/etc/shorewall/interfaces
############################################################################### #ZONE INTERFACE BROADCAST OPTIONS net eth0 detect logmartians,routefilter,nosmurfs lan eth1 detect dhcp,logmartians,routefilter,nosmurfs
/etc/shorewall/params
WAN_IP=x.x.x.x RFC1918="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
/etc/shorewall/zones
############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall vpn ipv4 net ipv4 lan ipv4
/etc/shorewall/policy
############################################################################### #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST $FW all ACCEPT vpn lan ACCEPT lan vpn ACCEPT net all DROP info all all DROP info
/etc/shorewall/rules
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
DROP:info net:${RFC1918} all
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
ACCEPT all $FW:${WAN_IP} icmp 0 - - 30/sec
ACCEPT all $FW:${WAN_IP} icmp 3 - - 30/sec
ACCEPT all $FW:${WAN_IP} icmp 4 - - 30/sec
ACCEPT all $FW:${WAN_IP} icmp 11 - - 30/sec
ACCEPT all $FW:${WAN_IP} icmp 12 - - 30/sec
ACCEPT all $FW:${WAN_IP} icmp 30 - - 30/sec
ACCEPT all $FW:${WAN_IP} icmp 8 - - 3/sec
ACCEPT all $FW:${WAN_IP} udp 33434:33523 32769:65535 - 3/sec
##
# ACCEPT
##
ACCEPT net:${MYNETWORK} $FW:${WAN_IP} tcp 22,80,443
...
/etc/shorewall/tunnels
#TYPE ZONE GATEWAY GATEWAY ZONE ipsec net <ipsec-end-point-on-other-side>