( *#) matches a line beginning with blanks and a "#". ( *$) matches a line containing only blanks. Collect content lines from the named configuration file.

collect () {
  case $# in
    0) echo "collect" ;;
    1) grep -E -v '^(( *#)|( *$))' "$1" ;;
    *) echo "Too many arguments." ;;
  esac
}
Joule runs Debian Linux with Shorewall and OpenVPN.
dalton is similar to Joule.
Dnsmasq
Shorewall
# dalton:/etc/dnsmasq.conf
domain-needed
bogus-priv
except-interface=enp2s8

# Systems subnetted via DHCP.
dhcp-range=172.23.7.2,172.23.7.3

# Temporary link to Carnot for netboot and system installation.
# dhcp-range=172.24.1.5,static
# dhcp-host=08:00:20:0e:84:78,172.24.1.5,infinite
# dhcp-option=option:root-path,/export/172.24.1.5/root/
# dhcp-boot=netbsd
# enable-tftp
# tftp-root=/tftpboot
# dalton:/etc/exim4/passwd.client
# password file used when the local exim is authenticating to a remote
# host as a client.
#
# see exim4_passwd_client(5) for more documentation
#
# Example:
### target.mail.server.example:login:password
mail.easthope.ca:peter@easthope.ca:mySecretPassword
Exim4 configuration
Execute dpkg-reconfigure exim4-config; set the smarthost to mail.easthope.ca::465, etc. Then execute
update-exim4.conf
service exim4 restart
# dalton:/etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=6d7e62dd-a3fe-49ac-b0a2-2916d33b9eb7 / ext4 errors=remount-ro 0 1
# /home was on /dev/sda5 during installation
UUID=b1ed1667-2daf-471b-b8a0-9e284cadfe78 /home ext4 defaults 0 2
# swap was on /dev/sda3 during installation
UUID=78803715-10b2-4cc0-aa56-1531bf31f349 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
# Volume for A2.
# /dev/NY /home/root/NY ext2 defaults,user,users,exec,noauto 0 0
/dev/AY /home/root/AY ext2 defaults,user,users,exec,noauto 0 0
# Kingston usb stick.
/dev/KingstonUSB /home/root/USB vfat noauto,umask=000,user,users 0 0
# dalton:/etc/hosts
127.0.0.1 localhost
127.0.1.1 dalton.invalid dalton

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# Static addresses at UBC.
142.103.107.137 dalton.invalid dalton
142.103.107.138 carnot.invalid carnot
142.103.107.139 sparc.invalid sparc
# dalton:/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto enp2s8
allow-hotplug enp2s8
iface enp2s8 inet static
    address xxx.yyy.107.137
    netmask 255.255.255.128
    broadcast xxx.yyy.107.255
    gateway xxx.yyy.107.254

# Interface to cantor connected by an Ethernet crossover.
auto LocBel7411cc
allow-hotplug LocBel7411cc
iface LocBel7411cc inet static
    address 172.24.1.1
    netmask 255.255.255.0

# Interface to Toshiba 4000 Web server connected by an Ethernet crossover.
# Reference http://www.shorewall.net/shorewall_setup_guide.htm .
allow-hotplug DmzACS0713
auto DmzACS0713
iface DmzACS0713 inet static
    address 172.25.1.1
    netmask 255.255.255.0

# Interface to Sparcstation connected by an Ethernet crossover.
allow-hotplug DmzBel00bb74
auto DmzBel00bb74
iface DmzBel00bb74 inet static
    address 172.25.2.1
    netmask 255.255.255.0
# dalton:/etc/mgetty/mgetty.config
debug 4
data-only y
issue-file /etc/issue.mgetty

# The modem.
port ttyS0
ringback y
ringback-time 15
speed 38400
init-chat "" AT&F1S0=0&B1&H1&R2&D3&C1 OK

# The null-modem cable.
port ttyS1
direct y
speed 38400
toggle-dtr n
# dalton:/etc/default/shorewall
startup=1
# dalton:/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net enp2s8 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
#net wlan0 detect optional,dhcp,tcpflags,routefilter,nosmurfs,logmartian
#dmz Dmz+ detect tcpflags,nosmurfs,routeback
loc enx+ detect tcpflags,nosmurfs,routeback
loc ppp+ detect tcpflags,nosmurfs,routeback
loc br0 detect routeback,bridge
loc tap0 detect tcpflags,nosmurfs,routeback
# This is for the openvpn tunnel.
vpn tun0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# dalton:/etc/shorewall/snat
#ACTION SOURCE DEST PROTO PORT
# Rules generated from masq file /etc/shorewall/masq by Shorewall 5.2.3.2 - Mon
#
MASQUERADE 172.23.0.0/16 enp2s8
#MASQUERADE 10.0.2.1/24 br0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# dalton:/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
net all DROP info
$FW all ACCEPT
loc all ACCEPT
#dmz all ACCEPT
#vpn all ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
# dalton:/etc/shorewall/proxyarp
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
142.103.107.138 DmzACS0713 enp2s8 no yes
142.103.107.139 DmzBel00bb74 enp2s8 no yes
# dalton:/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
SSH/ACCEPT net $FW
# Drop Ping from the "bad" net zone and prevent your log from being flooded.
Ping/DROP net $FW
Ping(ACCEPT) loc $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
ACCEPT net dmz tcp 80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# dalton:/etc/shorewall/shorewall.conf, revision from stock
IP_FORWARDING=On
# dalton:/etc/shorewall/tunnels
#TYPE ZONE GATEWAY GATEWAY
# ZONE
# Joule has a dynamic address. No need to cite a dynamic dns.
openvpn net 0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# dalton:/etc/shorewall/zones
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
# This zone is for the servers including Carnot.
dmz ipv4
# The tunnel.
vpn ipv4
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# dalton:$HOME/.swaksrc
h-Date: %DATE%
h-From: peter@easthope.ca
server ccx.websitewelcome.com:587
#server localhost:25
tls
auth PLAIN
au peter@easthope.ca
ap ...
timeout 6
data /home/peter/MY/Mail.Out.Text
# dalton:/etc/vsftpd.conf, exceptions from stock file.
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
use_localtime=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
force_dot_files=YES
# dalton:/etc/udev/rules.d/70-persistent-net.rules
# Contemporary Linux names a network device according to hardware identity.
# For example, enp2s8 refers to ;
# and enx0050b60be9be refers to a USB device with MAC address 00.50.b6.0b.e9.be.
# The old problem from devices renamed after reboot is solved
# without udev rules.
# dalton:/etc/udev/rules.d/10-local.rules
# Persistent names for local devices.
# Use a command such as this to find parameters of device.
# udevadm info -a -p $(udevadm info -q path -n /dev/snd/by-id/usb-0d8c_C-Media_USB_Audio_Device-00)
# "udevadm trigger" will activate new rules.
#
# The Sony mylo. This is treated as a floppy which is not partitioned.
# The size of the device and of the parent are the same.(?)
KERNEL=="sd?1", ATTR{size}=="1752512", SYMLINK+="mylo", \
  OWNER="peter", GROUP="floppy"

# The Kingston USB. This is partitioned. Consequently the sizes
# of device and parent differ.
KERNEL=="sd?1", ATTR{size}=="499712", SYMLINK+="KingstonUSB", \
  OWNER="peter", GROUP="users"

# The green Nexttech SDHC card.
# KERNEL=="sd?1", ATTR{size}=="7215104", SYMLINK+="GRNSDHC41", \
#   OWNER="peter", GROUP="users"

# Another black Kingston SDHC card, 32 GB.
KERNEL=="sd?3", SUBSYSTEM=="block", ATTR{size}=="60028928", \
  SYMLINK+="AY", OWNER="root", GROUP="root", MODE="700"

# The USB audio adapter connected to the speakers.
SUBSYSTEM=="sound", ATTRS{idProduct}=="0008", SYMLINK+="USBspeakers"

# The USB audio adapter connected to the headset.
SUBSYSTEM=="sound", ATTRS{idProduct}=="000c", SYMLINK+="USBheadset"
# Install package inetutils-telnetd.
# dalton:/etc/inetd.conf has this line.
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -E /bin/bash
# imager:~/.config/openbox/rc.xml
# ...
# Default window location.
<application class="*">
  <position>
    <x>1600</x>
    <y>0</y>
  </position>
</application>
<application class="Dillo">
  <position>
    <x>800</x>
    <y>0</y>
  </position>
</application>
<application class="Firefox-esr">
  <position>
    <x>0</x>
    <y>0</y>
  </position>
</application>
<application name="xterm">
  <position>
    <x>1110</x>
    <y>30</y>
  </position>
</application>
</applications>
</openbox_config>
# imager:~/.config/openbox/autostart
# Added by Peter, 2022-03-21.
# Start aos. DisplaySize parameter is in /usr/bin/aos.
(sleep 3s && /home/root/myaos ) &
# Start firefox.
(sleep 6s && firefox -height 900 -width 796 ) &
# Start a terminal.
(sleep 6s && xterm ) &
# imager:/etc/dnsmasq.conf
domain-needed
bogus-priv
except-interface=eno1

# Systems subnetted via DHCP.
dhcp-range=172.23.7.2,172.23.7.3
# imager:/etc/exim4/passwd.client
# password file used when the local exim is authenticating to a remote
# host as a client.
#
# see exim4_passwd_client(5) for more documentation
#
# Example:
### target.mail.server.example:login:password
mail.easthope.ca:peter@easthope.ca:mySecretPassword
Exim4 configuration
Execute dpkg-reconfigure exim4-config; set the smarthost to mail.easthope.ca::465, etc. Then execute
update-exim4.conf
service exim4 restart
# imager:/etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# / was on /dev/sda1 during installation
UUID=6d7e62dd-a3fe-49ac-b0a2-2916d33b9eb7 / ext4 errors=remount-ro 0 1
# /home was on /dev/sda5 during installation
UUID=b1ed1667-2daf-471b-b8a0-9e284cadfe78 /home ext4 defaults 0 2
# swap was on /dev/sda3 during installation
UUID=78803715-10b2-4cc0-aa56-1531bf31f349 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
# Volume for A2.
/dev/NY /home/root/NY ext2 defaults,user,users,exec,noauto 0 0
# Kingston usb stick.
/dev/KingstonUSB /home/root/USB vfat noauto,umask=000,user,users 0 0
# imager:/etc/hosts
127.0.0.1 localhost
127.0.1.1 imager.invalid imager
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.23.5.1 imager.invalid imager
172.23.5.2 heaviside.invalid heaviside
# imager:/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
auto eno1
iface eno1 inet dhcp
# post-up /sbin/ip link set $IFACE mtu 1500

# Private subnets at home.
# The interface to heaviside
auto enx0050b60be9be
allow-hotplug enx0050b60be9be
iface enx0050b60be9be inet static
    address 172.23.5.1
    netmask 255.255.255.0

# Interface to QEMU ETH Oberon guest.
allow-hotplug br0
auto br0
iface br0 inet static
    address 172.23.8.1
    netmask 255.255.255.0

# An interface for PPP.
# allow-hotplug ??
#iface Loc?? inet static
#    address 172.23.6.1
#    netmask 255.255.255.0

# An interface for local DHCP. Addresses allocated in /etc/dnsmasq.conf.
#allow-hotplug ??
#iface Loc?? inet static
#    address 172.23.7.1
#    netmask 255.255.255.0
# imager:/etc/default/shorewall
startup=1
OPTIONS=""
STARTOPTIONS=""
RESTARTOPTIONS=""
RELOADOPTIONS=""
STOPOPTIONS=""
INITLOG=/dev/null
SAFESTOP=0
# imager:/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eno1 detect optional,dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc enx+ detect tcpflags,nosmurfs,routeback
loc ppp+ detect tcpflags,nosmurfs,routeback
loc br0 detect tcpflags,nosmurfs,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# imager:/etc/shorewall/snat
#ACTION SOURCE DEST PROTO PORT
# All local subnets are masqueraded.
MASQUERADE 172.23.0.0/16 eno1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
# imager:/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
net all DROP info
$FW all ACCEPT
loc all ACCEPT
#vpn all ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
# imager:/etc/shorewall/rules
# PROTO refers to the transport and session layer of the OSI model rather than
# to the application layer. So most of these PROTOs are tcp.
# PROTO is not explicit where a macro is used.
# Stock macros are defined in /usr/share/shorewall/*.
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
# Accept SSH connections from the local network and from the net for administration
SSH/ACCEPT net $FW
# Drop Ping from the "bad" net zone and prevent your log from being flooded.
Ping/DROP net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# imager:/etc/shorewall/shorewall.conf, revision from stock
IP_FORWARDING=On
# imager:/etc/shorewall/zones
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
#vpn ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
# imager:/etc/vsftpd.conf.
listen=YES
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
force_dot_files=YES
# imager:/etc/stunnel/stunnel.conf
[pop3]
client = yes
accept = localhost:110
connect = mail.easthope.ca:995

[smtp]
client = yes
accept = localhost:106
connect = mail.easthope.ca:465

[nntp]
client = yes
accept = localhost:119
connect = news.eternal-september.org:563
# imager:/etc/udev/rules.d/70-persistent-net.rules
# The old problem from Ethernet devices renamed after reboot
# is solved without additional udev rules.
# Udev rules to create persistent names for storage devices.
# The document in wiki.archlinux.org is helpful.
# Use a command such as this to find parameters of device.
# udevadm info -a -p $(udevadm info -q path -n /dev/sdb1)
# "udevadm trigger" will activate new rules.

# 2nd part of the primary hdd.
KERNEL=="sd?2", ATTR{size}=="16883712", SYMLINK+="Oberon", \
  OWNER="root", GROUP="root"

# The Kingston 512 MB CF card in the USB adapter.
KERNEL=="sd?", ATTR{size}=="1018080", SYMLINK+="KingstonCF", \
  OWNER="peter", GROUP="peter"
# The Kingston 512 MB CF card, first part.
KERNEL=="sd?1", ATTR{size}=="205632", SYMLINK+="KingstonCF1", \
  OWNER="peter", GROUP="peter"

# The SanDisk 512 MB CF card.
KERNEL=="sd?", ATTR{size}=="1000944", SYMLINK+="SanDiskCF", \
  OWNER="peter", GROUP="users"
# Formatted with one VFAT.
KERNEL=="sd?1", ATTR{size}=="997376", SYMLINK+="SanDiskCF1", \
  OWNER="peter", GROUP="users"
# Formatted with two VFATs.
KERNEL=="sd?1", ATTR{size}=="205569", SYMLINK+="SanDiskCF1", \
  OWNER="peter", GROUP="users"
KERNEL=="sd?2", ATTR{size}=="795312", SYMLINK+="SanDiskCF2", \
  OWNER="peter", GROUP="users"

# CF adapter containing an 8 GB Kingston SD card.
#KERNEL=="sd?", SUBSYSTEM=="block", SUBSYSTEMS=="scsi", \
#ATTRS{model}=="?", SYMLINK+="CFadapter8GB", \
#  OWNER="peter", GROUP="users"

# SanDisk 4 GB CF card.
KERNEL=="sd?", SUBSYSTEM=="block", SUBSYSTEMS=="scsi", \
  ATTRS{model}=="SanDisk SDCFH2-0", SYMLINK+="SanD4GB", \
  OWNER="peter", GROUP="peter"

# The Sony mylo. This is treated as a floppy which is not partitioned.
# The size of the device and of the parent are the same.(?)
KERNEL=="sd?1", ATTR{size}=="1752512", SYMLINK+="mylo", \
  OWNER="peter", GROUP="floppy"

# The green Nexttech SDHC card.
KERNEL=="sd?1", ATTR{size}=="7835648", SYMLINK+="MY", \
  OWNER="root", GROUP="root"

# The black Kingston SDHC card, 4 GB, marked on the back
# AC00EN17A52, 3500007-002:ADOLF, 061112.
#KERNEL=="sd?1", ATTR{size}=="7208960", SYMLINK+="BLACKSDHC41", \
#  OWNER="peter", GROUP="users"

# The black Kingston SDHC card, 8 GB, marked on the back
# 330-100000-176, 3500007-002:ADOLF, 042814.
#KERNEL=="sd?1", ATTR{size}=="15114240", SYMLINK+="BLACKSDHC81", \
#  OWNER="peter", GROUP="users"

# The black Kingston SDHC card, 8 GB, marked 31560-021.ADOLF
#KERNEL=="sd?1", ATTR{size}=="15261696", SYMLINK+="MOTION", \
#  OWNER="peter", GROUP="users"

# The black Kingston SDHC card, 8 GB, industrial grade.
KERNEL=="sd?1", SUBSYSTEM=="block", ATTR{size}=="15695872", \
  SYMLINK+="NY", OWNER="root", GROUP="root"

# The Kingston USB.
KERNEL=="sd?1", SUBSYSTEM=="block", ATTR{size}=="499712", \
  SYMLINK+="KingstonUSB", OWNER="root", GROUP="root"

# Partition in Hitachi drive in Inspiron 1150.
KERNEL=="sd?4", ATTR{size}=="202752", SYMLINK+="HitachiP4", \
  OWNER="peter", GROUP="users"

# A 250 MiB Zip disk.
#KERNEL=="sd?1", ATTR{size}=="489440", SYMLINK+="ZIP250", \
#  OWNER="peter", GROUP="users"

# A 100 MiB Zip disk.
#KERNEL=="sd?1", ATTR{size}=="196576", SYMLINK+="ZIP100", \
#  OWNER="peter", GROUP="users"
# Install package inetutils-telnetd.
# imager:/etc/inetd.conf has this line.
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -a none -E /bin/bash
# imager:~/.xsessionrc
xrandr --output HDMI-3 --primary --mode 1600x900 --pos 0x0
xrandr --output VGA-1 --mode 1280x1024 --pos 1600x0
# joule:~/.config/openbox/rc.xml
# ...
# Default window location.
<application class="*">
  <position>
    <x>1600</x>
    <y>0</y>
  </position>
</application>
<application class="Dillo">
  <position>
    <x>800</x>
    <y>0</y>
  </position>
</application>
<application class="Firefox-esr">
  <position>
    <x>0</x>
    <y>0</y>
  </position>
</application>
<application name="xterm">
  <position>
    <x>1110</x>
    <y>30</y>
  </position>
</application>
</applications>
</openbox_config>
# joule:~/.config/openbox/autostart
# Added by Peter, 2022-03-21.
# Start aos. DisplaySize parameter is in /usr/bin/aos.
(sleep 3s && /home/root/myaos ) &
# Start firefox.
(sleep 6s && firefox -height 900 -width 796 ) &
# Start a terminal.
(sleep 6s && xterm ) &
# joule:/etc/dnsmasq.conf
domain-needed
bogus-priv
except-interface=eno1

# Systems subnetted via DHCP.
dhcp-range=172.23.7.2,172.23.7.3
# joule:/etc/exim4/passwd.client
# password file used when the local exim is authenticating to a remote
# host as a client.
#
# see exim4_passwd_client(5) for more documentation
#
# Example:
### target.mail.server.example:login:password
mail.easthope.ca:peter@easthope.ca:mySecretPassword
Exim4 configuration
Execute dpkg-reconfigure exim4-config; set the smarthost to mail.easthope.ca::465, etc. Then execute
update-exim4.conf
service exim4 restart
# joule:/etc/hosts
127.0.0.1 localhost
127.0.1.1 joule.invalid joule
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.23.5.1 joule.invalid joule
172.23.5.2 heaviside.invalid heaviside
# joule:/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eno1
allow-hotplug eno1
iface eno1 inet dhcp
# post-up /sbin/ip link set $IFACE mtu 1500

# Private subnets at home.
# The interface to heaviside
auto enx0050b60be9be
allow-hotplug enx0050b60be9be
iface enx0050b60be9be inet static
    address 172.23.5.1
    netmask 255.255.255.0

# Interface to QEMU ETH Oberon guest.
auto br0
allow-hotplug br0
iface br0 inet static
    address 172.23.8.1
    netmask 255.255.255.0

# An interface for PPP.
# allow-hotplug ??
#iface Loc?? inet static
#    address 172.23.6.1
#    netmask 255.255.255.0

# An interface for local DHCP. Addresses allocated in /etc/dnsmasq.conf.
#allow-hotplug ??
#iface Loc?? inet static
#    address 172.23.7.1
#    netmask 255.255.255.0
# joule:/etc/default/shorewall
startup=1
OPTIONS=""
STARTOPTIONS=""
RESTARTOPTIONS=""
RELOADOPTIONS=""
STOPOPTIONS=""
INITLOG=/dev/null
SAFESTOP=0
# joule:/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eno1 detect optional,dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc enx+ detect tcpflags,nosmurfs,routeback
loc ppp+ detect tcpflags,nosmurfs,routeback
loc br0 detect tcpflags,nosmurfs,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# joule:/etc/shorewall/snat
#ACTION SOURCE DEST PROTO PORT
# All local subnets are masqueraded.
MASQUERADE 172.23.0.0/16 eno1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
# joule:/etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
net all DROP info
$FW all ACCEPT
loc all ACCEPT
#vpn all ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
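A check for the Shorewall policy files kept for dalton, imager and joule, added here as an example and not part of the original notes: it strips comments and blank lines the way collect() does, then verifies that the final policy is "all all REJECT" (the line the files mark MUST BE LAST), that the net zone's default toward all is DROP or REJECT, and that no uncommented policy ACCEPTs from net. The function names, the temporary files and the two sample policies are constructed for this example.

```shell
#!/bin/sh
# Added example: audit a Shorewall policy file laid out as in these notes.
# audit_policy FILE prints each finding and returns 0 only when all pass.
# policy_content, audit_policy and the sample writers are constructed here.

# Content lines only: drop lines that are blank or start with "#".
policy_content () {
  grep -E -v '^(( *#)|( *$))' "$1"
}

audit_policy () {
  content=$(policy_content "$1")
  status=0

  # 1. The catch-all policy must be the last content line.
  last=$(printf '%s\n' "$content" | tail -n 1 | awk '{print $1, $2, $3}')
  if [ "$last" != "all all REJECT" ]; then
    echo "FAIL: last policy is '$last', expected 'all all REJECT'"
    status=1
  fi

  # 2. The net zone must be dropped or rejected by default.
  netpol=$(printf '%s\n' "$content" | awk '$1 == "net" && $2 == "all" { print $3; exit }')
  case "$netpol" in
    DROP|REJECT) ;;
    *) echo "FAIL: net->all policy is '${netpol:-missing}', expected DROP or REJECT"
       status=1 ;;
  esac

  # 3. No active line may ACCEPT from net toward any zone. A commented
  #    "#vpn all ACCEPT" is ignored; an uncommented "net loc ACCEPT" is not.
  if printf '%s\n' "$content" | awk '$1 == "net" && $3 == "ACCEPT"' | grep -q .; then
    echo "FAIL: an ACCEPT policy from the net zone is active"
    status=1
  fi
  return $status
}

# Sample 1: the policy as written for joule above (passes all checks).
write_good_policy () {
  cat > "$1" <<'EOF'
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
net all DROP info
$FW all ACCEPT
loc all ACCEPT
#vpn all ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
EOF
}

# Sample 2: a mis-edited copy where the net default was loosened and an
# entry was appended after the catch-all (fails all three checks).
write_bad_policy () {
  cat > "$1" <<'EOF'
net all ACCEPT info
$FW all ACCEPT
all all REJECT info
net loc ACCEPT
EOF
}

# Usage: audit both samples, then clean up.
g=$(mktemp); write_good_policy "$g"; audit_policy "$g" && echo "OK: sample 1"
b=$(mktemp); write_bad_policy "$b";  audit_policy "$b" || echo "sample 2 rejected"
rm -f "$g" "$b"
```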
# joule:/etc/shorewall/rules
# PROTO refers to the transport and session layer of the OSI model rather than
# to the application layer. So most of these PROTOs are tcp.
# PROTO is not explicit where a macro is used.
# Stock macros are defined in /usr/share/shorewall/*.
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
# Accept SSH connections from the local network and from the net for administration
SSH/ACCEPT net $FW
# Drop Ping from the "bad" net zone and prevent your log from being flooded.
Ping/DROP net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
# joule:/etc/shorewall/shorewall.conf, revision from stock
IP_FORWARDING=On
# joule:/etc/shorewall/snat
#ACTION SOURCE DEST PROTO PORT
# Rules generated from masq file /etc/shorewall/masq by Shorewall 5.2.3.2 - Mon
#
MASQUERADE 172.23.0.0/16 eno1