> I think it might be important to point out here how Shorewall
> handles/uses these files. I don't use Shorewall, so I can't really
> shed light on it. But these config files are really only one side of
> the mirror.
Actually these files are typically the only ones you'll need to edit...

/etc/shorewall/interfaces defines the interfaces that will be available to Shorewall and provides some logical names for rules mapping.

/etc/shorewall/masq defines the masquerades to use and provides a quick and easy way to say things like "eth1 traffic going out on eth0 should be masqueraded".

/etc/shorewall/policy defines the default policies on the interfaces.

/etc/shorewall/zones defines human-readable names for the interfaces; although I haven't really seen them used for much, they are critical to the functionality (you'll get weird startup failure messages if they're missing).

/etc/shorewall/rules is the critical file, and it defines the rules for what traffic will be allowed. My rules file, for example, indicates that incoming mail and other services are either allowed for the router box to handle or forwarded into the DMZ. It also defines what traffic to block (i.e. outbound windblows networking ports), what hosts to block (IP addresses that hit the ssh daemon), etc.

Other files that you might edit are /etc/shorewall/blacklist, an optional blacklist file to block all traffic from these hosts, and /etc/shorewall/shorewall.conf, the general Shorewall configuration file. Many other files exist in the directory but I'm willing to bet that 95% of the time you won't need to modify them.

-- [email protected] mailing list

