITION   INTERFACE      MAC         IP ADDRESSES (Optional)

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

============================================

=[masq]===================================

#

# Shorewall version 3.4 - Masq file

#

# For information about entries in this file, type "man shorewall-masq"

#

# For additional information, see http://www.shorewall.net/3.0/Documentation.htm#Masq

#

###############################################################################

#INTERFACE      SOURCE      ADDRESS      PROTO   PORT(S)   IPSEC   MARK

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

============================================

=[nat]===================================

#

# Shorewall version 3.4 - Nat File

#

# For information about entries in this file, type "man shorewall-nat"

#

# For additional information, see http://www.shorewall.net/3.0/NAT.htm

#

###############################################################################

#EXTERNAL   INTERFACE   INTERNAL   ALL      LOCAL

#                  INTERFACES

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

============================================

=[netmap]===================================

#

# Shorewall version 3.4    - Netmap File

#

# For information about entries in this file, type "man shorewall-netmap"

#

# See http://www.shorewall.net/3.0/netmap.html for an example and usage

# information.

#

###############################################################################

#TYPE   NET1         INTERFACE   NET2

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

============================================

=[params]===================================

#

# Shorewall version 3.4 - Params File

#

# /etc/shorewall/params

#

#   Assign any variables that you need here.

#

#   It is suggested that variable names begin with an upper case letter

#   to distinguish them from variables used internally within the

#   Shorewall programs

#

#   Example:

#

#      NET_IF=eth0

#      NET_BCAST=130.252.100.255

#      NET_OPTIONS=routefilter,norfc1918

#

#   Example (/etc/shorewall/interfaces record):

#

#      net   $NET_IF      $NET_BCAST   $NET_OPTIONS

#

#   The result will be the same as if the record had been written

#

#      net   eth0      130.252.100.255   routefilter,norfc1918

#

###############################################################################

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

============================================

=[policy]===================================

#

# Shorewall version 3.4 - Policy File

#

# For information about entries in this file, type "man shorewall-policy"

#

# See http://www.shorewall.net/3.0/Documentation.htm#Policy for additional information.

#

###############################################################################

#SOURCE      DEST      POLICY      LOG      LIMIT:BURST

#                  LEVEL

net      all      DROP

fw      net      ACCEPT

all      all      REJECT

#LAST LINE -- DO NOT REMOVE

============================================

=[providers]===================================

#

# Shorewall version 3.4 - Providers File

#

# For information about entries in this file, type "man shorewall-providers"

#

# For additional information, see http://www.shorewall.net/3.0/MultiISP.html

#

############################################################################################

#NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY      OPTIONS      COPY

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

============================================

=[proxyarp]===================================

#

# Shorewall version  3.4 - Proxyarp File

#

# For information about entries in this file, type "man shorewall-proxyarp"

#

# See http://www.shorewall.net/3.0/ProxyARP.htm for additional information.

#

###############################################################################

#ADDRESS   INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[route_rules]===================================

#

# Shorewall version 3.4 - route_rules File

#

# For information about entries in this file, type "man shorewall-route_rules"

#

# For additional information, see http://www.shorewall.net/3.0/MultiISP.html

##############################################################################

#SOURCE         DEST         PROVIDER   PRIORITY

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[routestopped]===================================

#

# Shorewall version 3.4 - Routestopped File

#

# For information about entries in this file, type "man shorewall-routestopped"

#

# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped and

# http://www.shorewall.net/3.0/starting_and_stopping_shorewall.htm for additional

# information.

#

###############################################################################

#INTERFACE   HOST(S)         OPTIONS

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[rules]===================================

#

# Shorewall version 3.4 - Rules File

#

# For information on the settings in this file, type "man shorewall-rules"

#

# See http://www.shorewall.net/3.0/Documentation.htm#Rules for additional information.

#

#############################################################################################################

