shorewall_code/Shorewall-docs/seattlefirewall_index.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
      
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shoreline Firewall (Shorewall) 1.3</title>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
         <base target="_self">
</head>
  <body>
                                                                        
                                                                        
                                                                        
  
<table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#4b017c">
                                                                        
                          <tbody>
                                                                        
                       <tr>
                                                                        
                                <td width="100%" height="90">           
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                             
      <h1 align="center"> <font size="4"><i>           <a
 href="http://www.cityofshoreline.com">       <img vspace="4" hspace="4"
 alt="Shorwall Logo" height="70" width="85" align="left"
 src="images/washington.jpg" border="0">
                                                                        
                           </a></i></font><font color="#ffffff">Shorewall 
     1.3     -               <font size="4">"<i>iptables                 
 made  easy"</i></font></font></h1>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                              
      <div align="center"><a
 href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
 color="#ffffff">Shorewall 1.2 Site here</font></a><br>
                                                                        
                    </div>
                                                                        
                    <br>
                                                                        
                                </td>
                                                                        
                            </tr>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                  
  </tbody>                                                              
                         
</table>
                                                                        
                                                                        
                                                                        
   
<div align="center">                                                     
                                           
<center>                                                                 
                               
<table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4">
                                                                        
                            <tbody>
                                                                        
                       <tr>
                                                                        
                                  <td width="90%">                      
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                      
      <h2 align="left">What is it?</h2>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                   
      <p>The Shoreline Firewall, more commonly known as "Shorewall",  is
a       <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall        that can be used on a dedicated firewall system, a multi-function
       gateway/router/server or on a standalone GNU/Linux system.</p>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                  
      <p>This program is free software; you can redistribute it and/or modify
                                            it        under the terms of
      <a href="http://www.gnu.org/licenses/gpl.html">Version        2 of
the GNU General Public License</a> as published by the Free Software    
   Foundation.<br>
                                                                        
                               <br>
                                                                        
                          This   program     is  distributed       in  the
   hope     that     it   will     be  useful,    but         WITHOUT  ANY 
    WARRANTY;      without      even the   implied    warranty      of MERCHANTABILITY 
              or  FITNESS    FOR   A PARTICULAR      PURPOSE.        See the
   GNU General     Public  License           for  more details.<br>
                                                                        
                               <br>
                                                                        
                          You   should    have   received     a  copy   of
  the     GNU     General         Public      License             along 
with    this   program;       if  not,    write  to  the    Free Software
       Foundation,              Inc.,  675     Mass  Ave,  Cambridge,  MA
 02139,       USA</p>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                  
      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                     
      <p> <a href="http://leaf.sourceforge.net" target="_top"><img
 border="0" src="images/leaflogo.gif" width="49" height="36">
                                                                        
                           </a>Jacques              Nilo   and   Eric   Wolzak
      have     a   LEAF  (router/firewall/gateway         on  a floppy, 
 CD    or compact     flash)  distribution        called              <i>Bering</i> 
       that          features      Shorewall-1.3.10  and    Kernel-2.4.18. 
       You    can  find    their    work at:                <a
 href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo<br>
                                          </a></p>
                                                                        
                                                                        
                                                                        
                                                                    
      <p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.0 Final!!! </b><br>
                                     </p>
                                                                        
                                                                        
                                                                        
                                                                    
      <h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                         
      <h2>News</h2>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
     
      <h2></h2>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                 
      <p><b>2/8/2003 - Shoreawll 1.3.14</b><b>       </b><b><img
 border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
             </b></p>
 
      <p>New features include</p>
 
      <ol>
        <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When   set to Yes, Shorewall ping handling is as it has always been (see
http://www.shorewall.net/ping.html).<br>
         <br>
     When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and 
policies   just like any other connection request. The FORWARDPING=Yes option 
in shorewall.conf   and the 'noping' and 'filterping' options in /etc/shorewall/interfaces 
will   all generate an error.<br>
         <br>
       </li>
        <li>It is now possible to direct Shorewall to create a "label" such
 as<61>  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
and  ADD_SNAT_ALIASES=Yes.  This is done by specifying the label instead
of just  the interface name:<br>
     <20><br>
     <20><> a) In the INTERFACE column of /etc/shorewall/masq<br>
     <20><> b) In the INTERFACE column of /etc/shorewall/nat<br>
     <20></li>
        <li>Support for OpenVPN Tunnels.<br>
     <br>
 </li>
        <li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,
eth0.0)<br>
     <br>
   </li>
        <li>When an interface name is entered in the SUBNET column of the
/etc/shorewall/masq   file, Shorewall previously masqueraded traffic from
only the first subnet   defined on that interface. It did not masquerade
traffic from:<br>
     <20><br>
     <20><> a) The subnets associated with other addresses on the interface.<br>
     <20><> b) Subnets accessed through local routers.<br>
     <20><br>
     Beginning with Shorewall 1.3.14, if you enter an interface name in the 
 SUBNET  column, shorewall will use the firewall's routing table to construct 
 the masquerading/SNAT rules.<br>
     <20><br>
     Example 1 -- This is how it works in 1.3.14.<br>
     <20><> <br>
                             
