doc:recipes:shorewall-on-openwrt
doc:recipes:shorewall-on-openwrt [2013/10/28 08:24]
lorema
doc:recipes:shorewall-on-openwrt [2016/05/04 03:57] (current)
tmomas Links changed from external to internal, OpenWrt spelling; section headings corrected; formatting cleanup
====== Shorewall on OpenWrt ======
Both Shorewall and the [[doc/uci/firewall|OpenWrt UCI firewall]] are wrappers for [[doc/howto/netfilter]].

This set of examples is for Shorewall version 4.x; see [[http://www.shorewall.org/Shorewall-5.html]] for the changes from v4.x to v5.x.

Since mid 2015, Shorewall-lite is no longer offered as an installable package in OpenWrt; see [[doc/recipes/installing-shorewall.v5-on-openwrt]] for instructions on installing Shorewall-lite.

===== About OpenWrt UCI Firewall =====
For most users, the current default OpenWrt UCI firewall manager will be the best choice. For those managing different generations of OpenWrt routers, or those who want to use the same firewall manager on all their Linux based devices, Shorewall may be the better answer.

===== About Shorewall =====
The Shoreline Firewall (Shorewall) is a well designed firewall manager for Linux netfilter ([[http://www.shorewall.net/shorewall_index.htm#WhatIs]]). A runtime package, Shorewall-Lite, can be hosted on one device, e.g. an OpenWrt router, but built on another (the "nanny"). Shorewall-Lite is otherwise nearly identical to the full Shorewall package. Shorewall is one of the oldest continuously maintained Linux netfilter firewall managers, and has offered a stable user interface to zone based firewalling across platforms for more than a decade.

Shorewall meshes well with OpenWrt: the other UCI/LuCI components, and tools like the firewall/IP chain report, perform as intended. Shorewall or Shorewall-Lite has been available on most OpenWrt releases (WR, BF, AA, etc.). This example uses the Shorewall-Lite package.

By design, Shorewall gives the user a script based, fine grained startup, runtime and shutdown sequence. This file based sequence works around the differing generations and implementations of run levels and network initialization found across real world Linux versions and distributions. Once you have developed a set of networks, routes, zones, rules and policies, you can readily duplicate them across all your Shorewall installations on those networks. Shorewall is a single setup and firewall solution that makes extending, altering and managing a heterogeneous system of networks easier. See the bottom of this document for Shorewall URLs.

__If you do not need Shorewall, stick with the OpenWrt UCI firewall. You will likely not get Shorewall support from OpenWrt staff.__


===== Example Installation =====

Firewall zones isolate networks, sub-networks and individual machines from other networks and nodes. Port traffic is firewalled (blocked) across zones, subject to the policies and rules you define to manage cross zone traffic. In many situations, limiting network access to resources is handy, if not necessary; constraining infection vectors to their own zones is basic digital hygiene.

The firewall in this example is Procrustean: its policy is to cut off all traffic, and you must add rules to ACCEPT port traffic. Only the ports, networks and, if you like, machine MAC addresses explicitly allowed in the Shorewall rules file will pass traffic between zones. Most firewall policies are more relaxed than this, but such a policy makes for a good exercise and, with management, a good firewall. You can, of course, relax the Shorewall policies and rules to allow packets, then log, inspect and build DENY rules for a lighter touch. The firewall in this example has one inbound (net) port open and forwarded to a single workstation in Lan1; all other inbound net connections are dropped. Outbound connections from the Lan zones that meet the rules are passed to the net. In this example the Lan zones are firewalled from one another. You can find further instruction for a similar example in the [[http://www.shorewall.net/three-interface.htm|Shorewall documentation]].

The labels "Lan1" and "Lan2" in this example are inductive: one can add more zones, e.g. "Lan3".."LanN", using the first pair as models and editing the Shorewall configuration. The "Lan" label used in the OpenWrt configuration files (below), and its permutations ("LAN", "LAN_", etc.), is arbitrary; you may use your own naming scheme for zones, networks and SSIDs, using the example files found here as a model.

In this example scenario, two distinct groups of users need to share one OpenWrt router. One group works with secure financial data and public monies in a managed work environment with a fixed group of antivirus scanned PCs and known applications; the second group is an undisciplined, revolving public meeting group with all manner and generations of wireless devices running unknown applications, any of which may be a malware vector. This second group also requires certain streaming media access that is not allowed to the first group. Both groups share a router, firewall and internet gateway. Each group has a zone to itself, with differing rules based on those zones.

In this example the host router must be multi-SSID capable. As a demonstration, an ar71xx chip set router is set up as a single 802.11g radio with two VAP WPA2-PSK radio interfaces, two Ethernet interfaces, and a bridge from one of the radio interfaces to one of the Ethernet interfaces (LAN1+eth0), called "br-LAN1". The SSIDs are 'LAN1' and 'LAN2'. VLAN zones could be substituted for the VAPs, but that is not described here.

LAN1 in this example is the 192.168.1.0/24 net. LAN1, as a member of the firewall zone 'Lan1', allows no DHCP, nor any packets from LAN2 (Shorewall zone Lan2). This example firewall will DNAT forward a single ssh port from the "net" zone (inbound from the internet) to Lan1, and has some zone specific firewall rules and policies.

LAN2 is the 192.168.2.0/24 net. LAN2 has a DHCP server and no firewall prohibitions on the requisite ports (53, 67, 68). LAN2 is the 'Lan2' zone in Shorewall and has its own specific firewall rules and policies.

Two more Shorewall zones are defined in this example: the firewall itself ($FW) and the internet (net). Generally, connections can initiate from any zone, but most often they originate from within the Lan zones (outbound packets) or from the net zone as inbound internet packets. Policies and rules control whether traffic is permitted to cross between zones.

== Software Versions in this example ==
  * OpenWrt ATTITUDE ADJUSTMENT (12.09, r36088), using [[http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/]]
  * Shorewall-lite version 4.4.27.3, Shorewall version 4.4.11.6-3

Your versions will likely differ from the examples above; adjust as necessary to conform to your router and current software releases as you work through the steps below.

To use Shorewall with old (20130530+) OpenWrt releases (AA, etc.), one must disable the default OpenWrt UCI firewall and substitute the Shorewall-Lite package. Shorewall-Lite needs a nanny machine to compile the firewall and load it onto the OpenWrt (Shorewall-Lite host) router. The nanny manages all the configuration files and needs a network connection to load the compiled firewall onto the OpenWrt host device.


==== The Nanny Setup ====

  * In this example the nanny has the IP 192.168.1.30, but you can assign other values in the Lan1 zone.
  * Download and install Shorewall (not Shorewall-Lite) on the nanny. The nanny's Shorewall and the host's Shorewall-Lite should be the same major.minor release. Check the OpenWrt package dir, e.g. [[http://downloads.openwrt.org/attitude_adjustment/12.09/ar71xx/generic/package/]], for the available Shorewall-Lite major.minor release for your router's chip set.\\ \\ Note the "ar71xx" in the above URL: substitute your router's chip set acronym into the URL (e.g. ar7, brcm47xx, ramips) to find the correct package for your router and OpenWrt release. Conform the nanny's Shorewall release to that version.\\ \\ For general instructions see [[http://www.shorewall.net/CompiledPrograms.html]].

  * Note to Debian users: if you install using the .deb, you will find that your ''/etc/shorewall'' directory is empty. This is intentional. The released configuration file skeletons can be found on your system in ''/usr/share/doc/shorewall/default-config''. Simply copy the files you need from that directory to ''/etc/shorewall'' and modify the copies.

  * If your ''/etc/shorewall'' directory is empty after a vanilla Shorewall install, sort that out before proceeding.

  * Assert the following in the nanny's /etc/shorewall/shorewall.conf\\ <code>
CONFIG_PATH=/usr/share/shorewall
STARTUP_LOG=/var/log/shorewall-lite-init.log
</code>
  * Make the directory ~/Oexample/ and copy all the /etc/shorewall files (masq, rules, etc.) to it. This is your working directory for the OpenWrt host's firewall configuration, analogous to /etc/shorewall/. You can choose your own directory name and substitute it for ~/Oexample/. Edit these files to configure the OpenWrt host's firewall.

  * First, edit the ~/Oexample/routestopped file to add the IP address of the nanny machine, e.g. ''eth0 192.168.1.30 source,dest''.

  * Next, construct your ~/Oexample/ Shorewall files. The example below shows a file name header (init:, interfaces:, etc.) followed by the contents of that file, for each Shorewall file needed in this example. Edit your files to conform to the examples below:\\ <code>
* * * * * * * * * * * * * * * * * *   B E G I N    S H O R E W A L L    C O N F I G     F I L E S    * * * * * * * * * * * * * * * * * * * *
init:
# Use this file to set the machine state before the firewall starts,
# e.g. to assure that the internet interface is ready,
# or to set static routes and the like. It is very handy to have a common system across the networks to assign routes.
#
# Example: uncomment the ## lines below to delay Shorewall while a tardy DSL gateway negotiates its IP,
# and to assert static routes through .1.7 to .5.0, .50.0 and .51.0
#
# example workaround: DSL not up before the firewall starts
##/sbin/ifup ppp0
##sleep 5
# example static routes (add a system of networks, using .1.7 as their gateway)
##route add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.1.7
##route add -net 192.168.50.0 netmask 255.255.255.0 gw 192.168.1.7
##route add -net 192.168.51.0/24 gw 192.168.1.7
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

interfaces:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth1
lan1    br-LAN1
lan2    wlan0-1

masq:
#INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
#                                                                                       GROUP
eth1            br-LAN1
eth1            wlan0-1

policy:
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
$FW     net     DROP            info
lan1    all     REJECT          info
lan2    all     REJECT          info
net     all     DROP
all     all     DROP

routestopped:
#INTERFACE      HOST(S)                 OPTIONS         PROTO   DEST    SOURCE
#                                                               PORT(S) PORT(S)
br-LAN1         192.168.1.3             source,dest

rules:
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#ACTION SOURCE  DEST                    PROTO   DEST            # comment
#                                               PORT(S)

#ftp: fw to net (for updates, uncomment only as needed)
##ACCEPT        $FW     net     tcp     ftp
#http, https: fw to net (blocked outbound)
##ACCEPT        $FW     net     tcp     http
##ACCEPT        $FW     net     tcp     https

ACCEPT  lan1    net                     tcp     82              # XFER Utility (TCP/UDP)
DNAT    net     lan1:192.168.1.3:22     tcp     53260           # inbound ssh on oddball port (53260), bound to a single machine
ACCEPT  lan1    net                     tcp     53260           # outbound nanny ssh, also on oddball port

# Put the streaming rules first for lower latency
ACCEPT  lan1    net     tcp     554             # realaudio, outbound tcp
ACCEPT  lan1    net     tcp     7070            # realaudio, outbound tcp
ACCEPT  lan1    net     tcp     7071            # realaudio
ACCEPT  lan1    net     tcp     8080            # realaudio, outbound tcp
ACCEPT  lan1    net     tcp     8081            # realaudio
ACCEPT  lan1    net     tcp     rtsp            # realaudio, outbound call
ACCEPT  lan2    net     tcp     554             # realaudio, outbound tcp
ACCEPT  lan2    net     tcp     7070            # realaudio, outbound tcp
ACCEPT  lan2    net     tcp     7071            # realaudio
ACCEPT  lan2    net     tcp     8080            # realaudio, outbound tcp
ACCEPT  lan2    net     tcp     8081            # realaudio
ACCEPT  lan2    net     tcp     rtsp            # realaudio, outbound call
ACCEPT  lan1    net     tcp     8000:8003       # realaudio, outbound tcp
ACCEPT  lan1    net     udp     8000:8003       # realaudio, outbound udp
ACCEPT  lan2    net     tcp     8000:8003       # realaudio, outbound tcp
ACCEPT  lan2    net     udp     8000:8003       # realaudio, outbound udp
ACCEPT  lan1    net     tcp     1755            # windowsmedia
#ACCEPT net     lan1    tcp     1755            # windowsmedia
ACCEPT  lan2    net     tcp     1755            # windowsmedia
#ACCEPT net     lan2    tcp     1755            # windowsmedia
ACCEPT  lan1    net     udp     53              # dns
ACCEPT  lan1    net     tcp     53              # dns
ACCEPT  lan2    net     udp     53              # dns
ACCEPT  lan2    net     tcp     53              # dns
ACCEPT  lan1    $FW     tcp     53              # dns
ACCEPT  lan1    $FW     udp     53              # dns
ACCEPT  lan2    $FW     tcp     53              # dns
ACCEPT  lan2    $FW     udp     53              # dns
ACCEPT  $FW     net     tcp     53              # dns
ACCEPT  $FW     net     udp     53              # dns
ACCEPT  $FW     lan1    tcp     53              # dns
ACCEPT  $FW     lan1    udp     53              # dns
ACCEPT  $FW     lan2    tcp     53              # dns
ACCEPT  $FW     lan2    udp     53              # dns
#ACCEPT lan1    net     udp     67:68           # dhcp
#ACCEPT lan2    net     udp     67:68           # dhcp
ACCEPT  lan1    $FW     udp     67:68           # dhcp
ACCEPT  lan2    $FW     udp     67:68           # dhcp
ACCEPT  $FW     net     udp     67:68           # dhcp
ACCEPT  $FW     lan1    udp     67:68           # dhcp
ACCEPT  $FW     lan2    udp     67:68           # dhcp

# smb: lan1 <-> $FW
ACCEPT  lan1    $FW     tcp     137:139         # Enable SMB on LAN1
ACCEPT  lan1    $FW     tcp     443             # http protocol over TLS/SSL
ACCEPT  $FW     lan1    tcp     137:139         # Enable SMB on LAN1
ACCEPT  $FW     lan1    tcp     443             # http protocol over TLS/SSL
# smb: lan2 <-> $FW (disabled)
#ACCEPT lan2    $FW     tcp     137:139         # Enable SMB on LAN2
#ACCEPT lan2    $FW     tcp     443             # http protocol over TLS/SSL
#ACCEPT $FW     lan2    tcp     137:139         # Enable SMB on LAN2
#ACCEPT $FW     lan2    tcp     443             # http protocol over TLS/SSL

#web: outbound (lan to net): http, https, ssh, ftp, nntp, time, imap
ACCEPT  lan1    net     tcp     http
ACCEPT  lan1    net     tcp     https
ACCEPT  lan1    net     tcp     443             # http protocol over TLS/SSL
ACCEPT  lan1    net     tcp     ssh
ACCEPT  lan1    net     tcp     ftp
ACCEPT  lan1    net     tcp     nntp
ACCEPT  lan1    net     tcp     37              # time protocol (timesync)
ACCEPT  lan1    net     tcp     imap
ACCEPT  lan2    net     tcp     http
ACCEPT  lan2    net     tcp     https
ACCEPT  lan2    net     tcp     443
ACCEPT  lan2    net     tcp     ssh
ACCEPT  lan2    net     tcp     ftp
ACCEPT  lan2    net     tcp     nntp
ACCEPT  lan2    net     tcp     37
ACCEPT  lan2    net     tcp     imap
ACCEPT  lan1    net     udp     http
ACCEPT  lan1    net     udp     https
ACCEPT  lan1    net     udp     443
ACCEPT  lan1    net     udp     ssh
ACCEPT  lan1    net     udp     37
ACCEPT  lan1    net     udp     imap
ACCEPT  lan2    net     udp     http
ACCEPT  lan2    net     udp     https
ACCEPT  lan2    net     udp     443
ACCEPT  lan2    net     udp     ssh
ACCEPT  lan2    net     udp     37
ACCEPT  lan2    net     udp     imap
#ACCEPT lan1    net     tcp     6667            # irc
#ACCEPT lan1    net     udp     6667            # irc
ACCEPT  lan2    net     tcp     6667            # irc
ACCEPT  lan2    net     udp     6667            # irc

ACCEPT  lan1    net     tcp     993             # imap4 protocol over TLS/SSL (TCP/UDP)
ACCEPT  lan1    net     udp     993

ACCEPT  lan1    net     tcp     11371           # OpenPGP HTTP key server
ACCEPT  lan1    net     udp     11371           # OpenPGP HTTP key server
ACCEPT  lan1    net     tcp     6420            # OpenPGP HTTP key server
ACCEPT  lan1    net     udp     6420            # OpenPGP HTTP key server
ACCEPT  lan1    net     udp     123             # check time (ntp)
ACCEPT  lan1    net     tcp     123             # check time (ntp)
ACCEPT  lan2    net     udp     123             # check time (ntp)
ACCEPT  lan2    net     tcp     123             # check time (ntp)
ACCEPT  $FW     net     udp     123             # check time (ntp)
ACCEPT  $FW     net     tcp     123             # check time (ntp)

#mail
#ACCEPT $FW     net     tcp     pop3
ACCEPT  lan1    net     tcp     pop3
ACCEPT  lan2    net     tcp     pop3
#ACCEPT $FW     net     tcp     smtp
ACCEPT  lan1    net     tcp     smtp
ACCEPT  lan2    net     tcp     smtp
#fw mail IP when chg rqrs port 25
#ACCEPT $FW     net     tcp     25
#ACCEPT $FW     net     tcp     80
#ACCEPT $FW     net     udp     80
DROP    $FW     net     tcp     80              # explicitly kill $FW outbound to net on port 80
DROP    $FW     net     udp     80
DROP    net     $FW     tcp     80
DROP    net     $FW     udp     80
#mail

#authent (ident)
DROP    net     $FW     tcp     113
#ACCEPT net     $FW     tcp     113

#ping: fw to lanx, lanx to net & fw
ACCEPT  $FW     lan1    icmp    8
ACCEPT  $FW     lan2    icmp    8
ACCEPT  lan1    $FW     icmp    8
ACCEPT  lan2    $FW     icmp    8
ACCEPT  lan1    net     icmp    8
ACCEPT  lan2    net     icmp    8

ACCEPT  $FW     net     tcp     ssh             # Enable FW to SSH out
ACCEPT  $FW     net     udp     ssh

# ssh: lan1 to/from fw on std ports
ACCEPT  $FW     lan1    tcp     ssh
ACCEPT  $FW     lan1    udp     ssh
ACCEPT  lan1    $FW     tcp     ssh
ACCEPT  lan1    $FW     udp     ssh

# httpd/s on fw visible only to lan1
ACCEPT  lan1    $FW     tcp     http
ACCEPT  lan1    $FW     udp     http
ACCEPT  lan1    $FW     tcp     https
ACCEPT  lan1    $FW     udp     https

#==============================================================
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


zones:
#ZONE   TYPE            OPTIONS
fw      firewall
net     ipv4            #Internet
lan1    ipv4
lan2    ipv4

shorewall.conf:
Largely default, though you may need to set the startup variable to 1.
* * * * * * * * * * * * * * * * * *   E O F    S H O R E W A L L    C O N F I G     F I L E S    * * * * * * * * * * * * * * * * * * * * * *
</code>
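To check what the policy and rules files above actually permit before loading them onto the router, here is an added example (not code from this page or from the Shorewall project) that walks constructed excerpts of those two files in Shorewall's evaluation order: first matching rule wins, otherwise the first matching policy line decides. The excerpt contents and the SERVICES name table are assumptions; the table stands in for the /etc/services lookup Shorewall performs.

```python
"""Zone policy walker for the Shorewall policy/rules layout used above.

Added example, not from the page or the Shorewall project. It parses the two
files and answers "what happens to a NEW connection from zone A to zone B on
proto/port?" in Shorewall's order: the first matching rule wins, otherwise the
first matching policy line applies. SERVICES stands in for /etc/services.
"""
from dataclasses import dataclass

# Constructed excerpt of the page's policy file (SOURCE DEST POLICY LOG).
POLICY_TEXT = """\
#SOURCE DEST    POLICY  LOG
$FW     net     DROP    info
lan1    all     REJECT  info
lan2    all     REJECT  info
net     all     DROP
all     all     DROP
"""

# Constructed excerpt of the page's rules file (ACTION SOURCE DEST PROTO DPORT).
RULES_TEXT = """\
SECTION NEW
DNAT    net     lan1:192.168.1.3:22     tcp     53260   # inbound ssh, oddball port
ACCEPT  lan1    net     tcp     53260                   # nanny ssh out, same port
ACCEPT  lan1    net     tcp     8000:8003               # realaudio port range
ACCEPT  lan1    net     udp     53      -   -   -   -   # dns, with filler columns
ACCEPT  lan1    $FW     tcp     ssh                     # service name, not a number
DROP    $FW     net     tcp     80                      # fw never browses out
ACCEPT  lan2    net     tcp     6667                    # irc, lan2 only
"""

# Assumed service-name table (Shorewall resolves these via /etc/services).
SERVICES = {"ssh": 22, "http": 80, "https": 443, "ftp": 21, "smtp": 25,
            "pop3": 110, "imap": 143, "nntp": 119, "rtsp": 554}

@dataclass
class Rule:
    action: str  # ACCEPT, DROP, REJECT, DNAT, ...
    src: str     # zone name, "$FW" or "all"
    dst: str     # zone name (DNAT: "zone:addr:port"), "$FW" or "all"
    proto: str   # "tcp", "udp", "icmp" or "-" for any
    dport: str   # "-", "22", "ssh", "8000:8003" or "80,443"

def _clean(line):
    # Drop a trailing '# comment' and surrounding whitespace.
    return line.split("#", 1)[0].strip()

def parse_policy(text):
    """Policy lines act as catch-all rules: any protocol, any port."""
    out = []
    for line in text.splitlines():
        line = _clean(line)
        if line:
            src, dst, policy = line.split()[:3]
            out.append(Rule(policy.upper(), src, dst, "-", "-"))
    return out

def parse_rules(text):
    out = []
    for line in text.splitlines():
        line = _clean(line)
        if not line or line.upper().startswith("SECTION"):
            continue
        f = line.split()
        proto = f[3].lower() if len(f) > 3 else "-"
        dport = f[4] if len(f) > 4 else "-"
        out.append(Rule(f[0].upper(), f[1], f[2], proto, dport))
    return out

def port_matches(spec, port):
    """Match a DEST PORT(S) entry: '-', a number, a name, lo:hi, or a list."""
    if spec == "-":
        return True
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif item.isdigit() and int(item) == port:
            return True
        elif SERVICES.get(item.lower()) == port:
            return True
    return False

def _zone_matches(spec, zone):
    """'lan1:192.168.1.3:22' refers to zone lan1; 'all' matches every zone."""
    return spec == "all" or spec.split(":", 1)[0] == zone

def evaluate(rules, policies, src, dst, proto, port):
    """Return (verdict, matched entry) for a NEW connection src -> dst."""
    for r in rules:                      # rules file: first match wins
        if (_zone_matches(r.src, src) and _zone_matches(r.dst, dst)
                and r.proto in ("-", proto) and port_matches(r.dport, port)):
            return r.action, r
    for p in policies:                   # nothing matched: policy decides
        if _zone_matches(p.src, src) and _zone_matches(p.dst, dst):
            return p.action, p
    raise LookupError("no policy covers %s -> %s" % (src, dst))

RULES = parse_rules(RULES_TEXT)
POLICIES = parse_policy(POLICY_TEXT)
```

Paste the full rules file into RULES_TEXT to confirm, for instance, that no ACCEPT pairs lan1 with lan2 and that the only net-to-lan1 entry is the 53260/tcp DNAT.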


==== The OpenWrt Host Setup ====
  * Set up the OpenWrt host. See the [[:toh:start|Table of Hardware]] for your specific hardware, and flash the OpenWrt host router. Use UCI/LuCI (-> [[doc:uci]]) to set up IP addressing on the router as below:

<code>
Wan      192.168.11.1
Lan      192.168.10.1
LAN_1    192.168.13.1
LAN_2    192.168.2.1
br-LAN1  192.168.1.1
</code>

<code>
* * * * * * * * * * * * * * * * * *   B E G I N    O P E N W R T    C O N F I G     F I L E S    * * * * * * * * * * * * * * * * * * * * * *
# Working configs to boot up the OpenWrt router with AA 12.09
Interfaces defined by LuCI (ifconfig output):
br-LAN1   Link encap:Ethernet  HWaddr 00:26:5A:D2:33:77
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:513 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:64859 (63.3 KiB)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 00:26:5A:D2:33:77
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:248895 errors:0 dropped:0 overruns:0 frame:0
          TX packets:232281 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:36434590 (34.7 MiB)  TX bytes:21143615 (20.1 MiB)
          Interrupt:5

eth1      Link encap:Ethernet  HWaddr 00:26:5A:D2:33:76
          inet addr:192.168.11.1  Bcast:192.168.11.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:4

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1277856 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1277856 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:86894208 (82.8 MiB)  TX bytes:86894208 (82.8 MiB)

wlan0     Link encap:Ethernet  HWaddr 00:26:5A:D2:33:76
          inet addr:192.168.13.1  Bcast:192.168.13.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 B)  TX bytes:192 (192.0 B)

wlan0-1   Link encap:Ethernet  HWaddr 02:26:5A:D2:33:77
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 B)  TX bytes:420 (420.0 B)


Firewall:
# <===== These settings are temporary and will be overwritten when Shorewall-lite loads.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option network 'lan' 'LAN_1' 'LAN_2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option network 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config include
        option path '/etc/firewall.user'

Wireless:
config wifi-device 'radio0'
        option type 'mac80211'
        option macaddr '00:26:5a:d2:43:71'
        option hwmode '11ng'
        option htmode 'HT20'
        list ht_capab 'SHORT-GI-40'
        list ht_capab 'TX-STBC'
        list ht_capab 'RX-STBC1'
        list ht_capab 'DSSS_CCK-40'
        option channel '1'
        option txpower '20'
        option country 'US'

config wifi-iface
        option device 'radio0'
        option encryption 'psk2'
        option mode 'ap'
        option key 'ThisIsSupposedToBeASecretPassphrase'
        option ssid 'LAN1'
        option network 'LAN_1'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'LAN2'
        option network 'LAN_2'
        option encryption 'psk2'
        option key 'ThisOneIsAlsoSupposedToBeASecret'

network:
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'

config switch
        option name 'eth0'
        option reset '1'

config switch_vlan
        option device 'eth0'
        option vlan '1'
        option ports '0 1 2 3 4'
        option vid '1'

config interface 'LAN_1'
        option proto 'static'
        option ifname 'wlan0'
        option ipaddr '192.168.13.1'
        option netmask '255.255.255.0'

config interface 'LAN_2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option _orig_ifname 'wlan0'
        option _orig_bridge 'false'

config interface 'all_COM'
        option type 'bridge'
        option proto 'static'
        option ifname 'eth0'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # <= ASSIGN YOUR ISP's DNS HERE
        option dns '123.231.132.213'

System:
config system
        option hostname 'COM_ap'
        option zonename 'UTC'
        option timezone 'GMT0'
        option conloglevel '8'
        option cronloglevel '8'

config timeserver 'ntp'
        list server '0.OpenWrt.pool.ntp.org'
        list server '1.OpenWrt.pool.ntp.org'
        list server '2.OpenWrt.pool.ntp.org'
        list server '3.OpenWrt.pool.ntp.org'
        option enable_server '1'

config led 'led_wan'
        option name 'WAN'
        option sysfs 'd-link:green:wan'
        option trigger 'netdev'
        option dev 'eth1'
        option mode 'link tx rx'

config led 'led_lan1'
        option name 'LAN1'
        option sysfs 'd-link:green:lan1'
        option trigger 'switch0'
        option port_mask '0x02'

config led 'led_lan2'
        option name 'LAN2'
        option sysfs 'd-link:green:lan2'
        option trigger 'switch0'
        option port_mask '0x04'

config led 'led_lan3'
        option name 'LAN3'
        option sysfs 'd-link:green:lan3'
        option trigger 'switch0'
        option port_mask '0x08'

config led 'led_lan4'
        option name 'LAN4'
        option sysfs 'd-link:green:lan4'
        option trigger 'switch0'
        option port_mask '0x10'
* * * * * * * * * * * * * * * * * *   E O F    O P E N W R T    C O N F I G     F I L E S    * * * * * * * * * * * * * * * * * * * * * *
</code>


 +  * Install the shorewall-lite IPK on the OpenWrt router (e.g. ''shorewall-lite_4.4.27.3-4_ar71xx.ipk''). This works best from the command line: ''opkg update; opkg install shorewall-lite''.
 +
 +  * Have both the nanny and the OpenWrt router up, running and networked.
 +
 +  * Check the OpenWrt router's ''/etc/config/dropbear'' file to make sure the interface listed there is valid; ''uci show dropbear'' lists the settings:\\ <code>
 +uci show dropbear
 +      option PasswordAuth 'on'
 +      option Port '22'
 +      option Interface 'br-LAN1'
 +</code> Edit ''/etc/config/dropbear'' to repair it as needed, then run ''uci commit'' when done.
 +
 +  * On the OpenWrt router, create the Shorewall capabilities file and copy it to the nanny:\\ <code>
 +cd /usr/share/shorewall-lite
 +./shorecap >/tmp/capabilities
 +scp /tmp/capabilities [your nanny login]@192.168.1.30:~/Oexample/.
 +</code>
 +  * Check the work, and sort out your recovery route (failsafe mode, etc.) in case you need it.
 +
 +  * Use the UCI/LuCI interface System/Startup/initscripts to stop the router from starting the OpenWrt firewall on boot. As an alternative suited to failsafe-mode recovery, you can go into the OpenWrt router's ''/etc/init.d'' directory and move the firewall script to, say, ''../firewall.initd''; restore it to ''/etc/init.d/firewall'' whenever you want the OpenWrt firewall back.
 +
 +  * Shorewall's reporting commands call ''tac'', which the OpenWrt BusyBox build typically lacks; to avoid the resulting error, create the file ''/usr/sbin/tac'' (and make it executable with ''chmod +x /usr/sbin/tac'') as:\\ <code>
 +#!/bin/sh
 +# Minimal tac replacement: print a file (or stdin) last line first.
 +# grep numbers the lines, sort reverses them, cut strips the numbers again.
 +if [ $# -gt 0 ]; then
 +  grep -n '^' "$1" | sort -r -n | cut -d: -f2-
 +else
 +  grep -n '^' | sort -r -n | cut -d: -f2-
 +fi
 +</code>
 +
 +  * On the nanny, run:\\ <code>
 +cd ~/Oexample
 +/sbin/shorewall load 192.168.1.1
 +</code> where 192.168.1.1 is the OpenWrt router's IP address. You will need to fix compiler errors and enter passwords until the command succeeds; the compiled firewall is then copied to and started on the OpenWrt router. To test it from the install session, use the ''shorewall-lite status'' and ''shorewall-lite dump'' commands on the OpenWrt router, and send test packets to/from each zone. When you restart the OpenWrt router, the connections of the previous session are lost. NB: you can readily lock yourself out editing the policies in this example, but that's the point of a firewall. Failsafe mode will allow you to ''mount_root'' and hand-edit the ''/etc'' files. Revert to the OpenWrt firewall and reboot to revise and reload your Shorewall-lite settings.
 +
 +  * When things are right, you will see something like this:\\ <code>
 +root@192.168.1.1's password: 
 +root@192.168.1.1's password: 
 +Compiling...
 +Processing ~/Oexample/params ...
 +Processing ~/Oexample/shorewall.conf...
 +   WARNING: Unknown capability (RAWPOST_TABLE) ignored : ~/Oexample/capabilities (line 26)
 +   WARNING: Unknown capability (ULOG_TARGET) ignored : ~/Oexample/capabilities (line 50)
 +   WARNING: Unknown capability (NFLOG_TARGET) ignored : ~/Oexample/capabilities (line 51)
 +   WARNING: Unknown capability (CONDITION_MATCH) ignored : ~/Oexample/capabilities (line 61)
 +   WARNING: Unknown capability (IPTABLES_S) ignored : ~/Oexample/capabilities (line 62)
 +   WARNING: Unknown capability (BASIC_FILTER) ignored : ~/Oexample/capabilities (line 63)
 +   WARNING: Unknown capability (CT_TARGET) ignored : ~/Oexample/capabilities (line 64)
 +Compiling ~/Oexample/zones...
 +Compiling ~/Oexample/interfaces...
 +Determining Hosts in Zones...
 +Locating Action Files...
 +Compiling /usr/share/shorewall/action.Drop for chain Drop...
 +Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
 +Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
 +Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
 +Compiling /usr/share/shorewall/action.Reject for chain Reject...
 +Compiling ~/Oexample/policy...
 +Running ~/Oexample/initdone...
 +Compiling Kernel Route Filtering...
 +Compiling Martian Logging...
 +Compiling ~/Oexample/masq...
 +   WARNING: Using an interface as the masq SOURCE requires the interface to be up and configured when Shorewall starts/restarts : ~/Oexample/masq (line 12)
 +Compiling MAC Filtration -- Phase 1...
 +Compiling ~/Oexample/rules...
 +Compiling MAC Filtration -- Phase 2...
 +Applying Policies...
 +Generating Rule Matrix...
 +Creating iptables-restore input...
 +Compiling ~/Oexample/routestopped...
 +Shorewall configuration compiled to ~/Oexample/firewall
 +Copying ~/Oexample/firewall and ~/Oexample/firewall.conf to 192.168.1.1:/etc/shorewall-lite/state...
 +root@192.168.1.1's password: 
 +firewall                                      100%   69KB  69.3KB/s   00:00
 +firewall.conf                                 100%  981     1.0KB/s   00:00
 +Copy complete
 +root@192.168.1.1's password: 
 +System 192.168.1.1 loaded
 +</code>
 +
 +  * Shorewall-lite is now running. Use the UCI/LuCI interface System/Startup/initscripts to enable ''shorewall-lite'' at boot.
 +
 +  * To change any of the rules, zones, or other Shorewall settings on the OpenWrt router, revise the files in ~/Oexample and run the above ''shorewall load'' command again. If the capabilities of the OpenWrt router change, rerun ''/usr/share/shorewall-lite/shorecap'' on the router, copy the resulting file to the nanny with scp again, and re-run ''shorewall load''.
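The load step is where a wrong policy order or a missing routestopped entry locks you out of the router, so it pays to check the configuration directory before running ''shorewall load''. The following is an added example, not code from this page or from Shorewall; it assumes the ~/Oexample layout used above (''policy'', ''routestopped'', ''capabilities'') and that SSH reaches the router on ''br-lan''.

```python
"""Pre-flight checks on a Shorewall configuration directory before 'shorewall load'
(added example, not part of the page or of Shorewall). It guards against the
lock-out the text warns about: the catch-all DROP policy must come last, the
routestopped table must keep SSH on the LAN bridge open while the firewall is
stopped, and the capabilities file produced by shorecap must be present."""
import os
import tempfile

def rows(path):
    """Non-comment, non-blank lines of a Shorewall table, split into columns."""
    with open(path) as f:
        return [l.split() for l in f if l.strip() and not l.lstrip().startswith("#")]

def check_config(confdir, lan_if="br-lan"):
    """Return a list of findings; an empty list means it is safe to load."""
    findings = []
    policy = rows(os.path.join(confdir, "policy"))
    if not policy or policy[-1][:3] not in (["all", "all", "DROP"], ["all", "all", "REJECT"]):
        findings.append("policy: last entry must be 'all all DROP' (or REJECT)")
    if any(p[:3] == ["all", "all", "ACCEPT"] for p in policy):
        findings.append("policy: 'all all ACCEPT' leaves every zone open")
    stopped = rows(os.path.join(confdir, "routestopped"))
    if not any(r[0] == lan_if and len(r) > 4 and r[3] == "tcp" and "22" in r[4].split(",")
               for r in stopped):
        findings.append(f"routestopped: no 'tcp 22' entry for {lan_if}; "
                        "SSH is cut off whenever the firewall is stopped")
    if not os.path.isfile(os.path.join(confdir, "capabilities")):
        findings.append("capabilities: missing; run shorecap on the router and copy it here")
    return findings

def make_dir(policy, routestopped, with_caps=True):
    """Write a constructed sample directory (stand-in for ~/Oexample) and return its path."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "policy"), "w") as f:
        f.write(policy)
    with open(os.path.join(d, "routestopped"), "w") as f:
        f.write(routestopped)
    if with_caps:
        open(os.path.join(d, "capabilities"), "w").close()
    return d

# The page's policy table, and a broken variant with the catch-all DROP no longer last.
GOOD_POLICY = "$FW all ACCEPT\nlan wan ACCEPT\n# THE FOLLOWING POLICY MUST BE LAST\nall all DROP info\n"
BAD_POLICY = "all all DROP info\n$FW all ACCEPT\nlan wan ACCEPT\n"

if __name__ == "__main__":
    print(check_config(make_dir(GOOD_POLICY, "br-lan - - tcp 22\n")))       # []
    print(check_config(make_dir(BAD_POLICY, "br-lan - - udp 53\n", False)))
```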
 +
 +Shorewall documentation:
 +  * [[http://www.shorewall.net/|http://www.shorewall.net/]]
 +  * [[http://www.shorewall.net/GettingStarted.html|http://www.shorewall.net/GettingStarted.html]]
 +  * [[http://www.shorewall.net/Documentation_Index.html|http://www.shorewall.net/Documentation_Index.html]]
 +  * [[http://www.shorewall.net/configuration_file_basics.html|http://www.shorewall.net/configuration_file_basics.html]]
 +  * [[http://www.shorewall.net/Notices.html|http://www.shorewall.net/Notices.html]]
 +  * [[http://www.shorewall.net/starting_and_stopping_shorewall.htm|http://www.shorewall.net/starting_and_stopping_shorewall.htm]], see especially "Shorewall State Diagram".
 +
 +{{tag>wip}}
 +
 +==== Complete example with QoS ====
 +
 +=== Introduction ===
 +
 +In this section you will find a complete example of a working firewall configuration on OpenWrt using shorewall-lite.
 +
 +== Setup ==
 +
 +In this example the host is a Debian Wheezy box with shorewall 4.5.5.3-3 (Debian version). The target is a TP-Link WDR3600 with BARRIER BREAKER (Bleeding Edge, r38408).
 +
 +Goals:
 +  * manage the router's QoS configuration with shorewall.
 +
 +In this setup we assume a working OpenWrt configuration, so we will focus on the firewall configuration only.
 +
 +== Required packages ==
 +
 +The following additional packages were used in the setup:
 +  * conntrack-tools
 +  * kmod-ipt-nathelper-extra
 +  * shorewall-lite
 +  * kmod-sched
 +  * iptables-mod-extra
 +
 +=== Shorewall setup on the host ===
 +This setup works for me. Please adapt to your needs.
 +
 +When satisfied, disable the built-in firewall and enable shorewall-lite.
 +
 +== zones ==
 +<code>
 +fw firewall
 +lan ipv4
 +wan ipv4
 +</code>
 +
 +== interfaces ==
 +<code>
 +wan eth0.2 detect dhcp
 +lan br-lan X.X.X.X routeback,bridge,dhcp
 +</code>
 +
 +== policy ==
 +<code>
 +$FW all ACCEPT
 +lan wan ACCEPT
 +# THE FOLLOWING POLICY MUST BE LAST
 +all all DROP info
 +</code>
 +
 +== masq ==
 +<code>
 +eth0.2 X.X.X.X/Y detect
 +</code>
 +
 +== routestopped ==
 +<code>
 +br-lan - - tcp 22
 +</code>
 +
 +== rules ==
 +<code>
 +SSH(ACCEPT) all $FW
 +HTTP(ACCEPT) all $FW
 +NTP(ACCEPT) all $FW
 +ACCEPT all $FW udp domain,mdns
 +ACCEPT all $FW tcp domain,mdns
 +ACCEPT lan wan udp sip
 +ACCEPT lan wan tcp sip
 +ACCEPT all $FW icmp echo-request
 +ACCEPT all $FW icmp echo-reply
 +ACCEPT lan wan icmp
 +</code>
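The zones, policy and rules tables above are short, but it is easy to misread what ''all $FW'' covers. The following added example (not code from this page or from Shorewall) evaluates sample packets against those three tables; the SSH/HTTP/NTP macro expansions and the service-name-to-port mapping are assumptions stated in the code, and the result shows that SSH and HTTP to the router are accepted from wan as well as from lan.

```python
"""Evaluate packets against the zones/policy/rules tables above (added example, not Shorewall
code). Only what those tables use is modelled: the SSH/HTTP/NTP macros, ACCEPT/DROP, $FW, 'all'."""
import re

# Constructed copies of the page's three tables.
ZONES = "fw firewall\nlan ipv4\nwan ipv4\n"
POLICY = "$FW all ACCEPT\nlan wan ACCEPT\n# THE FOLLOWING POLICY MUST BE LAST\nall all DROP info\n"
RULES = """SSH(ACCEPT) all $FW
HTTP(ACCEPT) all $FW
NTP(ACCEPT) all $FW
ACCEPT all $FW udp domain,mdns
ACCEPT all $FW tcp domain,mdns
ACCEPT lan wan udp sip
ACCEPT lan wan tcp sip
ACCEPT all $FW icmp echo-request
ACCEPT all $FW icmp echo-reply
ACCEPT lan wan icmp
"""
# Assumed macro expansions, and the /etc/services names the rules use.
MACROS = {"SSH": ("tcp", "22"), "HTTP": ("tcp", "80"), "NTP": ("udp", "123")}
PORTS = {"domain": 53, "mdns": 5353, "sip": 5060, "echo-request": 8, "echo-reply": 0}

def rows(text):
    """Table lines split into columns; comment and blank lines dropped."""
    return [l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")]

ZONE_TYPES = dict(r[:2] for r in rows(ZONES))                       # zone name -> type
FW = next(z for z, t in ZONE_TYPES.items() if t == "firewall")      # the zone $FW denotes

def zone_match(pattern, z):
    return pattern == "all" or (FW if pattern == "$FW" else pattern) == z

def port_match(spec, port):
    return spec == "-" or port in {int(PORTS.get(p, p)) for p in spec.split(",")}

def evaluate(src, dst, proto, port=0):
    # First matching rule wins; otherwise the first matching policy applies.
    if not {src, dst} <= set(ZONE_TYPES): raise ValueError(f"unknown zone in {src}->{dst}")
    for r in rows(RULES):
        m = re.fullmatch(r"(\w+)\((\w+)\)", r[0])
        if m:                                   # macro supplies protocol and port
            action, (rproto, rports) = m.group(2), MACROS[m.group(1)]
        else:
            action, rproto, rports = r[0], r[3], (r[4] if len(r) > 4 else "-")
        if (zone_match(r[1], src) and zone_match(r[2], dst)
                and rproto == proto and port_match(rports, port)):
            return action
    for p in rows(POLICY):
        if zone_match(p[0], src) and zone_match(p[1], dst):
            return p[2]
    return "DROP"
```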
 +
 +== tcpri ==
 +<code>
 +COMMENT email traffic
 +3 tcp 143,220,993,110,995
 +COMMENT http traffic
 +2 tcp 80
 +COMMENT https traffic
 +2 tcp 443
 +COMMENT ssh traffic
 +2 tcp 22
 +COMMENT openvpn traffic
 +2 tcp 1194
 +COMMENT fast ping
 +1 icmp echo-reply
 +1 icmp echo-request
 +COMMENT dns traffic
 +1 udp 53,5353
 +COMMENT ntp traffic
 +1 udp 123
 +COMMENT SIP traffic
 +1 udp 5060 - - sip
 +1 tcp 5060 - - sip
 +</code>
 +
 +== tcinterfaces ==
 +<code>
 +eth0.2 external 80mbit:90mbit 80mbit:90mbit:10ms
 +</code>
 +
 +== tcrules ==
 +<code>
 +COMMENT SIP traffic
 +1:CT       0.0.0.0/0 0.0.0.0/0 udp 5060 - - - - - - sip
 +1:CT       0.0.0.0/0 0.0.0.0/0 tcp 5060 - - - - - - sip
 +
 +COMMENT check and restore connection marks to packets
 +RESTORE:T  0.0.0.0/0 0.0.0.0/0 all  -  -  -  0
 +CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all  -  -  -  !0:C
 +
 +COMMENT save connection marks
 +SAVE:T     0.0.0.0/0 0.0.0.0/0 all  -  -  -  !0
 +</code>