Updates to the XML docs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1345 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-05-19 17:55:45 +00:00
parent 3fde9a627f
commit 0213183738
12 changed files with 569 additions and 801 deletions

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-03-28</pubdate>
<pubdate>2004-05-15</pubdate>
<copyright>
<year>2001-2004</year>
@ -128,7 +128,6 @@
url="Documentation.htm#Hosts">hosts</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Policy">policy</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Rules">rules</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Common">common</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#Masq">masq</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#ProxyArp">proxyarp</ulink></para></listitem><listitem><para><ulink
url="Documentation.htm#NAT">nat</ulink></para></listitem><listitem><para><ulink

File diff suppressed because it is too large

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-04-26</pubdate>
<pubdate>2004-05-19</pubdate>
<copyright>
<year>2003</year>
@ -74,9 +74,9 @@
<programlisting>MODULE_SUFFIX=&#34;o gz ko o.gz ko.gz&#34;</programlisting>
<para>The version of <command>insmod</command> shipped with 10.0 also does
not comprehend these module files so you will also need to change
<filename>/usr/share/shorewall/firewall</filename> -- replace the line
that reads:</para>
not comprehend these module files so you will also need Shorewall 2.0.2 or
later OR you need to change <filename>/usr/share/shorewall/firewall</filename>
-- replace the line that reads:</para>
<programlisting> insmod $modulefile $*</programlisting>
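Review bot: the new sentence tells the reader that Shorewall 2.0.2 or later copes with these module files, but the errata hunk added to this same commit lists `"shorewall restore" and "shorewall -f start" do not load kernel modules` as a 2.0.2 defect corrected only in 2.0.2a, so a reader on 2.0.2 who uses `-f start` will still not get the modules loaded; either say 2.0.2a or cross-link the errata page. Minor: the capitalised "OR" in "you will also need Shorewall 2.0.2 or later OR you need to change" reads like a typo; "or, alternatively," would be clearer.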
@ -278,22 +278,22 @@ jbd 47860 2 [ext3]
<para>If your FTP helper modules are compressed and have the names
<emphasis>ip_nat_ftp.o.gz and ip_conntrack_ftp.o.gz</emphasis> then you
will need Shorewall 1.4.7 or later if you want Shorewall to load them for
you.</para>
you. If your helper modules have names <emphasis>ip_nat_ftp.ko.gz and
ip_conntrack_ftp.ko.gz</emphasis> then you will need Shorewall 2.0.2 or
later if you want Shorewall to load them for you.</para>
</section>
<para>Server configuration is covered in the <ulink type=""
url="Documentation.htm#Rules">/etc/shorewall/rules documentation</ulink>,</para>
<para>For a client, you must open outbound TCP port 21.</para>
<section>
<title>FTP on Non-standard Ports</title>
<para>The above discussion about commands and responses makes it clear
that the FTP connection-tracking and NAT helpers must scan the traffic on
the control connection looking for PASV and PORT commands as well as PASV
responses. If you run an FTP server on a nonstandard port or you need to
access such a server, you must therefore let the helpers know by
specifying the port in /etc/shorewall/modules entries for the helpers. For
example, if you run an FTP server that listens on port 49 or you need to
access a server on the internet that listens on that port then you would
have:</para>
specifying the port in /etc/shorewall/modules entries for the helpers.
<caution><para>You must have modularized FTP connection tracking support
in order to use FTP on a non-standard port.</para></caution></para>
<example>
<title>if you run an FTP server that listens on port 49 or you need to
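Review bot: the `<example>` title that closes this hunk is the old running sentence moved verbatim (`<title>if you run an FTP server that listens on port 49 or you need to`), so it begins in lower case and reads as a clause rather than a title; give the example a short title and keep the sentence as a `<para>` inside the example. The new `<caution>` (modularised FTP connection tracking is required for non-standard ports) agrees with the kernel-configuration change elsewhere in this commit, which is good. Unchanged context worth fixing while here: `<ulink type="" url="Documentation.htm#Rules">` carries an empty `type` attribute and the sentence ends with a comma, and the helper module names in the FTP-helper paragraph are marked with `<emphasis>` rather than `<filename>`.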
@ -317,54 +317,52 @@ options ip_nat_ftp ports=21,49</programlisting>
/etc/shorewall/modules and/or /etc/modules.conf, you must either:</para><orderedlist><listitem><para>Unload
the modules and restart shorewall:</para><programlisting><command>rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</command></programlisting></listitem><listitem><para>Reboot</para></listitem></orderedlist></important></para>
</example>
</section>
<para>One problem that I see occasionally involves active mode and the FTP
server in my DMZ. I see the active data connection to <emphasis
role="bold">certain client IP addresses</emphasis> being continuously
rejected by my firewall. It is my conjecture that there is some broken
client out there that is sending a PORT command that is being either
missed or mis-interpreted by the FTP connection tracking helper yet it is
being accepted by my FTP server. My solution is to add the following rule:</para>
<section id="Rules">
<title>Rules</title>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<para>If the policy from the source zone to the destination zone is ACCEPT
and you don&#39;t need DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
then <emphasis role="bold">you need no rule</emphasis>.</para>
<entry align="center">SOURCE</entry>
<para>Otherwise, for FTP you need exactly <emphasis role="bold">one</emphasis>
rule:</para>
<entry align="center">DESTINATION</entry>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT or &#60;<emphasis>source</emphasis>&#62; &#60;<emphasis>destination</emphasis>&#62; tcp 21 &#60;external IP addr&#62; if
DNAT ACTION = DNAT</programlisting>
<entry align="center">PROTOCOL</entry>
<para>You need an entry in the ORIGINAL DESTINATION column only if the
ACTION is DNAT, you have multiple external IP addresses and you want a
specific IP address to be forwarded to your server.</para>
<entry align="center">PORT(S)</entry>
<para>Note that you do <emphasis role="bold">NOT </emphasis>need a rule
with 20 (ftp-data) in the PORT(S) column. If you post your rules on the
mailing list and they show 20 in the PORT(S) column, I will know that you
haven&#39;t read this article and I will either ignore your post or tell
you to RTFM.<example><title>Server running behind a Masquerading Gateway</title><para>Suppose
that you run an FTP server on 192.168.1.5 in your local zone using the
standard port (21). You need this rule: </para><programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
DNAT net loc:192.168.1.5 tcp 21</programlisting></example><example><title>Allow
your DMZ FTP access to the Internet</title><programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT dmz net tcp 21</programlisting></example></para>
<entry align="center">SOURCE PORT(S)</entry>
<para>Note that the FTP connection tracking in the kernel cannot handle
cases where a PORT command (or PASV reply) is broken across two packets.
When such cases occur, you will see a console message similar to this one:</para>
<entry align="center">ORIGINAL DESTINATION</entry>
</row>
</thead>
<programlisting>Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1</programlisting>
<tbody>
<row>
<entry>ACCEPT:info</entry>
<para> I see this problem occasionally with the FTP server in my DMZ. My
solution is to add the following rule:</para>
<entry>dmz</entry>
<entry>net</entry>
<entry>tcp</entry>
<entry>-</entry>
<entry>20</entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#ACTION SOURCE DESTINATION PROTO PORT(S) SOURCE ORIGINAL
# PORT(S) DESTINATION
ACCEPT:info dmz net tcp - 20</programlisting>
<para>The above rule accepts and logs all active mode connections from my
DMZ to the net.</para>
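Review bot: the rule `ACCEPT:info dmz net tcp - 20` accepts any TCP connection from any host in the dmz zone with source port 20 to any address and port on the net, and the closing sentence says exactly that ("accepts and logs all active mode connections from my DMZ to the net"); since the workaround exists for one FTP server, restrict SOURCE to that server's address (the same `zone:address` form this section already uses in `DNAT net loc:192.168.1.5 tcp 21`) so a compromised DMZ host cannot reach arbitrary net services simply by choosing source port 20. Two readability points: the section earlier insists that 20 must NOT appear in the PORT(S) column, so state explicitly that the 20 here sits in the SOURCE PORT(S) column and is accepted only because the kernel logged `conntrack_ftp: partial PORT`; and the new paragraph has a stray leading space (`<para> I see this problem occasionally`).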

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-05-09</pubdate>
<pubdate>2004-05-18</pubdate>
<copyright>
<year>2001</year>
@ -39,6 +39,21 @@
</legalnotice>
</articleinfo>
<warning>
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
<para>If you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para>
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do
not modify it.</para>
</warning>
<section id="Install_RPM">
<title>Install using RPM</title>
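Review bot: `<filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>` in the added warning marks a regular file as a directory; drop the `class` attribute on that element. The same warning text is pasted verbatim into two other documents in this commit, so consider an XML entity or a shared include rather than three copies that will drift apart. Also, the block is titled "Note to Debian Users" but wrapped in `<warning>`; `<note>` or `<important>` matches the content better.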

View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-05-10</pubdate>
<pubdate>2004-05-17</pubdate>
<copyright>
<year>2001-2004</year>
@ -87,6 +87,42 @@
<section>
<title>Problems in Version 2.0</title>
<section>
<title>Shorewall 2.0.2</title>
<itemizedlist>
<listitem>
<para>Temporary restore files with names of the form
<filename>restore-</filename><emphasis>nnnnn</emphasis> are left in
/var/lib/shorewall.</para>
</listitem>
<listitem>
<para>&#34;shorewall restore&#34; and &#34;shorewall -f start&#34;
do not load kernel modules.</para>
</listitem>
<listitem>
<para>Specifying a null common action in /etc/shorewall/actions
(e.g., :REJECT) results in a startup error.</para>
</listitem>
<listitem>
<para>If <filename>/var/lib/shorewall</filename> does not exist,
<command>shorewall start</command> fails.</para>
</listitem>
</itemizedlist>
<para>These problems are corrected by the <filename>firewall</filename>
and <filename>functions</filename> files in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.2">this directory</ulink>.
Both files must be installed in <filename>/usr/share/shorewall/firewall</filename>
as described above.</para>
<para>The first two problems are also corrected in Shorewall version
2.0.2a while all four problems are corrected in 2.0.2b.</para>
</section>
<section>
<title>Shorewall 2.0.1</title>
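Review bot: "Both files must be installed in `/usr/share/shorewall/firewall` as described above" names the firewall script itself as the install location, yet the sentence refers to two files (`firewall` and `functions`); the target is presumably the `/usr/share/shorewall` directory, and `functions` cannot be installed "in" the firewall script. Please correct the path, since a reader following it literally will overwrite the script with the functions file.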
@ -201,7 +237,9 @@
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.14</revnumber><date>2004-05-10</date><authorinitials>TE</authorinitials><revremark>Add
<para><revhistory><revision><revnumber>1.16</revnumber><date>2004-05-17</date><authorinitials>TE</authorinitials><revremark>Added
null common action bug.</revremark></revision><revision><revnumber>1.15</revnumber><date>2004-05-16</date><authorinitials>TE</authorinitials><revremark>Added
2.0.2 bugs</revremark></revision><revision><revnumber>1.14</revnumber><date>2004-05-10</date><authorinitials>TE</authorinitials><revremark>Add
link to Netfilter CVS</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-05-04</date><authorinitials>TE</authorinitials><revremark>Add
Alex Wilms&#39;s &#34;install.sh&#34; fix.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-05-03</date><authorinitials>TE</authorinitials><revremark>Add
Stefan Engel&#39;s &#34;shorewall delete&#34; fix.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-04-28</date><authorinitials>TE</authorinitials><revremark>Add

View File

@ -15,10 +15,10 @@
</author>
</authorgroup>
<pubdate>2003-07-20</pubdate>
<pubdate>2004-05-19</pubdate>
<copyright>
<year>2001-2003</year>
<year>2001-2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -89,8 +89,8 @@
<para>Note that I have built everything I need as modules. You can also
build everything into your kernel but if you want to be able to deal with
FTP running on a non-standard port then I recommend that you modularize
FTP Protocol support.</para>
FTP running on a non-standard port then you <emphasis role="bold">must</emphasis>
modularize FTP Protocol support.</para>
<para>Here&#39;s the corresponding part of my .config file:</para>
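Review bot: changing "I recommend" to "you must modularize FTP Protocol support" matches the caution added to the FTP document in this commit, but the sentence still opens with "You can also build everything into your kernel but if you want to be able to deal with FTP running on a non-standard port then ...", which now contradicts itself within one sentence; split it and say why modules are required, namely that the port list is passed as a module parameter (`options ip_nat_ftp ports=21,49` in the FTP document) and cannot be given to a built-in helper.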

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-04-03</pubdate>
<pubdate>2004-05-18</pubdate>
<copyright>
<year>2001-2004</year>
@ -97,7 +97,16 @@
<filename class="directory">/etc/shorewall</filename> -- for most setups,
you will only need to deal with a few of these as described in this guide.
Skeleton files are created during the Shorewall <ulink url="Install.htm">Installation
Process</ulink>.</para>
Process</ulink>.<warning><para><emphasis role="bold">Note to Debian Users</emphasis></para><para>If
you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do
not modify it.</para></warning></para>
<para>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
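Review bot: here the Debian `<warning>` is nested inside the preceding `<para>` (`Process</ulink>.<warning><para>...`), whereas the other two copies in this commit place it as a sibling element after the paragraph; pick one structure for all three so they render the same. The `class="directory"` attribute on the `shorewall.conf` `<filename>` is wrong in this copy too.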

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-04-22</pubdate>
<pubdate>2004-05-18</pubdate>
<copyright>
<year>2002-2004</year>
@ -133,6 +133,21 @@
files to /etc/shorewall (they will replace files with the same names that
were placed in /etc/shorewall during Shorewall installation)</emphasis>.</para>
<warning>
<para><emphasis role="bold">Note to Debian Users</emphasis></para>
<para>If you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para>
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do
not modify it.</para>
</warning>
<para>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
instructions and default entries.</para>
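Review bot: this is the third verbatim copy of the Debian warning in this commit and it carries the same `class="directory"` attribute on the `shorewall.conf` `<filename>`; fix it here as well, or better, source all three from one shared fragment.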

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-05-03</pubdate>
<pubdate>2004-05-14</pubdate>
<copyright>
<year>2001-2004</year>
@ -29,8 +29,7 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -42,7 +41,7 @@
url="Install.htm">installation procedure</ulink> attempts to set up the
init scripts to start the firewall in run levels 2-5 and stop it in run
levels 1 and 6. If you want to configure your firewall differently from
this default, you can use your distribution's run-level editor.</para>
this default, you can use your distribution&#39;s run-level editor.</para>
<caution>
<itemizedlist>
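Review bot: this hunk and most of the following ones in this file only replace `'`, `&lt;` and `&gt;` with the numeric references `&#39;`, `&#60;` and `&#62;` and reflow line breaks; the result is equivalent XML, but the churn buries the real changes (the `try` syntax, the `creats` typo) in the diff. If the editor is rewriting entities on save, consider configuring it to preserve the existing named forms.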
@ -50,9 +49,8 @@
<para>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the
file <filename>/etc/shorewall/startup_disabled</filename>. Note:
Users of the .deb package must edit
<filename>/etc/default/shorewall</filename> and set
<quote>startup=1</quote>.</para>
Users of the .deb package must edit <filename>/etc/default/shorewall</filename>
and set <quote>startup=1</quote>.</para>
</listitem>
<listitem>
@ -72,15 +70,15 @@
<listitem>
<para><command>shorewall [ -q ] [ -f ] start </command>- starts the
firewall. It important to understand that when the firewall is in the
<emphasis role="bold">Started</emphasis> state there is <emphasis>no
Shorewall Program</emphasis> <emphasis>running</emphasis>. It rather
means that Netfilter has been configured to handle traffic as
described in your Shorewall configuration files. Please refer to the
<link linkend="State">Shorewall State Diagram</link> as shown at the
bottom of this page for more information. The -q option was added in
Shorewall 2.0.2 Beta 1 and reduces the amout of output produced. Also
beginning with Shorewall version 2.0.2 Beta 1, the -f option may be
specified; if this option is given and the file
<emphasis role="bold">Started</emphasis> state there is
<emphasis>no Shorewall Program</emphasis> <emphasis>running</emphasis>.
It rather means that Netfilter has been configured to handle traffic
as described in your Shorewall configuration files. Please refer to
the <link linkend="State">Shorewall State Diagram</link> as shown at
the bottom of this page for more information. The -q option was added
in Shorewall 2.0.2 Beta 1 and reduces the amout of output produced.
Also beginning with Shorewall version 2.0.2 Beta 1, the -f option may
be specified; if this option is given and the file
<filename>/var/lib/shorewall/restore</filename> is present (see
<command>shorewall save</command> below), then that script is run to
restore the state of the firewall to the state when
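Review bot: the typo "amout" in "reduces the amout of output produced" survives the reflow (it appears in both the old and the new text of this hunk); change it to "amount" while the paragraph is being touched.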
@ -93,10 +91,9 @@
<para><command>shorewall stop</command> - stops the firewall; the only
traffic permitted through the firewall is from systems listed in
<filename>/etc/shorewall/routestopped</filename> (Beginning with
version 1.4.7, if ADMINISABSENTMINDED=Yes in
<filename>/etc/shorewall/shorewall.conf</filename> then in addition,
all existing connections are permitted and any new connections
originating from the firewall itself are allowed).</para>
version 1.4.7, if ADMINISABSENTMINDED=Yes in <filename>/etc/shorewall/shorewall.conf</filename>
then in addition, all existing connections are permitted and any new
connections originating from the firewall itself are allowed).</para>
</listitem>
<listitem>
@ -113,8 +110,7 @@
<listitem>
<para><command>shorewall clear</command> - remove all rules and chains
installed by Shoreline Firewall. The firewall is <quote>wide
open</quote></para>
installed by Shoreline Firewall. The firewall is <quote>wide open</quote></para>
</listitem>
<listitem>
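Review bot: `The firewall is <quote>wide open</quote></para>` still lacks a terminating period in the reflowed text. Given that `clear` removes every rule, it would also help the reader to contrast it with `shorewall stop` described just above, which keeps the `routestopped` hosts reachable and everything else blocked, so that `clear` is not mistaken for the routine way to take the firewall down.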
@ -125,9 +121,9 @@
<listitem>
<para><command>shorewall save</command> - Beginning with Shorewall
2.0.2 Beta1, this command creates a script
<filename>/var/lib/shorewall/restore</filename> which when run will
restore the state of the firewall to its current state.</para>
2.0.2 Beta1, this command creates a script <filename>/var/lib/shorewall/restore</filename>
which when run will restore the state of the firewall to its current
state.</para>
</listitem>
<listitem>
@ -146,14 +142,13 @@
<para>If you include the keyword debug as the first argument, then a shell
trace of the command is produced as in:</para>
<para><programlisting> <command>shorewall debug start 2&gt; /tmp/trace</command></programlisting>The
<para><programlisting> <command>shorewall debug start 2&#62; /tmp/trace</command></programlisting>The
above command would trace the <quote>start</quote> command and place the
trace information in the file /tmp/trace</para>
<para>Beginning with version 1.4.7, shorewall can give detailed help about
each of its commands: <programlisting> <command>shorewall help [ command | host | address ]</command></programlisting>The
<quote>shorewall</quote> program may also be used to monitor the
firewall.</para>
<quote>shorewall</quote> program may also be used to monitor the firewall.</para>
<itemizedlist>
<listitem>
@ -162,24 +157,21 @@
</listitem>
<listitem>
<para><command>shorewall show &lt;chain1&gt; [ &lt;chain2&gt; ...
]</command> - produce a verbose report about the listed chains
(<command>iptables -L chain -n -v</command>) Note: You may only list
one chain in the show command when running Shorewall version 1.4.6 and
earlier. Version 1.4.7 and later allow you to list multiple chains in
one command.</para>
<para><command>shorewall show &#60;chain1&#62; [ &#60;chain2&#62; ...
]</command> - produce a verbose report about the listed chains (<command>iptables
-L chain -n -v</command>) Note: You may only list one chain in the
show command when running Shorewall version 1.4.6 and earlier. Version
1.4.7 and later allow you to list multiple chains in one command.</para>
</listitem>
<listitem>
<para><command>shorewall show nat</command> - produce a verbose report
about the nat table (<command>iptables -t nat -L -n
-v</command>)</para>
about the nat table (<command>iptables -t nat -L -n -v</command>)</para>
</listitem>
<listitem>
<para><command>shorewall show tos</command> - produce a verbose report
about the mangle table (<command>iptables -t mangle -L -n
-v</command>)</para>
about the mangle table (<command>iptables -t mangle -L -n -v</command>)</para>
</listitem>
<listitem>
@ -198,18 +190,17 @@
</listitem>
<listitem>
<para><command>shorewall monitor [ &lt;delay&gt; ]</command> -
<para><command>shorewall monitor [ &#60;delay&#62; ]</command> -
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded. The
<emphasis>&lt;delay&gt;</emphasis> indicates the number of seconds
<emphasis>&#60;delay&#62;</emphasis> indicates the number of seconds
between updates with the default being 10 seconds.</para>
</listitem>
<listitem>
<para><command>shorewall hits</command> - Produces several reports
about the Shorewall packet log messages in the current log file named
in the LOGFILE variable in
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
in the LOGFILE variable in <filename>/etc/shorewall/shorewall.conf</filename>.</para>
</listitem>
<listitem>
@ -219,27 +210,21 @@
<listitem>
<para><command>shorewall check</command> - Performs a cursory
validation of the zones, interfaces, hosts, rules and policy
files.<caution>
<para>The <quote><command>check</command></quote> command is
totally unsuppored and does not parse and validate the generated
iptables commands. Even though the <quote>check</quote> command
completes successfully, the configuration may fail to start.
Problem reports that complain about errors that the
<quote>check</quote> command does not detect will not be
accepted.</para>
<para>See the recommended way to make configuration changes
described below.</para>
</caution></para>
validation of the zones, interfaces, hosts, rules and policy files.<caution><para>The
<quote><command>check</command></quote> command is totally unsuppored
and does not parse and validate the generated iptables commands. Even
though the <quote>check</quote> command completes successfully, the
configuration may fail to start. Problem reports that complain about
errors that the <quote>check</quote> command does not detect will not
be accepted.</para><para>See the recommended way to make configuration
changes described below.</para></caution></para>
</listitem>
<listitem>
<para><command>shorewall try
&lt;<errortype>configuration-directory</errortype>&gt; [
&lt;timeout&gt; ]</command> - Restart shorewall using the specified
configuration and if an error occurs or if the
<emphasis>&lt;timeout&gt;</emphasis> option is given and the new
<para><command>shorewall try &#60;<errortype>configuration-directory</errortype>&#62;
[ &#60;timeout&#62; ]</command> - Restart shorewall using the
specified configuration and if an error occurs or if the
<emphasis>&#60;timeout&#62;</emphasis> option is given and the new
configuration has been up for that many seconds then shorewall is
restarted using the standard configuration.</para>
</listitem>
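Review bot: the typo "unsuppored" in the `check` caution is carried over unchanged ("totally unsuppored and does not parse"); it should read "unsupported". In the `try` entry, `<errortype>configuration-directory</errortype>` uses the wrong DocBook element for a placeholder argument; `<replaceable>` is the element for that, and it matches the plain `&#60;timeout&#62;` placeholder next to it.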
@ -256,17 +241,16 @@
<itemizedlist>
<listitem>
<para><command>shorewall ipcalc [ &lt;address&gt; &lt;mask&gt; |
&lt;address&gt;/&lt;vlsm&gt; ] </command>- displays the network
<para><command>shorewall ipcalc [ &#60;address&#62; &#60;mask&#62; |
&#60;address&#62;/&#60;vlsm&#62; ] </command>- displays the network
address, broadcast address, network in CIDR notation and netmask
corresponding to the input[s].</para>
</listitem>
<listitem>
<para><command>shorewall iprange
&lt;address1&gt;-&lt;address2&gt;</command> - Decomposes the specified
range of IP addresses into the equivalent list of network/host
addresses</para>
<para><command>shorewall iprange &#60;address1&#62;-&#60;address2&#62;</command>
- Decomposes the specified range of IP addresses into the equivalent
list of network/host addresses</para>
</listitem>
</itemizedlist>
@ -275,19 +259,19 @@
<itemizedlist>
<listitem>
<para><command>shorewall drop &lt;ip address list&gt;</command> -
<para><command>shorewall drop &#60;ip address list&#62;</command> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.</para>
</listitem>
<listitem>
<para><command>shorewall reject &lt;ip address list&gt;</command> -
<para><command>shorewall reject &#60;ip address list&#62;</command> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para><command>shorewall allow &lt;ip address list&gt;</command> -
<para><command>shorewall allow &#60;ip address list&#62;</command> -
re-enables receipt of packets from hosts previously blacklisted by a
drop or reject command.</para>
</listitem>
@ -296,7 +280,7 @@
<para><command>shorewall save</command> - save the dynamic
blacklisting configuration so that it will be automatically restored
the next time that the firewall is restarted. Beginning with Shorewall
version 2.0.2 Beta1, this command also creats the
version 2.0.2 Beta1, this command also creates the
<filename>/var/lib/shorewall/restore</filename> script as described
above.</para>
</listitem>
@ -312,15 +296,15 @@
<itemizedlist>
<listitem>
<para><command>shorewall add &lt;interface&gt;[:&lt;host&gt;]
&lt;zone&gt;</command> - Adds the specified interface (and host if
<para><command>shorewall add &#60;interface&#62;[:&#60;host&#62;]
&#60;zone&#62;</command> - Adds the specified interface (and host if
included) to the specified zone.</para>
</listitem>
<listitem>
<para><command>shorewall delete &lt;interface&gt;[:&lt;host&gt;]
&lt;zone&gt;</command> - Deletes the specified interface (and host if
included) from the specified zone.</para>
<para><command>shorewall delete &#60;interface&#62;[:&#60;host&#62;]
&#60;zone&#62;</command> - Deletes the specified interface (and host
if included) from the specified zone.</para>
<para>Examples:<programlisting> <command>shorewall add ipsec0:192.0.2.24 vpn1</command> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1
<command>shorewall delete ipsec0:192.0.2.24 vpn1</command> -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1</programlisting></para>
@ -331,11 +315,11 @@
<section>
<title>Error Handling</title>
<para>When <command>shorewall start</command>, <command>shorewall
restart</command> or <command>shorewall refresh</command> encounter an
error, the behavior depends on which version of Shorewall you are running
and whether there is a <filename>/var/lib/shorewall/restore</filename>
script available (see <command>shorewall save</command> above).</para>
<para>When <command>shorewall start</command>, <command>shorewall restart</command>
or <command>shorewall refresh</command> encounter an error, the behavior
depends on which version of Shorewall you are running and whether there is
a <filename>/var/lib/shorewall/restore</filename> script available (see
<command>shorewall save</command> above).</para>
<itemizedlist>
<listitem>
@ -347,8 +331,8 @@
<listitem>
<para>If you have executed a <command>shorewall save</command> command
without a subsequent <command>shorewall forget</command>, then the
firewall is restored to the state when <command>shorewall
save</command> was executed.</para>
firewall is restored to the state when <command>shorewall save</command>
was executed.</para>
</listitem>
</itemizedlist>
</section>
@ -356,23 +340,21 @@
<section>
<title>Alternate Configurations</title>
<para>The <command>shorewall start</command>, <command>shorewall
restart</command>, <command>shorewall check</command>, and
<command>shorewall try </command>commands allow you to specify which
Shorewall configuration to use:</para>
<para>The <command>shorewall start</command>, <command>shorewall restart</command>,
<command>shorewall check</command>, and <command>shorewall try </command>commands
allow you to specify which Shorewall configuration to use:</para>
<programlisting> <command>shorewall [ -c &lt;configuration-directory&gt; ] {start|restart|check}</command>
<command>shorewall try &lt;configuration-directory&gt;</command></programlisting>
<programlisting> <command>shorewall [ -c &#60;configuration-directory&#62; ] {start|restart|check}</command>
<command>shorewall try &#60;configuration-directory&#62; [ &#60;timeout&#62; ]</command></programlisting>
<para>If a <emphasis>&lt;configuration-directory</emphasis>&gt; is
<para>If a <emphasis>&#60;configuration-directory</emphasis>&#62; is
specified, each time that Shorewall is going to use a file in <filename
class="directory">/etc/shorewall</filename> it will first look in
the<emphasis> &lt;configuration-directory&gt;</emphasis> . If the file is
present in the <emphasis>&lt;configuration-directory&gt;,</emphasis> that
file will be used; otherwise, the file in <filename
class="directory">/etc/shorewall</filename> will be used. When changing
the configuration of a production firewall, I recommend the
following:</para>
class="directory">/etc/shorewall</filename> it will first look in the<emphasis>
&#60;configuration-directory&#62;</emphasis> . If the file is present in
the <emphasis>&#60;configuration-directory&#62;,</emphasis> that file will
be used; otherwise, the file in <filename class="directory">/etc/shorewall</filename>
will be used. When changing the configuration of a production firewall, I
recommend the following:</para>
<itemizedlist>
<listitem>
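Review bot: the `try` synopsis now reads `shorewall try <configuration-directory> [ <timeout> ]`, which agrees with the command description earlier in the file, good. The reflowed paragraph keeps a spacing problem around the emphasis: `look in the<emphasis> &#60;configuration-directory&#62;</emphasis> .` has no space between "the" and the placeholder and a stray space before the period; move the spaces outside the `<emphasis>` element.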
@ -384,8 +366,8 @@
</listitem>
<listitem>
<para>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</para>
<para>&#60;copy any files that you need to change from /etc/shorewall
to . and change them here&#62;</para>
</listitem>
<listitem>
@ -393,7 +375,7 @@
</listitem>
<listitem>
<para>&lt;correct any errors found by check and check again&gt;</para>
<para>&#60;correct any errors found by check and check again&#62;</para>
</listitem>
<listitem>
@ -401,10 +383,10 @@
</listitem>
</itemizedlist>
<para>If the configuration starts but doesn't work, just <quote>shorewall
restart</quote> to restore the old configuration. If the new configuration
fails to start, the <quote>try</quote> command will automatically start
the old one for you.</para>
<para>If the configuration starts but doesn&#39;t work, just
<quote>shorewall restart</quote> to restore the old configuration. If the
new configuration fails to start, the <quote>try</quote> command will
automatically start the old one for you.</para>
<para>When the new configuration works then just:</para>
@ -432,8 +414,7 @@
<para>You will note that the commands that result in state transitions use
the word <quote>firewall</quote> rather than <quote>shorewall</quote>.
That is because the actual transitions are done by
<command>/usr/share/shorewall/firewall</command>;
That is because the actual transitions are done by <command>/usr/share/shorewall/firewall</command>;
<command>/sbin/shorewall</command> runs <quote>firewall</quote> according
to the following table:</para>
@ -478,8 +459,7 @@
<entry>firewall restart</entry>
<entry>Logically equivalent to <quote>firewall stop;firewall
start</quote></entry>
<entry>Logically equivalent to <quote>firewall stop;firewall start</quote></entry>
</row>
<row>
@ -527,7 +507,7 @@
<row>
<entry>shorewall try</entry>
<entry>firewall -c &lt;new configuration&gt; restart If
<entry>firewall -c &#60;new configuration&#62; restart If
unsuccessful then firewall start (standard configuration) If
timeout then firewall restart (standard configuration)</entry>
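Review bot: the `shorewall try` table entry runs three statements together without punctuation ("restart If unsuccessful then firewall start (standard configuration) If timeout then firewall restart"), which is hard to read once rendered; separate them with periods or put each in its own `<simpara>` inside the `<entry>`.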
@ -541,36 +521,12 @@
<appendix>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.3-1.8</revnumber>
<date>2004-01-04</date>
<authorinitials>TE</authorinitials>
<revremark>Docbook standards</revremark>
</revision>
<revision>
<revnumber>1.2</revnumber>
<date>2003-12-31</date>
<authorinitials>TE</authorinitials>
<revremark>Added clarification about "Started State"</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
<date>2003-12-29</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Docbook conversion</revremark>
</revision>
</revhistory></para>
<para><revhistory><revision><revnumber>1.10</revnumber><date>2004-05-14</date><authorinitials>TE</authorinitials><revremark>Update
&#34;try&#34; syntax in the alternate configuration section to include [
&#60;timeout&#62; ]</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-05-03</date><authorinitials>TE</authorinitials><revremark>Shorewall
2.0.2</revremark></revision><revision><revnumber>1.3-1.8</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Docbook
standards</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-31</date><authorinitials>TE</authorinitials><revremark>Added
clarification about &#34;Started State&#34;</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Initial
Docbook conversion</revremark></revision></revhistory></para>
</appendix>
</article>
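Review bot: the replacement <revhistory> collapses every <revision> onto a few very long lines where the removed version had one element per line; the carried-over entries (1.3-1.8, 1.2, 1.1) are unchanged and the two new entries (1.10 dated 2004-05-14, 1.9 dated 2004-05-03) are the only additions, so the reformatting makes the diff far larger than the change warrants. Suggest keeping the one-element-per-line layout for the new entries, e.g. `<revision>` / `<revnumber>1.10</revnumber>` / `<date>2004-05-14</date>`, and note that the literal double quotes around "Started State" in the removed text have become &#34; entities, which are valid but harder to read.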

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-03-15</pubdate>
<pubdate>2004-05-16</pubdate>
<copyright>
<year>2001-2004</year>
@ -214,8 +214,9 @@
<listitem>
<para>If an error occurs when you try to <quote><command>shorewall
start</command></quote>, include a trace (See the Troubleshooting
section for instructions).</para>
start</command></quote>, include a trace (See the <ulink
url="troubleshoot.htm">Troubleshooting section</ulink> for
instructions).</para>
</listitem>
<listitem>
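Review bot: in the sentence gaining the <ulink url="troubleshoot.htm">, "See" stays capitalized inside a parenthetical in the middle of the sentence ("include a trace (See the ... Troubleshooting section ... for instructions)"); since the sentence is being rewrapped anyway, lowercase "see" would read better. The link itself is a straightforward improvement over the bare prose reference it replaces.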
@ -290,7 +291,8 @@
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.4</revnumber><date>2003-03-15</date><authorinitials>TE</authorinitials><revremark>Remove
<para><revhistory><revision><revnumber>1.5</revnumber><date>2003-05-16</date><authorinitials>TE</authorinitials><revremark>Add
link to the troubleshooting section</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-03-15</date><authorinitials>TE</authorinitials><revremark>Remove
Newbies Mailing List.</revremark></revision><revision><revnumber>1.3</revnumber><date>2003-02-19</date><authorinitials>TE</authorinitials><revremark>Admonish
against including &#34;iptables -L&#34; output.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-01-01</date><authorinitials>TE</authorinitials><revremark>Removed
.GIF and moved note about unsupported releases. Move Revision History to
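Review bot: the new <revision> 1.5 is dated 2003-05-16 while the <pubdate> of the same document in this commit becomes 2004-05-16; the existing 1.4 entry shows the same pattern (2003-03-15 against the old pubdate 2004-03-15), so the year in both revision dates looks wrong and 1.5 should read 2004-05-16.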

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-04-22</pubdate>
<pubdate>2004-05-18</pubdate>
<copyright>
<year>2002-2004</year>
@ -157,12 +157,23 @@
<para>The configuration files for Shorewall are contained in the directory
<filename>/etc/shorewall</filename> -- for simple setups, you will only
need to deal with a few of these as described in this guide. After you
have installed Shorewall, download the three-interface sample, un-tar it (<command>tar
<option>-zxvf</option> <filename>three-interfaces.tgz</filename></command>)
and and copy the files to <filename>/etc/shorewall</filename> (the files
will replace files with the same names that were placed in
<filename>/etc/shorewall</filename> when Shorewall was installed).</para>
need to deal with a few of these as described in this guide.<warning><para><emphasis
role="bold">Note to Debian Users</emphasis></para><para>If you install
using the .deb, you will find that your <filename class="directory">/etc/shorewall</filename>
directory is empty. This is intentional. The released configuration file
skeletons may be found on your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to /etc/shorewall even if you do not modify it.</para></warning></para>
<para>After you have installed Shorewall, download the three-interface
sample, un-tar it (<command>tar <option>-zxvf</option>
<filename>three-interfaces.tgz</filename></command>) and and copy the
files to <filename>/etc/shorewall</filename> (the files will replace files
with the same names that were placed in <filename>/etc/shorewall</filename>
when Shorewall was installed).</para>
<para>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
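Review bot: the new paragraph at the end of the hunk still carries the "and and copy the files" duplication from the removed text; since the paragraph is rewritten here, drop the extra "and". In the added <warning>, the second <para> marks up .../default-config/shorewall.conf with <filename class="directory"> although it is a file, not a directory, and the destination "/etc/shorewall" in the same sentence has no <filename> markup at all; use <filename> for the file and <filename class="directory"> for the directory. Closing the <para> before the <warning> would also keep the admonition a block-level sibling of the sentence rather than nesting it inside that sentence's paragraph.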

@ -12,7 +12,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2003-04-22</pubdate>
<pubdate>2003-05-18</pubdate>
<copyright>
<year>2002</year>
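Review bot: the <pubdate> changes from 2003-04-22 to 2003-05-18, but the same commit moves the three-interface guide from 2004-04-22 to 2004-05-18 and the other revision entries on this page are dated 2004; the year here looks like a typo for 2004-05-18 (and the old value was likely meant to be 2004-04-22 for the same reason).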
@ -146,7 +146,18 @@
<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple
setups, you will only need to deal with a few of these as described in
this guide. <tip><para>After you have <ulink url="Install.htm">installed
this guide.<warning><para><emphasis role="bold">Note to Debian Users</emphasis></para><para>If
you install using the .deb, you will find that your <filename
class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on
your system in the directory <filename class="directory">/usr/share/doc/shorewall/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the copies.</para><para>Note
that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do
not modify it.</para></warning></para>
<para><tip><para>After you have <ulink url="Install.htm">installed
Shorewall</ulink>, download the <ulink
url="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
sample</ulink>, un-tar it (<command>tar <option>-zxvf</option>
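Review bot: as in the three-interface guide, the added <warning> marks up .../default-config/shorewall.conf with <filename class="directory"> although it is a file; drop class="directory" on that one occurrence (the /etc/shorewall and default-config references are correctly tagged as directories). Otherwise this copy is the better of the two: the destination in "to <filename class="directory">/etc/shorewall</filename> even if you do not modify it" is marked up, and moving the <tip> into its own <para> separates it from the Debian note.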