About My Network

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2007/07/19


Table of Contents

My Current Network
Ursa (Xen) Configuration
Firewall Configuration
Shorewall.conf
Params File (Edited)
Zones File
Interfaces File
Hosts File
Routestopped File
Providers File
Blacklist File (Edited)
RFC1918 File
Policy File
Masq File
NAT File
Tunnels
Actions File
action.Mirrors File
Accounting File
Rules File (The shell variables are set in /etc/shorewall/params)
/etc/shorewall/tcdevices
/etc/shorewall/tcclasses
/etc/shorewall/tcrules
/etc/openvpn/server.conf
Tipper and Eastepnc6000 Configuration in the Wireless Network
Tipper Configuration while on the Road
zones
policy
interfaces
rules
/etc/openvpn/home.conf
/etc/openvpn/home.up

My Current Network

Caution

I use a combination of one-to-one NAT and Xen paravirtualization, neither of which is relevant to a simple configuration with a single public IP address. If you have just a single public IP address, most of what you see here won't apply to your setup, so beware of copying parts of this configuration and expecting them to work for you. What you copy may or may not work in your environment.

Caution

The configuration shown here corresponds to Shorewall version 3.0.3. My configuration uses features not available in earlier Shorewall releases.

I have DSL service with 5 static IP addresses (206.124.146.176-180). My DSL “modem” (Westell 2200) is connected to eth2 and has IP address 192.168.1.1 (factory default). The modem is configured in “bridge” mode so PPPoE is not involved. I have a local network connected to eth1 which is bridged to interface tun0 via bridge br0 (subnet 192.168.1.0/24) and a wireless network (192.168.3.0/24) connected to eth0.

In this configuration:

  • I use one-to-one NAT for "Ursa" (my personal system that run SUSE 10.0) - Internal address 192.168.1.5 and external address 206.124.146.178.

  • I use one-to-one NAT for "lists" (My server system that runs SUSE 10.0 in a Xen virtual system on ursa) - Internal address 192.168.1.7 and external address 206.124.146.177.

  • I use one-to-one NAT for "Eastepnc6000" (My work system -- Windows XP SP1/SUSE 10.0). Internal address 192.168.1.6 and external address 206.124.146.180.

  • I use SNAT through 206.124.146.179 for my wife's Windows XP system “Tarry” and our SUSE 10.0 laptop “Tipper”, which connects through the Wireless Access Point (wap).

The firewall runs on a Celeron 1.4GHz under SUSE 10.0.

Ursa runs Samba for file sharing with the Windows systems and is configured as a WINS server.

The wireless network connects to the firewall's eth0 via a LinkSys WAP11. In addition to using the rather weak WEP 40-bit encryption (64-bit with the 24-bit preamble), I use MAC verification and OpenVPN in bridge mode.

The server runs Postfix, Courier IMAP (imap and imaps), DNS (Bind 9), a Web server (Apache) and an FTP server (Pure-ftpd).

The firewall system itself runs a DHCP server that serves the local and wireless networks.

All administration and publishing is done using ssh/scp. I have a desktop environment installed on the firewall but I usually don't start it. X applications tunnel through SSH to Ursa or one of the laptops. The server also has a desktop environment installed but it is never started. For the most part, X tunneled through SSH is used for server administration and the server runs at run level 3 (multi-user console mode on SUSE).

In addition to the OpenVPN bridge, the firewall hosts an OpenVPN Tunnel server for VPN access from our second home in Omak, Washington or when we are otherwise out of town.

Note

Eastepnc6000 is shown in both the local LAN and in the Wifi zone with IP address 192.168.1.6 -- clearly, the computer can only be in one place or the other. Tipper can also be in either place and will have the IP address 192.168.1.8 regardless.

Ursa (Xen) Configuration

Ursa runs two domains. Domain 0 is my personal Linux desktop environment. The other domains comprise my DMZ. There is currently only one system (lists) in the DMZ.

Ursa's Shorewall configuration is described in the article about Xen and Shorewall.

About the only thing that is unique about the configuration of Domain 1 (lists) is that its (virtualized) eth0 has two addresses:

  • 192.168.1.7/24

  • 206.124.146.177/32

This prevents the DNS server from getting confused by the fact that the two different views have different IP addresses for the primary name server for the domain shorewall.net.

Firewall Configuration

Shorewall.conf

STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=$LOG
LOG_MARTIANS=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/dash
SUBSYSLOCK=
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=standard
IPSECFILE=zones
FW=
IP_FORWARDING=On
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=Yes
TC_ENABLED=Internal
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=No
RFC1918_STRICT=Yes
MACLIST_TTL=60
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
BLACKLIST_DISPOSITION=DROP
MACLIST_TABLE=mangle
MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP

Params File (Edited)

NTPSERVERS=<list of NTP server IP addresses>
POPSERVERS=<list of external POP3 servers accessed by fetchmail running on the DMZ server>
LOG=info
WIFI_IF=eth0
EXT_IF=eth2
INT_IF=br0
OMAK=<ip address of the gateway at our second home>
MIRRORS=<list IP addresses of Shorewall mirrors>

Zones File

#ZONE   TYPE   OPTIONS                 IN                 OUT
#                                      OPTIONS            OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz:loc ipv4
vpn     ipv4
Wifi    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Interfaces File

#ZONE   INTERFACE       BROADCAST               OPTIONS
net     $EXT_IF         206.124.146.255         dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
loc     $INT_IF         detect                  dhcp,routeback
vpn     tun+            -
Wifi    $WIFI_IF        -                       dhcp,maclist
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Hosts File

This file is used to define the dmz zone -- the single (virtual) system with internal IP address 192.168.1.7.

#ZONE   HOST(S)                                 OPTIONS
dmz     $INT_IF:192.168.1.7
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

Routestopped File

#INTERFACE      HOST(S)         OPTIONS
$INT_IF         -               source,dest
$WIFI_IF        -               source,dest
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Providers File

This entry isn't necessary, but it allows me to smoke-test parsing of the providers file.

#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS                 COPY
Blarg   1       1       main            $EXT_IF         206.124.146.254 track,balance=1         $INT_IF,$WIFI_IF,tun0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Blacklist File (Edited)

I blacklist a number of ports globally to cut down on the amount of noise in my firewall log. Note that the syntax shown below was introduced in Shorewall 3.0.3 ("-" in the ADDRESS/SUBNET column); earlier versions must use "0.0.0.0/0".

#ADDRESS/SUBNET         PROTOCOL        PORT
-                       udp             1024:1033
-                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

RFC1918 File

Because my DSL modem has an RFC 1918 address (192.168.1.1) and is connected to eth0, I need to make an exception for that address in my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to /etc/shorewall/rfc1918 and changed it as follows:

#SUBNET           TARGET
192.168.1.1       RETURN
172.16.0.0/12     logdrop        # RFC 1918
192.168.0.0/16    logdrop        # RFC 1918
10.0.0.0/8        logdrop        # RFC 1918
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Policy File

#SOURCE         DESTINATION     POLICY          LOG LEVEL       BURST:LIMIT
$FW             $FW             ACCEPT
loc             net             ACCEPT
$FW             vpn             ACCEPT
vpn             net             ACCEPT
vpn             loc             ACCEPT
fw              Wifi            ACCEPT
loc             vpn             ACCEPT
$FW             loc             ACCEPT          #Firewall to Local
loc             $FW             REJECT          $LOG
net             all             DROP            $LOG            10/sec:40
all             all             REJECT          $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Masq File

Although most of our internal systems use one-to-one NAT, my wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do our wireless network systems and visitors with laptops.

The first entry allows access to the DSL modem and uses features introduced in Shorewall 2.1.1. The leading plus sign ("+") causes the rule to be placed before the rules generated from the /etc/shorewall/nat file below.

#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
+$EXT_IF:192.168.1.1    0.0.0.0/0       192.168.1.254
$EXT_IF                 192.168.0.0/22  206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

NAT File

#EXTERNAL               INTERFACE       INTERNAL        ALL             LOCAL
#                                                       INTERFACES
206.124.146.177         $EXT_IF         192.168.1.7     No              No
206.124.146.178         $EXT_IF         192.168.1.5     No              No
206.124.146.180         $EXT_IF         192.168.1.6     No              No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
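The rfc1918 file above and the masq/nat files are both first-match tables, so the order of their entries decides what happens: the 192.168.1.1 RETURN must come before the 192.168.0.0/16 logdrop, and the "+" masq entry for the modem must come before the one-to-one NAT entries. The following model, an added example that is not Shorewall's code and not part of the original page, walks packets through both tables using this configuration's addresses; the simplified matching and the 198.51.100.10 internet host are assumptions.

```python
"""Added example: first-match walk through the rfc1918 table and the nat table
built from the masq and nat files of this configuration (not Shorewall code)."""
from ipaddress import ip_address, ip_network

# /etc/shorewall/rfc1918 in file order: the RETURN for the modem must precede
# the 192.168.0.0/16 logdrop or the modem's packets would be logged and dropped.
RFC1918 = [
    ("192.168.1.1", "RETURN"),
    ("172.16.0.0/12", "logdrop"),
    ("192.168.0.0/16", "logdrop"),
    ("10.0.0.0/8", "logdrop"),
]


def rfc1918_check(src):
    """Target for a packet arriving on the norfc1918 interface with source src."""
    addr = ip_address(src)
    for subnet, target in RFC1918:
        if addr in ip_network(subnet):
            return target
    return "RETURN"  # not an RFC 1918 address: the rfc1918 chain does nothing


# nat table on $EXT_IF in the order Shorewall builds it from the files above:
# "+" masq entries first, then the nat file, then the remaining masq entries.
# Each entry: (destination subnet, source subnet, source address after NAT)
NAT_RULES = [
    ("192.168.1.1", "0.0.0.0/0", "192.168.1.254"),       # +$EXT_IF:192.168.1.1
    ("0.0.0.0/0", "192.168.1.7", "206.124.146.177"),     # nat file: lists
    ("0.0.0.0/0", "192.168.1.5", "206.124.146.178"),     # nat file: ursa
    ("0.0.0.0/0", "192.168.1.6", "206.124.146.180"),     # nat file: eastepnc6000
    ("0.0.0.0/0", "192.168.0.0/22", "206.124.146.179"),  # masq: everything else
]


def snat_source(src, dst, rules=NAT_RULES):
    """Source address a packet leaves $EXT_IF with (unchanged if nothing matches)."""
    s, d = ip_address(src), ip_address(dst)
    for dst_net, src_net, new_src in rules:
        if d in ip_network(dst_net) and s in ip_network(src_net):
            return new_src
    return src


def without_plus():
    """The same table with the modem entry in the ordinary masq position (after the nat file)."""
    return NAT_RULES[1:] + NAT_RULES[:1]


if __name__ == "__main__":
    print("modem source:", rfc1918_check("192.168.1.1"))           # RETURN
    print("other RFC1918 source:", rfc1918_check("192.168.5.5"))   # logdrop
    # With the "+": Ursa reaches the modem as 192.168.1.254.
    print(snat_source("192.168.1.5", "192.168.1.1"))
    # Without it, the one-to-one NAT entry for Ursa would win instead.
    print(snat_source("192.168.1.5", "192.168.1.1", without_plus()))
    print(snat_source("192.168.1.4", "198.51.100.10"))            # SNAT via .179
```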

Tunnels

#TYPE                   ZONE    GATEWAY         GATEWAY ZONE    PORT
openvpnserver:1194      net     0.0.0.0/0
openvpnserver:1194      Wifi    192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Actions File

The Limit action is described in a separate article.

#ACTION
Mirrors             #Accept traffic from the Shorewall Mirror sites
Limit               #Limit connection rate from each individual Host
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

action.Mirrors File

$MIRRORS is set in /etc/shorewall/params above.

#TARGET  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
#                                               PORT    PORT(S)    DEST         LIMIT
ACCEPT   $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Accounting File

#ACTION CHAIN   SOURCE          DESTINATION                                     PROTO   DEST            SOURCE  USER/
#                                                                                       PORT(S)         PORT(S) GROUP
hp:COUNT        accounting      $EXT_IF                 $INT_IF:192.168.1.6     UDP
hp:COUNT        accounting      $INT_IF:192.168.1.6     $EXT_IF                 UDP
DONE            hp

mail:COUNT      -               $EXT_IF                 $INT_IF:192.168.1.7     tcp     25
mail:COUNT      -               $INT_IF:192.168.1.7     $EXT_IF                 tcp     25
DONE            mail

web             -               $EXT_IF                 $INT_IF:192.168.1.7     tcp     80
web             -               $EXT_IF                 $INT_IF:192.168.1.7     tcp     443
web             -               $INT_IF:192.168.1.7     $EXT_IF                 tcp     80
web             -               $INT_IF:192.168.1.7     $EXT_IF                 tcp     443

COUNT           web             $EXT_IF                 $INT_IF:192.168.1.7
COUNT           web             $INT_IF:192.168.1.7     $EXT_IF
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Rules File (The shell variables are set in /etc/shorewall/params)

SECTION NEW
###############################################################################################################################################################################
#ACTION         SOURCE                          DEST                    PROTO   DEST                                    SOURCE          ORIGINAL        RATE    USER/
#                                                                               PORT                                    PORT(S)         DEST            LIMIT   GROUP
###############################################################################################################################################################################
REJECT:$LOG     loc                             net                     tcp     25
REJECT:$LOG     loc                             net                     udp     1025:1031
#
# Stop NETBIOS crap
#
REJECT          loc                             net                     tcp     137,445
REJECT          loc                             net                     udp     137:139
#
# Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
#
DROP            loc:!192.168.0.0/22             net
DROP            Wifi                            net:15.0.0.0/8
DROP            Wifi                            net:16.0.0.0/8
###############################################################################################################################################################################
# Local Network to Firewall
#
DROP            loc:!192.168.0.0/22             fw                      # Silently drop traffic with an HP source IP from my XP box
Limit:$LOG:SSHA,3,60\
                loc                             fw                      tcp     22
ACCEPT          loc                             fw                      tcp     time,631,8080
ACCEPT          loc                             fw                      udp     161,ntp,631
ACCEPT          loc:192.168.1.5                 fw                      udp     111
DROP            loc                             fw                      tcp     3185          #SUSE Meta pppd
Ping/ACCEPT     loc                             fw
###############################################################################################################################################################################
# Local Network to Wireless
#
Ping/ACCEPT     loc                             Wifi
###############################################################################################################################################################################
# Insecure Wireless to DMZ
#
ACCEPT          Wifi                            dmz                     udp     domain
ACCEPT          Wifi                            dmz                     tcp     domain
###############################################################################################################################################################################
# Insecure Wireless to Internet
#
ACCEPT          Wifi                            net                     udp     500
ACCEPT          Wifi                            net                     udp     4500
ACCEPT          Wifi:192.168.3.9                net                     all
Ping/ACCEPT     Wifi                            net
###############################################################################################################################################################################
# Insecure Wireless to Firewall
#
SSH/ACCEPT      Wifi                            fw
###############################################################################################################################################################################
# Road Warriors to Firewall
#
ACCEPT            vpn                             fw                      tcp     ssh,time,631,8080
ACCEPT            vpn                             fw                      udp     161,ntp,631
Ping/ACCEPT       vpn                             fw
###############################################################################################################################################################################
# Road Warriors to DMZ
#
ACCEPT            vpn                             dmz                     udp     domain
ACCEPT            vpn                             dmz                     tcp     www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3       -
Ping/ACCEPT       vpn                             dmz
###############################################################################################################################################################################
# Local network to DMZ
#
ACCEPT            loc                             dmz                     udp     domain
ACCEPT            loc                             dmz                     tcp     ssh,smtps,www,ftp,imaps,domain,https    -
ACCEPT            loc                             dmz                     tcp     smtp
ACCEPT            loc                             dmz                     udp     33434:33454
###############################################################################################################################################################################
# Internet to ALL -- drop NewNotSyn packets
#
dropNotSyn      net                             fw                      tcp
dropNotSyn      net                             loc                     tcp
dropNotSyn      net                             dmz                     tcp
###############################################################################################################################################################################
# Internet to DMZ
#
ACCEPT          net                             dmz                     udp     domain
LOG:$LOG        net:64.126.128.0/18             dmz                     tcp     smtp
ACCEPT          net                             dmz                     tcp     smtps,www,ftp,imaps,domain,https        -
ACCEPT          net                             dmz                     tcp     smtp                                    -               206.124.146.177,206.124.146.178
ACCEPT          net                             dmz                     udp     33434:33454
Mirrors         net                             dmz                     tcp     rsync
Limit:$LOG:SSHA,3,60\
                net                             dmz                     tcp     22
Ping/ACCEPT     net                             dmz
###############################################################################################################################################################################
#
# Net to Local
#
##########################################################################################
# Test Server
#
ACCEPT          net                             loc:192.168.1.9         tcp     80
ACCEPT          net                             loc:192.168.1.9         tcp     443
ACCEPT          net                             loc:192.168.1.9         tcp     21
Ping/ACCEPT     net                             loc:192.168.1.9
#
# When I'm "on the road", the following two rules allow me VPN access back home using PPTP.
#
DNAT            net                             loc:192.168.1.4         tcp     1729
DNAT            net                             loc:192.168.1.4         gre
#
# Roadwarrior access to Ursa
#
ACCEPT          net:$OMAK                       loc                     tcp     22
Limit:$LOG:SSHA,3,60\
                net                             loc                     tcp     22
#
# ICQ
#
ACCEPT          net                             loc:192.168.1.5         tcp     113,4000:4100
#
# Bittorrent
#
ACCEPT          net                             loc:192.168.1.5         tcp     6881:6889,6969
ACCEPT          net                             loc:192.168.1.5         udp     6881:6889,6969
#
# Real Audio
#
ACCEPT          net                             loc:192.168.1.5         udp     6970:7170
#
# Overnet
#
#ACCEPT         net                             loc:192.168.1.5         tcp     4662
#ACCEPT         net                             loc:192.168.1.5         udp     12112
#
# OpenVPN
#
ACCEPT          net                             loc:192.168.1.5         udp     1194
#
# Skype
#
ACCEPT          net                             loc:192.168.1.6         tcp     1194
#
# Silently Handle common probes
#
REJECT          net                             loc                     tcp     www,ftp,https
DROP            net                             loc                     icmp    8
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT          dmz                             net                     udp     domain,ntp
ACCEPT          dmz                             net                     tcp     echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
ACCEPT          dmz                             net:$POPSERVERS         tcp     pop3
Ping/ACCEPT     dmz                             net
#
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
# code from processing the command  and setting up the proper expectation. The following rule allows active FTP to work in these cases
# but logs the connection so I can keep an eye on this potential security hole.
#
ACCEPT:$LOG     dmz                             net                     tcp     1024:                                   20
###############################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
#
ACCEPT          dmz                             fw                      udp     ntp                                     ntp
ACCEPT          dmz                             fw                      tcp     161,ssh
ACCEPT          dmz                             fw                      udp     161
REJECT          dmz                             fw                      tcp     auth
Ping/ACCEPT     dmz                             fw
###############################################################################################################################################################################
# Internet to Firewall
#
REJECT          net                             fw                      tcp     www,ftp,https
DROP            net                             fw                      icmp    8
ACCEPT          net                             fw                      udp     33434:33454
ACCEPT          net:$OMAK                       fw                      udp     ntp
ACCEPT          net                             fw                      tcp     auth
ACCEPT          net:$OMAK                       fw                      tcp     22
Limit:$LOG:SSHA,3,60\
                net                             fw                      tcp     22
###############################################################################################################################################################################
# Firewall to Internet
#
ACCEPT          fw                              net:$NTPSERVERS         udp     ntp                                     ntp
#ACCEPT         fw                              net:$POPSERVERS         tcp     pop3
ACCEPT          fw                              net                     udp     domain
ACCEPT          fw                              net                     tcp     domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
ACCEPT          fw                              net                     udp     33435:33535
ACCEPT          fw                              net                     icmp
REJECT:$LOG     fw                              net                     udp     1025:1031
DROP            fw                              net                     udp     ntp
Ping/ACCEPT     fw                              net
###############################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT          fw                              dmz                     tcp     domain,www,ftp,ssh,smtp,993,465
ACCEPT          fw                              dmz                     udp     domain
REJECT          fw                              dmz                     udp     137:139
Ping/ACCEPT     fw                              dmz
###############################################################################################################################################################################
# Firewall to Insecure Wireless
#
Ping/ACCEPT     fw                              Wifi
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
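The Limit:$LOG:SSHA,3,60 rules above allow each source host 3 new SSH connections per 60 seconds and log and drop the rest. The model below is an added example, not Shorewall's implementation and not from the original page: it keeps a per-source hit list like the iptables "recent" match that Limit uses, and, because every Limit rule in this rules file names the same set (SSHA), attempts from one host to fw, loc and dmz draw on a single budget. The exact window bookkeeping of the kernel match, the source addresses and the log line format are assumptions.

```python
"""Added example: per-source sliding-window model of Limit:$LOG:SSHA,3,60
(a hypothetical model of Shorewall's Limit action, not its code)."""
from collections import defaultdict, deque


class LimitAction:
    """Allow at most `count` new connections per `seconds` from each source."""

    def __init__(self, name, count, seconds, log_level="info"):
        self.name = name            # recent set name shared by all rules using it (SSHA)
        self.count = count          # connections allowed per window
        self.seconds = seconds      # window length in seconds
        self.log_level = log_level  # $LOG in the params file
        self.hits = defaultdict(deque)  # source address -> timestamps of attempts
        self.log = []                   # constructed log lines, newest last

    def check(self, src, now, dest_zone):
        """Return "ACCEPT" or "DROP" for a new connection from src at time now."""
        q = self.hits[src]
        q.append(now)  # the attempt is recorded first, as the recent --set does
        while q and now - q[0] > self.seconds:  # forget hits outside the window
            q.popleft()
        if len(q) > self.count:
            # Dropped attempts stay in the list, so a host that keeps hammering
            # stays blocked until it is quiet for a whole window.
            self.log.append(
                f"Shorewall:{self.name}:DROP: src={src} dst_zone={dest_zone} "
                f"hits={len(q)}/{self.seconds}s level={self.log_level}"
            )
            return "DROP"
        return "ACCEPT"


def run_scenario():
    """Constructed attempts: one host hammers SSH across zones, another is polite."""
    limit = LimitAction("SSHA", 3, 60)
    events = [  # (time in seconds, source address, destination zone of the rule hit)
        (0, "198.51.100.7", "fw"),
        (5, "198.51.100.7", "dmz"),   # same SSHA set, so this counts too
        (9, "198.51.100.7", "loc"),
        (12, "198.51.100.7", "fw"),   # 4th attempt inside 60 s: dropped and logged
        (30, "203.0.113.20", "dmz"),  # unrelated host is unaffected
        (40, "198.51.100.7", "fw"),   # still 5 hits in the window: dropped again
        (150, "198.51.100.7", "fw"),  # window drained: accepted again
    ]
    decisions = [limit.check(src, t, zone) for t, src, zone in events]
    return decisions, limit.log


if __name__ == "__main__":
    decisions, log = run_scenario()
    print(decisions)
    print("\n".join(log))
```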

/etc/shorewall/tcdevices

#INTERFACE      IN-BANDWIDTH    OUT-BANDWIDTH
$EXT_IF         1.5mbit         384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/tcclasses

My traffic shaping configuration is basically the "WonderShaper" example from tc4shorewall with a little tweaking.

#INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
$EXT_IF         10      full            full            1               tcp-ack,tos-minimize-delay
$EXT_IF         20      9*full/10       9*full/10       2               default
$EXT_IF         30      6*full/10       6*full/10       3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/tcrules

I give full bandwidth to my local systems -- the server gets throttled and rsync gets throttled even more.

Note

The class id for tc4shorewall-generated classes is <device number>:<100 + mark value> where the first device in /etc/shorewall/tcdevices is device number 1, the second is device number 2 and so on. The rules below are using the Netfilter CLASSIFY target to classify the traffic directly without having to first mark then classify based on the marks.

#MARK           SOURCE                  DEST            PROTO   PORT(S) CLIENT  USER    TEST
#                                                                       PORT(S)
1:110           192.168.0.0/22          $EXT_IF
1:130           206.124.146.177         $EXT_IF         tcp     -       873 #Rsync to the Mirrors
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Here is the output of shorewall show tc while the Shorewall mirrors were receiving updates via rsync and the link was otherwise idle. Note the rate limiting imposed by the 1:30 Class.

Shorewall-3.0.0-RC2 Traffic Control at gateway - Sat Oct 22 09:11:26 PDT 2005

...

Device eth2:
qdisc htb 1: r2q 10 default 120 direct_packets_stat 2 ver 3.17
 Sent 205450106 bytes 644093 pkts (dropped 0, overlimits 104779)
 backlog 20p
qdisc ingress ffff: ----------------
 Sent 160811382 bytes 498294 pkts (dropped 37, overlimits 0)
qdisc sfq 110: parent 1:110 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
qdisc sfq 120: parent 1:120 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
qdisc sfq 130: parent 1:130 limit 128p quantum 1514b flows 128/1024 perturb 10sec
 Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
 backlog 20p
class htb 1:110 parent 1:1 leaf 110: prio 1 quantum 4915 rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 0
 Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
 rate 424bit
 lended: 417516 borrowed: 0 giants: 0
 tokens: 36864 ctokens: 36864

class htb 1:1 root rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 7
 Sent 205422474 bytes 644073 pkts (dropped 0, overlimits 0)
 rate 231568bit 19pps
 lended: 0 borrowed: 0 giants: 0
 tokens: -26280 ctokens: -26280

class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 2944 rate 230000bit ceil 230000bit burst 1714b/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
 Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
 rate 230848bit 19pps backlog 18p
 lended: 48784 borrowed: 0 giants: 0
 tokens: -106401 ctokens: -106401

class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 4416 rate 345000bit ceil 345000bit burst 1771b/8 mpu 0b overhead 0b cburst 1771b/8 mpu 0b overhead 0b level 0
 Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
 rate 1000bit
 lended: 177773 borrowed: 0 giants: 0
 tokens: 41126 ctokens: 41126

...
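The note above gives the class id formula (device number : 100 + mark) and the tcclasses file expresses rates in terms of "full"; the show tc output lets you check the result (class 1:120 at 345000bit, 1:130 at 230000bit). The following added example, which is not tc4shorewall's code and not part of the original page, parses the tcdevices, tcclasses and tcrules entries above and reproduces those class ids, rates and the CLASSIFY decision. It assumes that "full" is the device's OUT-BANDWIDTH and that rates are computed in whole kbit with integer arithmetic, which is what the displayed 345000bit (rather than 345600bit) suggests.

```python
"""Added example: compute tc4shorewall class ids and rates from the tcdevices,
tcclasses and tcrules entries of this page (hypothetical model, not tc4shorewall)."""
import re
from ipaddress import ip_address, ip_network

# The page's files, with $EXT_IF left symbolic (constructed copies for parsing).
TCDEVICES = """\
#INTERFACE      IN-BANDWIDTH    OUT-BANDWIDTH
$EXT_IF         1.5mbit         384kbit
"""
TCCLASSES = """\
#INTERFACE      MARK    RATE            CEIL            PRIORITY        OPTIONS
$EXT_IF         10      full            full            1               tcp-ack,tos-minimize-delay
$EXT_IF         20      9*full/10       9*full/10       2               default
$EXT_IF         30      6*full/10       6*full/10       3
"""
# (class, source, proto, dest port, source port) from the tcrules file
TCRULES = [
    ("1:110", "192.168.0.0/22", None, None, None),
    ("1:130", "206.124.146.177", "tcp", None, 873),  # rsync to the mirrors
]

UNITS = {"bit": 1, "kbit": 1000, "mbit": 1000000, "kbps": 8000, "mbps": 8000000}


def to_kbit(text):
    """Convert a bandwidth such as 1.5mbit or 384kbit to whole kbit."""
    m = re.fullmatch(r"([0-9.]+)(bit|kbit|mbit|kbps|mbps)", text)
    if not m:
        raise ValueError(f"unsupported bandwidth: {text}")
    return int(float(m.group(1)) * UNITS[m.group(2)] // 1000)


def parse_table(text):
    """Split a Shorewall-style table into rows, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def eval_rate(expr, full_kbit):
    """RATE/CEIL is either a bandwidth with unit or a * and / expression in 'full',
    evaluated left to right with integer arithmetic (assumption, see lead-in)."""
    if re.fullmatch(r"[0-9.]+[a-z]+", expr):
        return to_kbit(expr)
    tokens = re.findall(r"\d+|full|[*/]", expr)
    if "".join(tokens) != expr or not tokens:
        raise ValueError(f"unsupported rate expression: {expr}")
    value = full_kbit if tokens[0] == "full" else int(tokens[0])
    for op, tok in zip(tokens[1::2], tokens[2::2]):
        operand = full_kbit if tok == "full" else int(tok)
        value = value * operand if op == "*" else value // operand
    return value


def build_classes(tcdevices=TCDEVICES, tcclasses=TCCLASSES):
    """Return {class id: {rate_kbit, ceil_kbit, prio, options}} using
    <device number>:<100 + mark>, devices numbered from 1 in file order."""
    devices = {}
    for number, (iface, inb, outb) in enumerate(parse_table(tcdevices), start=1):
        devices[iface] = (number, to_kbit(inb), to_kbit(outb))
    classes = {}
    for row in parse_table(tcclasses):
        iface, mark, rate, ceil, prio = row[:5]
        options = row[5].split(",") if len(row) > 5 else []
        devnum, _, full = devices[iface]
        classes[f"{devnum}:{100 + int(mark)}"] = {
            "rate_kbit": eval_rate(rate, full),
            "ceil_kbit": eval_rate(ceil, full),
            "prio": int(prio),
            "options": options,
        }
    return classes


def default_class(classes):
    """The class carrying the 'default' option (1:120 here)."""
    return next(cid for cid, c in classes.items() if "default" in c["options"])


def classify(src, proto, dport=None, sport=None, default="1:120"):
    """First matching tcrules entry wins; everything else goes to the default class."""
    for cid, net, rproto, rdport, rsport in TCRULES:
        if ip_address(src) not in ip_network(net):
            continue
        if rproto and rproto != proto:
            continue
        if rdport and rdport != dport:
            continue
        if rsport and rsport != sport:
            continue
        return cid
    return default


if __name__ == "__main__":
    classes = build_classes()
    for cid, c in classes.items():
        print(cid, c["rate_kbit"] * 1000, "bit", c)   # 1:120 -> 345000bit, 1:130 -> 230000bit
    print(classify("206.124.146.177", "tcp", sport=873, default=default_class(classes)))
```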

/etc/openvpn/server.conf

Only the tunnel-mode OpenVPN configuration is described here -- the bridge is described in the OpenVPN documentation.

dev tun

local 206.124.146.176

server 192.168.2.0 255.255.255.0

dh dh1024.pem

ca /etc/certs/cacert.pem

crl-verify /etc/certs/crl.pem

cert /etc/certs/gateway.pem
key /etc/certs/gateway_key.pem

port 1194

comp-lzo

user nobody
group nogroup

keepalive 15 45
ping-timer-rem
persist-tun
persist-key

client-config-dir /etc/openvpn/clients
ccd-exclusive
client-to-client

verb 3

Tipper and Eastepnc6000 Configuration in the Wireless Network

Please find this information in the OpenVPN bridge mode documentation.

Tipper Configuration while on the Road

This laptop is either configured on our wireless network (192.168.3.8) or as a standalone system on the road.

Tipper's view of the world is shown in the following diagram:

zones

#ZONE   DISPLAY         COMMENTS
home    Home            Shorewall Network
net     Net             Internet
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

policy

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
$FW             home            ACCEPT
home            $FW             ACCEPT
net             home            NONE
home            net             NONE
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

interfaces

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,tcpflags
home    tun0            -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

rules

#ACTION         SOURCE                  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                                                       PORT    PORT(S) DEST            LIMIT   GROUP
ACCEPT          net                     $FW     icmp    8
ACCEPT          net                     $FW     tcp     22
ACCEPT          net                     $FW     tcp     4000:4100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/openvpn/home.conf

dev tun
remote gateway.shorewall.net
up /etc/openvpn/home.up

tls-client
pull

ca /etc/certs/cacert.pem

cert /etc/certs/tipper.pem
key /etc/certs/tipper_key.pem

port 1194

user nobody
group nogroup

comp-lzo

ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

verb 3

/etc/openvpn/home.up

#!/bin/bash
#
# OpenVPN runs this script once the tun device is up. For a tun device the
# positional arguments are: tun_dev tun_mtu link_mtu ifconfig_local_ip
# ifconfig_remote_ip [init|restart], so $5 is the remote end of the tunnel.

ip route add 192.168.1.0/24 via $5     #Access to Home Network
ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my
                                       #Internal Bind 9 view because the source IP will
                                       #be in 192.168.2.0/24