          <pre><EFBFBD><EFBFBD> [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE<43><45><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SUBNET<45><54><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ADDRESS<br>   eth0<68><30><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> eth2<68><32><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                             
          <pre><EFBFBD>  [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24<32> scope link<br>   192.168.10.0/24<32> proto kernel<65> scope link<6E> src 192.168.10.254<br></pre>
                             
          <pre><EFBFBD>  [root@gateway test]# shorewall start<br>   ...<br>   Masqueraded Subnets and Hosts:<br>       To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br>       To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br>   Processing /etc/shorewall/tos...</pre>
     <20><br>
     When upgrading to Shorewall 1.3.14, if you have multiple local subnets 
 connected  to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
  entry, your /etc/shorewall/masq file will need changing. In most cases,
you  will simply be able to remove redundant entries. In some cases though,
you  might want to change from using the interface name to listing specific
subnetworks  if the change described above will cause masquerading to occur
on subnetworks  that you don't wish to masquerade.<br>
     <20><br>
     Example 2 -- Suppose that your current config is as follows:<br>
     <20><> <br>
                             
          <pre><EFBFBD><EFBFBD> [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE<43><45><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SUBNET<45><54><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ADDRESS<br>   eth0<68><30><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> eth2<68><32><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 206.124.146.176<br>   eth0<68><30><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 192.168.10.0/24<32><34><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                             
          <pre><EFBFBD><EFBFBD> [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24<32> scope link<br>   192.168.10.0/24<32> proto kernel<65> scope link<6E> src 192.168.10.254<br>   [root@gateway test]#</pre>
     <20><br>
     <20><> In this case, the second entry in /etc/shorewall/masq is no longer
 required.<br>
     <20><br>
     Example 3 -- What if your current configuration is like this?<br>
     <20><br>
                             
          <pre><EFBFBD><EFBFBD> [root@gateway test]# cat /etc/shorewall/masq<br>   #INTERFACE<43><45><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SUBNET<45><54><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ADDRESS<br>   eth0<68><30><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> eth2<68><32><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
                             
          <pre><EFBFBD><EFBFBD> [root@gateway test]# ip route show dev eth2<br>   192.168.1.0/24<32> scope link<br>   192.168.10.0/24<32> proto kernel<65> scope link<6E> src 192.168.10.254<br>   [root@gateway test]#</pre>
     <20><br>
     <20><> In this case, you would want to change the entry in<69> /etc/shorewall/masq 
  to:<br>
                             
          <pre><EFBFBD><EFBFBD> #INTERFACE<43><45><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SUBNET<45><54><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ADDRESS<br>   eth0<68><30><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 192.168.1.0/24<32><34><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 206.124.146.176<br>   #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
        </li>
      </ol>
 <br>
 
      <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
      </b><b><img border="0" src="images/new10.gif" width="28"
 height="12" alt="(New)">
             </b></p>
   Webmin version 1.060 now has Shorewall support included as standard. See
       <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>   </b>
             
      <p><b></b></p>
                                                               
      <p><b></b></p>
       
      <ul>
                                                                        
                                                                        
                                                                        
                                                            
      </ul>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                   
      <p><b></b><a href="News.htm">More News</a></p>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                     
      <h2><a name="Donations"></a>Donations</h2>
                                                                        
                                                                     </td>
                                                                        
                                  <td width="88" bgcolor="#4b017c"
 valign="top" align="center">              <a
 href="http://sourceforge.net">M</a></td>
                                                                        
                              </tr>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                   
  </tbody>                                                              
                         
</table>
                                                                        
                        </center>
                                                                        
                      </div>
                                                                        
                                                                        
                                                                   
<table border="0" cellpadding="5" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#4b017c">
                                                                        
                     <tbody>
                                                                        
                       <tr>
                                                                        
                           <td width="100%" style="margin-top: 1px;">   
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                   
      <p align="center"><a href="http://www.starlight.org">        <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10">
                                                                        
    <20>                        </a></p>
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                                        
                                                    
      <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if       you try it and find it useful, please consider making a donation
                                            to       <a
 href="http://www.starlight.org"><font color="#ffffff">Starlight        
Children's Foundation.</font></a> Thanks!</font></p>
                                                                        
                           </td>
                                                                        
                       </tr>
                                                                        
                                                                        
                                                                        
                                                                        
                                                             
  </tbody>                                                              
                         
</table>
                                                                        
                                                                        
                                                            
<p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font> 
                                                                         
                                    <br>
</p>
</body>
</html>