#
#---------------------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically
# by the naat/backend. Modify the templates/etc/shorewall/interfaces instead
#---------------------------------------------------------------------------
#
# Copyright (C) 2000,2002 Mandrakesoft
# Author Florin Grad
#
# Shorewall 1.2 /etc/shorewall/params
#
# This sample implements a simple firewall on a system with three network
# interfaces: the first connects to the internet, the second to a local
# network and the third to a DMZ.
##############################################################################
#
# Specify the name of your internet interface in the following variable.
#
# If you access the internet via dial-up, the interface name will be ppp0.
# If you have an ethernet interface to the internet, your interface name will
# be eth0.

{
	# Name of the internet-facing interface, as supplied by the backend.
	# Nothing is written when NET_IF is unset or empty.
	# NOTE(review): the value is copied verbatim into params, which
	# shorewall reads as shell assignments (to confirm), so it must already
	# be a validated interface name rather than free-form text.
	$OUT .= "NET_IF=$NET_IF\n" if $NET_IF;
}

# Specify the broadcast address for your network interface here. If your
# internet interface is point-to-point (such as with dial-up), then set this
# to "-". If you want Shorewall to automatically detect the broadcast address,
# you can set the variable to "detect"; you will have to start your network
# interface before starting Shorewall for this to work.
{
	# Broadcast address of the internet interface: "detect" when the uplink
	# is a LAN-type connection, "-" for point-to-point links such as dial-up.
	# The /lan/i test is an unanchored, case-insensitive substring match, as
	# before. Nothing is written when the access type is unset.
	if ($InternetAccessType) {
		my $net_bcast = ($InternetAccessType =~ /lan/i) ? "detect" : "-";
		$OUT .= "NET_BCAST=$net_bcast\n";
	}
}

#
# Specify the interface options in this variable as a comma-separated list.
#
# Possible options are as follows:
#			dhcp	     - interface is managed by DHCP
#			noping	     - icmp echo-request (ping) packets should
#				       be ignored on this interface
#			routestopped - When the firewall is stopped, allow
#				       and route traffic to and from this
#				       interface.
#			norfc1918    - This interface should not receive
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses).
#			multi	     - This interface has multiple IP
#				       addresses and you want to be able to
#				       route between them.
#			routefilter  - turn on kernel route filtering for this
#				       interface.
#

{
	# Comma-separated option list for the internet interface (the possible
	# options are described in the comment above). The value is passed
	# through unmodified; no line is written when it is unset or empty.
	$OUT .= "NET_OPTIONS=$NET_OPTIONS\n" if $NET_OPTIONS;
}

#
# Specify the name of your local interface in the following variable.
#

{
	# Name of the local (LAN-side) interface; no line is written when unset.
	# NOTE(review): a later block in this file writes "LOC_IF=" again with
	# the computed network address, so this assignment is overridden when
	# params is read sequentially. That second write looks like it was
	# meant for the network-range variable; confirm the intended name.
	$OUT .= "LOC_IF=$LOC_IF\n" if $LOC_IF;
}

# Specify the broadcast address for your local interface here. If you want
# Shorewall to automatically detect the broadcast address, you can set the
# variable to "detect"; you will have to start your local interface before
# starting Shorewall for this to work. Note that this template does not use
# "detect": the block below computes LOC_BCAST from the IP address and
# netmask configured for the local interface.

{
	# Derive the local broadcast address from the interface's configured
	# address and netmask rather than letting shorewall "detect" it.
	# The backend exposes per-interface settings as variables named after
	# the interface with its first letter capitalised (e.g. $Eth1IP and
	# $Eth1Mask for eth1), so the names are assembled and read via string
	# eval.
	# NOTE(review): string eval on a name built from $LOC_IF is only safe
	# while $LOC_IF is a plain interface name supplied by the backend;
	# confirm it can never be user-controlled free text.
	# NOTE(review): if the address or mask is unset, $bcast may be empty
	# and an invalid "LOC_BCAST=" line is written; nothing checks for this.
	if ($LOC_IF) {
		my $prefix = "\u$LOC_IF";
		my $ip   = eval('$' . $prefix . 'IP');
		my $mask = eval('$' . $prefix . 'Mask');
		my (undef, $bcast) = backend::util::computeNetworkAndBroadcast($ip, $mask);
		$OUT .= "LOC_BCAST=$bcast\n";
	}
}

#
# Specify the local interface options in this variable as a comma-separated list.
#
# Possible options are as follows:
#			dhcp	     - interface is managed by DHCP or
#				       is served by a DHCP server running on
#				       the firewall.
#			noping	     - icmp echo-request (ping) packets should
#				       be ignored on this interface
#			routestopped - When the firewall is stopped, allow
#				       and route traffic to and from this
#				       interface.
#			norfc1918    - This interface should not receive
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses).
#			multi	     - This interface has multiple IP
#				       addresses and you want to be able to
#				       route between them.
#			routefilter  - turn on kernel route filtering for this
#				       interface.
#

{
	# Comma-separated option list for the local interface (see the option
	# descriptions above). Passed through unmodified; omitted when unset.
	$OUT .= "LOC_OPTIONS=$LOC_OPTIONS\n" if $LOC_OPTIONS;
}

#
# Specify your local network address range as <network address>/<mask length>
# (example: 192.168.1.0/24).
#
{
	# Emit the local network address, computed from the configured address
	# and netmask of the local interface in the same way the LOC_BCAST
	# block does (per-interface backend variables read via string eval).
	# NOTE(review): this writes the network as "LOC_IF=", the same variable
	# that already carries the interface name earlier in this file; the
	# last assignment wins when params is read, so the interface name is
	# lost. The comment above describes a <network>/<mask length> range
	# variable; confirm the intended name, and whether $net already
	# includes the mask length, before changing it.
	if ($LOC_IF) {
		my $prefix = "\u$LOC_IF";
		my $ip   = eval('$' . $prefix . 'IP');
		my $mask = eval('$' . $prefix . 'Mask');
		my ($net, undef) = backend::util::computeNetworkAndBroadcast($ip, $mask);
		$OUT .= "LOC_IF=$net\n";
	}
}

#
# Specify the name of your DMZ interface in the following variable.
#
{
	# Name of the DMZ interface; no line is written when no DMZ is set up.
	# NOTE(review): a later block writes "DMZ_IF=" again with the computed
	# DMZ network address, overriding this value when params is read.
	$OUT .= "DMZ_IF=$DMZ_IF\n" if $DMZ_IF;
}

# Specify the broadcast address for your DMZ interface here. If you want
# Shorewall to automatically detect the broadcast address, you can set the
# variable to "detect"; you will have to start your DMZ interface before
# starting Shorewall for this to work.

{
	# Broadcast address of the DMZ interface, written only when a DMZ
	# interface is configured: "detect" when the internet access type
	# matches /lan/i, "-" (point-to-point) otherwise.
	# NOTE(review): this keys the DMZ broadcast off InternetAccessType,
	# which describes the internet uplink rather than the DMZ link; with a
	# dial-up uplink it emits "DMZ_BCAST=-" for what is presumably an
	# ethernet DMZ. The LOC_BCAST block instead computes the value from
	# the interface's address and mask; confirm which behaviour is meant.
	if ($DMZ_IF && $InternetAccessType) {
		my $dmz_bcast = ($InternetAccessType =~ /lan/i) ? "detect" : "-";
		$OUT .= "DMZ_BCAST=$dmz_bcast\n";
	}
}

#
# Specify the DMZ interface options in this variable as a comma-separated list.
#
# Possible options are as follows:
#			dhcp	     - interface is managed by DHCP or
#				       is served by a DHCP server running on
#				       the firewall.
#			noping	     - icmp echo-request (ping) packets should
#				       be ignored on this interface
#			routestopped - When the firewall is stopped, allow
#				       and route traffic to and from this
#				       interface.
#			norfc1918    - This interface should not receive
#				       any packets whose source is in one
#				       of the ranges reserved by RFC 1918
#				       (i.e., private or "non-routable"
#				       addresses).
#			multi	     - This interface has multiple IP
#				       addresses and you want to be able to
#				       route between them.
#			routefilter  - turn on kernel route filtering for this
#				       interface.
#

{
	# Comma-separated option list for the DMZ interface (see the option
	# descriptions above). Written only when both a DMZ interface and an
	# option list are configured; the value is passed through unmodified.
	$OUT .= "DMZ_OPTIONS=$DMZ_OPTIONS\n" if $DMZ_IF && $DMZ_OPTIONS;
}

#
# Specify your DMZ network address range as <network address>/<mask length>
# (example: 192.168.2.0/24).
#

{
	# Emit the DMZ network address, computed from the configured address
	# and netmask of the DMZ interface (per-interface backend variables,
	# read via string eval on a name derived from $DMZ_IF).
	# NOTE(review): this writes the network as "DMZ_IF=", the same variable
	# that already carries the interface name earlier in this file; the
	# last assignment wins when params is read, so the interface name is
	# lost. The comment above describes a <network>/<mask length> range
	# variable; confirm the intended name, and whether $net already
	# includes the mask length, before changing it.
	if ($DMZ_IF) {
		my $prefix = "\u$DMZ_IF";
		my $ip   = eval('$' . $prefix . 'IP');
		my $mask = eval('$' . $prefix . 'Mask');
		my ($net, undef) = backend::util::computeNetworkAndBroadcast($ip, $mask);
		$OUT .= "DMZ_IF=$net\n";
	}
}

# Your firewall may need to access the internet for certain services. For example,
# your firewall probably needs to have access to internet DNS servers (port 53).
# List the TCP ports/services that your firewall needs to access as a
# comma-separated list. If your firewall doesn't need to access any internet
# TCP services, set this variable to "none".
#
# In this template the per-zone-pair lists are generated by the block below:
# for every ordered pair of zones with a non-empty <SRC>_<DST>_SERVICES
# setting it writes <SRC>_<DST>_TCP_SERVICES and <SRC>_<DST>_UDP_SERVICES
# (the FW_NET_*_PORTS lines further down are left as commented examples).
#
# Note: If you want open access to the internet from your firewall, uncomment the
# appropriate line in the "policy" file and set the FW_NET TCP and UDP lists
# to "none".

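{
	# For every ordered pair of distinct zones (FW, LOC, DMZ, NET) whose
	# <SRC>_<DST>_SERVICES setting is non-empty, emit
	#   <SRC>_<DST>_TCP_SERVICES=<ports or none>
	#   <SRC>_<DST>_UDP_SERVICES=<ports or none>
	#
	# The setting is a comma-separated list of entries shaped like
	#   ssh (protocol=tcp action=allow)
	# An entry contributes its name to the TCP or UDP list only when an
	# "action=allow" attribute is immediately preceded by a
	# "protocol=tcp" or "protocol=udp" attribute. An entry named "all"
	# contributes ":" and stops scanning that entry's attributes. Pairs
	# whose setting is unset or empty produce no output lines at all.
	#
	# Fix: attribute names and values are now compared exactly instead of
	# by unanchored substring match, so a value such as "disallow" or any
	# attribute merely containing "action" no longer opens a port (the old
	# /allow/ and /action/ matches failed open). The inner index variable
	# is also renamed so it no longer shadows the zone loop variable.
	#
	# NOTE(review): entry names are copied verbatim into params, which
	# shorewall reads as shell assignments (to confirm); the backend must
	# guarantee they are plain port numbers or service names, because this
	# template does not validate them.

	my @zones = ("FW", "LOC", "DMZ", "NET");

	foreach my $src (@zones) {
	foreach my $dst (@zones) {
		next if $src eq $dst;

		# The setting lives in a template variable named after the pair.
		my $spec = eval('$' . $src . "_" . $dst . "_SERVICES");
		next unless $spec;

		my @tcp = ();
		my @udp = ();

		ENTRY: foreach my $entry (split(/,/, $spec)) {
			my ($item, $attr_list) = $entry =~ /(\S+)\s*\((.*)\)/;
			next ENTRY unless $attr_list;

			my @tokens = split(' ', $attr_list);
			# Start at 1: each token is examined together with the one
			# before it, so the first token can only ever be a "previous".
			for (my $k = 1; $k < scalar(@tokens); ++$k) {
				my ($attr, $value)           = split(/\s*=\s*/, $tokens[$k]);
				my ($attr_prev, $value_prev) = split(/\s*=\s*/, $tokens[$k - 1]);

				# Exact comparisons: open a port only for a literal
				# "action=allow" directly after a literal "protocol=tcp|udp".
				next unless defined $attr && defined $value
					&& $attr eq "action" && $value eq "allow";
				next unless defined $attr_prev && defined $value_prev
					&& $attr_prev eq "protocol";

				my $bucket = ($value_prev eq "tcp") ? \@tcp
				           : ($value_prev eq "udp") ? \@udp
				           : undef;
				next unless $bucket;

				# "all" stands for every port and ends this entry's scan.
				if ($item =~ /^\s*all\s*$/) {
					push @$bucket, ":";
					last;
				}
				push @$bucket, $item;
			}
		}

		my $tcp_list = @tcp ? join(",", @tcp) : "none";
		my $udp_list = @udp ? join(",", @udp) : "none";

		$OUT .= $src . "_" . $dst . "_TCP_SERVICES=$tcp_list\n\n";
		$OUT .= $src . "_" . $dst . "_UDP_SERVICES=$udp_list\n\n";
	}
	}
}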


#FW_NET_TCP_PORTS=53

#
# Similarly, list the internet UDP ports/services that your firewall needs access
# to.
#

#FW_NET_UDP_PORTS=53

# This sample configuration allows you forward connections to up to two
# systems (servers) in your local network.
#
# List the TCP ports or services that you wish to forward to the first
# server in this variable as a comma-separated list. For example, if you want
# to forward www and https to the first server, you would have
# NET_LOC_TCP_PORTS1=www,https or NET_LOC_TCP_PORTS1=80,443 and you would set
# LOC_SERVER1 to the IP address of the server. If you don't want to forward
# any TCP ports, set the variable's value to "none".
#

NET_LOC_TCP_PORTS1=none

# List the UDP ports or services that you wish to forward to the first
# server in this variable as a comma-separated list. If you don't want to
# forward any UDP ports, set the variable's value to "none".

NET_LOC_UDP_PORTS1=none

#
# Enter the IP address of the server that you want the above ports forwarded
# to.
#

LOC_SERVER1=none

# List the TCP ports or services that you wish to forward to the second
# server in this variable as a comma-separated list. For example, if you want
# to forward www and https to the second server, you would have
# NET_LOC_TCP_PORTS2=www,https or NET_LOC_TCP_PORTS2=80,443 and you would set
# LOC_SERVER2 to the IP address of the server. If you don't want to forward
# any TCP ports, set the variable's value to "none".
#

NET_LOC_TCP_PORTS2=none

# List the UDP ports or services that you wish to forward to the second
# server in this variable as a comma-separated list. If you don't want to
# forward any UDP ports, set the variable's value to "none".

NET_LOC_UDP_PORTS2=none

#
# Enter the IP address of the server that you want the above ports forwarded
# to.
#

LOC_SERVER2=none

# This sample configuration allows you forward connections to up to two
# systems (servers) in your DMZ.
#
# List the TCP ports or services that you wish to forward to the first
# DMZ server in this variable as a comma-separated list. For example, if you
# want to forward www and https to the first server, you would have
# NET_DMZ_TCP_PORTS1=www,https or NET_DMZ_TCP_PORTS1=80,443 and you would set
# DMZ_SERVER1 to the IP address of the server. If you don't want to forward
# any TCP ports, set the variable's value to "none".

NET_DMZ_TCP_PORTS1=none

# List the UDP ports or services that you wish to forward to the first
# DMZ server in this variable as a comma-separated list. If you don't want to
# forward any UDP ports, set the variable's value to "none".

NET_DMZ_UDP_PORTS1=none

# List the TCP ports or services on DMZ Server 1 that you wish to make available
# to clients in your local network.
#

LOC_DMZ_TCP_PORTS1=none

# List the UDP ports or services on DMZ Server 1 that you wish to make available
# to clients in your local network.
#

LOC_DMZ_UDP_PORTS1=none

# List the TCP ports or services on DMZ Server 1 that you wish to make available
# to clients on the firewall.
#

FW_DMZ_TCP_PORTS1=none

# List the UDP ports or services on DMZ Server 1 that you wish to make available
# to clients on the firewall.
#

FW_DMZ_UDP_PORTS1=none

#
# Enter the IP address of DMZ server 1.
#

DMZ_SERVER1=none

# List the TCP ports or services that you wish to forward to the second
# DMZ server in this variable as a comma-separated list. For example, if you
# want to forward www and https to the second server, you would have
# NET_DMZ_TCP_PORTS2=www,https or NET_DMZ_TCP_PORTS2=80,443 and you would set
# DMZ_SERVER2 to the IP address of the server. If you don't want to forward
# any TCP ports, set the variable's value to "none".
#

NET_DMZ_TCP_PORTS2=none

# List the UDP ports or services that you wish to forward to the second
# DMZ server in this variable as a comma-separated list. If you don't want to
# forward any UDP ports, set the variable's value to "none".

NET_DMZ_UDP_PORTS2=none

# List the TCP ports or services on DMZ Server 2 that you wish to make available
# to clients in your local network.
#

LOC_DMZ_TCP_PORTS2=none

# List the UDP ports or services on DMZ Server 2 that you wish to make available
# to clients in your local network.
#

LOC_DMZ_UDP_PORTS2=none

# List the TCP ports or services on DMZ Server 2 that you wish to make available
# to clients on the firewall.
#

FW_DMZ_TCP_PORTS2=none

# List the UDP ports or services on DMZ Server 2 that you wish to make available
# to clients on the firewall.
#

FW_DMZ_UDP_PORTS2=none

#
# Enter the IP address of DMZ server 2.
#

DMZ_SERVER2=none

#
# These two variables allow you to specify the network services accessible from
# your DMZ
#

DMZ_NET_TCP_PORTS=none

DMZ_NET_UDP_PORTS=53

#
# If you wish to "open" incoming TCP ports for a server running on the
# firewall, list them in this variable as a comma-separated list. For example,
# if you want to enable secure shell (ssh) and FTP, from the internet to your
# firewall, you would have NET_FW_TCP_PORTS=ssh,ftp or NET_FW_TCP_PORTS=22,21.
# Every port listed here is reachable from the whole internet, so keep the
# list as short as possible.
#
# If you don't run any TCP servers on the firewall, use the value "none"

NET_FW_TCP_PORTS=none

#
# If you wish to "open" incoming UDP ports for servers running on the
# firewall, list them in this variable as a comma-separated list.
#
# If you don't want to open any UDP ports, use the value "none"

NET_FW_UDP_PORTS=none

#
# You will probably need access to your firewall from your local network for
# administrative task. A good way to do this is with ssh (TCP port 22).
#
# Enter the list of TCP ports to open from the local network to the firewall.
# If you don't wish to open any ports, use the value "none"
#
LOC_FW_TCP_PORTS=22

#
# Enter the list of UDP ports to open from the local network to the firewall.
# If you don't wish to open any ports, use the value "none"
#
LOC_FW_UDP_PORTS=none

#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
