/etc/shorewall/interfaces
###############################################################################
# /etc/shorewall/interfaces - binds each zone to a network interface and sets
# the per-interface anti-spoofing / logging options.
# BROADCAST "detect" lets Shorewall work out the broadcast address itself.
#ZONE      INTERFACE   BROADCAST   OPTIONS
# net zone on eth0 (Internet side): logmartians logs packets with impossible
# source addresses, routefilter drops packets that fail reverse-path
# checking, nosmurfs drops packets with a broadcast source address.
# NOTE(review): no tcpflags option on the untrusted interface - consider
# adding it so malformed TCP flag combinations are dropped at ingress.
net        eth0        detect      logmartians,routefilter,nosmurfs
# lan zone on eth1 (internal side): same hardening as eth0 plus dhcp, which
# permits DHCP traffic on the interface (required when a DHCP server or
# client runs on eth1).
lan        eth1        detect      dhcp,logmartians,routefilter,nosmurfs
/etc/shorewall/params
# /etc/shorewall/params - shell variables expanded in the other Shorewall
# files, where they are referenced as $NAME or ${NAME}.
# Public address of the firewall's WAN interface.  "x.x.x.x" is a placeholder
# and must be replaced with the real address; every $FW:${WAN_IP} rule in the
# rules file depends on it.
WAN_IP=x.x.x.x
# The three private (RFC 1918) ranges.  Used in the rules file to drop and log
# packets that arrive from the net zone with a private source address, which
# cannot be legitimate Internet traffic (spoofed or misrouted).
RFC1918="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
# NOTE(review): the rules file also references ${MYNETWORK}, which is not
# defined here.  Confirm it is set elsewhere (not shown on this page) -
# otherwise the ACCEPT for tcp 22,80,443 cannot be restricted as intended.
/etc/shorewall/zones
###############################################################################
# /etc/shorewall/zones - declares the zones referenced by the interfaces,
# policy, rules and tunnels files.
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
# fw is the firewall host itself (written as $FW in policy and rules).
fw      firewall
# vpn: hosts reached through the IPsec tunnel declared in the tunnels file.
# No interface is bound to this zone in the interfaces file, so its hosts
# must be declared elsewhere (e.g. a hosts file) - not shown on this page.
vpn     ipv4
# net: the untrusted Internet side (eth0).
net     ipv4
# lan: the trusted internal network (eth1).
lan     ipv4
/etc/shorewall/policy
###############################################################################
# /etc/shorewall/policy - default action for traffic between two zones when
# no entry in the rules file matches.  The first matching line wins, so the
# two catch-all DROP entries must remain last.
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
# The firewall host itself may open connections to any zone (not logged).
$FW       all    ACCEPT
# Hosts behind the IPsec tunnel and the LAN may reach each other freely.
vpn       lan    ACCEPT
lan       vpn    ACCEPT
# Unsolicited traffic from the Internet to anywhere is dropped and logged at
# "info"; the rules file carries the explicit exceptions (rate-limited ICMP,
# traceroute, selected TCP services).
net       all    DROP     info
# Default-deny for every remaining pair.  Note that lan->net and vpn->net have
# no ACCEPT policy above, so outbound Internet access from the LAN or the VPN
# only exists where the rules file grants it (the rules shown are truncated).
all       all    DROP     info
/etc/shorewall/rules
#############################################################################################################
# /etc/shorewall/rules - exceptions evaluated in order, before the policy file
# is consulted.  The bogon DROP is first so it cannot be shadowed by any
# ACCEPT further down.
#ACTION     SOURCE              DEST              PROTO   DEST            SOURCE        ORIGINAL   RATE     USER/   MARK
#                                                         PORT            PORT(S)       DEST       LIMIT    GROUP
# Packets arriving from the Internet with a private (RFC 1918) source address
# are spoofed or misrouted; drop and log them.  ${RFC1918} comes from params.
DROP:info   net:${RFC1918}      all
# ICMP to the firewall's public address, from any zone, is accepted but
# rate-limited so a ping flood neither exhausts resources nor floods the log.
# Types: 0 echo reply, 3 destination unreachable, 4 source quench,
# 11 time exceeded, 12 parameter problem, 30 traceroute - 30/sec each;
# type 8 (echo request, i.e. incoming ping) is held to 3/sec.
ACCEPT      all                 $FW:${WAN_IP}     icmp    0               -             -          30/sec
ACCEPT      all                 $FW:${WAN_IP}     icmp    3               -             -          30/sec
ACCEPT      all                 $FW:${WAN_IP}     icmp    4               -             -          30/sec
ACCEPT      all                 $FW:${WAN_IP}     icmp    11              -             -          30/sec
ACCEPT      all                 $FW:${WAN_IP}     icmp    12              -             -          30/sec
ACCEPT      all                 $FW:${WAN_IP}     icmp    30              -             -          30/sec
ACCEPT      all                 $FW:${WAN_IP}     icmp    8               -             -          3/sec
# UDP traceroute probes (destination ports 33434-33523 from high source
# ports) to the firewall, also rate-limited to 3/sec.
ACCEPT      all                 $FW:${WAN_IP}     udp     33434:33523     32769:65535   -          3/sec
##
# ACCEPT
##
# SSH, HTTP and HTTPS on the firewall's public address, restricted to the
# source range ${MYNETWORK}.  ${MYNETWORK} is not defined in the params file
# shown on this page - confirm it is set, since it is the only thing keeping
# port 22 from being reachable from the whole net zone.  The page truncates
# the file here ("..."); the remaining columns and rules are not visible.
ACCEPT      net:${MYNETWORK}    $FW:${WAN_IP}     tcp     22,80,443       ...
/etc/shorewall/tunnels
# /etc/shorewall/tunnels - declares VPN tunnels terminating on the firewall.
#TYPE    ZONE   GATEWAY                            GATEWAY ZONE
# IPsec tunnel whose remote endpoint is in the net zone.  This entry admits
# the tunnel's own negotiation/transport traffic with that gateway; the
# traffic carried inside the tunnel is still subject to the vpn zone's policy
# and rules, which presumes the vpn hosts are declared elsewhere (see zones).
# Replace the placeholder with the peer's public address; leaving it as-is
# will not compile.
ipsec    net    <ipsec-end-point-on-other-side>