mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-21 23:23:13 +01:00
Finish passing through all the documentation with a spell checker.
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8670 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent aac55dbac4
commit 025e97c8bb
@ -494,7 +494,7 @@ show_command() {
;;
classifiers|filters)
[ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Clasifiers at $HOSTNAME - $(date)"
echo "$PRODUCT $version Classifiers at $HOSTNAME - $(date)"
echo
show_classifiers
;;
docs/FAQ.xml (12 changed lines)
@ -66,8 +66,8 @@
the Shorewall Debian Maintainer:</para>

<para><quote>For more information about Shorewall usage on Debian
system please look at /usr/share/doc/shorewall/README.Debian provided
by [the] shorewall Debian package.</quote></para>
system please look at /usr/share/doc/shorewall-common/README.Debian
provided by [the] shorewall-common Debian package.</quote></para>
</important>

<para>If you install using the .deb, you will find that your <filename
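Review bot: the replaced lines change the wording of text marked up as a <quote> attributed to the Shorewall Debian Maintainer (the README.Debian path and the package name become shorewall-common), which is a content change rather than the spelling fix this commit describes. Either confirm the new wording with the person quoted, or drop the <quote> markup and state the shorewall-common path as the document's own advice, so the attribution stays honest.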
@ -89,7 +89,7 @@
class="directory">/usr/share/doc/shorewall/examples/</filename>.
Beginning with Shorewall 4.0, the samples are in the shorewall-common
package and are installed in <filename
class="directory">/usr/share/doc/shorewall-common/examples</filename>/.</para>
class="directory">/usr/share/doc/shorewall-common/examples/</filename>.</para>
</section>
</section>

@ -1255,7 +1255,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
standardized and will vary by distribution and distribution version.
But anytime you see no logging, it's time to look outside the
Shorewall configuration for the cause. As an example, recent
<trademark>SuSE</trademark> releases use syslog-ng by default and
<trademark>SUSE</trademark> releases use syslog-ng by default and
write Shorewall messages to
<filename>/var/log/firewall</filename>.</para>

@ -1861,7 +1861,7 @@ iptables: Invalid argument

<listitem>
<para>if you don't need policy match support (you are not using the
IPSEC implementation built into the 2.6 kernel) then you can rename
IPSEC implementation builtinto the 2.6 kernel) then you can rename
<filename>/lib/iptables/libipt_policy.so</filename>.</para>
</listitem>
</itemizedlist>
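Review bot: the new line introduces a typo instead of removing one: "built into the 2.6 kernel" was correct, and "builtinto" is not a word. This looks like a blanket "built in" -> "builtin" substitution that also matched "built into"; restore the two-word form here and check the other files in this pass for the same pattern.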
@ -2004,7 +2004,7 @@ iptables: Invalid argument
<title>Traffic Shaping</title>

<section id="faq67">
<title>(FAQ 67) I just configured Shorewall's built in traffic shaping
<title>(FAQ 67) I just configured Shorewall's builtin traffic shaping
and now Shorewall fails to Start.</title>

<para>The error I receive is as follows:<programlisting>RTNETLINK answers: No such file or directory
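Review bot: style: as an adjective before a noun, "built-in traffic shaping" (hyphenated) is the conventional form; "builtin" reads like the shell keyword. The capitalised "Start" in "fails to Start" on the next context line could be lower-cased in the same pass.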
@ -268,9 +268,9 @@
to configure Shorewall, please heed the advice of Lorenzo Martignoni,
the Shorewall Debian Maintainer:</para>

<para><quote>For more information about Shorewall usage on Debian system
please look at /usr/share/doc/shorewall/README.Debian provided by [the]
shorewall Debian package.</quote></para>
<para><quote>For more information about Shorewall usage on Debian
system please look at /usr/share/doc/shorewall-common/README.Debian
provided by [the] shorewall-common Debian package.</quote></para>
</important>

<para>The easiest way to install Shorewall on Debian, is to use
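Review bot: as in the FAQ hunk, this rewrites the body of a <quote> attributed by name to Lorenzo Martignoni (shorewall -> shorewall-common), which is more than a spelling correction; confirm the wording with him or move the shorewall-common advice outside the <quote>. The stray comma in "on Debian, is to use" on the last context line could also go.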
@ -44,12 +44,12 @@
<itemizedlist>
<listitem>
<para><ulink url="http://www.netfilter.org">Netfilter</ulink> - the
packet filter facility built into the 2.4 and later Linux
packet filter facility builtinto the 2.4 and later Linux
kernels.</para>
</listitem>

<listitem>
<para>ipchains - the packet filter facility built into the 2.2 Linux
<para>ipchains - the packet filter facility builtinto the 2.2 Linux
kernels. Also the name of the utility program used to configure and
control that facility. Netfilter can be used in ipchains
compatibility mode.</para>
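Review bot: both replacement lines turn the correct "built into" into "builtinto", which is not a word; the original lines were right. Revert both and grep the rest of the pass for the same substitution.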
@ -137,7 +137,7 @@ ACCEPT net loc:10.1.1.2 tcp 80 - 13
routers with a long ARP cache timeout. If you move a system from parallel
to your firewall to behind your firewall with one-to-one NAT, it will
probably be HOURS before that system can communicate with the
internet.</para>
Internet.</para>

<para>If you sniff traffic on the firewall's external interface, you can
see incoming traffic for the internal system(s) but the traffic is never
@ -57,7 +57,7 @@

<para>OpenVPN is a robust and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an Open
networks using an encrypted tunnel over the Internet. OpenVPN is an Open
Source project and is <ulink
url="http://openvpn.sourceforge.net/license.html">licensed under the
GPL</ulink>. OpenVPN can be downloaded from <ulink
@ -642,7 +642,7 @@ verb 3</programlisting>
<listitem>
<para>OpenVPN GUI must be run as the Administrator. In the
Explorer, right click on the OpenVPN GUI binary and select
Properties->Compatibilty and select "Run this program as an
Properties->Compatibility and select "Run this program as an
administrator".</para>
</listitem>

@ -255,7 +255,7 @@ esac</programlisting>

<para>Here' a basic setup that treats your remote users as if they
were part of your <emphasis role="bold">loc</emphasis> zone. Note that
if your primary internet connection uses ppp0, then be sure that
if your primary Internet connection uses ppp0, then be sure that
<emphasis role="bold">loc</emphasis> follows <emphasis
role="bold">net</emphasis> in /etc/shorewall/zones.</para>

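Review bot: "Here' a basic setup" on the first context line of this hunk is missing the "s" ("Here's"); the spell checker did not catch it, so it is worth fixing while the file is being touched.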
@ -275,7 +275,7 @@ loc ppp+</programlisting>

<para>If you want to place your remote users in their own zone so that
you can control connections between these users and the local network,
follow this example. Note that if your primary internet connection
follow this example. Note that if your primary Internet connection
uses ppp0 then be sure that <emphasis role="bold">vpn</emphasis>
follows <emphasis role="bold">net</emphasis> in /etc/shorewall/zones
as shown below.</para>
@ -312,7 +312,7 @@ vpn ppp+</programlisting>
fileref="images/MultiPPTP.png" /></para>

<para>Here's how you configure this in Shorewall. Note that if your
primary internet connection uses ppp0 then be sure that the <emphasis
primary Internet connection uses ppp0 then be sure that the <emphasis
role="bold">vpn{1-3}</emphasis> zones follows <emphasis
role="bold">net</emphasis> in /etc/shorewall/zones as shown
below.</para>
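Review bot: subject-verb agreement on the context line after the change: "the vpn{1-3} zones follows net" should read "follow".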
@ -600,10 +600,10 @@ restart_pptp > /dev/null 2>&1 &</programlisting>
Modem</title>

<para>Some ADSL systems in Europe (most notably in Austria and the
Netherlands) feature a PPTP server built into an ADSL
<quote>Modem</quote>. In this setup, an ethernet interface is dedicated to
Netherlands) feature a PPTP server builtinto an ADSL
<quote>Modem</quote>. In this setup, an Ethernet interface is dedicated to
supporting the PPTP tunnel between the firewall and the
<quote>Modem</quote> while the actual internet access is through PPTP
<quote>Modem</quote> while the actual Internet access is through PPTP
(interface ppp0). If you have this type of setup, you need to modify the
sample configuration that you downloaded as described in this section.
<emphasis role="bold">These changes are in addition to those described in
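Review bot: the first replacement line again turns "built into an ADSL Modem" into "builtinto", which is wrong; keep "built into". The ethernet -> Ethernet and internet -> Internet changes in the same hunk are fine.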
@ -88,7 +88,7 @@
where <emphasis>zone</emphasis> is the zone where the request
originated. For packets that are part of an already established
connection, the destination rewriting takes place without any
involvement of a netfilter rule.</para>
involvement of a Netfilter rule.</para>
</listitem>

<listitem>
@ -399,7 +399,7 @@ Blarg 1 0x100 main eth3 206.124.146.254 track,ba

<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 eth3 #Our internel nets get priority
1:110 192.168.0.0/22 eth3 #Our internal nets get priority
#over the server
1:130 206.124.146.177 eth3 tcp - 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@ -133,7 +133,7 @@
network associated with this address. This is the approach <ulink
url="XenMyWay.html">that I take with my DMZ</ulink>.</para>

<para>To permit internet hosts to connect to the local systems, you use
<para>To permit Internet hosts to connect to the local systems, you use
ACCEPT rules. For example, if you run a web server on 130.252.100.19 which
you have configured to be in the <emphasis role="bold">loc</emphasis> zone
then you would need this entry in /etc/shorewall/rules:</para>
@ -192,7 +192,7 @@ iface eth1 inet static
routers with a long ARP cache timeout. If you move a system from parallel
to your firewall to behind your firewall with Proxy ARP, it will probably
be <emphasis role="bold">HOURS</emphasis> before that system can
communicate with the internet.</para>
communicate with the Internet.</para>

<para>If you sniff traffic on the firewall's external interface, you can
see incoming traffic for the internal system(s) but the traffic is never
@ -93,11 +93,11 @@

<listitem>
<para>When the level of functionality of the current development
release is judged adaquate, the <firstterm>Beta period</firstterm> for
release is judged adequate, the <firstterm>Beta period</firstterm> for
a new Stable release will begin. Beta releases have identifications of
the form <emphasis>x.y.0-BetaN</emphasis> where
<emphasis>x.y</emphasis> is the number of the next Stable Release and
<emphasis>N</emphasis>=1,2,3... . Betas are expected to occur rougly
<emphasis>N</emphasis>=1,2,3... . Betas are expected to occur roughly
once per year. Beta releases may contain new functionality not present
in the previous beta release (e.g., 2.2.0-Beta4 may contain
functionality not present in 2.2.0-Beta3). When I'm confident that the
@ -106,7 +106,7 @@
identifications of the form <emphasis>x.y.0-RCn</emphasis> where
<emphasis>x.y</emphasis> is the number of the next Stable Release and
<emphasis>n</emphasis>=1,2,3... . Release candidates contain no new
functionailty -- they only contain bug fixes. When the stability of
functionality -- they only contain bug fixes. When the stability of
the current release candidate is judged to be sufficient then that
release candidate will be released as the new stable release (e.g.,
2.2.0). At that time, the new stable release and the prior stable
@ -165,7 +165,7 @@
<emphasis>X</emphasis>=1,b,c,... . Consequently, if a user required a
bug fix but was not running the last minor release of the associated
major release then it might be necessary to accept major new
functionailty along with the bug fix.</para>
functionality along with the bug fix.</para>
</listitem>
</orderedlist>
</section>
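Review bot: on the first context line, "X=1,b,c,..." looks like a typo for the letter sequence "a,b,c,..." (a digit followed by letters does not describe a series); worth checking against the release-numbering rules described earlier in this file before the pass is closed.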
@ -157,7 +157,7 @@
</listitem>

<listitem>
<para>Use NONE policies whereever appropriate. This helps especially
<para>Use NONE policies wherever appropriate. This helps especially
in the rules activation phase of both script compilation and
execution.</para>
</listitem>
@ -157,7 +157,7 @@
<para>With the shell-based compiler, extension scripts were copied
into the compiled script and executed at run-time. In many cases,
this approach doesn't work with Shorewall Perl because (almost) the
entire ruleset is built by the compiler. As a result, Shorewall-perl
entire rule set is built by the compiler. As a result, Shorewall-perl
runs some extension scripts at compile-time rather than at run-time.
Because the compiler is written in Perl, your extension scripts from
earlier versions will no longer work.</para>
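Review bot: "ruleset" -> "rule set" is a terminology choice rather than a spelling error: "ruleset" is the usual netfilter/iptables jargon, and it is what these docs mean by the thing iptables-restore loads atomically. If the change is intended, apply it consistently across all the documentation rather than only the files the spell checker flagged; otherwise keep "ruleset" and add it to the checker's word list.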
@ -370,7 +370,7 @@ insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
a plus sign (+) as with the shell-based compiler.</para>

<para>Shorewall is now out of the ipset load/reload business. With
scripts generated by the Perl-based Compiler, the Netfilter ruleset
scripts generated by the Perl-based Compiler, the Netfilter rule set
is never cleared. That means that there is no opportunity for
Shorewall to load/reload your ipsets since that cannot be done while
there are any current rules using ipsets.</para>
@ -381,7 +381,7 @@ insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
<listitem>
<para>Your ipsets must be loaded before Shorewall starts. You
are free to try to do that with the following code in
<filename>/etc/shorewall/start (it works for me; your milage may
<filename>/etc/shorewall/start (it works for me; your mileage may
vary)</filename>:</para>

<programlisting>if [ "$COMMAND" = start ]; then
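Review bot: the spelling fix is fine, but the <filename> element on these lines also encloses the parenthetical "(it works for me; your mileage may vary)", so it renders as part of the file name. Close the element right after the path:
<filename>/etc/shorewall/start</filename> (it works for me; your mileage may vary):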
@ -437,7 +437,7 @@ fi</programlisting>
</listitem>

<listitem>
<para>DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is
<para>DELAYBLACKLISTLOAD=Yes is not supported. The entire rule set is
atomically loaded with one execution of
<command>iptables-restore</command>.</para>
</listitem>
@ -677,7 +677,7 @@ ACCEPT loc:eth0:192.168.1.3,eth0:192.168.1.5 $fw tcp 22</programlisting>
and by the compiled program will be timestamped.<simplelist>
<member><emphasis role="bold">--debug</emphasis></member>
</simplelist>If given, when a warning or error message is issued, it
is supplimented with a stack trace. Requires the Carp Perl
is supplemented with a stack trace. Requires the Carp Perl
module.<simplelist>
<member><emphasis
role="bold">--refresh=</emphasis><<emphasis>chainlist</emphasis>></member>
@ -1055,7 +1055,7 @@ my $chainref7 = $filter_table{$name};</programlisting>Shorewall::Chains is

<para>A companion function, <emphasis
role="bold">ensure_manual_chain()</emphasis>, can be called when a
manual chain of the desired name may have alread been created. If a
manual chain of the desired name may have already been created. If a
manual chain table entry with the passed name already exists, a
reference to the chain table entry is returned. Otherwise, the function
calls <emphasis role="bold">new_manual_chain()</emphasis> and returns
@ -45,7 +45,7 @@

<itemizedlist>
<listitem>
<para>Act as a <quote>Personal Firewall</quote> that allows internet
<para>Act as a <quote>Personal Firewall</quote> that allows Internet
access control by application. If that's what you are looking for, try
<ulink
url="http://tuxguardian.sourceforge.net/">TuxGuardian</ulink>.</para>
@ -104,7 +104,7 @@ httpd_accel_uses_host_header on</programlisting>
</listitem>
</orderedlist>

<para>See your distribution's Squid documenation and <ulink
<para>See your distribution's Squid documentation and <ulink
url="http://www.squid-cache.org/">http://www.squid-cache.org/</ulink>
for details.</para>

@ -188,7 +188,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
transparent proxy running in your local zone at 192.168.1.3 and
listening on port 3128. Your local interface is eth1. There may also be
a web server running on 192.168.1.3. It is assumed that web access is
already enabled from the local zone to the internet.</para>
already enabled from the local zone to the Internet.</para>

<orderedlist>
<listitem>
@ -170,7 +170,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>

<para>Suppose that I had set up eth0:0 as above and I wanted to port
forward from that virtual interface to a web server running in my local
zone at 192.168.1.3. That is accomplised by a single rule in the
zone at 192.168.1.3. That is accomplished by a single rule in the
<filename>/etc/shorewall/rules</filename> file:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
@ -68,7 +68,7 @@
url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
</tip>

<para>Shorewall verions 2.2.0 and later also include support for the ipp2p
<para>Shorewall versions 2.2.0 and later also include support for the ipp2p
match facility which can be use to control P2P traffic. See the <ulink
url="IPP2P.html">Shorewall IPP2P documentation</ulink> for details.</para>
</article>
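Review bot: the context line right after the change still reads "which can be use to control P2P traffic"; it should be "used".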
@ -216,7 +216,7 @@
Later</title>

<para>Beginning with Shorewall 2.3.2, support is included for multiple
internet connections. If you wish to use this feature, we recommend
Internet connections. If you wish to use this feature, we recommend
strongly that you upgrade to version 2.4.2 or later.</para>

<para>Shorewall multi-ISP support is now covered in a <ulink
@ -46,7 +46,7 @@
Interconnect (OSI) reference model, a router operates at layer 3.
Shorewall may also be deployed on a GNU Linux System that acts as a
<firstterm>bridge</firstterm>. Bridges are layer-2 devices in the OSI
model (think of a bridge as an ethernet switch).</para>
model (think of a bridge as an Ethernet switch).</para>

<para>Some differences between routers and bridges are:</para>

@ -54,7 +54,7 @@
<listitem>
<para>Routers determine packet destination based on the destination IP
address while bridges route traffic based on the destination MAC
address in the ethernet frame.</para>
address in the Ethernet frame.</para>
</listitem>

<listitem>
@ -93,9 +93,9 @@
bridge-specific changes are restricted to the
<filename>/etc/shorewall/interfaces</filename> file.</para>

<para>This example illustrates the bridging of two ethernet devices but
<para>This example illustrates the bridging of two Ethernet devices but
the types of the devices really isn't important. What is shown here would
apply equally to bridging an ethernet device to an <ulink
apply equally to bridging an Ethernet device to an <ulink
url="OPENVPN.html">OpenVPN</ulink> tap device (e.g.,
<filename>tap0</filename>) or to a wireless device
(<filename>ath0</filename> or <filename>wlan0</filename>).</para>
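Review bot: "the types of the devices really isn't important" on the context line between the two changes should be "aren't important" (plural subject).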
@ -89,7 +89,7 @@
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback

fe00::0 ipv6-localneta
fe00::0 ipv6-localnet

ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
@ -135,7 +135,7 @@
</tgroup>
</table>

<para>The above may or may not work — your milage may vary. NAT Traversal
<para>The above may or may not work — your mileage may vary. NAT Traversal
is definitely a better solution. To use NAT traversal:<table id="Table2">
<title>/etc/shorewall/rules with NAT Traversal</title>

@ -436,7 +436,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
exception that I've added a fourth interface for our wireless network.
The firewall runs a routed <ulink url="OPENVPN.html">OpenVPN
server</ulink> to provide roadwarrior access for our three laptops and a
server</ulink> to provide road warrior access for our three laptops and a
bridged OpenVPN server for the wireless network in our home. Here is the
firewall's view of the network:</para>

@ -912,7 +912,7 @@ $EXT_IF 30 2*full/10 6*full/10 3

<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF #Our internel nets get priority
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
@ -921,7 +921,7 @@ $EXT_IF 30 2*full/10 6*full/10 3

<para>The <filename class="devicefile">tap0</filename> device used by
the bridged OpenVPN server is created and bridged to <filename
class="devicefile">eth1</filename> using a SuSE-specific SysV init
class="devicefile">eth1</filename> using a SUSE-specific SysV init
script:</para>

<blockquote>
@ -66,7 +66,7 @@
class="devicefile">eth0</filename><footnote>
<para>This assumes the default Xen configuration created by
<command>xend </command>and assumes that the host system has a single
ethernet interface named <filename
Ethernet interface named <filename
class="devicefile">eth0</filename>.</para>
</footnote>in each domain. In Dom0, Xen also creates a bridge (<filename
class="devicefile">xenbr0</filename>) and a number of virtual interfaces
@ -156,7 +156,7 @@
</listitem>
</orderedlist>

<para>Most of the Linux systems run <trademark>SuSE </trademark>10.1; my
<para>Most of the Linux systems run <trademark>SUSE </trademark>10.1; my
personal Linux desktop system and our Linux Laptop run
<trademark>Ubuntu</trademark> "Dapper Drake".</para>

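Review bot: the trailing space inside the <trademark> element ("SUSE </trademark>10.1") survives the change; the space belongs outside the element: <trademark>SUSE</trademark> 10.1. Minor, but it affects how the trademark is rendered.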
@ -259,7 +259,7 @@
<filename class="devicefile">eth2</filename> (PCI 00:0a.0) are
delegated to the firewall DomU where they become <filename
class="devicefile">eth3</filename> and <filename
class="devicefile">eth4</filename> respectively. The SuSE 10.1 Xen
class="devicefile">eth4</filename> respectively. The SUSE 10.1 Xen
kernel compiles pciback as a module so the instructions for PCI
delegation in the Xen Users Manual can't be followed directly (see
<ulink
@ -292,7 +292,7 @@ extra = "3"

# network interface:
vif = [ 'mac=aa:cc:00:00:00:02, bridge=xenbr0', 'mac=aa:cc:00:00:00:03, bridge=xenbr1' ]
# Interfaces deletgated from Dom0
# Interfaces delegated from Dom0
pci=[ '00:09.0' , '00:0a.0' ]

# storage devices:
@ -357,7 +357,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>

<para><command>ethtool -K eth0 tx off</command></para>

<para>Under SuSE 10.1, I placed the following in
<para>Under SUSE 10.1, I placed the following in
<filename>/etc/sysconfig/network/if-up.d/resettx</filename> (that file
is executable):</para>

@ -380,13 +380,13 @@ fi</programlisting>
</caution>

<caution>
<para>Update. Under SuSE 10.2, communication from a domU works okay
<para>Update. Under SUSE 10.2, communication from a domU works okay
without running ethtool <emphasis role="bold">but traffic shaping in
dom0 doesn't work!</emphasis> So it's a good idea to run it just to be
safe.</para>
</caution>

<para>SuSE 10.1 includes Xen 3.0.2 which supports PCI delegation. The
<para>SUSE 10.1 includes Xen 3.0.2 which supports PCI delegation. The
network interfaces that connect to the net and wifi zones are delegated
to the firewall DomU.</para>

@ -474,7 +474,7 @@ SECTION NEW
described in the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
Guide</ulink> with the exception that I've added a fourth interface for
our wireless network. The firewall runs a routed <ulink
url="OPENVPN.html">OpenVPN server</ulink> to provide roadwarrior access
url="OPENVPN.html">OpenVPN server</ulink> to provide road warrior access
for our two laptops and a bridged OpenVPN server for the wireless
network in our home. Here is the firewall's view of the network:</para>

@ -834,7 +834,7 @@ $EXT_IF 30 2*full/10 6*full/10 3

<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF #Our internel nets get priority
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
@ -842,7 +842,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
</blockquote>

<para>The tap0 device used by the bridged OpenVPN server is bridged to
eth0 using a SuSE-specific SysV init script:</para>
eth0 using a SUSE-specific SysV init script:</para>

<blockquote>
<programlisting>#!/bin/sh
@ -49,7 +49,7 @@
Interconnect (OSI) reference model, a router operates at layer 3,
Shorewall may also be deployed on a GNU Linux System that acts as a
<firstterm>bridge</firstterm>. Bridges are layer 2 devices in the OSI
model (think of a bridge as an ethernet switch).</para>
model (think of a bridge as an Ethernet switch).</para>

<para>Some differences between routers and bridges are:</para>

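Review bot: the first context line ends "a router operates at layer 3," and runs straight into "Shorewall may also be deployed ...", a comma splice. The parallel paragraph in the other bridge document touched by this commit uses a full stop there; make the two copies match.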
@ -57,7 +57,7 @@
<listitem>
<para>Routers determine packet destination based on the destination IP
address, while bridges route traffic based on the destination MAC
address in the ethernet frame.</para>
address in the Ethernet frame.</para>
</listitem>

<listitem>
@ -142,7 +142,7 @@
<itemizedlist>
<listitem>
<para>The Shorewall system (the Bridge/Firewall) has only a single IP
address even though it has two ethernet interfaces! The IP address is
address even though it has two Ethernet interfaces! The IP address is
configured on the bridge itself, rather than on either of the network
cards.</para>
</listitem>
@ -454,7 +454,7 @@ ifconfig most 192.168.1.31 netmask 255.255.255.0 up
#you don't use rc.inet1
#########################

3) I made rc.brige executable and added the following line to /etc/rc.d/rc.local
3) I made rc.bridge executable and added the following line to /etc/rc.d/rc.local

/etc/rc.d/rc.bridge </programlisting>
</blockquote>
@ -563,7 +563,7 @@ rc-update add bridge boot
<filename>shorewall.conf</filename>.</para>

<para>In the scenario pictured above, there would probably be two BP zones
defined -- one for the internet and one for the local LAN so in
defined -- one for the Internet and one for the local LAN so in
<filename>/etc/shorewall/zones</filename>:</para>

<programlisting>#ZONE TYPE OPTIONS
@ -203,7 +203,7 @@

<listitem>
<para><filename>/etc/shorewall/vardir</filename> - (Added in
Shoreall 4.0.0-RC2) - Determines the directory where Shorewall
Shorewall 4.0.0-RC2) - Determines the directory where Shorewall
maintains its state.</para>
</listitem>

@ -590,7 +590,7 @@ use Shorewall::Config qw/shorewall/;</programlisting>
the name to one or more IP addresses and inserts those addresses into the
rule. So changes in the DNS->IP address relationship that occur after
the firewall has started have absolutely no effect on the firewall's
ruleset.</para>
rule set.</para>

<para>If your firewall rules include DNS names then:</para>

@ -95,12 +95,12 @@
<section id="Shell-Perl">
<title>Shorewall-shell and Shorewall-perl</title>

<para>Shorewall-shell and Shoreall-perl have no configuration files and
<para>Shorewall-shell and Shorewall-perl have no configuration files and
all of their released files are installed in a single directory. To
fallback to a prior release of one of these products using the tarballs,
simple re-install the older version.</para>

<para>To uninstal these products when they have been installed using the
<para>To uninstall these products when they have been installed using the
tarballs:</para>

<itemizedlist>
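Review bot: two context lines in this hunk still carry errors a spell checker cannot see: "To fallback to a prior release" should be "To fall back", and "simple re-install the older version" should be "simply re-install".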
@ -37,7 +37,7 @@
<section id="Ipsets">
<title>What are Ipsets?</title>

<para>Ipsets are an extention to Netfilter/iptables that are currently
<para>Ipsets are an extension to Netfilter/iptables that are currently
available in Patch-O-Matic-ng (<ulink
url="http://www.netfilter.org">http://www.netfilter.org</ulink>). Using
ipsets requires that you patch your kernel and iptables and that you build
@ -50,7 +50,7 @@

<orderedlist>
<listitem>
<para>Blacklists. Ipsets provide an effecient way to represent large
<para>Blacklists. Ipsets provide an efficient way to represent large
sets of addresses and you can maintain the lists without the need to
restart or even refresh your Shorewall configuration.</para>
</listitem>
@ -90,7 +90,7 @@

<listitem>
<para>a series of "src" and "dst" options separated by commas and
inclosed in square brackets ([]). These will be passed directly to
enclosed in square brackets ([]). These will be passed directly to
iptables in the generated --set clause. See the ipset documentation
for details.</para>

@ -363,9 +363,9 @@ CONFIG_IP_NF_ARP_MANGLE=m
(Ubuntu inexplicably includes connmark match support but not CONNTRACK
target support).<graphic align="center"
fileref="images/kernel-2.6.20-2.png" />The next graphic shows the IP
Netfilter Configuration -- these are the standard Ubuntu settions.<graphic
Netfilter Configuration -- these are the standard Ubuntu settings.<graphic
align="center" fileref="images/kernel-2.6.20-3.png" />Here is the
corresponding CONFIG file exerpt.<programlisting>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
corresponding CONFIG file excerpt.<programlisting>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
@ -26,7 +26,7 @@
</copyright>

<legalnotice>
<para>Permission is granted to copy, distribute and/or mify this
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
@ -232,7 +232,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry>Filrewall 2</entry>
|
||||
<entry>Firewall 2</entry>
|
||||
|
||||
<entry>192.168.1.27 in lower cloud</entry>
|
||||
|
||||
|
@ -48,7 +48,7 @@
|
||||
<section id="Ping">
|
||||
<title>'Ping' Management</title>
|
||||
|
||||
<para>In Shorewall , ICMP echo-request's are treated just like any other
|
||||
<para>In Shorewall , ICMP echo-requests are treated just like any other
|
||||
connection request.</para>
|
||||
|
||||
<para>In order to accept ping requests from zone z1 to zone z2 where the
|
||||
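Review bot: the rewritten line "In Shorewall , ICMP echo-requests are treated just like any other" still carries a stray space before the comma; since this line is already being edited for the apostrophe fix, drop the space ("In Shorewall, ICMP echo-requests ...").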
@ -85,7 +85,7 @@ Ping/DROP z1 z2</programlisting>
|
||||
<example id="Example2">
|
||||
<title>Silently drop pings from the Internet</title>
|
||||
|
||||
<para>To drop ping from the internet, you would need this rule in
|
||||
<para>To drop ping from the Internet, you would need this rule in
|
||||
<filename>/etc/shorewall/rules</filename>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
|
@ -227,7 +227,7 @@ ICQ/ACCEPT <emphasis><source></emphasis> net</programlisting>
|
||||
<title>IMAP</title>
|
||||
|
||||
<caution>
|
||||
<para>When accessing your mail from the internet,use <emphasis
|
||||
<para>When accessing your mail from the Internet, use <emphasis
|
||||
role="bold">only</emphasis> <emphasis role="bold">IMAP over
|
||||
SSL.</emphasis></para>
|
||||
</caution>
|
||||
@ -281,7 +281,7 @@ LDAPS/ACCEPT <emphasis><emphasis><source></emphasis> <emphasis> &
|
||||
role="bold">severe security risk</emphasis>.</para>
|
||||
|
||||
<para><emphasis role="bold">DO NOT USE THIS </emphasis>if you don't know
|
||||
how to deal with the consecuences, you have been warned.</para>
|
||||
how to deal with the consequences, you have been warned.</para>
|
||||
</caution>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
@ -542,7 +542,7 @@ Whois/ACCEPT <emphasis><source></emphasis> <emphasis><destination&
|
||||
<section id="X">
|
||||
<title>X/XDMCP</title>
|
||||
|
||||
<para>Assume that the Choser and/or X Server are running at
|
||||
<para>Assume that the Chooser and/or X Server are running at
|
||||
<<emphasis>chooser</emphasis>> and the Display Manager/X
|
||||
applications are running at <<emphasis>apps</emphasis>>.</para>
|
||||
|
||||
|
@ -163,7 +163,7 @@
|
||||
classified by the national government as secret, our security doesn't
|
||||
stop by putting a fence around our company. Information security is a
|
||||
hot issue. We also make use of checkpoint firewalls, but not all of the
|
||||
internet servers are guarded by checkpoint, some of them are
|
||||
Internet servers are guarded by checkpoint, some of them are
|
||||
running....Shorewall.</emphasis></para>
|
||||
</blockquote>
|
||||
|
||||
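Review bot: the changed line sits inside a `<blockquote>`/`<emphasis>` quoting a user's testimonial, so "internet" to "Internet" alters attributed text; the same applies to "flexibillity" and "rulesets" in the blockquote hunks that follow. Either leave the quotations verbatim or mark the original spelling with [sic] rather than silently editing what the contributor wrote.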
@ -172,7 +172,7 @@
|
||||
|
||||
<para><emphasis>thanx for all your efforts you put into shorewall - this
|
||||
product stands out against a lot of commercial stuff i´ve been working
|
||||
with in terms of flexibillity, quality & support</emphasis></para>
|
||||
with in terms of flexibility, quality & support</emphasis></para>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
@ -184,7 +184,7 @@
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<attribution>RP, Guatamala</attribution>
|
||||
<attribution>RP, Guatemala</attribution>
|
||||
|
||||
<para><emphasis>My respects... I've just found and installed Shorewall
|
||||
1.3.3-1 and it is a wonderful piece of software. I've just sent out an
|
||||
@ -193,7 +193,7 @@
|
||||
<para><emphasis>While I had previously taken the time (maybe 40 hours)
|
||||
to really understand ipchains, then spent at least an hour per server
|
||||
customizing and carefully scrutinizing firewall rules, I've got
|
||||
shorewall running on my home firewall, with rulesets and policies that I
|
||||
shorewall running on my home firewall, with rule sets and policies that I
|
||||
know make sense, in under 20 minutes.</emphasis></para>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
@ -169,7 +169,7 @@ esac</programlisting><caution>
|
||||
ADMINISABSENTMINDED=Yes.</para>
|
||||
|
||||
<para>The firewall state when this script is invoked is
|
||||
indeterminent. So if you have ADMINISABSENTMINDED=No in <ulink
|
||||
indeterminate. So if you have ADMINISABSENTMINDED=No in <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
|
||||
output on an interface is not allowed by <ulink
|
||||
url="manpages/shorewall.conf.html">routestopped</ulink>(8) then
|
||||
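Review bot: the trailing context line `url="manpages/shorewall.conf.html">routestopped</ulink>(8)` links the text "routestopped" to the shorewall.conf manpage; elsewhere in this patch routestopped is linked as `manpages/shorewall-routestopped.html`, so the URL here should be corrected while this paragraph is being touched.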
@ -495,7 +495,7 @@ esac</programlisting><caution>
|
||||
<para>The 'continue' script has been eliminated because it no longer
|
||||
make any sense under Shorewall-perl. That script was designed to allow
|
||||
you to add special temporary rules during [re]start. Shorewall-perl
|
||||
doesn't need such rules since the ruleset is instantianted atomically by
|
||||
doesn't need such rules since the rule set is instantiated atomically by
|
||||
table.</para>
|
||||
</section>
|
||||
</section>
|
||||
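Review bot: the context line "make any sense under Shorewall-perl" has a subject-verb disagreement ("it no longer make") that the spelling pass misses; change to "makes any sense" in the same hunk.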
|
@ -50,7 +50,7 @@
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>The packet is part of an established connecection. While the
|
||||
<para>The packet is part of an established connection. While the
|
||||
packet can be logged using LOG rules in the ESTABLISHED section of
|
||||
<ulink
|
||||
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that
|
||||
@ -100,7 +100,7 @@
|
||||
<title>Where the Traffic is Logged and How to Change the
|
||||
Destination</title>
|
||||
|
||||
<para>By default, Shorewall directs NetFilter to log using syslog (8).
|
||||
<para>By default, Shorewall directs Netfilter to log using syslog (8).
|
||||
Syslog classifies log messages by a <emphasis>facility</emphasis> and a
|
||||
<emphasis>priority</emphasis> (using the notation
|
||||
<emphasis>facility.priority</emphasis>).</para>
|
||||
@ -111,7 +111,7 @@
|
||||
|
||||
<para>Throughout the Shorewall documentation, I will use the term
|
||||
<emphasis>level</emphasis> rather than <emphasis>priority </emphasis>since
|
||||
<emphasis>level</emphasis> is the term used by NetFilter. The syslog
|
||||
<emphasis>level</emphasis> is the term used by Netfilter. The syslog
|
||||
documentation uses the term <emphasis>priority</emphasis>.</para>
|
||||
|
||||
<section id="Levels">
|
||||
@ -150,7 +150,7 @@
|
||||
</simplelist>
|
||||
|
||||
<para>For most Shorewall logging, a level of 6 (info) is appropriate.
|
||||
Shorewall log messages are generated by NetFilter and are logged using
|
||||
Shorewall log messages are generated by Netfilter and are logged using
|
||||
the <emphasis>kern</emphasis> facility and the level that you specify.
|
||||
If you are unsure of the level to choose, 6 (info) is a safe bet. You
|
||||
may specify levels by name or by number.</para>
|
||||
@ -180,14 +180,14 @@
|
||||
|
||||
<listitem>
|
||||
<para>All kernel.info messages will go to that destination and not
|
||||
just those from NetFilter.</para>
|
||||
just those from Netfilter.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>Beginning with Shorewall version 1.3.12, if your kernel has ULOG
|
||||
target support (and most vendor-supplied kernels do), you may also
|
||||
specify a log level of ULOG (must be all caps). When ULOG is used,
|
||||
Shorewall will direct netfilter to log the related messages via the ULOG
|
||||
Shorewall will direct Netfilter to log the related messages via the ULOG
|
||||
target which will send them to a process called <quote>ulogd</quote>.
|
||||
The ulogd program is included in most distributions and is also
|
||||
available from <ulink
|
||||
@ -276,7 +276,7 @@ ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 </programlis
|
||||
<para><ulink
|
||||
url="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</ulink>
|
||||
is a post describing configuring syslog-ng to work with Shorewall. Recent
|
||||
<trademark>SuSE</trademark> releases come preconfigured with syslog-ng
|
||||
<trademark>SUSE</trademark> releases come preconfigured with syslog-ng
|
||||
with Netfilter messages (including Shorewall's) are written to
|
||||
<filename>/var/log/firewall</filename>.</para>
|
||||
</section>
|
||||
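Review bot: the trailing context line "with Netfilter messages (including Shorewall's) are written to" does not parse; since the hunk already touches this sentence, change "with" to "and" (or "so that"). Also, SuSE to SUSE here is inconsistent with the `<trademark>SuSE/OpenSuSE</trademark>` left unchanged in the single-interface quick-start hunk later in this patch.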
|
@ -45,7 +45,7 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>A <emphasis role="bold">Linux</emphasis> kernel that supports
|
||||
netfilter (No, it won't work on BSD or Solaris). I've tested with
|
||||
Netfilter (No, it won't work on BSD or Solaris). I've tested with
|
||||
2.4.2 - 2.6.16. Check <ulink url="kernel.htm">here</ulink> for kernel
|
||||
configuration information.</para>
|
||||
</listitem>
|
||||
|
@ -109,14 +109,14 @@
|
||||
class="directory">/etc/shorewall</filename> directory is empty. This
|
||||
is intentional. The released configuration file skeletons may be found
|
||||
on your system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the
|
||||
copies.</para>
|
||||
|
||||
<para>Note that you must copy <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
and /usr/share/doc/shorewall/default-config/modules to <filename
|
||||
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
|
||||
and /usr/share/doc/shorewall-common/default-config/modules to <filename
|
||||
class="directory">/etc/shorewall</filename> even if you do not modify
|
||||
those files.</para>
|
||||
</warning></para>
|
||||
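Review bot: on the rewritten lines, `<filename class="directory">` wraps `/usr/share/doc/shorewall-common/default-config/shorewall.conf`, which is a regular file, not a directory, while the `modules` path on the next line is bare text with no `<filename>` element at all. Since both lines are being replaced anyway, drop `class="directory"` on the file path and wrap the modules path in `<filename>` for consistency.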
@ -192,7 +192,7 @@ dmz ipv4</programlisting>
|
||||
assigned to the firewall zone, Shorewall attaches absolutely no meaning to
|
||||
zone names. Zones are entirely what YOU make of them. That means that you
|
||||
should not expect Shorewall to do something special <quote>because this is
|
||||
the internet zone</quote> or <quote>because that is the
|
||||
the Internet zone</quote> or <quote>because that is the
|
||||
DMZ</quote>.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
||||
@ -286,11 +286,11 @@ all all REJECT info</programlisting>
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>allow all connection requests from your local network to the
|
||||
internet</para>
|
||||
Internet</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>drop (ignore) all connection requests from the internet to your
|
||||
<para>drop (ignore) all connection requests from the Internet to your
|
||||
firewall or local network and log a message at the info level (<ulink
|
||||
url="shorewall_logging.html">here is a description of log
|
||||
levels</ulink>).</para>
|
||||
@ -322,7 +322,7 @@ all all REJECT info</programlisting>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
|
||||
to isolate your internet-accessible servers from your local systems so
|
||||
to isolate your Internet-accessible servers from your local systems so
|
||||
that if one of those servers is compromised, you still have the
|
||||
firewall between the compromised system and your local systems.</para>
|
||||
</listitem>
|
||||
@ -508,7 +508,7 @@ loc eth2 detect</programlisting>
|
||||
Class C address 192.0.2.14, the network number is hex C00002 and the
|
||||
host number is hex 0E.</para>
|
||||
|
||||
<para>As the internet grew, it became clear that such a gross
|
||||
<para>As the Internet grew, it became clear that such a gross
|
||||
partitioning of the 32-bit address space was going to be very limiting
|
||||
(early on, large corporations and universities were assigned their own
|
||||
class A network!). After some false starts, the current technique of
|
||||
@ -1067,7 +1067,7 @@ Destination Gateway Genmask Flgs MSS Win irtt Iface
|
||||
|
||||
<para>One more thing needs to be emphasized -- all outgoing packet are
|
||||
sent using the routing table and reply packets are not a special case.
|
||||
There seems to be a common mis-conception whereby people think that
|
||||
There seems to be a common misconception whereby people think that
|
||||
request packets are like salmon and contain a genetic code that is
|
||||
magically transferred to reply packets so that the replies follow the
|
||||
reverse route taken by the request. That isn't the case; the replies may
|
||||
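Review bot: the context line "all outgoing packet are" needs "packets"; it is two lines above the "mis-conception" fix and should be corrected in the same spelling pass.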
@ -1132,7 +1132,7 @@ tcpdump: listening on eth2
|
||||
|
||||
<para>The leading question marks are a result of my having specified the
|
||||
<quote>n</quote> option (Windows <quote>arp</quote> doesn't allow that
|
||||
option) which causes the <quote>arp</quote> program to forego IP->DNS
|
||||
option) which causes the <quote>arp</quote> program to forgo IP->DNS
|
||||
name translation. Had I not given that option, the question marks would
|
||||
have been replaced with the FQDN corresponding to each IP address.
|
||||
Notice that the last entry in the table records the information we saw
|
||||
@ -1167,7 +1167,7 @@ tcpdump: listening on eth2
|
||||
somewhat unfortunate because it leads people to the erroneous conclusion
|
||||
that traffic destined for one of these addresses can't be sent through a
|
||||
router. This is definitely not true; private routers (including your
|
||||
Shorewall-based firewall) can forward RFC 1918 addresed traffic just
|
||||
Shorewall-based firewall) can forward RFC 1918 addressed traffic just
|
||||
fine.</para>
|
||||
|
||||
<para>When selecting addresses from these ranges, there's a couple of
|
||||
@ -1349,7 +1349,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
|
||||
<para>With SNAT, an internal LAN segment is configured using RFC 1918
|
||||
addresses. When a host <emphasis role="bold">A</emphasis> on this
|
||||
internal segment initiates a connection to host <emphasis
|
||||
role="bold">B</emphasis> on the internet, the firewall/router rewrites
|
||||
role="bold">B</emphasis> on the Internet, the firewall/router rewrites
|
||||
the IP header in the request to use one of your public IP addresses as
|
||||
the source address. When <emphasis role="bold">B</emphasis> responds
|
||||
and the response is received by the firewall, the firewall changes the
|
||||
@ -1359,7 +1359,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
|
||||
|
||||
<para>Let's suppose that you decide to use SNAT on your local zone and
|
||||
use public address 192.0.2.176 as both your firewall's external IP
|
||||
address and the source IP address of internet requests sent from that
|
||||
address and the source IP address of Internet requests sent from that
|
||||
zone.</para>
|
||||
|
||||
<graphic align="center" fileref="images/dmz5.png" />
|
||||
@ -1396,16 +1396,16 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
||||
<section id="dnat">
|
||||
<title>DNAT</title>
|
||||
|
||||
<para>When SNAT is used, it is impossible for hosts on the internet to
|
||||
<para>When SNAT is used, it is impossible for hosts on the Internet to
|
||||
initiate a connection to one of the internal systems since those
|
||||
systems do not have a public IP address. DNAT provides a way to allow
|
||||
selected connections from the internet.</para>
|
||||
selected connections from the Internet.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
||||
|
||||
<para>Suppose that your daughter wants to run a web server on her
|
||||
system <quote>Local 3</quote>. You could allow connections to the
|
||||
internet to her server by adding the following entry in
|
||||
Internet to her server by adding the following entry in
|
||||
<filename><ulink
|
||||
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para>
|
||||
|
||||
@ -1489,12 +1489,12 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
||||
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
|
||||
file.</para>
|
||||
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTANT
|
||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT
|
||||
192.0.2.177 eth2 eth0 No
|
||||
192.0.2.178 eth2 eth0 No</programlisting>
|
||||
|
||||
<para>Because the HAVE ROUTE column contains No, Shorewall will add
|
||||
host routes thru eth2 to 192.0.2.177 and 192.0.2.178. The ethernet
|
||||
host routes thru eth2 to 192.0.2.177 and 192.0.2.178. The Ethernet
|
||||
interfaces on DMZ 1 and DMZ 2 should be configured to have the IP
|
||||
addresses shown but should have the same default gateway as the
|
||||
firewall itself -- namely 192.0.2.254. In other words, they should be
|
||||
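Review bot: "thru" is left on the rewritten line "host routes thru eth2 to 192.0.2.177 and 192.0.2.178. The Ethernet"; since the line is already being edited for "Ethernet", use "through".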
@ -1511,7 +1511,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
||||
their routers with a long ARP cache timeout. If you move a system from
|
||||
parallel to your firewall to behind your firewall with Proxy ARP, it
|
||||
will probably be HOURS before that system can communicate with the
|
||||
internet. There are a couple of things that you can try:</para>
|
||||
Internet. There are a couple of things that you can try:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -1630,7 +1630,7 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
|
||||
their routers with a long ARP cache timeout. If you move a system from
|
||||
parallel to your firewall to behind your firewall with one-to-one NAT,
|
||||
it will probably be HOURS before that system can communicate with the
|
||||
internet. There are a couple of things that you can try:</para>
|
||||
Internet. There are a couple of things that you can try:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -1711,7 +1711,7 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
||||
|
||||
<para>With the default policies described earlier in this document, your
|
||||
local systems (Local 1-3) can access any server on the internet and the
|
||||
local systems (Local 1-3) can access any server on the Internet and the
|
||||
DMZ can't access any other host (including the firewall). With the
|
||||
exception of DNAT rules which cause address translation and allow the
|
||||
translated connection request to pass through the firewall, the way to
|
||||
@ -1929,7 +1929,7 @@ options {
|
||||
max-transfer-time-in 60;
|
||||
|
||||
allow-transfer {
|
||||
// Servers allowed to request zone tranfers
|
||||
// Servers allowed to request zone transfers
|
||||
<secondary NS IP>; };
|
||||
};
|
||||
|
||||
@ -2078,7 +2078,7 @@ view "external" {
|
||||
|
||||
<para>Here are the files in <filename
|
||||
class="directory">/var/named</filename> (those not shown are usually
|
||||
included in your bind disbribution).</para>
|
||||
included in your bind distribution).</para>
|
||||
|
||||
<para><filename>db.192.0.2.176</filename> - This is the reverse zone for
|
||||
the firewall's external interface</para>
|
||||
@ -2101,7 +2101,7 @@ view "external" {
|
||||
@ 604800 IN NS <name of secondary ns>.
|
||||
;
|
||||
; ############################################################
|
||||
; Iverse Address Arpa Records (PTR's)
|
||||
; Inverse Address Arpa Records (PTR's)
|
||||
; ############################################################
|
||||
176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.</programlisting>
|
||||
|
||||
@ -2125,7 +2125,7 @@ view "external" {
|
||||
@ 604800 IN NS <name of secondary ns>.
|
||||
;
|
||||
; ############################################################
|
||||
; Iverse Address Arpa Records (PTR's)
|
||||
; Inverse Address Arpa Records (PTR's)
|
||||
; ############################################################
|
||||
177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.</programlisting>
|
||||
|
||||
@ -2150,7 +2150,7 @@ view "external" {
|
||||
@ 604800 IN NS <name of secondary ns>.
|
||||
;
|
||||
; ############################################################
|
||||
; Iverse Address Arpa Records (PTR's)
|
||||
; Inverse Address Arpa Records (PTR's)
|
||||
; ############################################################
|
||||
178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.</programlisting>
|
||||
|
||||
@ -2175,7 +2175,7 @@ view "external" {
|
||||
@ 604800 IN NS <name of secondary ns>.
|
||||
;
|
||||
; ############################################################
|
||||
; Iverse Address Arpa Records (PTR's)
|
||||
; Inverse Address Arpa Records (PTR's)
|
||||
; ############################################################
|
||||
179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.</programlisting>
|
||||
|
||||
@ -2198,7 +2198,7 @@ view "external" {
|
||||
@ 604800 IN NS ns1.foobar.net.
|
||||
|
||||
; ############################################################
|
||||
; Iverse Address Arpa Records (PTR's)
|
||||
; Inverse Address Arpa Records (PTR's)
|
||||
; ############################################################
|
||||
1 86400 IN PTR localhost.foobar.net.</programlisting>
|
||||
|
||||
@ -2221,7 +2221,7 @@ view "external" {
|
||||
; ############################################################
|
||||
@ 604800 IN NS ns1.foobar.net.
|
||||
; ############################################################
|
||||
; Iverse Address Arpa Records (PTR's)
|
||||
; Inverse Address Arpa Records (PTR's)
|
||||
; ############################################################
|
||||
1 86400 IN PTR gateway.foobar.net.
|
||||
2 86400 IN PTR winken.foobar.net.
|
||||
@ -2248,7 +2248,7 @@ view "external" {
|
||||
@ 604800 IN NS ns1.foobar.net.
|
||||
|
||||
; ############################################################
|
||||
; Iverse Address Arpa Records (PTR's)
|
||||
; Inverse Address Arpa Records (PTR's)
|
||||
; ############################################################
|
||||
1 86400 IN PTR dmz.foobar.net.</programlisting>
|
||||
|
||||
@ -2416,7 +2416,7 @@ foobar.net. 86400 IN A 192.0.2.177
|
||||
firewall when it is stopped.</para>
|
||||
|
||||
<caution>
|
||||
<para>If you are connected to your firewall from the internet, do not
|
||||
<para>If you are connected to your firewall from the Internet, do not
|
||||
issue a <quote>shorewall stop</quote> command unless you have added an
|
||||
entry for the IP address that you are connected from to <filename><ulink
|
||||
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.
|
||||
|
@ -201,7 +201,7 @@
|
||||
class="directory">/etc/shorewall</filename> directory is empty. This is
|
||||
intentional. The released configuration file skeletons may be found on
|
||||
your system in the directory <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||
Simply copy the files you need from that directory to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify the
|
||||
copies.</para>
|
||||
@ -262,11 +262,11 @@ net ipv4</programlisting>
|
||||
<filename><filename>/etc/shorewall/rules</filename></filename> file. If no
|
||||
rule in that file matches the connection request then the first policy in
|
||||
<filename>/etc/shorewall/policy</filename> that matches the request is
|
||||
applied. If there is a <ulink url="shorewall_extension_scripts.htm">comon
|
||||
applied. If there is a <ulink url="shorewall_extension_scripts.htm">common
|
||||
action</ulink> defined for the policy in
|
||||
<filename>/etc/shorewall/actions</filename> or
|
||||
<filename>/usr/share/shorewall/actions.std</filename> then that action is
|
||||
peformed before the policy is applied. The purpose of the common action is
|
||||
performed before the policy is applied. The purpose of the common action is
|
||||
two-fold:</para>
|
||||
|
||||
<itemizedlist>
|
||||
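Review bot: the context line `<filename><filename>/etc/shorewall/rules</filename></filename>` has a redundant nested `<filename>` element; collapse it to a single `<filename>/etc/shorewall/rules</filename>` while this paragraph is being edited.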
@ -295,11 +295,11 @@ all all REJECT info</programlisting>
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>allow all connection requests from the firewall to the
|
||||
internet</para>
|
||||
Internet</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>drop (ignore) all connection requests from the internet to your
|
||||
<para>drop (ignore) all connection requests from the Internet to your
|
||||
firewall</para>
|
||||
</listitem>
|
||||
|
||||
@ -310,9 +310,9 @@ all all REJECT info</programlisting>
|
||||
</orderedlist>
|
||||
|
||||
<para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the
|
||||
last two policies indicates that packets droped or rejected under those
|
||||
last two policies indicates that packets dropped or rejected under those
|
||||
policies should be <ulink url="shorewall_logging.html">logged at that
|
||||
leve</ulink>l.</para>
|
||||
level</ulink>.</para>
|
||||
|
||||
<para>At this point, edit your <filename>/etc/shorewall/policy</filename>
|
||||
and make any changes that you wish.</para>
|
||||
@ -324,7 +324,7 @@ all all REJECT info</programlisting>
|
||||
<para>The firewall has a single network interface. Where Internet
|
||||
connectivity is through a cable or <acronym>DSL</acronym>
|
||||
<quote>Modem</quote>, the <emphasis>External Interface</emphasis> will be
|
||||
the ethernet adapter (<filename class="devicefile">eth0</filename>) that
|
||||
the Ethernet adapter (<filename class="devicefile">eth0</filename>) that
|
||||
is connected to that <quote>Modem</quote> <emphasis
|
||||
role="underline">unless</emphasis> you connect via
|
||||
<emphasis>Point-to-Point Protocol over Ethernet</emphasis>
|
||||
@ -412,7 +412,7 @@ root@lists:~# </programlisting>
|
||||
<acronym>ISP</acronym>s are assigning these addresses then using
|
||||
<emphasis>Network Address Translation</emphasis> <emphasis>-
|
||||
</emphasis><acronym>NAT</acronym>) to rewrite packet headers when
|
||||
forwarding to/from the internet.</para>
|
||||
forwarding to/from the Internet.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
@ -453,7 +453,7 @@ root@lists:~# </programlisting>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><command>shorewall show log</command> (Displays the last 20
|
||||
netfilter log messages)</para>
|
||||
Netfilter log messages)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -476,12 +476,12 @@ root@lists:~# </programlisting>
|
||||
<para>Most commonly, Netfilter messages are logged to
|
||||
<filename>/var/log/messages</filename>. Recent
|
||||
<trademark>SuSE/OpenSuSE</trademark> releases come preconfigured with
|
||||
syslog-ng and log netfilter messages to
|
||||
syslog-ng and log Netfilter messages to
|
||||
<filename>/var/log/firewall</filename>.</para>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
|
||||
<para>If you are running a distribution that logs netfilter messages to a
|
||||
<para>If you are running a distribution that logs Netfilter messages to a
|
||||
log other than <filename>/var/log/messages</filename>, then modify the
|
||||
LOGFILE setting in <filename>/etc/shorewall/shorewall.conf</filename> to
|
||||
specify the name of your log.</para>
|
||||
@ -501,7 +501,7 @@ root@lists:~# </programlisting>
|
||||
in your version of Shorewall using the command <command>ls
|
||||
<filename>/usr/share/shorewall/macro.*</filename></command>.</para>
|
||||
|
||||
<para>If you wish to enable connections from the internet to your firewall
|
||||
<para>If you wish to enable connections from the Internet to your firewall
|
||||
and you find an appropriate macro in
|
||||
<filename>/etc/shorewall/macro.*</filename>, the general format of a rule
|
||||
in <filename>/etc/shorewall/rules</filename> is:</para>
|
||||
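Review bot: the context lines are inconsistent about where macros live: the sentence above says to list them with `ls /usr/share/shorewall/macro.*`, while the line after the "Internet" fix tells the reader to look for a macro in `/etc/shorewall/macro.*`. One of the two paths should be corrected so the paragraph points at a single location.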
@ -544,9 +544,9 @@ ACCEPT net $FW tcp 143</programlisting></para>
|
||||
uses, see <ulink url="ports.htm">here</ulink>.</para>
|
||||
|
||||
<important>
|
||||
<para>I don't recommend enabling telnet to/from the internet because it
|
||||
<para>I don't recommend enabling telnet to/from the Internet because it
|
||||
uses clear text (even for login!). If you want shell access to your
|
||||
firewall from the internet, use <acronym>SSH</acronym>:</para>
|
||||
firewall from the Internet, use <acronym>SSH</acronym>:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||
SSH/ACCEPT net $FW </programlisting>
|
||||
@ -594,7 +594,7 @@ SSH/ACCEPT net $FW </programlisting>
|
||||
<quote><command>shorewall clear</command></quote>.</para>
|
||||
|
||||
<warning>
|
||||
<para>If you are connected to your firewall from the internet, do not
|
||||
<para>If you are connected to your firewall from the Internet, do not
|
||||
issue a <quote><command>shorewall stop</command></quote> command unless
|
||||
you have added an entry for the IP address that you are connected from
|
||||
to <ulink
|
||||
@ -641,4 +641,4 @@ SSH/ACCEPT net $FW </programlisting>
|
||||
page</ulink> -- it contains helpful tips about Shorewall features than
|
||||
make administering your firewall easier.</para>
|
||||
</section>
|
||||
</article>
|
||||
</article>
|
||||
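Review bot: the context line "page</ulink> -- it contains helpful tips about Shorewall features than" should read "that make administering your firewall easier"; this typo is in the same hunk as the `</article>` newline fix and should be corrected with it.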
|
@ -169,15 +169,15 @@
|
||||
директория <filename class="directory">/etc/shorewall</filename>
|
||||
пуста. Это сделано специально. Поставляемые шаблоны файлов
|
||||
конфигурации Вы найдете на вашей системе в директории <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
||||
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||
Просто скопируйте нужные Вам файлы из этой директории в <filename
|
||||
class="directory">/etc/shorewall</filename> и отредактируйте
|
||||
копии.</para>
|
||||
|
||||
<para>Заметьте, что Вы должны скопировать <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
||||
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
|
||||
и <filename
|
||||
class="directory">/usr/share/doc/shorewall/default-config/modules</filename>
|
||||
class="directory">/usr/share/doc/shorewall-common/default-config/modules</filename>
|
||||
в <filename class="directory">/etc/shorewall</filename> даже если Вы
|
||||
не будете изменять эти файлы.</para>
|
||||
</warning><inlinegraphic fileref="images/BD21298_.gif"
|
||||
@ -215,7 +215,7 @@
|
||||
<listitem>
|
||||
<para>Если же Вы пользовались пакетом .deb, примеры находятся в
|
||||
директории <filename
|
||||
class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>.</para>
|
||||
class="directory">/usr/share/doc/shorewall-common/examples/one-interface</filename>.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
|
@ -148,7 +148,7 @@
|
||||
|
||||
<important>
|
||||
<para>The <command>shorewall stop</command> command does not remove
|
||||
all netfilter rules and open your firewall for all traffic to pass.
|
||||
all Netfilter rules and open your firewall for all traffic to pass.
|
||||
It rather places your firewall in a safe state defined by the
|
||||
contents of your <ulink
|
||||
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
|
||||
@ -179,7 +179,7 @@
|
||||
<para>Because of the different requirements of distribution packaging
|
||||
systems, the behavior of <filename>/etc/init.d/shorewall</filename> and
|
||||
<filename>/etc/init.d/shorewall-lite</filename> is not consistent between
|
||||
distributions. As an example, when using the distributon Shorewall
|
||||
distributions. As an example, when using the distribution Shorewall
|
||||
packages on <trademark>Debian</trademark> and
|
||||
<trademark>Ubuntu</trademark> systems, running
|
||||
<command>/etc/init.d/shorewall stop</command> will actually execute the
|
||||
@ -617,7 +617,7 @@
<section id="State">
<title>Shorewall State Diagram</title>
<para>The Shorewall State Diargram is depicted below.</para>
<para>The Shorewall State Diagram is depicted below.</para>
<para><graphic align="center" fileref="images/State_Diagram.png" /></para>
@ -274,9 +274,9 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
<para>If Shorewall is starting successfully and your problem is that
some set of <emphasis role="bold">connections</emphasis> to/from or
through your firewall <emphasis role="bold">isn't working</emphasis>
(examples: local systems can't access the internet, you can't send
(examples: local systems can't access the Internet, you can't send
email through the firewall, you can't surf the web from the firewall,
connections that you are certain should be rejected are mysterously
connections that you are certain should be rejected are mysteriously
accepted, etc.) or <emphasis role="bold">you are having problems with
traffic shaping</emphasis> then please perform the following six
steps:</para>
@ -313,7 +313,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
<listitem>
<para>Otherwise:</para>
<para>Shorewall is starting successfuly and you have <emphasis
<para>Shorewall is starting successfully and you have <emphasis
role="bold">no connection problems</emphasis> and you have <emphasis
role="bold">no traffic shaping problems</emphasis>. Your problem is
with performance, logging, etc. Please include the following:</para>
@ -409,7 +409,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
</listitem>
<listitem>
<para>The author gratefully acknowleges that the above list was
<para>The author gratefully acknowledges that the above list was
heavily plagiarized from the excellent LEAF document by <emphasis>Ray
Olszewski</emphasis> found <ulink
url="http://leaf-project.org/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=6&MMN_position=21:21">here</ulink>.</para>
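Review bot: the ulink url on the last line of this hunk shows bare & characters inside an attribute value as rendered here; if the source really contains & rather than &amp; in that attribute, the file is not well-formed XML and the documentation build will reject it, so check the escaping while this paragraph is being edited.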
@ -76,7 +76,7 @@
</listitem>
<listitem>
<para>DMZ connected to a separate ethernet interface. The purpose of a
<para>DMZ connected to a separate Ethernet interface. The purpose of a
DMZ is to isolate those servers that are exposed to the Internet from
your local systems so that if one of those servers is compromised
there is still a firewall between the hacked server and your local
@ -185,7 +185,7 @@
class="directory">/etc/shorewall</filename> directory is empty. This
is intentional. The released configuration file skeletons may be found
on your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the
copies.</para>
@ -286,10 +286,10 @@ dmz ipv4</programlisting>Zone names are defined in
If no rule in that file matches the connection request then the first
policy in <filename>/etc/shorewall/policy</filename> that matches the
request is applied. If there is a <ulink
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
url="shorewall_extension_scripts.htm">common action</ulink> defined for the
policy in <filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is
peformed before the action is applied. The purpose of the common action is
performed before the action is applied. The purpose of the common action is
two-fold:</para>
<itemizedlist>
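Review bot: the corrected line "then that action is performed before the action is applied" is still ambiguous, because "the action" refers to two different things in one sentence; "performed before the policy is applied" says what is meant, and since the spelling pass already touches this line it is the moment to fix it. The same sentence appears in the two-interface guide hunk at @ -269,10 +269,10 @@.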
@ -316,7 +316,7 @@ all all REJECT info</programlisting>
<important>
<para>In the three-interface sample, the line below is included but
commented out. If you want your firewall system to have full access to
servers on the internet, uncomment that line.</para>
servers on the Internet, uncomment that line.</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT</programlisting>
@ -327,17 +327,17 @@ $FW net ACCEPT</programlisting>
<orderedlist>
<listitem>
<para>allow all connection requests from your local network to the
internet</para>
Internet</para>
</listitem>
<listitem>
<para>drop (ignore) all connection requests from the internet to your
<para>drop (ignore) all connection requests from the Internet to your
firewall or local network</para>
</listitem>
<listitem>
<para>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</para>
the Internet (if you uncomment the additional policy)</para>
</listitem>
<listitem>
@ -346,9 +346,9 @@ $FW net ACCEPT</programlisting>
</orderedlist>
<para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the
DROP and REJECT policies indicates that packets droped or rejected under
DROP and REJECT policies indicates that packets dropped or rejected under
those policies should be <ulink url="shorewall_logging.html">logged at
that leve</ulink>l.</para>
that level</ulink>.</para>
<para>It is important to note that Shorewall policies (and rules) refer to
<emphasis role="bold">connections</emphasis> and not packet flow. With the
@ -379,7 +379,7 @@ $FW net ACCEPT</programlisting>
<para>The firewall has three network interfaces. Where Internet
connectivity is through a cable or DSL <quote>Modem</quote>, the External
Interface will be the ethernet adapter that is connected to that
Interface will be the Ethernet adapter that is connected to that
<quote>Modem</quote> (e.g., <filename class="devicefile">eth0</filename>)
unless you connect via <emphasis>Point-to-Point Protocol</emphasis> over
Ethernet (PPPoE) or <emphasis>Point-to-Point Tunneling Protocol</emphasis>
@ -424,7 +424,7 @@ root@lists:~# </programlisting>
<varname>CLAMPMSS=yes</varname> in
<filename>/etc/shorewall/shorewall.conf</filename>.</emphasis></para>
<para>Your Local Interface will be an ethernet adapter (<filename
<para>Your Local Interface will be an Ethernet adapter (<filename
class="devicefile">eth0</filename>, <filename
class="devicefile">eth1</filename> or <filename
class="devicefile">eth2</filename>) and will be connected to a hub or
@ -432,7 +432,7 @@ root@lists:~# </programlisting>
If you have only a single local system, you can connect the firewall
directly to the computer using a cross-over cable).</para>
<para>Your DMZ Interface will also be an ethernet adapter (<filename
<para>Your DMZ Interface will also be an Ethernet adapter (<filename
class="devicefile">eth0</filename>, <filename
class="devicefile">eth1</filename> or <filename
class="devicefile">eth2</filename>) and will be connected to a hub or
@ -604,7 +604,7 @@ root@lists:~# </programlisting>
Routing</quote>, Thomas A. Maufer, Prentice-Hall, 1999, ISBN
0-13-975483-0.</para>
<para>The remainder of this quide will assume that you have configured
<para>The remainder of this guide will assume that you have configured
your network as shown here:</para>
<figure id="Figure3">
@ -641,14 +641,14 @@ root@lists:~# </programlisting>
<para>The addresses reserved by RFC 1918 are sometimes referred to as
non-routable because the Internet backbone routers don't forward packets
which have an RFC-1918 destination address. When one of your local systems
(let's assume local computer 1) sends a connection request to an internet
(let's assume local computer 1) sends a connection request to an Internet
host, the firewall must perform Network Address Translation (NAT). The
firewall rewrites the source address in the packet to be the address of
the firewall's external interface; in other words, the firewall makes it
look as if the firewall itself is initiating the connection. This is
necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed accross the internet).
address is reserved by RFC 1918 can't be routed across the Internet).
When the firewall receives a return packet, it rewrites the destination
address back to 10.10.10.1 and forwards the packet on to local computer
1.</para>
@ -736,7 +736,7 @@ DNAT net dmz:<emphasis><server local IP address></emphasis>[:<e
<important>
<para>Be sure to add your rules after the line that reads <emphasis
role="bold">SECTON NEW.</emphasis></para>
role="bold">SECTION NEW.</emphasis></para>
</important>
<example id="Example1">
@ -975,7 +975,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
<itemizedlist>
<listitem>
<para><command>shorewall show log</command> (Displays the last 20
netfilter log messages)</para>
Netfilter log messages)</para>
</listitem>
<listitem>
@ -185,15 +185,15 @@
директория <filename class="directory">/etc/shorewall</filename>
пуста. Это сделано специально. Поставляемые шаблоны файлов
конфигурации Вы найдете на вашей системе в директории <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Просто скопируйте нужные Вам файлы из этой директории в <filename
class="directory">/etc/shorewall</filename> и отредактируйте
копии.</para>
<para>Заметьте, что Вы должны скопировать <filename
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
и <filename
class="directory">/usr/share/doc/shorewall/default-config/modules</filename>
class="directory">/usr/share/doc/shorewall-common/default-config/modules</filename>
в <filename class="directory">/etc/shorewall</filename> даже если Вы
не будете изменять эти файлы.</para>
</warning><inlinegraphic fileref="images/BD21298_.gif"
@ -233,7 +233,7 @@
<listitem>
<para>Если же Вы пользовались пакетом .deb, примеры находятся в
директории<filename
class="directory">/usr/share/doc/shorewall/examples/three-interface</filename>.</para>
class="directory">/usr/share/doc/shorewall-common/examples/three-interface</filename>.</para>
</listitem>
</orderedlist>
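Review bot: the context line "директории<filename" in this hunk is missing a space before the <filename> element, so the rendered sentence runs the word straight into the path; the one-interface version of the same paragraph earlier in this commit has "директории <filename". Add the space while the adjacent path line is being changed.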
@ -48,7 +48,7 @@
<important>
<para>Traffic shaping is complex and the Shorewall community is not well
equiped to answer traffic shaping questions. So if you are the type of
equipped to answer traffic shaping questions. So if you are the type of
person who needs "insert tab A into slot B" instructions for everything
that you do, then please don't try to implement traffic shaping using
Shorewall. You will just frustrate yourself and we won't be able to help
@ -92,7 +92,7 @@
traffic shaping and control. Before this version, the support was quite
limited. You were able to use your own tcstart script (and you still are),
but besides the tcrules file it was not possible to define classes or
queueing discplines inside the Shorewall config files.</para>
queuing disciplines inside the Shorewall config files.</para>
<para>The support for traffic shaping and control still does not cover all
options available (and especially all algorithms that can be used to queue
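Review bot: "queueing" to "queuing" on the changed line is a spelling preference rather than a correction: both forms are accepted, and "queueing" is the spelling used by tc(8) and the kernel ("queueing discipline", which is where the abbreviation qdisc comes from). Fixing "discplines" is right; for "queueing" the thing that matters is consistency across the article, since the same replacement is made in four later hunks of this file, so pick one form and make sure no occurrence is left over.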
@ -108,7 +108,7 @@
<title>Linux traffic shaping and control</title>
<para>This section gives a brief introduction of how controlling traffic
with the linux kernel works. Although this might be enough for configuring
with the Linux kernel works. Although this might be enough for configuring
it in the Shorewall configuration files, we strongly recommend that you
take a deeper look into the <ulink url="http://lartc.org/howto/">Linux
Advanced Routing and Shaping HOWTO</ulink>. At the time of writing this,
@ -119,7 +119,7 @@
traffic before it leaves an interface. The standard one is called pfifo
and is (as the name suggests) of the type First In First out. This means,
that it does not shape anything, if you have a connection that eats up all
your bandwidth, this qeueing algorithm will not stop it from doing
your bandwidth, this queuing algorithm will not stop it from doing
so.</para>
<para>For Shorewall traffic shaping we use two algorithms, one is called
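Review bot: "of the type First In First out" on the second context line should read "First In, First Out" (it is the expansion of the FIFO in "pfifo"), and the comma splices in "This means, that it does not shape anything, if you have a connection that eats up all your bandwidth, this queuing algorithm will not stop it" would read cleanly as "This means that it does not shape anything: if you have a connection that eats up all your bandwidth, this queuing algorithm will not stop it from doing so." Worth fixing while the "qeueing" line is being corrected.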
@ -127,9 +127,9 @@
is easy to explain: it just tries to track your connections (tcp or udp
streams) and balances the traffic between them. This normally works well.
HTB allows you to define a set of classes, and you can put the traffic you
want into these classes. You can define minimum and maximum bandwitdh
settings for those classes and order them hierachically (the less
priorized classes only get bandwitdth if the more important have what they
want into these classes. You can define minimum and maximum bandwidth
settings for those classes and order them hierarchically (the less
prioritized classes only get bandwidth if the more important have what they
need). Shorewall builtin traffic shaping allows you to define these
classes (and their bandwidth limits), and it uses SFQ inside these classes
to make sure, that different data streams are handled equally.</para>
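Review bot: "(tcp or udp streams)" on the first context line is left in lowercase while this same commit capitalizes "HTTP" in the hunk at @ -160,16 +160,16 @@; use "TCP or UDP" here for consistency. Two smaller points in the same hunk: "Shorewall builtin traffic shaping" should be "built-in", and "to make sure, that different data streams" does not need the comma.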
@ -148,7 +148,7 @@
outgoing interface as fast as possible.</para>
<para>There is one exception, though. Limiting incoming traffic to a
value a bit slower than your actual line speed will avoid queueing on
value a bit slower than your actual line speed will avoid queuing on
the other end of that connection. This is mostly useful if you don't
have access to traffic control on the other side and if this other
side has a faster network connection than you do (the line speed
@ -160,16 +160,16 @@
has not (but the protocol over UDP might recognize it , if there is
any).</para>
<para>The reason why queing is bad in these cases is, that you might
have packets which need to be priorized over others, e.g. VoIP or ssh.
<para>The reason why queuing is bad in these cases is, that you might
have packets which need to be prioritized over others, e.g. VoIP or ssh.
For this type of connections it is important that packets arrive in a
certain amount of time. For others like http downloads, it does not
certain amount of time. For others like HTTP downloads, it does not
really matter if it takes a few seconds more.</para>
<para>If you have a large queue on the other side and the router there
does not care about QoS or the QoS bits are not set properly, your
important packets will go into the same queue as your less
timecritical download packets which will result in a large
time critical download packets which will result in a large
delay.</para>
</blockquote></para>
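Review bot: "time critical download packets" on the changed line uses the phrase attributively, so it should be hyphenated: "time-critical download packets". In the same hunk, "e.g. VoIP or ssh" should become "SSH" to match the "http" to "HTTP" change made two lines below it, and "For this type of connections" should be "For this type of connection".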
@ -211,7 +211,7 @@
<para>RATE - The minimum bandwidth this class should get, when the
traffic load rises. Classes with a higher priority (lower PRIORITY
value) are served even if there are others that have a guaranteed
bandwith but have a lower priority (higher PRIORITY value).</para>
bandwidth but have a lower priority (higher PRIORITY value).</para>
</listitem>
<listitem>
@ -338,7 +338,7 @@
the facility. Again, please see the links at top of this article.</para>
<para>For defining bandwidths (for either devices or classes) please use
kbit or kbps(for Kilobytes per second) and make sure there is <emphasis
kbit or kbps (for Kilobytes per second) and make sure there is <emphasis
role="bold">NO</emphasis> space between the number and the unit (it is
100kbit <emphasis role="bold">not</emphasis> 100 kbit). Using mbit, mbps
or a raw number (which means bytes) could be used, but note that only
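Review bot: "Using mbit, mbps or a raw number (which means bytes) could be used" on the last context line doubles the verb; the intended sentence is "mbit, mbps or a raw number (which means bytes) can also be used". Also, since "kbps" meaning kilobytes per second is the opposite of what most readers expect, the corrected line would be clearer if it said that these are the units tc(8) itself uses (kbit for kilobits per second, kbps for kilobytes per second), so that the NO-space rule and the unit meaning are both seen as tc's conventions.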
@ -414,7 +414,7 @@
</listitem>
<listitem>
<para>OUT-BANDWIDTH - Specifiy the outgoing bandwidth of that
<para>OUT-BANDWIDTH - Specify the outgoing bandwidth of that
interface. This is the maximum speed your connection can handle. It
is also the speed you can refer as "full" if you define the tc
classes. Outgoing traffic above this rate will be dropped.</para>
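Review bot: "the speed you can refer as "full"" on the third context line is missing "to": "the speed you can refer to as "full"". Since the hunk already edits the first line of this list item, it is cheap to fix here.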
@ -488,7 +488,7 @@ ppp0 6000kbit 500kbit</programlisting>
<listitem>
<para>MARK - The mark value which is an integer in the range 1-255.
You define these marks in the tcrules file, marking the traffic you
want to go into the queueing classes defined in here. You can use
want to go into the queuing classes defined in here. You can use
the same marks for different Interfaces. You must specify "-' in
this column if the device specified in the INTERFACE column has the
<emphasis role="bold">classify</emphasis> option in
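Review bot: the quoting in "You must specify "-' in this column" on the context line after the changed one is mismatched (opens with a double quote and closes with a single); write it as "-" to match the form used in the LENGTH description later in this file.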
@ -499,7 +499,7 @@ ppp0 6000kbit 500kbit</programlisting>
<para>RATE - The minimum bandwidth this class should get, when the
traffic load rises. Please note that first the classes which equal
or a lesser priority value are served even if there are others that
have a guaranteed bandwith but a lower priority. <emphasis
have a guaranteed bandwidth but a lower priority. <emphasis
role="bold">If the sum of the RATEs for all classes assigned to an
INTERFACE exceed that interfaces's OUT-BANDWIDTH, then the
OUT-BANDWIDTH limit will not be honored.</emphasis></para>
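Review bot: the sentence spanning the two context lines before the change, "Please note that first the classes which equal or a lesser priority value are served even if there are others that have a guaranteed bandwidth but a lower priority", is garbled; the tcdevices RATE description at @ -211,7 +211,7 @@ states the same rule readably ("Classes with a higher priority (lower PRIORITY value) are served even if there are others that have a guaranteed bandwidth but have a lower priority"), so reuse that wording. Also "that interfaces's OUT-BANDWIDTH" two lines below should be "that interface's".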
@ -517,7 +517,7 @@ ppp0 6000kbit 500kbit</programlisting>
<listitem>
<para>PRIORITY - you have to define a priority for the class.
packets in a class with a higher priority (=lesser value) are
handled before less priorized onces. You can just define the mark
handled before less prioritized ones. You can just define the mark
value here also, if you are increasing the mark values with lesser
priority.</para>
</listitem>
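Review bot: "packets in a class with a higher priority (=lesser value)" on the second context line begins a sentence in lowercase; it should be "Packets", and "(= lower value)" reads better than "lesser" for a numeric comparison, matching the "lower PRIORITY value" phrasing used in the RATE item above.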
@ -749,7 +749,7 @@ ppp0 6000kbit 500kbit</programlisting>
iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:192.168.1.0/24). If the MARK column
specificies a classification of the form <major>:<minor>
specifies a classification of the form <major>:<minor>
then this column may also contain an interface name.</para>
</listitem>
@ -791,7 +791,7 @@ ppp0 6000kbit 500kbit</programlisting>
<para>[!][<user name or number>]:[<group name or
number>][+<program name>]</para>
<para>The colon is optionnal when specifying only a user.</para>
<para>The colon is optional when specifying only a user.</para>
<para>Examples:</para>
@ -833,7 +833,7 @@ ppp0 6000kbit 500kbit</programlisting>
match.</para>
<para>You must have iptables length support for this to work. If you
let it empy or place an "-" here, no length match will be
let it empty or place an "-" here, no length match will be
done.</para>
<para>Examples: 1024, 64:1500, :100</para>
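Review bot: the corrected line "If you let it empty or place an "-" here" still has two wording slips: "let it empty" should be "leave it empty", and "an "-"" should be "a "-"".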
@ -861,7 +861,7 @@ ppp0 6000kbit 500kbit</programlisting>
<listitem>
<para>HELPER (Optional, added in Shorewall version 4.2.0 Beta 2).
Names one of the Netfiler protocol helper modules such as
Names one of the Netfilter protocol helper modules such as
<emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
<emphasis>amanda</emphasis>, etc.</para>
</listitem>
@ -939,7 +939,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
<para>The last four rules can be translated as:</para>
<blockquote>
<para>"If a packet hasn't been classifed (packet mark is 0), copy
<para>"If a packet hasn't been classified (packet mark is 0), copy
the connection mark to the packet mark. If the packet mark is set,
we're done. If the packet is P2P, set the packet mark to 4. If the
packet mark has been set, save it to the connection mark."</para>
@ -966,10 +966,10 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
<section id="ppp">
<title>ppp devices</title>
<para>If you use ppp/pppoe/pppoa) to connect to your internet provider
<para>If you use ppp/pppoe/pppoa) to connect to your Internet provider
and you use traffic shaping you need to restart shorewall traffic
shaping. The reason for this is, that if the ppp connection gets
restarted (and it usally does this at least daily), all
restarted (and it usually does this at least daily), all
<quote>tc</quote> filters/qdiscs related to that interface are
deleted.</para>
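Review bot: "If you use ppp/pppoe/pppoa) to connect" on the changed line has a closing parenthesis with no opening one; either write "(ppp/pppoe/pppoa)" or drop the ")". On the next context line, "restart shorewall traffic shaping" should capitalize "Shorewall" as the rest of the file does.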
@ -994,7 +994,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>.
Please note that they are just examples and need to be adjusted to
work for you. In this example it is assumed that your interface for
you internet connection is ppp0 (for DSL), if you use another
your Internet connection is ppp0 (for DSL), if you use another
connection type, you have to change it. You also need to change the
settings in the tcdevices.wondershaper file to reflect your line
speed. The relevant lines of the config files follow here. Please note
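Review bot: the ulink text on the first context line of this hunk starts with a stray double quote ("http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/ between the > and the </ulink>), so the rendered link shows a leading quote character; remove it so the link text matches the url attribute.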
@ -1071,7 +1071,7 @@ NOPRIOPORTDST="6662 6663" </programlisting>
<section id="simiple">
<title>A simple setup</title>
<para>This is a simple setup for people sharing an internet connection
<para>This is a simple setup for people sharing an Internet connection
and using different computers for this. It just basically shapes
between 2 hosts which have the ip addresses 192.168.2.23 and
192.168.2.42</para>
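Review bot: the section id "simiple" on the first context line is misspelled, but an id is a link target, so renaming it means updating every xref and external link that points at it; either leave it or change it together with its references, not as part of a spelling pass. Within the paragraph, "the ip addresses" should be "the IP addresses" and the sentence is missing its final period after 192.168.2.42.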
@ -1167,7 +1167,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
<itemizedlist>
<listitem>
<para>Traffic being forwarded from the internet</para>
<para>Traffic being forwarded from the Internet</para>
</listitem>
<listitem>
@ -1687,4 +1687,4 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
<para>At least one Shorewall user has found this tool helpful: <ulink
url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para>
</section>
</article>
</article>
@ -140,7 +140,7 @@ gateway:~/test # </programlisting>This information is useful to Shorewall
<para>The end of the compile phase is signaled by a message such as the
following:<programlisting>Shorewall configuration compiled to /var/lib/shorewall/.restart</programlisting>Errors
occuring past that point are said to occur at
occurring past that point are said to occur at
<firstterm>run-time</firstterm> because they occur during the running of
the compiled firewall script (/var/lib/shorewall/.restart in the case of
the above message).</para>
@ -164,7 +164,7 @@
class="directory">/etc/shorewall</filename> directory is empty. This
is intentional. The released configuration file skeletons may be found
on your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the
copies.</para>
@ -269,10 +269,10 @@ loc ipv4</programlisting>Zones are defined in the <ulink
first policy in <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
that matches the request is applied. If there is a <ulink
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
url="shorewall_extension_scripts.htm">common action</ulink> defined for the
policy in <filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is
peformed before the action is applied. The purpose of the common action is
performed before the action is applied. The purpose of the common action is
two-fold:</para>
<itemizedlist>
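Review bot: as in the three-interface guide, the corrected line "then that action is performed before the action is applied" leaves "the action" meaning two different things; "performed before the policy is applied" is the unambiguous form, and this is the line to fix it on.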
@ -296,32 +296,32 @@ loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>In the two-interface
sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the internet, uncomment
firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT</programlisting> The above policy will:
<itemizedlist>
<listitem>
<para>Allow all connection requests from your local network to the
internet</para>
Internet</para>
</listitem>
<listitem>
<para>Drop (ignore) all connection requests from the internet to
<para>Drop (ignore) all connection requests from the Internet to
your firewall or local network</para>
</listitem>
<listitem>
<para>Optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</para>
the Internet (if you uncomment the additional policy)</para>
</listitem>
<listitem>
<para>reject all other connection requests.</para>
</listitem>
</itemizedlist> The word <firstterm>info</firstterm> in the LOG LEVEL
column for the DROP and REJECT policies indicates that packets droped or
column for the DROP and REJECT policies indicates that packets dropped or
rejected under those policies should be <ulink
url="shorewall_logging.html">logged at that leve</ulink>l.</para>
url="shorewall_logging.html">logged at that level</ulink>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
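Review bot: the list items in this hunk are inconsistently capitalized: "Allow", "Drop" and "Optionally" start with a capital while the last item is "reject all other connection requests." The equivalent list in the three-interface guide at @ -327,17 +327,17 @@ is lowercase throughout; pick one convention and apply it to both lists while their Internet lines are being changed.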
@ -349,7 +349,7 @@ $FW net ACCEPT</programlisting> The above policy will:
<para>The firewall has two network interfaces. Where Internet connectivity
is through a cable or <acronym>DSL</acronym> <quote>Modem</quote>, the
<emphasis>External Interface</emphasis> will be the ethernet adapter that
<emphasis>External Interface</emphasis> will be the Ethernet adapter that
is connected to that <quote>Modem</quote> (e.g., <filename
class="devicefile">eth0</filename>) unless you connect via
<emphasis>Point-to-Point Protocol</emphasis> over Ethernet
@ -395,7 +395,7 @@ root@lists:~# </programlisting>
<varname>CLAMPMSS=yes</varname> in <filename
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename></emphasis>.</para>
<para>Your <emphasis>Internal Interface</emphasis> will be an ethernet
<para>Your <emphasis>Internal Interface</emphasis> will be an Ethernet
adapter (<filename class="devicefile">eth1</filename> or <filename
class="devicefile">eth0</filename>) and will be connected to a hub or
switch. Your other computers will be connected to the same hub/switch
@ -565,7 +565,7 @@ root@lists:~# </programlisting>
(<ulink
url="http://www.phptr.com/browse/product.asp?product_id={58D4F6D4-54C5-48BA-8EDD-86EBD7A42AF6}">link</ulink>).</para>
<para id="Diagram">The remainder of this quide will assume that you have
<para id="Diagram">The remainder of this guide will assume that you have
configured your network as shown here: <mediaobject>
<imageobject>
<imagedata align="center" fileref="images/basics1.png" format="PNG" />
@ -588,14 +588,14 @@ root@lists:~# </programlisting>
don't forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume computer 1 in the <link
linkend="Diagram">above diagram</link>) sends a connection request to an
internet host, the firewall must perform <emphasis>Network Address
Internet host, the firewall must perform <emphasis>Network Address
Translation</emphasis> (<acronym>NAT</acronym>). The firewall rewrites the
source address in the packet to be the address of the firewall's external
interface; in other words, the firewall makes it appear to the destination
internet host as if the firewall itself is initiating the connection. This
Internet host as if the firewall itself is initiating the connection. This
is necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed across the internet so the
address is reserved by RFC 1918 can't be routed across the Internet so the
remote host can't address its response to computer 1). When the firewall
receives a return packet, it rewrites the destination address back to
<systemitem class="ipaddress">10.10.10.1</systemitem> and forwards the
@ -662,7 +662,7 @@ root@lists:~# </programlisting>
<para>One of your goals may be to run one or more servers on your local
computers. Because these computers have RFC-1918 addresses, it is not
possible for clients on the internet to connect directly to them. It is
possible for clients on the Internet to connect directly to them. It is
rather necessary for those clients to address their connection requests to
the firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds,
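Review bot: "the firewall who rewrites the destination address" on the context line after the change should be "the firewall, which rewrites"; "who" is for people, and the sentence otherwise reads as if the firewall were a person.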
@ -682,7 +682,7 @@ root@lists:~# </programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net loc:<emphasis><server local ip address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting><important>
<para>Be sure to add your rules after the line that reads <emphasis
|
||||
role="bold">SECTON NEW.</emphasis></para>
|
||||
role="bold">SECTION NEW.</emphasis></para>
|
||||
</important><important>
|
||||
<para>The server must have a static IP address. If you assign IP
|
||||
addresses to your local system using DHCP, you need to configure your
@ -822,7 +822,7 @@ DNS/ACCEPT $FW net</programlisting>This rule allows
<acronym>DNS</acronym> access from your firewall and may be removed if you
uncommented the line in <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename>
allowing all connections from the firewall to the internet.</para>
allowing all connections from the firewall to the Internet.</para>

<para>In the rule shown above, <quote>DNS/ACCEPT</quote> is an example of
a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
@ -863,8 +863,8 @@ Web/ACCEPT loc $FW </programlisting>Those two rules would of
</example> If you don't know what port and protocol a particular
application uses, look <ulink url="ports.htm">here</ulink>. <important>
<para>I don't recommend enabling <command>telnet</command> to/from the
internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use
Internet because it uses clear text (even for login!). If you want
shell access to your firewall from the Internet, use
<acronym>SSH</acronym>:</para>

<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
@ -1022,7 +1022,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
access to/from other hosts, change <filename
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>
accordingly. <warning>
<para>If you are connected to your firewall from the internet, do not
<para>If you are connected to your firewall from the Internet, do not
issue a <quote><command>shorewall stop</command></quote> command
unless you have added an entry for the <acronym>IP</acronym> address
that you are connected from to <filename
@ -1073,11 +1073,11 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra

<para>Once you have the two-interface setup working, the next logical step
is to add a Wireless Network. The first step involves adding an additional
network card to your firewall, either a Wireless card or an ethernet card
network card to your firewall, either a Wireless card or an Ethernet card
that is connected to a Wireless Access Point.<caution>
<para>When you add a network card, it won't necessarily be detected as
the next highest ethernet interface. For example, if you have two
ethernet cards in your system (<filename
the next highest Ethernet interface. For example, if you have two
Ethernet cards in your system (<filename
class="devicefile">eth0</filename> and <filename
class="devicefile">eth1</filename>) and you add a third card that uses
the same driver as one of the other two, that third card won't
@ -1130,7 +1130,7 @@ loc wlan0 detect maclist</programlisting>
url="MAC_Validation.html">maclist option</ulink> for the wireless
segment. By adding entries for computers 3 and 4 in
<filename>/etc/shorewall/maclist</filename>, you help ensure that your
neighbors aren't getting a free ride on your internet connection.
neighbors aren't getting a free ride on your Internet connection.
Start by omitting that option; when you have everything working, then
add the option and configure your
<filename>/etc/shorewall/maclist</filename> file.</para>
@ -1139,7 +1139,7 @@ loc wlan0 detect maclist</programlisting>
<listitem>
<para>You need to add an entry to the
<filename>/etc/shorewall/masq</filename> file to masquerade traffic
from the wireless network to the internet. If your internet interface
from the wireless network to the Internet. If your Internet interface
is <filename class="devicefile">eth0</filename> and your wireless
interface is <filename class="devicefile">wlan0</filename>, the entry
would be:</para>
@ -173,15 +173,15 @@
директория <filename class="directory">/etc/shorewall</filename>
пуста. Это сделано специально. Поставляемые шаблоны файлов
конфигурации Вы найдете на вашей системе в директории <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>.
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Просто скопируйте нужные Вам файлы из этой директории в <filename
class="directory">/etc/shorewall</filename> и отредактируйте
копии.</para>

<para>Заметьте, что Вы должны скопировать <filename
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
и <filename
class="directory">/usr/share/doc/shorewall/default-config/modules</filename>
class="directory">/usr/share/doc/shorewall=common/default-config/modules</filename>
в <filename class="directory">/etc/shorewall</filename> даже если Вы
не будете изменять эти файлы.</para>
</warning><inlinegraphic fileref="images/BD21298_.gif"
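Review bot: the third replaced path in this hunk reads `/usr/share/doc/shorewall=common/default-config/modules`, with `=` where the other two replacements in the same hunk use `-`; it should be `/usr/share/doc/shorewall-common/default-config/modules`, otherwise the documented path does not exist on a system with the shorewall-common package.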
@ -221,7 +221,7 @@
<listitem>
<para>Если же Вы пользовались пакетом .deb, примеры находятся в
директории<filename
class="directory">/usr/share/doc/shorewall/examples/two-interface</filename>.</para>
class="directory">/usr/share/doc/shorewall-common/examples/two-interface</filename>.</para>
</listitem>
</orderedlist>
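Review bot: the unchanged line `директории<filename` has no space between the word and the `<filename>` element, so the rendered text runs the word straight into the path; add a space before `<filename` while touching this hunk.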

@ -1068,4 +1068,4 @@ eth0 wlan0</programlisting>
Вашем файерволе потребует правил, перечисленных в <ulink
url="samba.htm">документации Shorewall/Samba</ulink>.</para>
</section>
</article>
</article>
@ -167,7 +167,7 @@ shorewall restart</command></programlisting> The RPMs are set up so that if
<para>Insure correct operation. Default actions can also avoid
common pitfalls like dropping connection requests on TCP port 113.
If these connections are dropped (rather than rejected) then you
may encounter problems connecting to internet services that
may encounter problems connecting to Internet services that
utilize the AUTH protocol of client authentication.</para>
</listitem>
</orderedlist>
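Review bot: the first context line `<para>Insure correct operation.` uses "Insure" where "Ensure" is meant (the sense is making sure, not insurance), so this spell-check pass should change it to `<para>Ensure correct operation.`; on the last line of the paragraph, `the AUTH protocol of client authentication` reads more naturally as `the AUTH protocol for client authentication`.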
@ -485,7 +485,7 @@ all all REJECT:MyReject info</programlisting>

<listitem>
<para>Beginning with this release, the way in which packet marking in
the PREROUTING chain interracts with the 'track' option in
the PREROUTING chain interacts with the 'track' option in
/etc/shorewall/providers has changed in two ways:</para>

<orderedlist numeration="loweralpha">
@ -42,7 +42,7 @@
</row>

<row rowsep="0" valign="middle">
<entry align="left">NetFilter Site: <ulink
<entry align="left">Netfilter Site: <ulink
url="http://www.netfilter.org/">http://www.netfilter.org/</ulink></entry>
</row>

@ -79,7 +79,7 @@

<row rowsep="0" valign="middle">
<entry>Debian apt-get sources for Shorewall: <ulink
url="http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian</ulink></entry>
url="http://people.connexer.com/~roberto/debian/"></ulink>http://people.connexer.com/~roberto/debian/</entry>
</row>

<row rowsep="0" valign="middle">
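Review bot: the new `<ulink url="http://people.connexer.com/~roberto/debian/"></ulink>` element is empty and the visible address follows its closing tag, so the rendered entry shows the URL as plain text with no link; put the text inside the element, `<ulink url="http://people.connexer.com/~roberto/debian/">http://people.connexer.com/~roberto/debian/</ulink></entry>`, matching the form of the netfilter.org entry in the previous hunk and of the line being replaced.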
@ -42,7 +42,7 @@
</listitem>

<listitem>
<para>The local network uses <acronym>SNAT</acronym> to the internet and
<para>The local network uses <acronym>SNAT</acronym> to the Internet and
is comprised of the Class B network <literal>10.10.0.0/16</literal>
(Note: While this example uses an RFC 1918 local network, the technique
described here in no way depends on that or on <acronym>SNAT</acronym>.
@ -90,7 +90,7 @@ dmz ipv4</programlisting>

<bridgehead renderas="sect4">Interfaces File</bridgehead>

<programlisting>#ZONE INTERFACE BROACAST OPTIONS
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 <whatever> ...
dmz eth1 <whatever> ...
- eth2 10.10.255.255</programlisting>