File: //usr/share/shorewall/configfiles/tunnels.annotated
#
# Shorewall -- /etc/shorewall/tunnels
#
# For information about entries in this file, type "man shorewall-tunnels"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-tunnels.html
#
###############################################################################
#
# The tunnels file is used to define rules for encapsulated (usually encrypted)
# traffic to pass between the Shorewall system and a remote gateway. Traffic
# flowing through the tunnel is handled using the normal zone/policy/rule
# mechanism. See http://www.shorewall.net/VPNBasics.html for details.
#
# The columns in the file are as follows.
#
# TYPE - {ipsec[:{noah|ah}]|ipsecnat|ipip|gre|l2tp|pptpclient|pptpserver|?COMMENT
# |{openvpn|openvpnclient|openvpnserver}[:{tcp|udp}][:port]|generic:protocol[
# :port]}
#
# Types are as follows:
#
# 6to4 or 6in4 - 6to4 or 6in4 tunnel. The 6in4 synonym was added in 4.4.24.
# ipsec - IPv4 IPSEC
# ipsecnat - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
# ipip - IPv4 encapsulated in IPv4 (Protocol 4)
# gre - Generalized Routing Encapsulation (Protocol 47)
# l2tp - Layer 2 Tunneling Protocol (UDP port 1701)
# pptpclient - PPTP Client runs on the firewall
# pptpserver - PPTP Server runs on the firewall
# openvpn - OpenVPN in point-to-point mode
# openvpnclient - OpenVPN client runs on the firewall
# openvpnserver - OpenVPN server runs on the firewall
# generic - Other tunnel type
# tinc - TINC (added in Shorewall 4.6.6)
#
# If the type is ipsec, it may be followed by :ah to indicate that the
# Authentication Headers protocol (51) is used by the tunnel (the default is
# :noah which means that protocol 51 is not used). NAT traversal is only
# supported with ESP (protocol 50) so ipsecnat tunnels don't allow the ah
# option (ipsecnat:noah may be specified but is redundant).
#
# If type is openvpn, openvpnclient or openvpnserver it may optionally be
# followed by ":" and tcp or udp to specify the protocol to be used. If not
# specified, udp is assumed.
#
# If type is openvpn, openvpnclient or openvpnserver it may optionally be
# followed by ":" and the port number used by the tunnel. if no ":" and port
# number are included, then the default port of 1194 will be used. . Where
# both the protocol and port are specified, the protocol must be given first
# (e.g., openvpn:tcp:4444).
#
# If type is generic, it must be followed by ":" and a protocol name (from /
# etc/protocols) or a protocol number. If the protocol is tcp or udp (6 or
# 17), then it may optionally be followed by ":" and a port number.
#
# Comments may be attached to Netfilter rules generated from entries in this
# file through the use of /COMMENT lines. These lines begin with ?COMMENT;
# the remainder of the line is treated as a comment which is attached to
# subsequent rules until another ?COMMENT line is found or until the end of
# the file is reached. To stop adding comments to rules, use a line
# containing only ?COMMENT.
#
# Note
#
# Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and is
# preferred.
#
# ZONE - zone
#
# The zone of the physical interface through which tunnel traffic passes.
# This is normally your internet zone.
#
# GATEWAY(S) (gateway or gateways) - address-or-range [ , ... ]
#
# The IP address of the remote tunnel gateway. If the remote gateway has no
# fixed address (Road Warrior) then specify the gateway as 0.0.0.0/0. May be
# specified as a network address and if your kernel and iptables include
# iprange match support then IP address ranges are also allowed.
#
# Beginning with Shorewall 4.5.3, a list of addresses or ranges may be given.
# Exclusion (shorewall-exclusion (5) ) is not supported.
#
# GATEWAY ZONES (gateway_zone or gateway_zones) - [zone[,zone]...]
#
# Optional. If the gateway system specified in the third column is a
# standalone host then this column should contain a comma-separated list of
# the names of the zones that the host might be in. This column only applies
# to IPSEC tunnels where it enables ISAKMP traffic to flow through the tunnel
# to the remote gateway(s).
#
# Example
#
# IPv4 Example 1:
#
# IPSec tunnel.
#
# The remote gateway is 4.33.99.124 and the remote subnet is 192.168.9.0/24.
# The tunnel does not use the AH protocol
#
# #TYPE ZONE GATEWAY
# ipsec:noah net 4.33.99.124
#
# IPv4 Example 2:
#
# Road Warrior (LapTop that may connect from anywhere) where the "gw" zone is
# used to represent the remote LapTop
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# ipsec net 0.0.0.0/0 gw
#
# IPv4 Example 3:
#
# Host 4.33.99.124 is a standalone system connected via an ipsec tunnel to
# the firewall system. The host is in zone gw.
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# ipsec net 4.33.99.124 gw
#
# IPv4 Example 4:
#
# Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The FreeS/Wan
# _updown script will add the host to the appropriate zone using the
# shorewall add command on connect and will remove the host from the zone at
# disconnect time.
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3
#
# IPv4 Example 5:
#
# You run the Linux PPTP client on your firewall and connect to server
# 192.0.2.221.
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# pptpclient net 192.0.2.221
#
# IPv4 Example 6:
#
# You run a PPTP server on your firewall.
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# pptpserver net 0.0.0.0/0
#
# Example 7:
#
# OPENVPN tunnel. The remote gateway is 4.33.99.124 and openvpn uses port
# 7777.
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# openvpn:7777 net 4.33.99.124
#
# IPv4 Example 8:
#
# You have a tunnel that is not one of the supported types. Your tunnel uses
# UDP port 4444. The other end of the tunnel is 4.3.99.124.
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# generic:udp:4444 net 4.3.99.124
#
# IPv4 Example 9:
#
# TINC tunnel where the remote gateways are not specified. If you wish to
# specify a list of gateways, you can do so in the GATEWAY column.
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# tinc net 0.0.0.0/0
#
# IPv6 Example 1:
#
# IPSec tunnel.
#
# The remote gateway is 2001:cec792b4:1::44. The tunnel does not use the AH
# protocol
#
# #TYPE ZONE GATEWAY
# ipsec:noah net 2002:cec792b4:1::44
#
# IPv6 Example 2:
#
# Road Warrior (LapTop that may connect from anywhere) where the "gw" zone is
# used to represent the remote LapTop
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# ipsec net ::/0 gw
#
# IPv6 Example 3:
#
# Host 2001:cec792b4:1::44 is a standalone system connected via an ipsec
# tunnel to the firewall system. The host is in zone gw.
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# ipsec net 2001:cec792b4:1::44 gw
#
# IPv6 Example 4:
#
# OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and openvpn uses
# port 7777.
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# openvpn:7777 net 2001:cec792b4:1::44
#
# IPv6 Example 8:
#
# You have a tunnel that is not one of the supported types. Your tunnel uses
# UDP port 4444. The other end of the tunnel is 2001:cec792b4:1::44.
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# generic:udp:4444 net 2001:cec792b4:1::44
#
# IPv6 Example 9:
#
# TINC tunnel where the remote gateways are not specified. If you wish to
# specify a list of gateways, you can do so in the GATEWAY column.
#
# #TYPE ZONE GATEWAY GATEWAY ZONES
# tinc net ::/0
#
###############################################################################
#TYPE ZONE GATEWAY GATEWAY_ZONE