Sorry everybody, I ask for your precious advice again. I am switching from shorewall 4.5.6 and kernel 2.6.18 to shorewall 5.0.6 and kernel 2.6.32-573 I used mss=1538 in the in options in zones file and CLAMPMSS=yes to handle an IPSEC connection.
Description In shorewall-zones(5), a zone may be declared to The child-zonemay be neither the firewall zone nor a vserver zone. may not appear as a parent zone, although all vserver zones are handled as sub-zones of the firewall zone. The new LOG_ZONE option in shorewall[6].conf allows for only the source or destination zone to appear in the messages by setting LOG_ZONE to 'src' or 'dst' respectively. If LOG_ZONE=both (the default), then the full chain name is included in log messages Setting LOG_ZONE=src has been shown to decrease the size of the generated ruleset by more The order in which Shorewall6 matches addresses from packets to zones is determined by the order of zone declarations. nested in one or more other zones, you may either ensure that the nested zone precedes its parents in this file, or you may follow the (sub)zone name by ":" The parent zones must have been declared in earlier records in this file. ZONE - zone-name Zone for this interface. Must match the name of a zone declared in /etc/shorewall/zones. You may not list the firewall zone in this column. If the interface serves multiple zones that will be defined in the shorewall-hosts [1] (5) file, you should place "-" in this column. This controls the main "zones" used by Shorewall. The fw is special in that it defines the firewall itself. The wan zone is the Internet-facing network ( wan0 in this tutorial).
Beginning with Shorewall 4.5.17, if you specify a zone for the 'lo' interface, then that zone must be defined as type local in shorewall6-zones(5). BROADCAST (Optional) - {-| detect | address [, address]} Only available if FORMAT 1.
By definition shorewall is not a firewall, it is a way to (more) easily configure iptables to work as a firewall. First create zones “$ nano zones” Jan 26, 2017 · While shorewall is still solid, CentOS 7 has a built-in firewall called FirewallD that does 90% of what CSF does, without having to install custom software. Under the covers it's just modifying IPtables, just like most other firewall software.
Example: #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS a ip b ip c:a,b ip Currently, Shorewall uses this information to reorder the zone list so that parent zones appear after their subzones in the list. The IMPLICIT_CONTINUE option in shorewall.conf [1](5) can also create implicit CONTINUE policies to/from the subzone.
The /etc/shorewall6/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall6/interfaces or /etc/shorewall6/hosts. The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).