#ACTION   SOURCE      DEST      PROTO   DEST   SOURCE      ORIGINAL   RATE      USER/   MARK

#                  PORT   PORT(S)      DEST      LIMIT      GROUP

#SECTION ESTABLISHED

#SECTION RELATED

SECTION NEW

SSH/ACCEPT      net      fw

SSH/ACCEPT      fw      net

#ACCEPT   net             $FW                tcp    ssh     #SSH to the

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[shorewall.conf]===================================

###############################################################################

#  /etc/shorewall/shorewall.conf V3.4 - Change the following variables to

#  match your setup

#

#  This program is under GPL

#  [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]

#

#  This file should be placed in /etc/shorewall

#

#  (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)

#

#  For information about the settings in this file, type "man shorewall.conf"

#

#  Additional information is available at 

#  http://www.shorewall.net/3.0/Documentation.htm#Conf

###############################################################################

#             S T A R T U P   E N A B L E D

###############################################################################

STARTUP_ENABLED=Yes

###############################################################################

#                    V E R B O S I T Y

###############################################################################

VERBOSITY=1

###############################################################################

#                              C O M P I L E R

#      (setting this to 'perl' requires installation of Shorewall-perl)

###############################################################################

SHOREWALL_COMPILER=shell

###############################################################################

#                L O G G I N G

###############################################################################

LOGFILE=/var/log/shorewall

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGRATE=Yes

LOGBURST=

LOGALLNEW=

BLACKLIST_LOGLEVEL=

MACLIST_LOG_LEVEL=info

TCP_FLAGS_LOG_LEVEL=info

RFC1918_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

LOG_MARTIANS=No

###############################################################################

#   L O C A T I O N     O F   F I L E S   A N D   D I R E C T O R I E S

###############################################################################

IPTABLES=

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK=/var/lock/subsys/shorewall

MODULESDIR=

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

RESTOREFILE=

IPSECFILE=zones

LOCKFILE=

###############################################################################

#      D E F A U L T   A C T I O N S / M A C R O S

###############################################################################

DROP_DEFAULT="Drop"

REJECT_DEFAULT="Reject"

ACCEPT_DEFAULT="none"

QUEUE_DEFAULT="none"

###############################################################################

#                        R S H / R C P  C O M M A N D S

###############################################################################

RSH_COMMAND='ssh ${root}@${system} ${command}'

RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

###############################################################################

#         F I R E W A L L     O P T I O N S

###############################################################################

IP_FORWARDING=Off

ADD_IP_ALIASES=Yes

ADD_SNAT_ALIASES=No

RETAIN_ALIASES=No

TC_ENABLED=Internal

TC_EXPERT=No

CLEAR_TC=Yes

MARK_IN_FORWARD_CHAIN=No

CLAMPMSS=No

ROUTE_FILTER=No

DETECT_DNAT_IPADDRS=No

MUTEX_TIMEOUT=60

ADMINISABSENTMINDED=Yes

BLACKLISTNEWONLY=Yes

DELAYBLACKLISTLOAD=No

MODULE_SUFFIX=

DISABLE_IPV6=Yes

BRIDGING=No

DYNAMIC_ZONES=No

PKTTYPE=Yes

RFC1918_STRICT=No

MACLIST_TABLE=filter

MACLIST_TTL=

SAVE_IPSETS=No

MAPOLDACTIONS=No

FASTACCEPT=No

IMPLICIT_CONTINUE=Yes

HIGH_ROUTE_MARKS=No

USE_ACTIONS=Yes

OPTIMIZE=0

EXPORTPARAMS=Yes

###############################################################################

#         P A C K E T   D I S P O S I T I O N

###############################################################################

BLACKLIST_DISPOSITION=DROP

MACLIST_DISPOSITION=REJECT

TCP_FLAGS_DISPOSITION=DROP

#LAST LINE -- DO NOT REMOVE

============================================

=[start]===================================

#

# Shorewall version 3.4 - Start File

#

# /etc/shorewall/start

#

#   Add commands below that you want to be executed after shorewall has

#   been started or restarted.

#

# See http://www.shorewall.net/3.0/shorewall_extension_scripts.htm for additional

# information.

#

###############################################################################

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

============================================

=[started]===================================

#

# Shorewall version 3.4 - Started File

#

# /etc/shorewall/started

#

#   Add commands below that you want to be executed after shorewall has

#   been completely started or restarted. The difference between this

#   extension script and /etc/shorewall/start is that this one is invoked

#   after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and

#   after the 'shorewall' chain has been created (thus signaling that the

#   firewall is completely up.

#

#   This script should not change the firewall configuration directly but

#   may do so indirectly by running /sbin/shorewall with the 'nolock'

#   option.

#

# See http://www.shorewall.net/3.0/shorewall_extension_scripts.htm for additional

# information.

#

###############################################################################

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

============================================

=[stop]===================================

#

# Shorewall version 3.4 - Stop File

#

# /etc/shorewall/stop

#

#   Add commands below that you want to be executed at the beginning of a

#   "shorewall stop" command.

#

# See http://www.shorewall.net/3.0/shorewall_extension_scripts.htm for additional

# information.

#

###############################################################################

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

============================================

=[stopped]===================================

#

# Shorewall version 3.4 - Stopped File

#

# /etc/shorewall/stopped

#

#   Add commands below that you want to be executed at the completion of a

#   "shorewall stop" command.

#

# See http://www.shorewall.net/3.0/shorewall_extension_scripts.htm for additional

# information.

#

###############################################################################

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

============================================

=[tcclasses]===================================

#

# Shorewall version 3.4 - Tcclasses File

#

# For information about entries in this file, type "man shorewall-tcclasses"

#

# See http://www.shorewall.net/3.0/traffic_shaping.htm for additional information.

#

###############################################################################

#INTERFACE   MARK   RATE   CEIL   PRIORITY   OPTIONS

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[tcdevices]===================================

#

# Shorewall version 3.4 - Tcdevices File

#

# For information about entries in this file, type "man shorewall-tcdevices"

#

# See http://www.shorewall.net/3.0/traffic_shaping.htm for additional information.

#

###############################################################################

#INTERFACE   IN-BANDWITH   OUT-BANDWIDTH

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[tcrules]===================================

#

# Shorewall version 3.4 - Tcrules File

#

# For information about entries in this file, type "man shorewall-tcrules"

#

# See http://www.shorewall.net/3.0/traffic_shaping.htm for additional information.

# For usage in selecting among multiple ISPs, see

# http://www.shorewall.net/3.0/MultiISP.html

#

# See http://www.shorewall.net/3.0/PacketMarking.html for a detailed description of

# the Netfilter/Shorewall packet marking mechanism.

###############################################################################

#MARK   SOURCE      DEST      PROTO   DEST   SOURCE   USER   TEST   LENGTH   TOS

#                  PORT(S)   PORT(S)

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[tos]===================================

#

# Shorewall version 3.4 - Tos File

#

# For information about entries in this file, type "man shorewall-tos"

#

###############################################################################

#SOURCE      DEST      PROTOCOL   SOURCE   DEST   TOS   MARK

#                  PORTS   PORTS

#LAST LINE -- Add your entries above -- DO NOT REMOVE

============================================

=[tunnels]===================================

#

# Shorewall version 3.4 - Tunnels File

#

# For information about entries in this file, type "man shorewall-tunnels"

#

# See http://www.shorewall.net/3.0/Documentation.htm#Tunnels for additional

# information.

#

###############################################################################

#TYPE         ZONE   GATEWAY      GATEWAY

#                  ZONE

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============================================

=[zones]===================================

#

# Shorewall version 3.4 - Zones File

#

# For information about this file, type "man shorewall-zones"

#

# For more information, see http://www.shorewall.net/3.0/Documentation.htm#Zones

#

###############################################################################

#ZONE   TYPE      OPTIONS      IN         OUT

#               OPTIONS         OPTIONS

fw   firewall

net     ipv4

#loc     ipv4

#dmz     ipv4

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

============================================

```

----------

## stardotstar

OK I have unmasked (~x86) shorewall-common and shorewall-shell and reconfigured everything and it is working fine - so it looks like the unmasked portage version is incompatible with the current IPTables??

Anyway - on with the show.

\\'

thanks for all the guidance Steve.

----------

