mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-25 09:03:30 +01:00
Finish passing through all the documentation with a spell checker.
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8670 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
aac55dbac4
commit
025e97c8bb
@ -494,7 +494,7 @@ show_command() {
|
|||||||
;;
|
;;
|
||||||
classifiers|filters)
|
classifiers|filters)
|
||||||
[ $# -gt 1 ] && usage 1
|
[ $# -gt 1 ] && usage 1
|
||||||
echo "$PRODUCT $version Clasifiers at $HOSTNAME - $(date)"
|
echo "$PRODUCT $version Classifiers at $HOSTNAME - $(date)"
|
||||||
echo
|
echo
|
||||||
show_classifiers
|
show_classifiers
|
||||||
;;
|
;;
|
||||||
|
12
docs/FAQ.xml
@ -66,8 +66,8 @@
|
|||||||
the Shorewall Debian Maintainer:</para>
|
the Shorewall Debian Maintainer:</para>
|
||||||
|
|
||||||
<para><quote>For more information about Shorewall usage on Debian
|
<para><quote>For more information about Shorewall usage on Debian
|
||||||
system please look at /usr/share/doc/shorewall/README.Debian provided
|
system please look at /usr/share/doc/shorewall-common/README.Debian
|
||||||
by [the] shorewall Debian package.</quote></para>
|
provided by [the] shorewall-common Debian package.</quote></para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>If you install using the .deb, you will find that your <filename
|
<para>If you install using the .deb, you will find that your <filename
|
||||||
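Review bot: The replacement lines inside <quote> change the path and the package name in text attributed to the Shorewall Debian Maintainer, which goes beyond a spelling fix. If README.Debian now ships in shorewall-common, mark the substitution editorially in the same way the existing "[the]" is marked, or state the new location in a sentence outside the quote.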
@ -89,7 +89,7 @@
|
|||||||
class="directory">/usr/share/doc/shorewall/examples/</filename>.
|
class="directory">/usr/share/doc/shorewall/examples/</filename>.
|
||||||
Beginning with Shorewall 4.0, the samples are in the shorewall-common
|
Beginning with Shorewall 4.0, the samples are in the shorewall-common
|
||||||
package and are installed in <filename
|
package and are installed in <filename
|
||||||
class="directory">/usr/share/doc/shorewall-common/examples</filename>/.</para>
|
class="directory">/usr/share/doc/shorewall-common/examples/</filename>.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -1255,7 +1255,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
|
|||||||
standardized and will vary by distribution and distribution version.
|
standardized and will vary by distribution and distribution version.
|
||||||
But anytime you see no logging, it's time to look outside the
|
But anytime you see no logging, it's time to look outside the
|
||||||
Shorewall configuration for the cause. As an example, recent
|
Shorewall configuration for the cause. As an example, recent
|
||||||
<trademark>SuSE</trademark> releases use syslog-ng by default and
|
<trademark>SUSE</trademark> releases use syslog-ng by default and
|
||||||
write Shorewall messages to
|
write Shorewall messages to
|
||||||
<filename>/var/log/firewall</filename>.</para>
|
<filename>/var/log/firewall</filename>.</para>
|
||||||
|
|
||||||
@ -1861,7 +1861,7 @@ iptables: Invalid argument
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>if you don't need policy match support (you are not using the
|
<para>if you don't need policy match support (you are not using the
|
||||||
IPSEC implementation built into the 2.6 kernel) then you can rename
|
IPSEC implementation builtinto the 2.6 kernel) then you can rename
|
||||||
<filename>/lib/iptables/libipt_policy.so</filename>.</para>
|
<filename>/lib/iptables/libipt_policy.so</filename>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
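Review bot: The changed line in this list item replaces "built into" with "builtinto", which is not a word; the original "IPSEC implementation built into the 2.6 kernel" was correct and should be restored. This reads like a spell-checker suggestion accepted by mistake, so a search of the docs tree for "builtinto" before merging would be worthwhile.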
@ -2004,7 +2004,7 @@ iptables: Invalid argument
|
|||||||
<title>Traffic Shaping</title>
|
<title>Traffic Shaping</title>
|
||||||
|
|
||||||
<section id="faq67">
|
<section id="faq67">
|
||||||
<title>(FAQ 67) I just configured Shorewall's built in traffic shaping
|
<title>(FAQ 67) I just configured Shorewall's builtin traffic shaping
|
||||||
and now Shorewall fails to Start.</title>
|
and now Shorewall fails to Start.</title>
|
||||||
|
|
||||||
<para>The error I receive is as follows:<programlisting>RTNETLINK answers: No such file or directory
|
<para>The error I receive is as follows:<programlisting>RTNETLINK answers: No such file or directory
|
||||||
|
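Review bot: In the FAQ 67 title, "built in" becomes "builtin", but as an adjective in front of "traffic shaping" the usual form is the hyphenated "built-in". The same title still reads "fails to Start" with a capital S on the following line, which could be lowercased in the same pass.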
@ -268,9 +268,9 @@
|
|||||||
to configure Shorewall, please heed the advice of Lorenzo Martignoni,
|
to configure Shorewall, please heed the advice of Lorenzo Martignoni,
|
||||||
the Shorewall Debian Maintainer:</para>
|
the Shorewall Debian Maintainer:</para>
|
||||||
|
|
||||||
<para><quote>For more information about Shorewall usage on Debian system
|
<para><quote>For more information about Shorewall usage on Debian
|
||||||
please look at /usr/share/doc/shorewall/README.Debian provided by [the]
|
system please look at /usr/share/doc/shorewall-common/README.Debian
|
||||||
shorewall Debian package.</quote></para>
|
provided by [the] shorewall-common Debian package.</quote></para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>The easiest way to install Shorewall on Debian, is to use
|
<para>The easiest way to install Shorewall on Debian, is to use
|
||||||
|
@ -44,12 +44,12 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><ulink url="http://www.netfilter.org">Netfilter</ulink> - the
|
<para><ulink url="http://www.netfilter.org">Netfilter</ulink> - the
|
||||||
packet filter facility built into the 2.4 and later Linux
|
packet filter facility builtinto the 2.4 and later Linux
|
||||||
kernels.</para>
|
kernels.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>ipchains - the packet filter facility built into the 2.2 Linux
|
<para>ipchains - the packet filter facility builtinto the 2.2 Linux
|
||||||
kernels. Also the name of the utility program used to configure and
|
kernels. Also the name of the utility program used to configure and
|
||||||
control that facility. Netfilter can be used in ipchains
|
control that facility. Netfilter can be used in ipchains
|
||||||
compatibility mode.</para>
|
compatibility mode.</para>
|
||||||
|
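Review bot: Both list items in this hunk (Netfilter and ipchains) now read "packet filter facility builtinto the ... Linux kernels", which introduces a misspelling where the removed lines had the correct "built into". Please revert these two lines to the original wording.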
@ -137,7 +137,7 @@ ACCEPT net loc:10.1.1.2 tcp 80 - 13
|
|||||||
routers with a long ARP cache timeout. If you move a system from parallel
|
routers with a long ARP cache timeout. If you move a system from parallel
|
||||||
to your firewall to behind your firewall with one-to-one NAT, it will
|
to your firewall to behind your firewall with one-to-one NAT, it will
|
||||||
probably be HOURS before that system can communicate with the
|
probably be HOURS before that system can communicate with the
|
||||||
internet.</para>
|
Internet.</para>
|
||||||
|
|
||||||
<para>If you sniff traffic on the firewall's external interface, you can
|
<para>If you sniff traffic on the firewall's external interface, you can
|
||||||
see incoming traffic for the internal system(s) but the traffic is never
|
see incoming traffic for the internal system(s) but the traffic is never
|
||||||
|
@ -57,7 +57,7 @@
|
|||||||
|
|
||||||
<para>OpenVPN is a robust and highly configurable VPN (Virtual Private
|
<para>OpenVPN is a robust and highly configurable VPN (Virtual Private
|
||||||
Network) daemon which can be used to securely link two or more private
|
Network) daemon which can be used to securely link two or more private
|
||||||
networks using an encrypted tunnel over the internet. OpenVPN is an Open
|
networks using an encrypted tunnel over the Internet. OpenVPN is an Open
|
||||||
Source project and is <ulink
|
Source project and is <ulink
|
||||||
url="http://openvpn.sourceforge.net/license.html">licensed under the
|
url="http://openvpn.sourceforge.net/license.html">licensed under the
|
||||||
GPL</ulink>. OpenVPN can be downloaded from <ulink
|
GPL</ulink>. OpenVPN can be downloaded from <ulink
|
||||||
@ -642,7 +642,7 @@ verb 3</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>OpenVPN GUI must be run as the Administrator. In the
|
<para>OpenVPN GUI must be run as the Administrator. In the
|
||||||
Explorer, right click on the OpenVPN GUI binary and select
|
Explorer, right click on the OpenVPN GUI binary and select
|
||||||
Properties->Compatibilty and select "Run this program as an
|
Properties->Compatibility and select "Run this program as an
|
||||||
administrator".</para>
|
administrator".</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
@ -255,7 +255,7 @@ esac</programlisting>
|
|||||||
|
|
||||||
<para>Here' a basic setup that treats your remote users as if they
|
<para>Here' a basic setup that treats your remote users as if they
|
||||||
were part of your <emphasis role="bold">loc</emphasis> zone. Note that
|
were part of your <emphasis role="bold">loc</emphasis> zone. Note that
|
||||||
if your primary internet connection uses ppp0, then be sure that
|
if your primary Internet connection uses ppp0, then be sure that
|
||||||
<emphasis role="bold">loc</emphasis> follows <emphasis
|
<emphasis role="bold">loc</emphasis> follows <emphasis
|
||||||
role="bold">net</emphasis> in /etc/shorewall/zones.</para>
|
role="bold">net</emphasis> in /etc/shorewall/zones.</para>
|
||||||
|
|
||||||
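Review bot: The first line of this paragraph still reads "Here' a basic setup", an unfinished contraction that the spell-check pass left in place while capitalizing "Internet" two lines later. Suggest changing it to "Here's a basic setup" in the same commit.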
@ -275,7 +275,7 @@ loc ppp+</programlisting>
|
|||||||
|
|
||||||
<para>If you want to place your remote users in their own zone so that
|
<para>If you want to place your remote users in their own zone so that
|
||||||
you can control connections between these users and the local network,
|
you can control connections between these users and the local network,
|
||||||
follow this example. Note that if your primary internet connection
|
follow this example. Note that if your primary Internet connection
|
||||||
uses ppp0 then be sure that <emphasis role="bold">vpn</emphasis>
|
uses ppp0 then be sure that <emphasis role="bold">vpn</emphasis>
|
||||||
follows <emphasis role="bold">net</emphasis> in /etc/shorewall/zones
|
follows <emphasis role="bold">net</emphasis> in /etc/shorewall/zones
|
||||||
as shown below.</para>
|
as shown below.</para>
|
||||||
@ -312,7 +312,7 @@ vpn ppp+</programlisting>
|
|||||||
fileref="images/MultiPPTP.png" /></para>
|
fileref="images/MultiPPTP.png" /></para>
|
||||||
|
|
||||||
<para>Here's how you configure this in Shorewall. Note that if your
|
<para>Here's how you configure this in Shorewall. Note that if your
|
||||||
primary internet connection uses ppp0 then be sure that the <emphasis
|
primary Internet connection uses ppp0 then be sure that the <emphasis
|
||||||
role="bold">vpn{1-3}</emphasis> zones follows <emphasis
|
role="bold">vpn{1-3}</emphasis> zones follows <emphasis
|
||||||
role="bold">net</emphasis> in /etc/shorewall/zones as shown
|
role="bold">net</emphasis> in /etc/shorewall/zones as shown
|
||||||
below.</para>
|
below.</para>
|
||||||
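Review bot: The sentence touched here still says "the vpn{1-3} zones follows net", with a plural subject and a singular verb. Since the line above it is already being edited, "zones follow" could be fixed at the same time.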
@ -600,10 +600,10 @@ restart_pptp > /dev/null 2>&1 &</programlisting>
|
|||||||
Modem</title>
|
Modem</title>
|
||||||
|
|
||||||
<para>Some ADSL systems in Europe (most notably in Austria and the
|
<para>Some ADSL systems in Europe (most notably in Austria and the
|
||||||
Netherlands) feature a PPTP server built into an ADSL
|
Netherlands) feature a PPTP server builtinto an ADSL
|
||||||
<quote>Modem</quote>. In this setup, an ethernet interface is dedicated to
|
<quote>Modem</quote>. In this setup, an Ethernet interface is dedicated to
|
||||||
supporting the PPTP tunnel between the firewall and the
|
supporting the PPTP tunnel between the firewall and the
|
||||||
<quote>Modem</quote> while the actual internet access is through PPTP
|
<quote>Modem</quote> while the actual Internet access is through PPTP
|
||||||
(interface ppp0). If you have this type of setup, you need to modify the
|
(interface ppp0). If you have this type of setup, you need to modify the
|
||||||
sample configuration that you downloaded as described in this section.
|
sample configuration that you downloaded as described in this section.
|
||||||
<emphasis role="bold">These changes are in addition to those described in
|
<emphasis role="bold">These changes are in addition to those described in
|
||||||
|
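Review bot: The "Ethernet" and "Internet" capitalizations are fine, but the second changed line turns "a PPTP server built into an ADSL" into "builtinto an ADSL", which is a regression. Keep the capitalization changes and restore "built into".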
@ -88,7 +88,7 @@
|
|||||||
where <emphasis>zone</emphasis> is the zone where the request
|
where <emphasis>zone</emphasis> is the zone where the request
|
||||||
originated. For packets that are part of an already established
|
originated. For packets that are part of an already established
|
||||||
connection, the destination rewriting takes place without any
|
connection, the destination rewriting takes place without any
|
||||||
involvement of a netfilter rule.</para>
|
involvement of a Netfilter rule.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
@ -399,7 +399,7 @@ Blarg 1 0x100 main eth3 206.124.146.254 track,ba
|
|||||||
|
|
||||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
1:110 192.168.0.0/22 eth3 #Our internel nets get priority
|
1:110 192.168.0.0/22 eth3 #Our internal nets get priority
|
||||||
#over the server
|
#over the server
|
||||||
1:130 206.124.146.177 eth3 tcp - 873
|
1:130 206.124.146.177 eth3 tcp - 873
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
@ -133,7 +133,7 @@
|
|||||||
network associated with this address. This is the approach <ulink
|
network associated with this address. This is the approach <ulink
|
||||||
url="XenMyWay.html">that I take with my DMZ</ulink>.</para>
|
url="XenMyWay.html">that I take with my DMZ</ulink>.</para>
|
||||||
|
|
||||||
<para>To permit internet hosts to connect to the local systems, you use
|
<para>To permit Internet hosts to connect to the local systems, you use
|
||||||
ACCEPT rules. For example, if you run a web server on 130.252.100.19 which
|
ACCEPT rules. For example, if you run a web server on 130.252.100.19 which
|
||||||
you have configured to be in the <emphasis role="bold">loc</emphasis> zone
|
you have configured to be in the <emphasis role="bold">loc</emphasis> zone
|
||||||
then you would need this entry in /etc/shorewall/rules:</para>
|
then you would need this entry in /etc/shorewall/rules:</para>
|
||||||
@ -192,7 +192,7 @@ iface eth1 inet static
|
|||||||
routers with a long ARP cache timeout. If you move a system from parallel
|
routers with a long ARP cache timeout. If you move a system from parallel
|
||||||
to your firewall to behind your firewall with Proxy ARP, it will probably
|
to your firewall to behind your firewall with Proxy ARP, it will probably
|
||||||
be <emphasis role="bold">HOURS</emphasis> before that system can
|
be <emphasis role="bold">HOURS</emphasis> before that system can
|
||||||
communicate with the internet.</para>
|
communicate with the Internet.</para>
|
||||||
|
|
||||||
<para>If you sniff traffic on the firewall's external interface, you can
|
<para>If you sniff traffic on the firewall's external interface, you can
|
||||||
see incoming traffic for the internal system(s) but the traffic is never
|
see incoming traffic for the internal system(s) but the traffic is never
|
||||||
|
@ -93,11 +93,11 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>When the level of functionality of the current development
|
<para>When the level of functionality of the current development
|
||||||
release is judged adaquate, the <firstterm>Beta period</firstterm> for
|
release is judged adequate, the <firstterm>Beta period</firstterm> for
|
||||||
a new Stable release will begin. Beta releases have identifications of
|
a new Stable release will begin. Beta releases have identifications of
|
||||||
the form <emphasis>x.y.0-BetaN</emphasis> where
|
the form <emphasis>x.y.0-BetaN</emphasis> where
|
||||||
<emphasis>x.y</emphasis> is the number of the next Stable Release and
|
<emphasis>x.y</emphasis> is the number of the next Stable Release and
|
||||||
<emphasis>N</emphasis>=1,2,3... . Betas are expected to occur rougly
|
<emphasis>N</emphasis>=1,2,3... . Betas are expected to occur roughly
|
||||||
once per year. Beta releases may contain new functionality not present
|
once per year. Beta releases may contain new functionality not present
|
||||||
in the previous beta release (e.g., 2.2.0-Beta4 may contain
|
in the previous beta release (e.g., 2.2.0-Beta4 may contain
|
||||||
functionality not present in 2.2.0-Beta3). When I'm confident that the
|
functionality not present in 2.2.0-Beta3). When I'm confident that the
|
||||||
@ -106,7 +106,7 @@
|
|||||||
identifications of the form <emphasis>x.y.0-RCn</emphasis> where
|
identifications of the form <emphasis>x.y.0-RCn</emphasis> where
|
||||||
<emphasis>x.y</emphasis> is the number of the next Stable Release and
|
<emphasis>x.y</emphasis> is the number of the next Stable Release and
|
||||||
<emphasis>n</emphasis>=1,2,3... . Release candidates contain no new
|
<emphasis>n</emphasis>=1,2,3... . Release candidates contain no new
|
||||||
functionailty -- they only contain bug fixes. When the stability of
|
functionality -- they only contain bug fixes. When the stability of
|
||||||
the current release candidate is judged to be sufficient then that
|
the current release candidate is judged to be sufficient then that
|
||||||
release candidate will be released as the new stable release (e.g.,
|
release candidate will be released as the new stable release (e.g.,
|
||||||
2.2.0). At that time, the new stable release and the prior stable
|
2.2.0). At that time, the new stable release and the prior stable
|
||||||
@ -165,7 +165,7 @@
|
|||||||
<emphasis>X</emphasis>=1,b,c,... . Consequently, if a user required a
|
<emphasis>X</emphasis>=1,b,c,... . Consequently, if a user required a
|
||||||
bug fix but was not running the last minor release of the associated
|
bug fix but was not running the last minor release of the associated
|
||||||
major release then it might be necessary to accept major new
|
major release then it might be necessary to accept major new
|
||||||
functionailty along with the bug fix.</para>
|
functionality along with the bug fix.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
</section>
|
</section>
|
||||||
|
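Review bot: The first context line gives the suffix sequence as "X=1,b,c,...", which mixes a digit with letters and looks like a typo that the pass did not catch. Please confirm whether it should read "a,b,c,..." and correct it alongside the "functionality" fix if so.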
@ -157,7 +157,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Use NONE policies whereever appropriate. This helps especially
|
<para>Use NONE policies wherever appropriate. This helps especially
|
||||||
in the rules activation phase of both script compilation and
|
in the rules activation phase of both script compilation and
|
||||||
execution.</para>
|
execution.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -157,7 +157,7 @@
|
|||||||
<para>With the shell-based compiler, extension scripts were copied
|
<para>With the shell-based compiler, extension scripts were copied
|
||||||
into the compiled script and executed at run-time. In many cases,
|
into the compiled script and executed at run-time. In many cases,
|
||||||
this approach doesn't work with Shorewall Perl because (almost) the
|
this approach doesn't work with Shorewall Perl because (almost) the
|
||||||
entire ruleset is built by the compiler. As a result, Shorewall-perl
|
entire rule set is built by the compiler. As a result, Shorewall-perl
|
||||||
runs some extension scripts at compile-time rather than at run-time.
|
runs some extension scripts at compile-time rather than at run-time.
|
||||||
Because the compiler is written in Perl, your extension scripts from
|
Because the compiler is written in Perl, your extension scripts from
|
||||||
earlier versions will no longer work.</para>
|
earlier versions will no longer work.</para>
|
||||||
@ -370,7 +370,7 @@ insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
|
|||||||
a plus sign (+) as with the shell-based compiler.</para>
|
a plus sign (+) as with the shell-based compiler.</para>
|
||||||
|
|
||||||
<para>Shorewall is now out of the ipset load/reload business. With
|
<para>Shorewall is now out of the ipset load/reload business. With
|
||||||
scripts generated by the Perl-based Compiler, the Netfilter ruleset
|
scripts generated by the Perl-based Compiler, the Netfilter rule set
|
||||||
is never cleared. That means that there is no opportunity for
|
is never cleared. That means that there is no opportunity for
|
||||||
Shorewall to load/reload your ipsets since that cannot be done while
|
Shorewall to load/reload your ipsets since that cannot be done while
|
||||||
there are any current rules using ipsets.</para>
|
there are any current rules using ipsets.</para>
|
||||||
@ -381,7 +381,7 @@ insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Your ipsets must be loaded before Shorewall starts. You
|
<para>Your ipsets must be loaded before Shorewall starts. You
|
||||||
are free to try to do that with the following code in
|
are free to try to do that with the following code in
|
||||||
<filename>/etc/shorewall/start (it works for me; your milage may
|
<filename>/etc/shorewall/start (it works for me; your mileage may
|
||||||
vary)</filename>:</para>
|
vary)</filename>:</para>
|
||||||
|
|
||||||
<programlisting>if [ "$COMMAND" = start ]; then
|
<programlisting>if [ "$COMMAND" = start ]; then
|
||||||
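Review bot: On the changed line the <filename> element still wraps the whole phrase "/etc/shorewall/start (it works for me; your mileage may vary)", so the parenthetical will be rendered as part of the file name. Close the element directly after /etc/shorewall/start and move the parenthetical outside it.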
@ -437,7 +437,7 @@ fi</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is
|
<para>DELAYBLACKLISTLOAD=Yes is not supported. The entire rule set is
|
||||||
atomically loaded with one execution of
|
atomically loaded with one execution of
|
||||||
<command>iptables-restore</command>.</para>
|
<command>iptables-restore</command>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -677,7 +677,7 @@ ACCEPT loc:eth0:192.168.1.3,eth0:192.168.1.5 $fw tcp 22</programlisting>
|
|||||||
and by the compiled program will be timestamped.<simplelist>
|
and by the compiled program will be timestamped.<simplelist>
|
||||||
<member><emphasis role="bold">--debug</emphasis></member>
|
<member><emphasis role="bold">--debug</emphasis></member>
|
||||||
</simplelist>If given, when a warning or error message is issued, it
|
</simplelist>If given, when a warning or error message is issued, it
|
||||||
is supplimented with a stack trace. Requires the Carp Perl
|
is supplemented with a stack trace. Requires the Carp Perl
|
||||||
module.<simplelist>
|
module.<simplelist>
|
||||||
<member><emphasis
|
<member><emphasis
|
||||||
role="bold">--refresh=</emphasis><<emphasis>chainlist</emphasis>></member>
|
role="bold">--refresh=</emphasis><<emphasis>chainlist</emphasis>></member>
|
||||||
@ -1055,7 +1055,7 @@ my $chainref7 = $filter_table{$name};</programlisting>Shorewall::Chains is
|
|||||||
|
|
||||||
<para>A companion function, <emphasis
|
<para>A companion function, <emphasis
|
||||||
role="bold">ensure_manual_chain()</emphasis>, can be called when a
|
role="bold">ensure_manual_chain()</emphasis>, can be called when a
|
||||||
manual chain of the desired name may have alread been created. If a
|
manual chain of the desired name may have already been created. If a
|
||||||
manual chain table entry with the passed name already exists, a
|
manual chain table entry with the passed name already exists, a
|
||||||
reference to the chain table entry is returned. Otherwise, the function
|
reference to the chain table entry is returned. Otherwise, the function
|
||||||
calls <emphasis role="bold">new_manual_chain()</emphasis> and returns
|
calls <emphasis role="bold">new_manual_chain()</emphasis> and returns
|
||||||
|
@ -45,7 +45,7 @@
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Act as a <quote>Personal Firewall</quote> that allows internet
|
<para>Act as a <quote>Personal Firewall</quote> that allows Internet
|
||||||
access control by application. If that's what you are looking for, try
|
access control by application. If that's what you are looking for, try
|
||||||
<ulink
|
<ulink
|
||||||
url="http://tuxguardian.sourceforge.net/">TuxGuardian</ulink>.</para>
|
url="http://tuxguardian.sourceforge.net/">TuxGuardian</ulink>.</para>
|
||||||
|
@ -104,7 +104,7 @@ httpd_accel_uses_host_header on</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>See your distribution's Squid documenation and <ulink
|
<para>See your distribution's Squid documentation and <ulink
|
||||||
url="http://www.squid-cache.org/">http://www.squid-cache.org/</ulink>
|
url="http://www.squid-cache.org/">http://www.squid-cache.org/</ulink>
|
||||||
for details.</para>
|
for details.</para>
|
||||||
|
|
||||||
@ -188,7 +188,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
|
|||||||
transparent proxy running in your local zone at 192.168.1.3 and
|
transparent proxy running in your local zone at 192.168.1.3 and
|
||||||
listening on port 3128. Your local interface is eth1. There may also be
|
listening on port 3128. Your local interface is eth1. There may also be
|
||||||
a web server running on 192.168.1.3. It is assumed that web access is
|
a web server running on 192.168.1.3. It is assumed that web access is
|
||||||
already enabled from the local zone to the internet.</para>
|
already enabled from the local zone to the Internet.</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
|
@ -170,7 +170,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
|
|||||||
|
|
||||||
<para>Suppose that I had set up eth0:0 as above and I wanted to port
|
<para>Suppose that I had set up eth0:0 as above and I wanted to port
|
||||||
forward from that virtual interface to a web server running in my local
|
forward from that virtual interface to a web server running in my local
|
||||||
zone at 192.168.1.3. That is accomplised by a single rule in the
|
zone at 192.168.1.3. That is accomplished by a single rule in the
|
||||||
<filename>/etc/shorewall/rules</filename> file:</para>
|
<filename>/etc/shorewall/rules</filename> file:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
||||||
|
@ -68,7 +68,7 @@
|
|||||||
url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
|
url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
|
||||||
</tip>
|
</tip>
|
||||||
|
|
||||||
<para>Shorewall verions 2.2.0 and later also include support for the ipp2p
|
<para>Shorewall versions 2.2.0 and later also include support for the ipp2p
|
||||||
match facility which can be use to control P2P traffic. See the <ulink
|
match facility which can be use to control P2P traffic. See the <ulink
|
||||||
url="IPP2P.html">Shorewall IPP2P documentation</ulink> for details.</para>
|
url="IPP2P.html">Shorewall IPP2P documentation</ulink> for details.</para>
|
||||||
</article>
|
</article>
|
||||||
|
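Review bot: The line after the "verions" fix still reads "which can be use to control P2P traffic", a grammatical slip a spell checker does not flag because "use" is a valid word. Suggest "can be used" while this paragraph is being touched.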
@ -216,7 +216,7 @@
|
|||||||
Later</title>
|
Later</title>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 2.3.2, support is included for multiple
|
<para>Beginning with Shorewall 2.3.2, support is included for multiple
|
||||||
internet connections. If you wish to use this feature, we recommend
|
Internet connections. If you wish to use this feature, we recommend
|
||||||
strongly that you upgrade to version 2.4.2 or later.</para>
|
strongly that you upgrade to version 2.4.2 or later.</para>
|
||||||
|
|
||||||
<para>Shorewall multi-ISP support is now covered in a <ulink
|
<para>Shorewall multi-ISP support is now covered in a <ulink
|
||||||
|
@ -46,7 +46,7 @@
|
|||||||
Interconnect (OSI) reference model, a router operates at layer 3.
|
Interconnect (OSI) reference model, a router operates at layer 3.
|
||||||
Shorewall may also be deployed on a GNU Linux System that acts as a
|
Shorewall may also be deployed on a GNU Linux System that acts as a
|
||||||
<firstterm>bridge</firstterm>. Bridges are layer-2 devices in the OSI
|
<firstterm>bridge</firstterm>. Bridges are layer-2 devices in the OSI
|
||||||
model (think of a bridge as an ethernet switch).</para>
|
model (think of a bridge as an Ethernet switch).</para>
|
||||||
|
|
||||||
<para>Some differences between routers and bridges are:</para>
|
<para>Some differences between routers and bridges are:</para>
|
||||||
|
|
||||||
@ -54,7 +54,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Routers determine packet destination based on the destination IP
|
<para>Routers determine packet destination based on the destination IP
|
||||||
address while bridges route traffic based on the destination MAC
|
address while bridges route traffic based on the destination MAC
|
||||||
address in the ethernet frame.</para>
|
address in the Ethernet frame.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -93,9 +93,9 @@
|
|||||||
bridge-specific changes are restricted to the
|
bridge-specific changes are restricted to the
|
||||||
<filename>/etc/shorewall/interfaces</filename> file.</para>
|
<filename>/etc/shorewall/interfaces</filename> file.</para>
|
||||||
|
|
||||||
<para>This example illustrates the bridging of two ethernet devices but
|
<para>This example illustrates the bridging of two Ethernet devices but
|
||||||
the types of the devices really isn't important. What is shown here would
|
the types of the devices really isn't important. What is shown here would
|
||||||
apply equally to bridging an ethernet device to an <ulink
|
apply equally to bridging an Ethernet device to an <ulink
|
||||||
url="OPENVPN.html">OpenVPN</ulink> tap device (e.g.,
|
url="OPENVPN.html">OpenVPN</ulink> tap device (e.g.,
|
||||||
<filename>tap0</filename>) or to a wireless device
|
<filename>tap0</filename>) or to a wireless device
|
||||||
(<filename>ath0</filename> or <filename>wlan0</filename>).</para>
|
(<filename>ath0</filename> or <filename>wlan0</filename>).</para>
|
||||||
|
@ -89,7 +89,7 @@
|
|||||||
# special IPv6 addresses
|
# special IPv6 addresses
|
||||||
::1 localhost ipv6-localhost ipv6-loopback
|
::1 localhost ipv6-localhost ipv6-loopback
|
||||||
|
|
||||||
fe00::0 ipv6-localneta
|
fe00::0 ipv6-localnet
|
||||||
|
|
||||||
ff00::0 ipv6-mcastprefix
|
ff00::0 ipv6-mcastprefix
|
||||||
ff02::1 ipv6-allnodes
|
ff02::1 ipv6-allnodes
|
||||||
|
@ -135,7 +135,7 @@
|
|||||||
</tgroup>
|
</tgroup>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<para>The above may or may not work — your milage may vary. NAT Traversal
|
<para>The above may or may not work — your mileage may vary. NAT Traversal
|
||||||
is definitely a better solution. To use NAT traversal:<table id="Table2">
|
is definitely a better solution. To use NAT traversal:<table id="Table2">
|
||||||
<title>/etc/shorewall/rules with NAT Traversal</title>
|
<title>/etc/shorewall/rules with NAT Traversal</title>
|
||||||
|
|
||||||
|
@ -436,7 +436,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
|
|||||||
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
|
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
|
||||||
exception that I've added a fourth interface for our wireless network.
|
exception that I've added a fourth interface for our wireless network.
|
||||||
The firewall runs a routed <ulink url="OPENVPN.html">OpenVPN
|
The firewall runs a routed <ulink url="OPENVPN.html">OpenVPN
|
||||||
server</ulink> to provide roadwarrior access for our three laptops and a
|
server</ulink> to provide road warrior access for our three laptops and a
|
||||||
bridged OpenVPN server for the wireless network in our home. Here is the
|
bridged OpenVPN server for the wireless network in our home. Here is the
|
||||||
firewall's view of the network:</para>
|
firewall's view of the network:</para>
|
||||||
|
|
||||||
@ -912,7 +912,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
1:110 192.168.0.0/22 $EXT_IF #Our internel nets get priority
|
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
|
||||||
#over the server
|
#over the server
|
||||||
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
||||||
#Shorewall Mirrors.
|
#Shorewall Mirrors.
|
||||||
@ -921,7 +921,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
|
|||||||
|
|
||||||
<para>The <filename class="devicefile">tap0</filename> device used by
|
<para>The <filename class="devicefile">tap0</filename> device used by
|
||||||
the bridged OpenVPN server is created and bridged to <filename
|
the bridged OpenVPN server is created and bridged to <filename
|
||||||
class="devicefile">eth1</filename> using a SuSE-specific SysV init
|
class="devicefile">eth1</filename> using a SUSE-specific SysV init
|
||||||
script:</para>
|
script:</para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
|
@ -66,7 +66,7 @@
|
|||||||
class="devicefile">eth0</filename><footnote>
|
class="devicefile">eth0</filename><footnote>
|
||||||
<para>This assumes the default Xen configuration created by
|
<para>This assumes the default Xen configuration created by
|
||||||
<command>xend </command>and assumes that the host system has a single
|
<command>xend </command>and assumes that the host system has a single
|
||||||
ethernet interface named <filename
|
Ethernet interface named <filename
|
||||||
class="devicefile">eth0</filename>.</para>
|
class="devicefile">eth0</filename>.</para>
|
||||||
</footnote>in each domain. In Dom0, Xen also creates a bridge (<filename
|
</footnote>in each domain. In Dom0, Xen also creates a bridge (<filename
|
||||||
class="devicefile">xenbr0</filename>) and a number of virtual interfaces
|
class="devicefile">xenbr0</filename>) and a number of virtual interfaces
|
||||||
@ -156,7 +156,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>Most of the Linux systems run <trademark>SuSE </trademark>10.1; my
|
<para>Most of the Linux systems run <trademark>SUSE </trademark>10.1; my
|
||||||
personal Linux desktop system and our Linux Laptop run
|
personal Linux desktop system and our Linux Laptop run
|
||||||
<trademark>Ubuntu</trademark> "Dapper Drake".</para>
|
<trademark>Ubuntu</trademark> "Dapper Drake".</para>
|
||||||
|
|
||||||
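Review bot: In the changed line the space sits inside the element, `<trademark>SUSE </trademark>10.1`, so anything the stylesheet appends to a trademark lands after the space and runs straight into the version number. Since the line is being touched anyway, move the space outside the closing tag: `<trademark>SUSE</trademark> 10.1`.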
@ -259,7 +259,7 @@
|
|||||||
<filename class="devicefile">eth2</filename> (PCI 00:0a.0) are
|
<filename class="devicefile">eth2</filename> (PCI 00:0a.0) are
|
||||||
delegated to the firewall DomU where they become <filename
|
delegated to the firewall DomU where they become <filename
|
||||||
class="devicefile">eth3</filename> and <filename
|
class="devicefile">eth3</filename> and <filename
|
||||||
class="devicefile">eth4</filename> respectively. The SuSE 10.1 Xen
|
class="devicefile">eth4</filename> respectively. The SUSE 10.1 Xen
|
||||||
kernel compiles pciback as a module so the instructions for PCI
|
kernel compiles pciback as a module so the instructions for PCI
|
||||||
delegation in the Xen Users Manual can't be followed directly (see
|
delegation in the Xen Users Manual can't be followed directly (see
|
||||||
<ulink
|
<ulink
|
||||||
@ -292,7 +292,7 @@ extra = "3"
|
|||||||
|
|
||||||
# network interface:
|
# network interface:
|
||||||
vif = [ 'mac=aa:cc:00:00:00:02, bridge=xenbr0', 'mac=aa:cc:00:00:00:03, bridge=xenbr1' ]
|
vif = [ 'mac=aa:cc:00:00:00:02, bridge=xenbr0', 'mac=aa:cc:00:00:00:03, bridge=xenbr1' ]
|
||||||
# Interfaces deletgated from Dom0
|
# Interfaces delegated from Dom0
|
||||||
pci=[ '00:09.0' , '00:0a.0' ]
|
pci=[ '00:09.0' , '00:0a.0' ]
|
||||||
|
|
||||||
# storage devices:
|
# storage devices:
|
||||||
@ -357,7 +357,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
|
|||||||
|
|
||||||
<para><command>ethtool -K eth0 tx off</command></para>
|
<para><command>ethtool -K eth0 tx off</command></para>
|
||||||
|
|
||||||
<para>Under SuSE 10.1, I placed the following in
|
<para>Under SUSE 10.1, I placed the following in
|
||||||
<filename>/etc/sysconfig/network/if-up.d/resettx</filename> (that file
|
<filename>/etc/sysconfig/network/if-up.d/resettx</filename> (that file
|
||||||
is executable):</para>
|
is executable):</para>
|
||||||
|
|
||||||
@ -380,13 +380,13 @@ fi</programlisting>
|
|||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para>Update. Under SuSE 10.2, communication from a domU works okay
|
<para>Update. Under SUSE 10.2, communication from a domU works okay
|
||||||
without running ethtool <emphasis role="bold">but traffic shaping in
|
without running ethtool <emphasis role="bold">but traffic shaping in
|
||||||
dom0 doesn't work!</emphasis> So it's a good idea to run it just to be
|
dom0 doesn't work!</emphasis> So it's a good idea to run it just to be
|
||||||
safe.</para>
|
safe.</para>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
<para>SuSE 10.1 includes Xen 3.0.2 which supports PCI delegation. The
|
<para>SUSE 10.1 includes Xen 3.0.2 which supports PCI delegation. The
|
||||||
network interfaces that connect to the net and wifi zones are delegated
|
network interfaces that connect to the net and wifi zones are delegated
|
||||||
to the firewall DomU.</para>
|
to the firewall DomU.</para>
|
||||||
|
|
||||||
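Review bot: Capitalisation of the Xen domain names is inconsistent within this hunk: the caution uses "domU" and "dom0", while the paragraph right after it says "the firewall DomU". A spelling pass is a good moment to pick one form and apply it throughout the document.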
@ -474,7 +474,7 @@ SECTION NEW
|
|||||||
described in the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
|
described in the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
|
||||||
Guide</ulink> with the exception that I've added a fourth interface for
|
Guide</ulink> with the exception that I've added a fourth interface for
|
||||||
our wireless network. The firewall runs a routed <ulink
|
our wireless network. The firewall runs a routed <ulink
|
||||||
url="OPENVPN.html">OpenVPN server</ulink> to provide roadwarrior access
|
url="OPENVPN.html">OpenVPN server</ulink> to provide road warrior access
|
||||||
for our two laptops and a bridged OpenVPN server for the wireless
|
for our two laptops and a bridged OpenVPN server for the wireless
|
||||||
network in our home. Here is the firewall's view of the network:</para>
|
network in our home. Here is the firewall's view of the network:</para>
|
||||||
|
|
||||||
@ -834,7 +834,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||||
# PORT(S)
|
# PORT(S)
|
||||||
1:110 192.168.0.0/22 $EXT_IF #Our internel nets get priority
|
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
|
||||||
#over the server
|
#over the server
|
||||||
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
||||||
#Shorewall Mirrors.
|
#Shorewall Mirrors.
|
||||||
@ -842,7 +842,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
|
|||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>The tap0 device used by the bridged OpenVPN server is bridged to
|
<para>The tap0 device used by the bridged OpenVPN server is bridged to
|
||||||
eth0 using a SuSE-specific SysV init script:</para>
|
eth0 using a SUSE-specific SysV init script:</para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#!/bin/sh
|
<programlisting>#!/bin/sh
|
||||||
|
@ -49,7 +49,7 @@
|
|||||||
Interconnect (OSI) reference model, a router operates at layer 3,
|
Interconnect (OSI) reference model, a router operates at layer 3,
|
||||||
Shorewall may also be deployed on a GNU Linux System that acts as a
|
Shorewall may also be deployed on a GNU Linux System that acts as a
|
||||||
<firstterm>bridge</firstterm>. Bridges are layer 2 devices in the OSI
|
<firstterm>bridge</firstterm>. Bridges are layer 2 devices in the OSI
|
||||||
model (think of a bridge as an ethernet switch).</para>
|
model (think of a bridge as an Ethernet switch).</para>
|
||||||
|
|
||||||
<para>Some differences between routers and bridges are:</para>
|
<para>Some differences between routers and bridges are:</para>
|
||||||
|
|
||||||
@ -57,7 +57,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Routers determine packet destination based on the destination IP
|
<para>Routers determine packet destination based on the destination IP
|
||||||
address, while bridges route traffic based on the destination MAC
|
address, while bridges route traffic based on the destination MAC
|
||||||
address in the ethernet frame.</para>
|
address in the Ethernet frame.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
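Review bot: The context line "while bridges route traffic based on the destination MAC address" uses "route" for a layer 2 device, in a list whose whole purpose is to contrast routers with bridges. "forward" would keep the distinction the list is drawing.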
@ -142,7 +142,7 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The Shorewall system (the Bridge/Firewall) has only a single IP
|
<para>The Shorewall system (the Bridge/Firewall) has only a single IP
|
||||||
address even though it has two ethernet interfaces! The IP address is
|
address even though it has two Ethernet interfaces! The IP address is
|
||||||
configured on the bridge itself, rather than on either of the network
|
configured on the bridge itself, rather than on either of the network
|
||||||
cards.</para>
|
cards.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -454,7 +454,7 @@ ifconfig most 192.168.1.31 netmask 255.255.255.0 up
|
|||||||
#you don't use rc.inet1
|
#you don't use rc.inet1
|
||||||
#########################
|
#########################
|
||||||
|
|
||||||
3) I made rc.brige executable and added the following line to /etc/rc.d/rc.local
|
3) I made rc.bridge executable and added the following line to /etc/rc.d/rc.local
|
||||||
|
|
||||||
/etc/rc.d/rc.bridge </programlisting>
|
/etc/rc.d/rc.bridge </programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
@ -563,7 +563,7 @@ rc-update add bridge boot
|
|||||||
<filename>shorewall.conf</filename>.</para>
|
<filename>shorewall.conf</filename>.</para>
|
||||||
|
|
||||||
<para>In the scenario pictured above, there would probably be two BP zones
|
<para>In the scenario pictured above, there would probably be two BP zones
|
||||||
defined -- one for the internet and one for the local LAN so in
|
defined -- one for the Internet and one for the local LAN so in
|
||||||
<filename>/etc/shorewall/zones</filename>:</para>
|
<filename>/etc/shorewall/zones</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE TYPE OPTIONS
|
<programlisting>#ZONE TYPE OPTIONS
|
||||||
|
@ -203,7 +203,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><filename>/etc/shorewall/vardir</filename> - (Added in
|
<para><filename>/etc/shorewall/vardir</filename> - (Added in
|
||||||
Shoreall 4.0.0-RC2) - Determines the directory where Shorewall
|
Shorewall 4.0.0-RC2) - Determines the directory where Shorewall
|
||||||
maintains its state.</para>
|
maintains its state.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -590,7 +590,7 @@ use Shorewall::Config qw/shorewall/;</programlisting>
|
|||||||
the name to one or more IP addresses and inserts those addresses into the
|
the name to one or more IP addresses and inserts those addresses into the
|
||||||
rule. So changes in the DNS->IP address relationship that occur after
|
rule. So changes in the DNS->IP address relationship that occur after
|
||||||
the firewall has started have absolutely no effect on the firewall's
|
the firewall has started have absolutely no effect on the firewall's
|
||||||
ruleset.</para>
|
rule set.</para>
|
||||||
|
|
||||||
<para>If your firewall rules include DNS names then:</para>
|
<para>If your firewall rules include DNS names then:</para>
|
||||||
|
|
||||||
|
@ -95,12 +95,12 @@
|
|||||||
<section id="Shell-Perl">
|
<section id="Shell-Perl">
|
||||||
<title>Shorewall-shell and Shorewall-perl</title>
|
<title>Shorewall-shell and Shorewall-perl</title>
|
||||||
|
|
||||||
<para>Shorewall-shell and Shoreall-perl have no configuration files and
|
<para>Shorewall-shell and Shorewall-perl have no configuration files and
|
||||||
all of their released files are installed in a single directory. To
|
all of their released files are installed in a single directory. To
|
||||||
fallback to a prior release of one of these products using the tarballs,
|
fallback to a prior release of one of these products using the tarballs,
|
||||||
simple re-install the older version.</para>
|
simple re-install the older version.</para>
|
||||||
|
|
||||||
<para>To uninstal these products when they have been installed using the
|
<para>To uninstall these products when they have been installed using the
|
||||||
tarballs:</para>
|
tarballs:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
|
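Review bot: Two errors remain in the first paragraph of this hunk that a spell checker will not flag: "To fallback to a prior release" needs the verb form "fall back", and "simple re-install the older version" should read "simply re-install". Both sit in the same sentence as the Shoreall-perl fix, so they can go in with this change.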
@ -37,7 +37,7 @@
|
|||||||
<section id="Ipsets">
|
<section id="Ipsets">
|
||||||
<title>What are Ipsets?</title>
|
<title>What are Ipsets?</title>
|
||||||
|
|
||||||
<para>Ipsets are an extention to Netfilter/iptables that are currently
|
<para>Ipsets are an extension to Netfilter/iptables that are currently
|
||||||
available in Patch-O-Matic-ng (<ulink
|
available in Patch-O-Matic-ng (<ulink
|
||||||
url="http://www.netfilter.org">http://www.netfilter.org</ulink>). Using
|
url="http://www.netfilter.org">http://www.netfilter.org</ulink>). Using
|
||||||
ipsets requires that you patch your kernel and iptables and that you build
|
ipsets requires that you patch your kernel and iptables and that you build
|
||||||
@ -50,7 +50,7 @@
|
|||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Blacklists. Ipsets provide an effecient way to represent large
|
<para>Blacklists. Ipsets provide an efficient way to represent large
|
||||||
sets of addresses and you can maintain the lists without the need to
|
sets of addresses and you can maintain the lists without the need to
|
||||||
restart or even refresh your Shorewall configuration.</para>
|
restart or even refresh your Shorewall configuration.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -90,7 +90,7 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>a series of "src" and "dst" options separated by commas and
|
<para>a series of "src" and "dst" options separated by commas and
|
||||||
inclosed in square brackets ([]). These will be passed directly to
|
enclosed in square brackets ([]). These will be passed directly to
|
||||||
iptables in the generated --set clause. See the ipset documentation
|
iptables in the generated --set clause. See the ipset documentation
|
||||||
for details.</para>
|
for details.</para>
|
||||||
|
|
||||||
|
@ -363,9 +363,9 @@ CONFIG_IP_NF_ARP_MANGLE=m
|
|||||||
(Ubuntu inexplicably includes connmark match support but not CONNTRACK
|
(Ubuntu inexplicably includes connmark match support but not CONNTRACK
|
||||||
target support).<graphic align="center"
|
target support).<graphic align="center"
|
||||||
fileref="images/kernel-2.6.20-2.png" />The next graphic shows the IP
|
fileref="images/kernel-2.6.20-2.png" />The next graphic shows the IP
|
||||||
Netfilter Configuration -- these are the standard Ubuntu settions.<graphic
|
Netfilter Configuration -- these are the standard Ubuntu settings.<graphic
|
||||||
align="center" fileref="images/kernel-2.6.20-3.png" />Here is the
|
align="center" fileref="images/kernel-2.6.20-3.png" />Here is the
|
||||||
corresponding CONFIG file exerpt.<programlisting>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
|
corresponding CONFIG file excerpt.<programlisting>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
|
||||||
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
|
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
|
||||||
CONFIG_NETFILTER_XT_TARGET_DSCP=m
|
CONFIG_NETFILTER_XT_TARGET_DSCP=m
|
||||||
CONFIG_NETFILTER_XT_TARGET_MARK=m
|
CONFIG_NETFILTER_XT_TARGET_MARK=m
|
||||||
|
@ -26,7 +26,7 @@
|
|||||||
</copyright>
|
</copyright>
|
||||||
|
|
||||||
<legalnotice>
|
<legalnotice>
|
||||||
<para>Permission is granted to copy, distribute and/or mify this
|
<para>Permission is granted to copy, distribute and/or modify this
|
||||||
document under the terms of the GNU Free Documentation License, Version
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
@ -232,7 +232,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
|
|||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row>
|
<row>
|
||||||
<entry>Filrewall 2</entry>
|
<entry>Firewall 2</entry>
|
||||||
|
|
||||||
<entry>192.168.1.27 in lower cloud</entry>
|
<entry>192.168.1.27 in lower cloud</entry>
|
||||||
|
|
||||||
|
@ -48,7 +48,7 @@
|
|||||||
<section id="Ping">
|
<section id="Ping">
|
||||||
<title>'Ping' Management</title>
|
<title>'Ping' Management</title>
|
||||||
|
|
||||||
<para>In Shorewall , ICMP echo-request's are treated just like any other
|
<para>In Shorewall , ICMP echo-requests are treated just like any other
|
||||||
connection request.</para>
|
connection request.</para>
|
||||||
|
|
||||||
<para>In order to accept ping requests from zone z1 to zone z2 where the
|
<para>In order to accept ping requests from zone z1 to zone z2 where the
|
||||||
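Review bot: The changed line still has a stray space before the comma in "In Shorewall , ICMP echo-requests". Please remove it while the line is being edited.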
@ -85,7 +85,7 @@ Ping/DROP z1 z2</programlisting>
|
|||||||
<example id="Example2">
|
<example id="Example2">
|
||||||
<title>Silently drop pings from the Internet</title>
|
<title>Silently drop pings from the Internet</title>
|
||||||
|
|
||||||
<para>To drop ping from the internet, you would need this rule in
|
<para>To drop ping from the Internet, you would need this rule in
|
||||||
<filename>/etc/shorewall/rules</filename>:</para>
|
<filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
|
@ -227,7 +227,7 @@ ICQ/ACCEPT <emphasis><source></emphasis> net</programlisting>
|
|||||||
<title>IMAP</title>
|
<title>IMAP</title>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para>When accessing your mail from the internet,use <emphasis
|
<para>When accessing your mail from the Internet, use <emphasis
|
||||||
role="bold">only</emphasis> <emphasis role="bold">IMAP over
|
role="bold">only</emphasis> <emphasis role="bold">IMAP over
|
||||||
SSL.</emphasis></para>
|
SSL.</emphasis></para>
|
||||||
</caution>
|
</caution>
|
||||||
@ -281,7 +281,7 @@ LDAPS/ACCEPT <emphasis><emphasis><source></emphasis> <emphasis> &
|
|||||||
role="bold">severe security risk</emphasis>.</para>
|
role="bold">severe security risk</emphasis>.</para>
|
||||||
|
|
||||||
<para><emphasis role="bold">DO NOT USE THIS </emphasis>if you don't know
|
<para><emphasis role="bold">DO NOT USE THIS </emphasis>if you don't know
|
||||||
how to deal with the consecuences, you have been warned.</para>
|
how to deal with the consequences, you have been warned.</para>
|
||||||
</caution>
|
</caution>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||||
@ -542,7 +542,7 @@ Whois/ACCEPT <emphasis><source></emphasis> <emphasis><destination&
|
|||||||
<section id="X">
|
<section id="X">
|
||||||
<title>X/XDMCP</title>
|
<title>X/XDMCP</title>
|
||||||
|
|
||||||
<para>Assume that the Choser and/or X Server are running at
|
<para>Assume that the Chooser and/or X Server are running at
|
||||||
<<emphasis>chooser</emphasis>> and the Display Manager/X
|
<<emphasis>chooser</emphasis>> and the Display Manager/X
|
||||||
applications are running at <<emphasis>apps</emphasis>>.</para>
|
applications are running at <<emphasis>apps</emphasis>>.</para>
|
||||||
|
|
||||||
|
@ -163,7 +163,7 @@
|
|||||||
classified by the national government as secret, our security doesn't
|
classified by the national government as secret, our security doesn't
|
||||||
stop by putting a fence around our company. Information security is a
|
stop by putting a fence around our company. Information security is a
|
||||||
hot issue. We also make use of checkpoint firewalls, but not all of the
|
hot issue. We also make use of checkpoint firewalls, but not all of the
|
||||||
internet servers are guarded by checkpoint, some of them are
|
Internet servers are guarded by checkpoint, some of them are
|
||||||
running....Shorewall.</emphasis></para>
|
running....Shorewall.</emphasis></para>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
@ -172,7 +172,7 @@
|
|||||||
|
|
||||||
<para><emphasis>thanx for all your efforts you put into shorewall - this
|
<para><emphasis>thanx for all your efforts you put into shorewall - this
|
||||||
product stands out against a lot of commercial stuff i´ve been working
|
product stands out against a lot of commercial stuff i´ve been working
|
||||||
with in terms of flexibillity, quality & support</emphasis></para>
|
with in terms of flexibility, quality & support</emphasis></para>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
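Review bot: This corrects "flexibillity" inside a quoted user testimonial that is otherwise left as the author wrote it ("thanx", "i´ve", lowercase "shorewall"). Either keep testimonials verbatim or normalise them fully. Fixing one word in a quotation does neither, and it changes text attributed to someone else.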
@ -184,7 +184,7 @@
|
|||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<attribution>RP, Guatamala</attribution>
|
<attribution>RP, Guatemala</attribution>
|
||||||
|
|
||||||
<para><emphasis>My respects... I've just found and installed Shorewall
|
<para><emphasis>My respects... I've just found and installed Shorewall
|
||||||
1.3.3-1 and it is a wonderful piece of software. I've just sent out an
|
1.3.3-1 and it is a wonderful piece of software. I've just sent out an
|
||||||
@ -193,7 +193,7 @@
|
|||||||
<para><emphasis>While I had previously taken the time (maybe 40 hours)
|
<para><emphasis>While I had previously taken the time (maybe 40 hours)
|
||||||
to really understand ipchains, then spent at least an hour per server
|
to really understand ipchains, then spent at least an hour per server
|
||||||
customizing and carefully scrutinizing firewall rules, I've got
|
customizing and carefully scrutinizing firewall rules, I've got
|
||||||
shorewall running on my home firewall, with rulesets and policies that I
|
shorewall running on my home firewall, with rule sets and policies that I
|
||||||
know make sense, in under 20 minutes.</emphasis></para>
|
know make sense, in under 20 minutes.</emphasis></para>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
@ -169,7 +169,7 @@ esac</programlisting><caution>
|
|||||||
ADMINISABSENTMINDED=Yes.</para>
|
ADMINISABSENTMINDED=Yes.</para>
|
||||||
|
|
||||||
<para>The firewall state when this script is invoked is
|
<para>The firewall state when this script is invoked is
|
||||||
indeterminent. So if you have ADMINISABSENTMINDED=No in <ulink
|
indeterminate. So if you have ADMINISABSENTMINDED=No in <ulink
|
||||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
|
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
|
||||||
output on an interface is not allowed by <ulink
|
output on an interface is not allowed by <ulink
|
||||||
url="manpages/shorewall.conf.html">routestopped</ulink>(8) then
|
url="manpages/shorewall.conf.html">routestopped</ulink>(8) then
|
||||||
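Review bot: In the context lines, the routestopped reference links to `url="manpages/shorewall.conf.html"`, the same target as the shorewall.conf link two lines above it. That looks like a copy-and-paste slip. The link should point at the routestopped manual page, and it is worth correcting while this paragraph is open.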
@ -495,7 +495,7 @@ esac</programlisting><caution>
|
|||||||
<para>The 'continue' script has been eliminated because it no longer
|
<para>The 'continue' script has been eliminated because it no longer
|
||||||
make any sense under Shorewall-perl. That script was designed to allow
|
make any sense under Shorewall-perl. That script was designed to allow
|
||||||
you to add special temporary rules during [re]start. Shorewall-perl
|
you to add special temporary rules during [re]start. Shorewall-perl
|
||||||
doesn't need such rules since the ruleset is instantianted atomically by
|
doesn't need such rules since the rule set is instantiated atomically by
|
||||||
table.</para>
|
table.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
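Review bot: The first context sentence still reads "because it no longer make any sense under Shorewall-perl", which should be "makes". It is one line above the "instantiated" fix and belongs in the same pass.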
@ -50,7 +50,7 @@
|
|||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The packet is part of an established connecection. While the
|
<para>The packet is part of an established connection. While the
|
||||||
packet can be logged using LOG rules in the ESTABLISHED section of
|
packet can be logged using LOG rules in the ESTABLISHED section of
|
||||||
<ulink
|
<ulink
|
||||||
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that
|
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that
|
||||||
@ -100,7 +100,7 @@
|
|||||||
<title>Where the Traffic is Logged and How to Change the
|
<title>Where the Traffic is Logged and How to Change the
|
||||||
Destination</title>
|
Destination</title>
|
||||||
|
|
||||||
<para>By default, Shorewall directs NetFilter to log using syslog (8).
|
<para>By default, Shorewall directs Netfilter to log using syslog (8).
|
||||||
Syslog classifies log messages by a <emphasis>facility</emphasis> and a
|
Syslog classifies log messages by a <emphasis>facility</emphasis> and a
|
||||||
<emphasis>priority</emphasis> (using the notation
|
<emphasis>priority</emphasis> (using the notation
|
||||||
<emphasis>facility.priority</emphasis>).</para>
|
<emphasis>facility.priority</emphasis>).</para>
|
||||||
@ -111,7 +111,7 @@
|
|||||||
|
|
||||||
<para>Throughout the Shorewall documentation, I will use the term
|
<para>Throughout the Shorewall documentation, I will use the term
|
||||||
<emphasis>level</emphasis> rather than <emphasis>priority </emphasis>since
|
<emphasis>level</emphasis> rather than <emphasis>priority </emphasis>since
|
||||||
<emphasis>level</emphasis> is the term used by NetFilter. The syslog
|
<emphasis>level</emphasis> is the term used by Netfilter. The syslog
|
||||||
documentation uses the term <emphasis>priority</emphasis>.</para>
|
documentation uses the term <emphasis>priority</emphasis>.</para>
|
||||||
|
|
||||||
<section id="Levels">
|
<section id="Levels">
|
||||||
@ -150,7 +150,7 @@
|
|||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
<para>For most Shorewall logging, a level of 6 (info) is appropriate.
|
<para>For most Shorewall logging, a level of 6 (info) is appropriate.
|
||||||
Shorewall log messages are generated by NetFilter and are logged using
|
Shorewall log messages are generated by Netfilter and are logged using
|
||||||
the <emphasis>kern</emphasis> facility and the level that you specify.
|
the <emphasis>kern</emphasis> facility and the level that you specify.
|
||||||
If you are unsure of the level to choose, 6 (info) is a safe bet. You
|
If you are unsure of the level to choose, 6 (info) is a safe bet. You
|
||||||
may specify levels by name or by number.</para>
|
may specify levels by name or by number.</para>
|
||||||
@ -180,14 +180,14 @@
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>All kernel.info messages will go to that destination and not
|
<para>All kernel.info messages will go to that destination and not
|
||||||
just those from NetFilter.</para>
|
just those from Netfilter.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>Beginning with Shorewall version 1.3.12, if your kernel has ULOG
|
<para>Beginning with Shorewall version 1.3.12, if your kernel has ULOG
|
||||||
target support (and most vendor-supplied kernels do), you may also
|
target support (and most vendor-supplied kernels do), you may also
|
||||||
specify a log level of ULOG (must be all caps). When ULOG is used,
|
specify a log level of ULOG (must be all caps). When ULOG is used,
|
||||||
Shorewall will direct netfilter to log the related messages via the ULOG
|
Shorewall will direct Netfilter to log the related messages via the ULOG
|
||||||
target which will send them to a process called <quote>ulogd</quote>.
|
target which will send them to a process called <quote>ulogd</quote>.
|
||||||
The ulogd program is included in most distributions and is also
|
The ulogd program is included in most distributions and is also
|
||||||
available from <ulink
|
available from <ulink
|
||||||
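Review bot: The list item "All kernel.info messages will go to that destination" names the facility "kernel", but the earlier hunk in this file says the messages are logged using the kern facility, and the notation introduced above is facility.priority. "kern.info" would match the selector a reader actually has to type into the syslog configuration.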
@ -276,7 +276,7 @@ ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 </programlis
|
|||||||
<para><ulink
|
<para><ulink
|
||||||
url="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</ulink>
|
url="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</ulink>
|
||||||
is a post describing configuring syslog-ng to work with Shorewall. Recent
|
is a post describing configuring syslog-ng to work with Shorewall. Recent
|
||||||
<trademark>SuSE</trademark> releases come preconfigured with syslog-ng
|
<trademark>SUSE</trademark> releases come preconfigured with syslog-ng
|
||||||
with Netfilter messages (including Shorewall's) are written to
|
with Netfilter messages (including Shorewall's) are written to
|
||||||
<filename>/var/log/firewall</filename>.</para>
|
<filename>/var/log/firewall</filename>.</para>
|
||||||
</section>
|
</section>
|
||||||
|
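Review bot: The sentence around the SUSE fix does not parse: "come preconfigured with syslog-ng with Netfilter messages (including Shorewall's) are written to". Suggest "come preconfigured with syslog-ng, and Netfilter messages (including Shorewall's) are written to /var/log/firewall".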
@ -45,7 +45,7 @@
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>A <emphasis role="bold">Linux</emphasis> kernel that supports
|
<para>A <emphasis role="bold">Linux</emphasis> kernel that supports
|
||||||
netfilter (No, it won't work on BSD or Solaris). I've tested with
|
Netfilter (No, it won't work on BSD or Solaris). I've tested with
|
||||||
2.4.2 - 2.6.16. Check <ulink url="kernel.htm">here</ulink> for kernel
|
2.4.2 - 2.6.16. Check <ulink url="kernel.htm">here</ulink> for kernel
|
||||||
configuration information.</para>
|
configuration information.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -109,14 +109,14 @@
|
|||||||
class="directory">/etc/shorewall</filename> directory is empty. This
|
class="directory">/etc/shorewall</filename> directory is empty. This
|
||||||
is intentional. The released configuration file skeletons may be found
|
is intentional. The released configuration file skeletons may be found
|
||||||
on your system in the directory <filename
|
on your system in the directory <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||||
Simply copy the files you need from that directory to <filename
|
Simply copy the files you need from that directory to <filename
|
||||||
class="directory">/etc/shorewall</filename> and modify the
|
class="directory">/etc/shorewall</filename> and modify the
|
||||||
copies.</para>
|
copies.</para>
|
||||||
|
|
||||||
<para>Note that you must copy <filename
|
<para>Note that you must copy <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
|
||||||
and /usr/share/doc/shorewall/default-config/modules to <filename
|
and /usr/share/doc/shorewall-common/default-config/modules to <filename
|
||||||
class="directory">/etc/shorewall</filename> even if you do not modify
|
class="directory">/etc/shorewall</filename> even if you do not modify
|
||||||
those files.</para>
|
those files.</para>
|
||||||
</warning></para>
|
</warning></para>
|
||||||
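Review bot: In the last paragraph of this hunk, the second path, /usr/share/doc/shorewall-common/default-config/modules, is still bare text while the shorewall.conf path just before it is wrapped in a filename element; wrap it the same way so both render alike. The Russian version of this paragraph, changed later in the same commit, already marks up both paths.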
@ -192,7 +192,7 @@ dmz ipv4</programlisting>
|
|||||||
assigned to the firewall zone, Shorewall attaches absolutely no meaning to
|
assigned to the firewall zone, Shorewall attaches absolutely no meaning to
|
||||||
zone names. Zones are entirely what YOU make of them. That means that you
|
zone names. Zones are entirely what YOU make of them. That means that you
|
||||||
should not expect Shorewall to do something special <quote>because this is
|
should not expect Shorewall to do something special <quote>because this is
|
||||||
the internet zone</quote> or <quote>because that is the
|
the Internet zone</quote> or <quote>because that is the
|
||||||
DMZ</quote>.</para>
|
DMZ</quote>.</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
||||||
@ -286,11 +286,11 @@ all all REJECT info</programlisting>
|
|||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>allow all connection requests from your local network to the
|
<para>allow all connection requests from your local network to the
|
||||||
internet</para>
|
Internet</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>drop (ignore) all connection requests from the internet to your
|
<para>drop (ignore) all connection requests from the Internet to your
|
||||||
firewall or local network and log a message at the info level (<ulink
|
firewall or local network and log a message at the info level (<ulink
|
||||||
url="shorewall_logging.html">here is a description of log
|
url="shorewall_logging.html">here is a description of log
|
||||||
levels</ulink>).</para>
|
levels</ulink>).</para>
|
||||||
@ -322,7 +322,7 @@ all all REJECT info</programlisting>
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
|
<para>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
|
||||||
to isolate your internet-accessible servers from your local systems so
|
to isolate your Internet-accessible servers from your local systems so
|
||||||
that if one of those servers is compromised, you still have the
|
that if one of those servers is compromised, you still have the
|
||||||
firewall between the compromised system and your local systems.</para>
|
firewall between the compromised system and your local systems.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -508,7 +508,7 @@ loc eth2 detect</programlisting>
|
|||||||
Class C address 192.0.2.14, the network number is hex C00002 and the
|
Class C address 192.0.2.14, the network number is hex C00002 and the
|
||||||
host number is hex 0E.</para>
|
host number is hex 0E.</para>
|
||||||
|
|
||||||
<para>As the internet grew, it became clear that such a gross
|
<para>As the Internet grew, it became clear that such a gross
|
||||||
partitioning of the 32-bit address space was going to be very limiting
|
partitioning of the 32-bit address space was going to be very limiting
|
||||||
(early on, large corporations and universities were assigned their own
|
(early on, large corporations and universities were assigned their own
|
||||||
class A network!). After some false starts, the current technique of
|
class A network!). After some false starts, the current technique of
|
||||||
@ -1067,7 +1067,7 @@ Destination Gateway Genmask Flgs MSS Win irtt Iface
|
|||||||
|
|
||||||
<para>One more thing needs to be emphasized -- all outgoing packet are
|
<para>One more thing needs to be emphasized -- all outgoing packet are
|
||||||
sent using the routing table and reply packets are not a special case.
|
sent using the routing table and reply packets are not a special case.
|
||||||
There seems to be a common mis-conception whereby people think that
|
There seems to be a common misconception whereby people think that
|
||||||
request packets are like salmon and contain a genetic code that is
|
request packets are like salmon and contain a genetic code that is
|
||||||
magically transferred to reply packets so that the replies follow the
|
magically transferred to reply packets so that the replies follow the
|
||||||
reverse route taken by the request. That isn't the case; the replies may
|
reverse route taken by the request. That isn't the case; the replies may
|
||||||
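Review bot: The first context line of this hunk still reads "all outgoing packet are"; since the hunk already touches this paragraph to fix "mis-conception", change it to "all outgoing packets are" in the same pass.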
@ -1132,7 +1132,7 @@ tcpdump: listening on eth2
|
|||||||
|
|
||||||
<para>The leading question marks are a result of my having specified the
|
<para>The leading question marks are a result of my having specified the
|
||||||
<quote>n</quote> option (Windows <quote>arp</quote> doesn't allow that
|
<quote>n</quote> option (Windows <quote>arp</quote> doesn't allow that
|
||||||
option) which causes the <quote>arp</quote> program to forego IP->DNS
|
option) which causes the <quote>arp</quote> program to forgo IP->DNS
|
||||||
name translation. Had I not given that option, the question marks would
|
name translation. Had I not given that option, the question marks would
|
||||||
have been replaced with the FQDN corresponding to each IP address.
|
have been replaced with the FQDN corresponding to each IP address.
|
||||||
Notice that the last entry in the table records the information we saw
|
Notice that the last entry in the table records the information we saw
|
||||||
@ -1167,7 +1167,7 @@ tcpdump: listening on eth2
|
|||||||
somewhat unfortunate because it leads people to the erroneous conclusion
|
somewhat unfortunate because it leads people to the erroneous conclusion
|
||||||
that traffic destined for one of these addresses can't be sent through a
|
that traffic destined for one of these addresses can't be sent through a
|
||||||
router. This is definitely not true; private routers (including your
|
router. This is definitely not true; private routers (including your
|
||||||
Shorewall-based firewall) can forward RFC 1918 addresed traffic just
|
Shorewall-based firewall) can forward RFC 1918 addressed traffic just
|
||||||
fine.</para>
|
fine.</para>
|
||||||
|
|
||||||
<para>When selecting addresses from these ranges, there's a couple of
|
<para>When selecting addresses from these ranges, there's a couple of
|
||||||
@ -1349,7 +1349,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
|
|||||||
<para>With SNAT, an internal LAN segment is configured using RFC 1918
|
<para>With SNAT, an internal LAN segment is configured using RFC 1918
|
||||||
addresses. When a host <emphasis role="bold">A</emphasis> on this
|
addresses. When a host <emphasis role="bold">A</emphasis> on this
|
||||||
internal segment initiates a connection to host <emphasis
|
internal segment initiates a connection to host <emphasis
|
||||||
role="bold">B</emphasis> on the internet, the firewall/router rewrites
|
role="bold">B</emphasis> on the Internet, the firewall/router rewrites
|
||||||
the IP header in the request to use one of your public IP addresses as
|
the IP header in the request to use one of your public IP addresses as
|
||||||
the source address. When <emphasis role="bold">B</emphasis> responds
|
the source address. When <emphasis role="bold">B</emphasis> responds
|
||||||
and the response is received by the firewall, the firewall changes the
|
and the response is received by the firewall, the firewall changes the
|
||||||
@ -1359,7 +1359,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
|
|||||||
|
|
||||||
<para>Let's suppose that you decide to use SNAT on your local zone and
|
<para>Let's suppose that you decide to use SNAT on your local zone and
|
||||||
use public address 192.0.2.176 as both your firewall's external IP
|
use public address 192.0.2.176 as both your firewall's external IP
|
||||||
address and the source IP address of internet requests sent from that
|
address and the source IP address of Internet requests sent from that
|
||||||
zone.</para>
|
zone.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/dmz5.png" />
|
<graphic align="center" fileref="images/dmz5.png" />
|
||||||
@ -1396,16 +1396,16 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
|
|||||||
<section id="dnat">
|
<section id="dnat">
|
||||||
<title>DNAT</title>
|
<title>DNAT</title>
|
||||||
|
|
||||||
<para>When SNAT is used, it is impossible for hosts on the internet to
|
<para>When SNAT is used, it is impossible for hosts on the Internet to
|
||||||
initiate a connection to one of the internal systems since those
|
initiate a connection to one of the internal systems since those
|
||||||
systems do not have a public IP address. DNAT provides a way to allow
|
systems do not have a public IP address. DNAT provides a way to allow
|
||||||
selected connections from the internet.</para>
|
selected connections from the Internet.</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
||||||
|
|
||||||
<para>Suppose that your daughter wants to run a web server on her
|
<para>Suppose that your daughter wants to run a web server on her
|
||||||
system <quote>Local 3</quote>. You could allow connections to the
|
system <quote>Local 3</quote>. You could allow connections to the
|
||||||
internet to her server by adding the following entry in
|
Internet to her server by adding the following entry in
|
||||||
<filename><ulink
|
<filename><ulink
|
||||||
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para>
|
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para>
|
||||||
|
|
||||||
@ -1489,12 +1489,12 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
|||||||
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
|
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTANT
|
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT
|
||||||
192.0.2.177 eth2 eth0 No
|
192.0.2.177 eth2 eth0 No
|
||||||
192.0.2.178 eth2 eth0 No</programlisting>
|
192.0.2.178 eth2 eth0 No</programlisting>
|
||||||
|
|
||||||
<para>Because the HAVE ROUTE column contains No, Shorewall will add
|
<para>Because the HAVE ROUTE column contains No, Shorewall will add
|
||||||
host routes thru eth2 to 192.0.2.177 and 192.0.2.178. The ethernet
|
host routes thru eth2 to 192.0.2.177 and 192.0.2.178. The Ethernet
|
||||||
interfaces on DMZ 1 and DMZ 2 should be configured to have the IP
|
interfaces on DMZ 1 and DMZ 2 should be configured to have the IP
|
||||||
addresses shown but should have the same default gateway as the
|
addresses shown but should have the same default gateway as the
|
||||||
firewall itself -- namely 192.0.2.254. In other words, they should be
|
firewall itself -- namely 192.0.2.254. In other words, they should be
|
||||||
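Review bot: The column heading PERSISTANT becomes PERSISTENT inside a programlisting that reproduces /etc/shorewall/proxyarp, so please confirm that the heading in the shipped proxyarp file reads the same; otherwise readers comparing the document with the file will see a mismatch. The line edited for "Ethernet" also still says "host routes thru eth2", which could become "through" in the same change.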
@ -1511,7 +1511,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
|||||||
their routers with a long ARP cache timeout. If you move a system from
|
their routers with a long ARP cache timeout. If you move a system from
|
||||||
parallel to your firewall to behind your firewall with Proxy ARP, it
|
parallel to your firewall to behind your firewall with Proxy ARP, it
|
||||||
will probably be HOURS before that system can communicate with the
|
will probably be HOURS before that system can communicate with the
|
||||||
internet. There are a couple of things that you can try:</para>
|
Internet. There are a couple of things that you can try:</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1630,7 +1630,7 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
|
|||||||
their routers with a long ARP cache timeout. If you move a system from
|
their routers with a long ARP cache timeout. If you move a system from
|
||||||
parallel to your firewall to behind your firewall with one-to-one NAT,
|
parallel to your firewall to behind your firewall with one-to-one NAT,
|
||||||
it will probably be HOURS before that system can communicate with the
|
it will probably be HOURS before that system can communicate with the
|
||||||
internet. There are a couple of things that you can try:</para>
|
Internet. There are a couple of things that you can try:</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1711,7 +1711,7 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
|
|||||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
||||||
|
|
||||||
<para>With the default policies described earlier in this document, your
|
<para>With the default policies described earlier in this document, your
|
||||||
local systems (Local 1-3) can access any server on the internet and the
|
local systems (Local 1-3) can access any server on the Internet and the
|
||||||
DMZ can't access any other host (including the firewall). With the
|
DMZ can't access any other host (including the firewall). With the
|
||||||
exception of DNAT rules which cause address translation and allow the
|
exception of DNAT rules which cause address translation and allow the
|
||||||
translated connection request to pass through the firewall, the way to
|
translated connection request to pass through the firewall, the way to
|
||||||
@ -1929,7 +1929,7 @@ options {
|
|||||||
max-transfer-time-in 60;
|
max-transfer-time-in 60;
|
||||||
|
|
||||||
allow-transfer {
|
allow-transfer {
|
||||||
// Servers allowed to request zone tranfers
|
// Servers allowed to request zone transfers
|
||||||
<secondary NS IP>; };
|
<secondary NS IP>; };
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -2078,7 +2078,7 @@ view "external" {
|
|||||||
|
|
||||||
<para>Here are the files in <filename
|
<para>Here are the files in <filename
|
||||||
class="directory">/var/named</filename> (those not shown are usually
|
class="directory">/var/named</filename> (those not shown are usually
|
||||||
included in your bind disbribution).</para>
|
included in your bind distribution).</para>
|
||||||
|
|
||||||
<para><filename>db.192.0.2.176</filename> - This is the reverse zone for
|
<para><filename>db.192.0.2.176</filename> - This is the reverse zone for
|
||||||
the firewall's external interface</para>
|
the firewall's external interface</para>
|
||||||
@ -2101,7 +2101,7 @@ view "external" {
|
|||||||
@ 604800 IN NS <name of secondary ns>.
|
@ 604800 IN NS <name of secondary ns>.
|
||||||
;
|
;
|
||||||
; ############################################################
|
; ############################################################
|
||||||
; Iverse Address Arpa Records (PTR's)
|
; Inverse Address Arpa Records (PTR's)
|
||||||
; ############################################################
|
; ############################################################
|
||||||
176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.</programlisting>
|
176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.</programlisting>
|
||||||
|
|
||||||
@ -2125,7 +2125,7 @@ view "external" {
|
|||||||
@ 604800 IN NS <name of secondary ns>.
|
@ 604800 IN NS <name of secondary ns>.
|
||||||
;
|
;
|
||||||
; ############################################################
|
; ############################################################
|
||||||
; Iverse Address Arpa Records (PTR's)
|
; Inverse Address Arpa Records (PTR's)
|
||||||
; ############################################################
|
; ############################################################
|
||||||
177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.</programlisting>
|
177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.</programlisting>
|
||||||
|
|
||||||
@ -2150,7 +2150,7 @@ view "external" {
|
|||||||
@ 604800 IN NS <name of secondary ns>.
|
@ 604800 IN NS <name of secondary ns>.
|
||||||
;
|
;
|
||||||
; ############################################################
|
; ############################################################
|
||||||
; Iverse Address Arpa Records (PTR's)
|
; Inverse Address Arpa Records (PTR's)
|
||||||
; ############################################################
|
; ############################################################
|
||||||
178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.</programlisting>
|
178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.</programlisting>
|
||||||
|
|
||||||
@ -2175,7 +2175,7 @@ view "external" {
|
|||||||
@ 604800 IN NS <name of secondary ns>.
|
@ 604800 IN NS <name of secondary ns>.
|
||||||
;
|
;
|
||||||
; ############################################################
|
; ############################################################
|
||||||
; Iverse Address Arpa Records (PTR's)
|
; Inverse Address Arpa Records (PTR's)
|
||||||
; ############################################################
|
; ############################################################
|
||||||
179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.</programlisting>
|
179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.</programlisting>
|
||||||
|
|
||||||
@ -2198,7 +2198,7 @@ view "external" {
|
|||||||
@ 604800 IN NS ns1.foobar.net.
|
@ 604800 IN NS ns1.foobar.net.
|
||||||
|
|
||||||
; ############################################################
|
; ############################################################
|
||||||
; Iverse Address Arpa Records (PTR's)
|
; Inverse Address Arpa Records (PTR's)
|
||||||
; ############################################################
|
; ############################################################
|
||||||
1 86400 IN PTR localhost.foobar.net.</programlisting>
|
1 86400 IN PTR localhost.foobar.net.</programlisting>
|
||||||
|
|
||||||
@ -2221,7 +2221,7 @@ view "external" {
|
|||||||
; ############################################################
|
; ############################################################
|
||||||
@ 604800 IN NS ns1.foobar.net.
|
@ 604800 IN NS ns1.foobar.net.
|
||||||
; ############################################################
|
; ############################################################
|
||||||
; Iverse Address Arpa Records (PTR's)
|
; Inverse Address Arpa Records (PTR's)
|
||||||
; ############################################################
|
; ############################################################
|
||||||
1 86400 IN PTR gateway.foobar.net.
|
1 86400 IN PTR gateway.foobar.net.
|
||||||
2 86400 IN PTR winken.foobar.net.
|
2 86400 IN PTR winken.foobar.net.
|
||||||
@ -2248,7 +2248,7 @@ view "external" {
|
|||||||
@ 604800 IN NS ns1.foobar.net.
|
@ 604800 IN NS ns1.foobar.net.
|
||||||
|
|
||||||
; ############################################################
|
; ############################################################
|
||||||
; Iverse Address Arpa Records (PTR's)
|
; Inverse Address Arpa Records (PTR's)
|
||||||
; ############################################################
|
; ############################################################
|
||||||
1 86400 IN PTR dmz.foobar.net.</programlisting>
|
1 86400 IN PTR dmz.foobar.net.</programlisting>
|
||||||
|
|
||||||
@ -2416,7 +2416,7 @@ foobar.net. 86400 IN A 192.0.2.177
|
|||||||
firewall when it is stopped.</para>
|
firewall when it is stopped.</para>
|
||||||
|
|
||||||
<caution>
|
<caution>
|
||||||
<para>If you are connected to your firewall from the internet, do not
|
<para>If you are connected to your firewall from the Internet, do not
|
||||||
issue a <quote>shorewall stop</quote> command unless you have added an
|
issue a <quote>shorewall stop</quote> command unless you have added an
|
||||||
entry for the IP address that you are connected from to <filename><ulink
|
entry for the IP address that you are connected from to <filename><ulink
|
||||||
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.
|
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.
|
||||||
|
@ -201,7 +201,7 @@
|
|||||||
class="directory">/etc/shorewall</filename> directory is empty. This is
|
class="directory">/etc/shorewall</filename> directory is empty. This is
|
||||||
intentional. The released configuration file skeletons may be found on
|
intentional. The released configuration file skeletons may be found on
|
||||||
your system in the directory <filename
|
your system in the directory <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||||
Simply copy the files you need from that directory to <filename
|
Simply copy the files you need from that directory to <filename
|
||||||
class="directory">/etc/shorewall</filename> and modify the
|
class="directory">/etc/shorewall</filename> and modify the
|
||||||
copies.</para>
|
copies.</para>
|
||||||
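Review bot: The only change in this hunk is the directory, from /usr/share/doc/shorewall/default-config to /usr/share/doc/shorewall-common/default-config, which is a content change rather than a spelling fix. Mention the path update in the commit message so it can be found later, and confirm that the package really installs default-config under shorewall-common.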
@ -262,11 +262,11 @@ net ipv4</programlisting>
|
|||||||
<filename><filename>/etc/shorewall/rules</filename></filename> file. If no
|
<filename><filename>/etc/shorewall/rules</filename></filename> file. If no
|
||||||
rule in that file matches the connection request then the first policy in
|
rule in that file matches the connection request then the first policy in
|
||||||
<filename>/etc/shorewall/policy</filename> that matches the request is
|
<filename>/etc/shorewall/policy</filename> that matches the request is
|
||||||
applied. If there is a <ulink url="shorewall_extension_scripts.htm">comon
|
applied. If there is a <ulink url="shorewall_extension_scripts.htm">common
|
||||||
action</ulink> defined for the policy in
|
action</ulink> defined for the policy in
|
||||||
<filename>/etc/shorewall/actions</filename> or
|
<filename>/etc/shorewall/actions</filename> or
|
||||||
<filename>/usr/share/shorewall/actions.std</filename> then that action is
|
<filename>/usr/share/shorewall/actions.std</filename> then that action is
|
||||||
peformed before the policy is applied. The purpose of the common action is
|
performed before the policy is applied. The purpose of the common action is
|
||||||
two-fold:</para>
|
two-fold:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
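Review bot: The first context line of this hunk has the filename element nested inside itself around /etc/shorewall/rules; a single element is enough, and the duplicate can be dropped while "comon" and "peformed" are being fixed in the same paragraph.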
@ -295,11 +295,11 @@ all all REJECT info</programlisting>
|
|||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>allow all connection requests from the firewall to the
|
<para>allow all connection requests from the firewall to the
|
||||||
internet</para>
|
Internet</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>drop (ignore) all connection requests from the internet to your
|
<para>drop (ignore) all connection requests from the Internet to your
|
||||||
firewall</para>
|
firewall</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -310,9 +310,9 @@ all all REJECT info</programlisting>
|
|||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the
|
<para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the
|
||||||
last two policies indicates that packets droped or rejected under those
|
last two policies indicates that packets dropped or rejected under those
|
||||||
policies should be <ulink url="shorewall_logging.html">logged at that
|
policies should be <ulink url="shorewall_logging.html">logged at that
|
||||||
leve</ulink>l.</para>
|
level</ulink>.</para>
|
||||||
|
|
||||||
<para>At this point, edit your <filename>/etc/shorewall/policy</filename>
|
<para>At this point, edit your <filename>/etc/shorewall/policy</filename>
|
||||||
and make any changes that you wish.</para>
|
and make any changes that you wish.</para>
|
||||||
@ -324,7 +324,7 @@ all all REJECT info</programlisting>
|
|||||||
<para>The firewall has a single network interface. Where Internet
|
<para>The firewall has a single network interface. Where Internet
|
||||||
connectivity is through a cable or <acronym>DSL</acronym>
|
connectivity is through a cable or <acronym>DSL</acronym>
|
||||||
<quote>Modem</quote>, the <emphasis>External Interface</emphasis> will be
|
<quote>Modem</quote>, the <emphasis>External Interface</emphasis> will be
|
||||||
the ethernet adapter (<filename class="devicefile">eth0</filename>) that
|
the Ethernet adapter (<filename class="devicefile">eth0</filename>) that
|
||||||
is connected to that <quote>Modem</quote> <emphasis
|
is connected to that <quote>Modem</quote> <emphasis
|
||||||
role="underline">unless</emphasis> you connect via
|
role="underline">unless</emphasis> you connect via
|
||||||
<emphasis>Point-to-Point Protocol over Ethernet</emphasis>
|
<emphasis>Point-to-Point Protocol over Ethernet</emphasis>
|
||||||
@ -412,7 +412,7 @@ root@lists:~# </programlisting>
|
|||||||
<acronym>ISP</acronym>s are assigning these addresses then using
|
<acronym>ISP</acronym>s are assigning these addresses then using
|
||||||
<emphasis>Network Address Translation</emphasis> <emphasis>-
|
<emphasis>Network Address Translation</emphasis> <emphasis>-
|
||||||
</emphasis><acronym>NAT</acronym>) to rewrite packet headers when
|
</emphasis><acronym>NAT</acronym>) to rewrite packet headers when
|
||||||
forwarding to/from the internet.</para>
|
forwarding to/from the Internet.</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
|
|
||||||
@ -453,7 +453,7 @@ root@lists:~# </programlisting>
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><command>shorewall show log</command> (Displays the last 20
|
<para><command>shorewall show log</command> (Displays the last 20
|
||||||
netfilter log messages)</para>
|
Netfilter log messages)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -476,12 +476,12 @@ root@lists:~# </programlisting>
|
|||||||
<para>Most commonly, Netfilter messages are logged to
|
<para>Most commonly, Netfilter messages are logged to
|
||||||
<filename>/var/log/messages</filename>. Recent
|
<filename>/var/log/messages</filename>. Recent
|
||||||
<trademark>SuSE/OpenSuSE</trademark> releases come preconfigured with
|
<trademark>SuSE/OpenSuSE</trademark> releases come preconfigured with
|
||||||
syslog-ng and log netfilter messages to
|
syslog-ng and log Netfilter messages to
|
||||||
<filename>/var/log/firewall</filename>.</para>
|
<filename>/var/log/firewall</filename>.</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
|
|
||||||
<para>If you are running a distribution that logs netfilter messages to a
|
<para>If you are running a distribution that logs Netfilter messages to a
|
||||||
log other than <filename>/var/log/messages</filename>, then modify the
|
log other than <filename>/var/log/messages</filename>, then modify the
|
||||||
LOGFILE setting in <filename>/etc/shorewall/shorewall.conf</filename> to
|
LOGFILE setting in <filename>/etc/shorewall/shorewall.conf</filename> to
|
||||||
specify the name of your log.</para>
|
specify the name of your log.</para>
|
||||||
@ -501,7 +501,7 @@ root@lists:~# </programlisting>
|
|||||||
in your version of Shorewall using the command <command>ls
|
in your version of Shorewall using the command <command>ls
|
||||||
<filename>/usr/share/shorewall/macro.*</filename></command>.</para>
|
<filename>/usr/share/shorewall/macro.*</filename></command>.</para>
|
||||||
|
|
||||||
<para>If you wish to enable connections from the internet to your firewall
|
<para>If you wish to enable connections from the Internet to your firewall
|
||||||
and you find an appropriate macro in
|
and you find an appropriate macro in
|
||||||
<filename>/etc/shorewall/macro.*</filename>, the general format of a rule
|
<filename>/etc/shorewall/macro.*</filename>, the general format of a rule
|
||||||
in <filename>/etc/shorewall/rules</filename> is:</para>
|
in <filename>/etc/shorewall/rules</filename> is:</para>
|
||||||
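Review bot: The two paragraphs in this hunk name different directories for the macro files: the ls command lists /usr/share/shorewall/macro.* while the next sentence tells the reader to look for a macro in /etc/shorewall/macro.*. Please check which location is meant and make the two agree.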
@ -544,9 +544,9 @@ ACCEPT net $FW tcp 143</programlisting></para>
|
|||||||
uses, see <ulink url="ports.htm">here</ulink>.</para>
|
uses, see <ulink url="ports.htm">here</ulink>.</para>
|
||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>I don't recommend enabling telnet to/from the internet because it
|
<para>I don't recommend enabling telnet to/from the Internet because it
|
||||||
uses clear text (even for login!). If you want shell access to your
|
uses clear text (even for login!). If you want shell access to your
|
||||||
firewall from the internet, use <acronym>SSH</acronym>:</para>
|
firewall from the Internet, use <acronym>SSH</acronym>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
||||||
SSH/ACCEPT net $FW </programlisting>
|
SSH/ACCEPT net $FW </programlisting>
|
||||||
@ -594,7 +594,7 @@ SSH/ACCEPT net $FW </programlisting>
|
|||||||
<quote><command>shorewall clear</command></quote>.</para>
|
<quote><command>shorewall clear</command></quote>.</para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>If you are connected to your firewall from the internet, do not
|
<para>If you are connected to your firewall from the Internet, do not
|
||||||
issue a <quote><command>shorewall stop</command></quote> command unless
|
issue a <quote><command>shorewall stop</command></quote> command unless
|
||||||
you have added an entry for the IP address that you are connected from
|
you have added an entry for the IP address that you are connected from
|
||||||
to <ulink
|
to <ulink
|
||||||
@ -641,4 +641,4 @@ SSH/ACCEPT net $FW </programlisting>
|
|||||||
page</ulink> -- it contains helpful tips about Shorewall features than
|
page</ulink> -- it contains helpful tips about Shorewall features than
|
||||||
make administering your firewall easier.</para>
|
make administering your firewall easier.</para>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
||||||
|
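Review bot: The sentence in this hunk's context still reads "Shorewall features than make administering your firewall easier"; "than" should be "that". A spell checker will not flag it because both are valid words, so it needs a manual fix.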
@ -169,15 +169,15 @@
|
|||||||
директория <filename class="directory">/etc/shorewall</filename>
|
директория <filename class="directory">/etc/shorewall</filename>
|
||||||
пуста. Это сделано специально. Поставляемые шаблоны файлов
|
пуста. Это сделано специально. Поставляемые шаблоны файлов
|
||||||
конфигурации Вы найдете на вашей системе в директории <filename
|
конфигурации Вы найдете на вашей системе в директории <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||||
Просто скопируйте нужные Вам файлы из этой директории в <filename
|
Просто скопируйте нужные Вам файлы из этой директории в <filename
|
||||||
class="directory">/etc/shorewall</filename> и отредактируйте
|
class="directory">/etc/shorewall</filename> и отредактируйте
|
||||||
копии.</para>
|
копии.</para>
|
||||||
|
|
||||||
<para>Заметьте, что Вы должны скопировать <filename
|
<para>Заметьте, что Вы должны скопировать <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
|
||||||
и <filename
|
и <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config/modules</filename>
|
class="directory">/usr/share/doc/shorewall-common/default-config/modules</filename>
|
||||||
в <filename class="directory">/etc/shorewall</filename> даже если Вы
|
в <filename class="directory">/etc/shorewall</filename> даже если Вы
|
||||||
не будете изменять эти файлы.</para>
|
не будете изменять эти файлы.</para>
|
||||||
</warning><inlinegraphic fileref="images/BD21298_.gif"
|
</warning><inlinegraphic fileref="images/BD21298_.gif"
|
||||||
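Review bot: In the changed lines, the paths ending in default-config/shorewall.conf and default-config/modules are files (the sentence itself calls them files) but are still marked up as <filename class="directory">. Drop the class attribute on those two so only real directories carry it. The move from /usr/share/doc/shorewall/ to /usr/share/doc/shorewall-common/ is also a content change rather than a spelling correction, so it deserves its own mention in the commit message.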
@ -215,7 +215,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Если же Вы пользовались пакетом .deb, примеры находятся в
|
<para>Если же Вы пользовались пакетом .deb, примеры находятся в
|
||||||
директории <filename
|
директории <filename
|
||||||
class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>.</para>
|
class="directory">/usr/share/doc/shorewall-common/examples/one-interface</filename>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
|
@ -148,7 +148,7 @@
|
|||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>The <command>shorewall stop</command> command does not remove
|
<para>The <command>shorewall stop</command> command does not remove
|
||||||
all netfilter rules and open your firewall for all traffic to pass.
|
all Netfilter rules and open your firewall for all traffic to pass.
|
||||||
It rather places your firewall in a safe state defined by the
|
It rather places your firewall in a safe state defined by the
|
||||||
contents of your <ulink
|
contents of your <ulink
|
||||||
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
|
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
|
||||||
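Review bot: The sentence "does not remove all Netfilter rules and open your firewall for all traffic to pass" in the <important> block leaves the scope of the negation unclear, and this is the sentence an administrator relies on to know whether shorewall stop leaves the host exposed. Suggest "does not remove all Netfilter rules and does not open your firewall to all traffic", and "Rather, it places" for "It rather places" on the following line.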
@ -179,7 +179,7 @@
|
|||||||
<para>Because of the different requirements of distribution packaging
|
<para>Because of the different requirements of distribution packaging
|
||||||
systems, the behavior of <filename>/etc/init.d/shorewall</filename> and
|
systems, the behavior of <filename>/etc/init.d/shorewall</filename> and
|
||||||
<filename>/etc/init.d/shorewall-lite</filename> is not consistent between
|
<filename>/etc/init.d/shorewall-lite</filename> is not consistent between
|
||||||
distributions. As an example, when using the distributon Shorewall
|
distributions. As an example, when using the distribution Shorewall
|
||||||
packages on <trademark>Debian</trademark> and
|
packages on <trademark>Debian</trademark> and
|
||||||
<trademark>Ubuntu</trademark> systems, running
|
<trademark>Ubuntu</trademark> systems, running
|
||||||
<command>/etc/init.d/shorewall stop</command> will actually execute the
|
<command>/etc/init.d/shorewall stop</command> will actually execute the
|
||||||
@ -617,7 +617,7 @@
|
|||||||
<section id="State">
|
<section id="State">
|
||||||
<title>Shorewall State Diagram</title>
|
<title>Shorewall State Diagram</title>
|
||||||
|
|
||||||
<para>The Shorewall State Diargram is depicted below.</para>
|
<para>The Shorewall State Diagram is depicted below.</para>
|
||||||
|
|
||||||
<para><graphic align="center" fileref="images/State_Diagram.png" /></para>
|
<para><graphic align="center" fileref="images/State_Diagram.png" /></para>
|
||||||
|
|
||||||
|
@ -274,9 +274,9 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
|
|||||||
<para>If Shorewall is starting successfully and your problem is that
|
<para>If Shorewall is starting successfully and your problem is that
|
||||||
some set of <emphasis role="bold">connections</emphasis> to/from or
|
some set of <emphasis role="bold">connections</emphasis> to/from or
|
||||||
through your firewall <emphasis role="bold">isn't working</emphasis>
|
through your firewall <emphasis role="bold">isn't working</emphasis>
|
||||||
(examples: local systems can't access the internet, you can't send
|
(examples: local systems can't access the Internet, you can't send
|
||||||
email through the firewall, you can't surf the web from the firewall,
|
email through the firewall, you can't surf the web from the firewall,
|
||||||
connections that you are certain should be rejected are mysterously
|
connections that you are certain should be rejected are mysteriously
|
||||||
accepted, etc.) or <emphasis role="bold">you are having problems with
|
accepted, etc.) or <emphasis role="bold">you are having problems with
|
||||||
traffic shaping</emphasis> then please perform the following six
|
traffic shaping</emphasis> then please perform the following six
|
||||||
steps:</para>
|
steps:</para>
|
||||||
@ -313,7 +313,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Otherwise:</para>
|
<para>Otherwise:</para>
|
||||||
|
|
||||||
<para>Shorewall is starting successfuly and you have <emphasis
|
<para>Shorewall is starting successfully and you have <emphasis
|
||||||
role="bold">no connection problems</emphasis> and you have <emphasis
|
role="bold">no connection problems</emphasis> and you have <emphasis
|
||||||
role="bold">no traffic shaping problems</emphasis>. Your problem is
|
role="bold">no traffic shaping problems</emphasis>. Your problem is
|
||||||
with performance, logging, etc. Please include the following:</para>
|
with performance, logging, etc. Please include the following:</para>
|
||||||
@ -409,7 +409,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The author gratefully acknowleges that the above list was
|
<para>The author gratefully acknowledges that the above list was
|
||||||
heavily plagiarized from the excellent LEAF document by <emphasis>Ray
|
heavily plagiarized from the excellent LEAF document by <emphasis>Ray
|
||||||
Olszewski</emphasis> found <ulink
|
Olszewski</emphasis> found <ulink
|
||||||
url="http://leaf-project.org/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=6&MMN_position=21:21">here</ulink>.</para>
|
url="http://leaf-project.org/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=6&MMN_position=21:21">here</ulink>.</para>
|
||||||
|
@ -76,7 +76,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>DMZ connected to a separate ethernet interface. The purpose of a
|
<para>DMZ connected to a separate Ethernet interface. The purpose of a
|
||||||
DMZ is to isolate those servers that are exposed to the Internet from
|
DMZ is to isolate those servers that are exposed to the Internet from
|
||||||
your local systems so that if one of those servers is compromised
|
your local systems so that if one of those servers is compromised
|
||||||
there is still a firewall between the hacked server and your local
|
there is still a firewall between the hacked server and your local
|
||||||
@ -185,7 +185,7 @@
|
|||||||
class="directory">/etc/shorewall</filename> directory is empty. This
|
class="directory">/etc/shorewall</filename> directory is empty. This
|
||||||
is intentional. The released configuration file skeletons may be found
|
is intentional. The released configuration file skeletons may be found
|
||||||
on your system in the directory <filename
|
on your system in the directory <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||||
Simply copy the files you need from that directory to <filename
|
Simply copy the files you need from that directory to <filename
|
||||||
class="directory">/etc/shorewall</filename> and modify the
|
class="directory">/etc/shorewall</filename> and modify the
|
||||||
copies.</para>
|
copies.</para>
|
||||||
@ -286,10 +286,10 @@ dmz ipv4</programlisting>Zone names are defined in
|
|||||||
If no rule in that file matches the connection request then the first
|
If no rule in that file matches the connection request then the first
|
||||||
policy in <filename>/etc/shorewall/policy</filename> that matches the
|
policy in <filename>/etc/shorewall/policy</filename> that matches the
|
||||||
request is applied. If there is a <ulink
|
request is applied. If there is a <ulink
|
||||||
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
|
url="shorewall_extension_scripts.htm">common action</ulink> defined for the
|
||||||
policy in <filename>/etc/shorewall/actions</filename> or
|
policy in <filename>/etc/shorewall/actions</filename> or
|
||||||
<filename>/usr/share/shorewall/actions.std</filename> then that action is
|
<filename>/usr/share/shorewall/actions.std</filename> then that action is
|
||||||
peformed before the action is applied. The purpose of the common action is
|
performed before the action is applied. The purpose of the common action is
|
||||||
two-fold:</para>
|
two-fold:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
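Review bot: "then that action is performed before the action is applied" in the changed line uses "action" for two different things, and the second one appears to mean the policy from /etc/shorewall/policy. Suggest "then that action is performed before the policy is applied" so the order of evaluation is unambiguous.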
@ -316,7 +316,7 @@ all all REJECT info</programlisting>
|
|||||||
<important>
|
<important>
|
||||||
<para>In the three-interface sample, the line below is included but
|
<para>In the three-interface sample, the line below is included but
|
||||||
commented out. If you want your firewall system to have full access to
|
commented out. If you want your firewall system to have full access to
|
||||||
servers on the internet, uncomment that line.</para>
|
servers on the Internet, uncomment that line.</para>
|
||||||
|
|
||||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
$FW net ACCEPT</programlisting>
|
$FW net ACCEPT</programlisting>
|
||||||
@ -327,17 +327,17 @@ $FW net ACCEPT</programlisting>
|
|||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>allow all connection requests from your local network to the
|
<para>allow all connection requests from your local network to the
|
||||||
internet</para>
|
Internet</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>drop (ignore) all connection requests from the internet to your
|
<para>drop (ignore) all connection requests from the Internet to your
|
||||||
firewall or local network</para>
|
firewall or local network</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>optionally accept all connection requests from the firewall to
|
<para>optionally accept all connection requests from the firewall to
|
||||||
the internet (if you uncomment the additional policy)</para>
|
the Internet (if you uncomment the additional policy)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -346,9 +346,9 @@ $FW net ACCEPT</programlisting>
|
|||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
<para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the
|
<para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the
|
||||||
DROP and REJECT policies indicates that packets droped or rejected under
|
DROP and REJECT policies indicates that packets dropped or rejected under
|
||||||
those policies should be <ulink url="shorewall_logging.html">logged at
|
those policies should be <ulink url="shorewall_logging.html">logged at
|
||||||
that leve</ulink>l.</para>
|
that level</ulink>.</para>
|
||||||
|
|
||||||
<para>It is important to note that Shorewall policies (and rules) refer to
|
<para>It is important to note that Shorewall policies (and rules) refer to
|
||||||
<emphasis role="bold">connections</emphasis> and not packet flow. With the
|
<emphasis role="bold">connections</emphasis> and not packet flow. With the
|
||||||
@ -379,7 +379,7 @@ $FW net ACCEPT</programlisting>
|
|||||||
|
|
||||||
<para>The firewall has three network interfaces. Where Internet
|
<para>The firewall has three network interfaces. Where Internet
|
||||||
connectivity is through a cable or DSL <quote>Modem</quote>, the External
|
connectivity is through a cable or DSL <quote>Modem</quote>, the External
|
||||||
Interface will be the ethernet adapter that is connected to that
|
Interface will be the Ethernet adapter that is connected to that
|
||||||
<quote>Modem</quote> (e.g., <filename class="devicefile">eth0</filename>)
|
<quote>Modem</quote> (e.g., <filename class="devicefile">eth0</filename>)
|
||||||
unless you connect via <emphasis>Point-to-Point Protocol</emphasis> over
|
unless you connect via <emphasis>Point-to-Point Protocol</emphasis> over
|
||||||
Ethernet (PPPoE) or <emphasis>Point-to-Point Tunneling Protocol</emphasis>
|
Ethernet (PPPoE) or <emphasis>Point-to-Point Tunneling Protocol</emphasis>
|
||||||
@ -424,7 +424,7 @@ root@lists:~# </programlisting>
|
|||||||
<varname>CLAMPMSS=yes</varname> in
|
<varname>CLAMPMSS=yes</varname> in
|
||||||
<filename>/etc/shorewall/shorewall.conf</filename>.</emphasis></para>
|
<filename>/etc/shorewall/shorewall.conf</filename>.</emphasis></para>
|
||||||
|
|
||||||
<para>Your Local Interface will be an ethernet adapter (<filename
|
<para>Your Local Interface will be an Ethernet adapter (<filename
|
||||||
class="devicefile">eth0</filename>, <filename
|
class="devicefile">eth0</filename>, <filename
|
||||||
class="devicefile">eth1</filename> or <filename
|
class="devicefile">eth1</filename> or <filename
|
||||||
class="devicefile">eth2</filename>) and will be connected to a hub or
|
class="devicefile">eth2</filename>) and will be connected to a hub or
|
||||||
@ -432,7 +432,7 @@ root@lists:~# </programlisting>
|
|||||||
If you have only a single local system, you can connect the firewall
|
If you have only a single local system, you can connect the firewall
|
||||||
directly to the computer using a cross-over cable).</para>
|
directly to the computer using a cross-over cable).</para>
|
||||||
|
|
||||||
<para>Your DMZ Interface will also be an ethernet adapter (<filename
|
<para>Your DMZ Interface will also be an Ethernet adapter (<filename
|
||||||
class="devicefile">eth0</filename>, <filename
|
class="devicefile">eth0</filename>, <filename
|
||||||
class="devicefile">eth1</filename> or <filename
|
class="devicefile">eth1</filename> or <filename
|
||||||
class="devicefile">eth2</filename>) and will be connected to a hub or
|
class="devicefile">eth2</filename>) and will be connected to a hub or
|
||||||
@ -604,7 +604,7 @@ root@lists:~# </programlisting>
|
|||||||
Routing</quote>, Thomas A. Maufer, Prentice-Hall, 1999, ISBN
|
Routing</quote>, Thomas A. Maufer, Prentice-Hall, 1999, ISBN
|
||||||
0-13-975483-0.</para>
|
0-13-975483-0.</para>
|
||||||
|
|
||||||
<para>The remainder of this quide will assume that you have configured
|
<para>The remainder of this guide will assume that you have configured
|
||||||
your network as shown here:</para>
|
your network as shown here:</para>
|
||||||
|
|
||||||
<figure id="Figure3">
|
<figure id="Figure3">
|
||||||
@ -641,14 +641,14 @@ root@lists:~# </programlisting>
|
|||||||
<para>The addresses reserved by RFC 1918 are sometimes referred to as
|
<para>The addresses reserved by RFC 1918 are sometimes referred to as
|
||||||
non-routable because the Internet backbone routers don't forward packets
|
non-routable because the Internet backbone routers don't forward packets
|
||||||
which have an RFC-1918 destination address. When one of your local systems
|
which have an RFC-1918 destination address. When one of your local systems
|
||||||
(let's assume local computer 1) sends a connection request to an internet
|
(let's assume local computer 1) sends a connection request to an Internet
|
||||||
host, the firewall must perform Network Address Translation (NAT). The
|
host, the firewall must perform Network Address Translation (NAT). The
|
||||||
firewall rewrites the source address in the packet to be the address of
|
firewall rewrites the source address in the packet to be the address of
|
||||||
the firewall's external interface; in other words, the firewall makes it
|
the firewall's external interface; in other words, the firewall makes it
|
||||||
look as if the firewall itself is initiating the connection. This is
|
look as if the firewall itself is initiating the connection. This is
|
||||||
necessary so that the destination host will be able to route return
|
necessary so that the destination host will be able to route return
|
||||||
packets back to the firewall (remember that packets whose destination
|
packets back to the firewall (remember that packets whose destination
|
||||||
address is reserved by RFC 1918 can't be routed accross the internet).
|
address is reserved by RFC 1918 can't be routed across the Internet).
|
||||||
When the firewall receives a return packet, it rewrites the destination
|
When the firewall receives a return packet, it rewrites the destination
|
||||||
address back to 10.10.10.1 and forwards the packet on to local computer
|
address back to 10.10.10.1 and forwards the packet on to local computer
|
||||||
1.</para>
|
1.</para>
|
||||||
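Review bot: This paragraph writes "RFC 1918" twice and "RFC-1918 destination address" once. Since the hunk is already normalising the surrounding wording (internet to Internet), change the hyphenated form to "RFC 1918" as well.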
@ -736,7 +736,7 @@ DNAT net dmz:<emphasis><server local IP address></emphasis>[:<e
|
|||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>Be sure to add your rules after the line that reads <emphasis
|
<para>Be sure to add your rules after the line that reads <emphasis
|
||||||
role="bold">SECTON NEW.</emphasis></para>
|
role="bold">SECTION NEW.</emphasis></para>
|
||||||
</important>
|
</important>
|
||||||
|
|
||||||
<example id="Example1">
|
<example id="Example1">
|
||||||
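Review bot: In role="bold">SECTION NEW.</emphasis> the full stop sits inside the bold emphasis, so it reads as part of the literal line the reader is told to look for in the rules file. Move it outside the element: <emphasis role="bold">SECTION NEW</emphasis> followed by the full stop.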
@ -975,7 +975,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><command>shorewall show log</command> (Displays the last 20
|
<para><command>shorewall show log</command> (Displays the last 20
|
||||||
netfilter log messages)</para>
|
Netfilter log messages)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
@ -185,15 +185,15 @@
|
|||||||
директория <filename class="directory">/etc/shorewall</filename>
|
директория <filename class="directory">/etc/shorewall</filename>
|
||||||
пуста. Это сделано специально. Поставляемые шаблоны файлов
|
пуста. Это сделано специально. Поставляемые шаблоны файлов
|
||||||
конфигурации Вы найдете на вашей системе в директории <filename
|
конфигурации Вы найдете на вашей системе в директории <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||||
Просто скопируйте нужные Вам файлы из этой директории в <filename
|
Просто скопируйте нужные Вам файлы из этой директории в <filename
|
||||||
class="directory">/etc/shorewall</filename> и отредактируйте
|
class="directory">/etc/shorewall</filename> и отредактируйте
|
||||||
копии.</para>
|
копии.</para>
|
||||||
|
|
||||||
<para>Заметьте, что Вы должны скопировать <filename
|
<para>Заметьте, что Вы должны скопировать <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
|
||||||
и <filename
|
и <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config/modules</filename>
|
class="directory">/usr/share/doc/shorewall-common/default-config/modules</filename>
|
||||||
в <filename class="directory">/etc/shorewall</filename> даже если Вы
|
в <filename class="directory">/etc/shorewall</filename> даже если Вы
|
||||||
не будете изменять эти файлы.</para>
|
не будете изменять эти файлы.</para>
|
||||||
</warning><inlinegraphic fileref="images/BD21298_.gif"
|
</warning><inlinegraphic fileref="images/BD21298_.gif"
|
||||||
@ -233,7 +233,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Если же Вы пользовались пакетом .deb, примеры находятся в
|
<para>Если же Вы пользовались пакетом .deb, примеры находятся в
|
||||||
директории<filename
|
директории<filename
|
||||||
class="directory">/usr/share/doc/shorewall/examples/three-interface</filename>.</para>
|
class="directory">/usr/share/doc/shorewall-common/examples/three-interface</filename>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
|
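Review bot: The context line "директории<filename" has no space before the <filename> element, so the path renders joined to the preceding word. The same sentence in the one-interface hunk has the space; add it here while the next line is being changed.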
@ -48,7 +48,7 @@
|
|||||||
|
|
||||||
<important>
|
<important>
|
||||||
<para>Traffic shaping is complex and the Shorewall community is not well
|
<para>Traffic shaping is complex and the Shorewall community is not well
|
||||||
equiped to answer traffic shaping questions. So if you are the type of
|
equipped to answer traffic shaping questions. So if you are the type of
|
||||||
person who needs "insert tab A into slot B" instructions for everything
|
person who needs "insert tab A into slot B" instructions for everything
|
||||||
that you do, then please don't try to implement traffic shaping using
|
that you do, then please don't try to implement traffic shaping using
|
||||||
Shorewall. You will just frustrate yourself and we won't be able to help
|
Shorewall. You will just frustrate yourself and we won't be able to help
|
||||||
@ -92,7 +92,7 @@
|
|||||||
traffic shaping and control. Before this version, the support was quite
|
traffic shaping and control. Before this version, the support was quite
|
||||||
limited. You were able to use your own tcstart script (and you still are),
|
limited. You were able to use your own tcstart script (and you still are),
|
||||||
but besides the tcrules file it was not possible to define classes or
|
but besides the tcrules file it was not possible to define classes or
|
||||||
queueing discplines inside the Shorewall config files.</para>
|
queuing disciplines inside the Shorewall config files.</para>
|
||||||
|
|
||||||
<para>The support for traffic shaping and control still does not cover all
|
<para>The support for traffic shaping and control still does not cover all
|
||||||
options available (and especially all algorithms that can be used to queue
|
options available (and especially all algorithms that can be used to queue
|
||||||
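Review bot: "queueing" in the removed line was not a misspelling; only "discplines" was. "Queueing discipline" is the spelling the Linux tc documentation uses when it expands qdisc, so keeping "queueing disciplines" here, and in the later hunks that make the same substitution, keeps the text searchable against the upstream term.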
@ -108,7 +108,7 @@
|
|||||||
<title>Linux traffic shaping and control</title>
|
<title>Linux traffic shaping and control</title>
|
||||||
|
|
||||||
<para>This section gives a brief introduction of how controlling traffic
|
<para>This section gives a brief introduction of how controlling traffic
|
||||||
with the linux kernel works. Although this might be enough for configuring
|
with the Linux kernel works. Although this might be enough for configuring
|
||||||
it in the Shorewall configuration files, we strongly recommend that you
|
it in the Shorewall configuration files, we strongly recommend that you
|
||||||
take a deeper look into the <ulink url="http://lartc.org/howto/">Linux
|
take a deeper look into the <ulink url="http://lartc.org/howto/">Linux
|
||||||
Advanced Routing and Shaping HOWTO</ulink>. At the time of writing this,
|
Advanced Routing and Shaping HOWTO</ulink>. At the time of writing this,
|
||||||
@ -119,7 +119,7 @@
|
|||||||
traffic before it leaves an interface. The standard one is called pfifo
|
traffic before it leaves an interface. The standard one is called pfifo
|
||||||
and is (as the name suggests) of the type First In First out. This means,
|
and is (as the name suggests) of the type First In First out. This means,
|
||||||
that it does not shape anything, if you have a connection that eats up all
|
that it does not shape anything, if you have a connection that eats up all
|
||||||
your bandwidth, this qeueing algorithm will not stop it from doing
|
your bandwidth, this queuing algorithm will not stop it from doing
|
||||||
so.</para>
|
so.</para>
|
||||||
|
|
||||||
<para>For Shorewall traffic shaping we use two algorithms, one is called
|
<para>For Shorewall traffic shaping we use two algorithms, one is called
|
||||||
@ -127,9 +127,9 @@
|
|||||||
is easy to explain: it just tries to track your connections (tcp or udp
|
is easy to explain: it just tries to track your connections (tcp or udp
|
||||||
streams) and balances the traffic between them. This normally works well.
|
streams) and balances the traffic between them. This normally works well.
|
||||||
HTB allows you to define a set of classes, and you can put the traffic you
|
HTB allows you to define a set of classes, and you can put the traffic you
|
||||||
want into these classes. You can define minimum and maximum bandwitdh
|
want into these classes. You can define minimum and maximum bandwidth
|
||||||
settings for those classes and order them hierachically (the less
|
settings for those classes and order them hierarchically (the less
|
||||||
priorized classes only get bandwitdth if the more important have what they
|
prioritized classes only get bandwidth if the more important have what they
|
||||||
need). Shorewall builtin traffic shaping allows you to define these
|
need). Shorewall builtin traffic shaping allows you to define these
|
||||||
classes (and their bandwidth limits), and it uses SFQ inside these classes
|
classes (and their bandwidth limits), and it uses SFQ inside these classes
|
||||||
to make sure, that different data streams are handled equally.</para>
|
to make sure, that different data streams are handled equally.</para>
|
||||||
@ -148,7 +148,7 @@
|
|||||||
outgoing interface as fast as possible.</para>
|
outgoing interface as fast as possible.</para>
|
||||||
|
|
||||||
<para>There is one exception, though. Limiting incoming traffic to a
|
<para>There is one exception, though. Limiting incoming traffic to a
|
||||||
value a bit slower than your actual line speed will avoid queueing on
|
value a bit slower than your actual line speed will avoid queuing on
|
||||||
the other end of that connection. This is mostly useful if you don't
|
the other end of that connection. This is mostly useful if you don't
|
||||||
have access to traffic control on the other side and if this other
|
have access to traffic control on the other side and if this other
|
||||||
side has a faster network connection than you do (the line speed
|
side has a faster network connection than you do (the line speed
|
||||||
@ -160,16 +160,16 @@
|
|||||||
has not (but the protocol over UDP might recognize it , if there is
|
has not (but the protocol over UDP might recognize it , if there is
|
||||||
any).</para>
|
any).</para>
|
||||||
|
|
||||||
<para>The reason why queing is bad in these cases is, that you might
|
<para>The reason why queuing is bad in these cases is, that you might
|
||||||
have packets which need to be priorized over others, e.g. VoIP or ssh.
|
have packets which need to be prioritized over others, e.g. VoIP or ssh.
|
||||||
For this type of connections it is important that packets arrive in a
|
For this type of connections it is important that packets arrive in a
|
||||||
certain amount of time. For others like http downloads, it does not
|
certain amount of time. For others like HTTP downloads, it does not
|
||||||
really matter if it takes a few seconds more.</para>
|
really matter if it takes a few seconds more.</para>
|
||||||
|
|
||||||
<para>If you have a large queue on the other side and the router there
|
<para>If you have a large queue on the other side and the router there
|
||||||
does not care about QoS or the QoS bits are not set properly, your
|
does not care about QoS or the QoS bits are not set properly, your
|
||||||
important packets will go into the same queue as your less
|
important packets will go into the same queue as your less
|
||||||
timecritical download packets which will result in a large
|
time critical download packets which will result in a large
|
||||||
delay.</para>
|
delay.</para>
|
||||||
</blockquote></para>
|
</blockquote></para>
|
||||||
|
|
||||||
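Review bot: "timecritical" becomes "time critical" in the changed line, but as a compound modifier of "download packets" it should be hyphenated: "less time-critical download packets". The first context line of the hunk also keeps a stray space before the comma in "recognize it , if there is any".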
@ -211,7 +211,7 @@
|
|||||||
<para>RATE - The minimum bandwidth this class should get, when the
|
<para>RATE - The minimum bandwidth this class should get, when the
|
||||||
traffic load rises. Classes with a higher priority (lower PRIORITY
|
traffic load rises. Classes with a higher priority (lower PRIORITY
|
||||||
value) are served even if there are others that have a guaranteed
|
value) are served even if there are others that have a guaranteed
|
||||||
bandwith but have a lower priority (higher PRIORITY value).</para>
|
bandwidth but have a lower priority (higher PRIORITY value).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -338,7 +338,7 @@
|
|||||||
the facility. Again, please see the links at top of this article.</para>
|
the facility. Again, please see the links at top of this article.</para>
|
||||||
|
|
||||||
<para>For defining bandwidths (for either devices or classes) please use
|
<para>For defining bandwidths (for either devices or classes) please use
|
||||||
kbit or kbps(for Kilobytes per second) and make sure there is <emphasis
|
kbit or kbps (for Kilobytes per second) and make sure there is <emphasis
|
||||||
role="bold">NO</emphasis> space between the number and the unit (it is
|
role="bold">NO</emphasis> space between the number and the unit (it is
|
||||||
100kbit <emphasis role="bold">not</emphasis> 100 kbit). Using mbit, mbps
|
100kbit <emphasis role="bold">not</emphasis> 100 kbit). Using mbit, mbps
|
||||||
or a raw number (which means bytes) could be used, but note that only
|
or a raw number (which means bytes) could be used, but note that only
|
||||||
@ -414,7 +414,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>OUT-BANDWIDTH - Specifiy the outgoing bandwidth of that
|
<para>OUT-BANDWIDTH - Specify the outgoing bandwidth of that
|
||||||
interface. This is the maximum speed your connection can handle. It
|
interface. This is the maximum speed your connection can handle. It
|
||||||
is also the speed you can refer as "full" if you define the tc
|
is also the speed you can refer as "full" if you define the tc
|
||||||
classes. Outgoing traffic above this rate will be dropped.</para>
|
classes. Outgoing traffic above this rate will be dropped.</para>
|
||||||
@ -488,7 +488,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>MARK - The mark value which is an integer in the range 1-255.
|
<para>MARK - The mark value which is an integer in the range 1-255.
|
||||||
You define these marks in the tcrules file, marking the traffic you
|
You define these marks in the tcrules file, marking the traffic you
|
||||||
want to go into the queueing classes defined in here. You can use
|
want to go into the queuing classes defined in here. You can use
|
||||||
the same marks for different Interfaces. You must specify "-' in
|
the same marks for different Interfaces. You must specify "-' in
|
||||||
this column if the device specified in the INTERFACE column has the
|
this column if the device specified in the INTERFACE column has the
|
||||||
<emphasis role="bold">classify</emphasis> option in
|
<emphasis role="bold">classify</emphasis> option in
|
||||||
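Review bot: The context line that reads You must specify "-' in this column opens with a double quote and closes with a single quote around a value the reader has to enter literally. Make the quotes match, "-", so it is clear that only the dash goes in the MARK column.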
@ -499,7 +499,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
<para>RATE - The minimum bandwidth this class should get, when the
|
<para>RATE - The minimum bandwidth this class should get, when the
|
||||||
traffic load rises. Please note that first the classes which equal
|
traffic load rises. Please note that first the classes which equal
|
||||||
or a lesser priority value are served even if there are others that
|
or a lesser priority value are served even if there are others that
|
||||||
have a guaranteed bandwith but a lower priority. <emphasis
|
have a guaranteed bandwidth but a lower priority. <emphasis
|
||||||
role="bold">If the sum of the RATEs for all classes assigned to an
|
role="bold">If the sum of the RATEs for all classes assigned to an
|
||||||
INTERFACE exceed that interfaces's OUT-BANDWIDTH, then the
|
INTERFACE exceed that interfaces's OUT-BANDWIDTH, then the
|
||||||
OUT-BANDWIDTH limit will not be honored.</emphasis></para>
|
OUT-BANDWIDTH limit will not be honored.</emphasis></para>
|
||||||
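Review bot: The bold warning still reads "exceed that interfaces's OUT-BANDWIDTH"; the pass fixed "bandwith" just above but left "interfaces's" and the verb agreement. Suggest "exceeds that interface's OUT-BANDWIDTH", since this is the sentence that tells the reader when the limit stops being honored.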
@ -517,7 +517,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>PRIORITY - you have to define a priority for the class.
|
<para>PRIORITY - you have to define a priority for the class.
|
||||||
packets in a class with a higher priority (=lesser value) are
|
packets in a class with a higher priority (=lesser value) are
|
||||||
handled before less priorized onces. You can just define the mark
|
handled before less prioritized ones. You can just define the mark
|
||||||
value here also, if you are increasing the mark values with lesser
|
value here also, if you are increasing the mark values with lesser
|
||||||
priority.</para>
|
priority.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -749,7 +749,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
iprange match support, IP address ranges are also allowed. List
|
iprange match support, IP address ranges are also allowed. List
|
||||||
elements may also consist of an interface name followed by ":" and
|
elements may also consist of an interface name followed by ":" and
|
||||||
an address (e.g., eth1:192.168.1.0/24). If the MARK column
|
an address (e.g., eth1:192.168.1.0/24). If the MARK column
|
||||||
specificies a classification of the form <major>:<minor>
|
specifies a classification of the form <major>:<minor>
|
||||||
then this column may also contain an interface name.</para>
|
then this column may also contain an interface name.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -791,7 +791,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
<para>[!][<user name or number>]:[<group name or
|
<para>[!][<user name or number>]:[<group name or
|
||||||
number>][+<program name>]</para>
|
number>][+<program name>]</para>
|
||||||
|
|
||||||
<para>The colon is optionnal when specifying only a user.</para>
|
<para>The colon is optional when specifying only a user.</para>
|
||||||
|
|
||||||
<para>Examples:</para>
|
<para>Examples:</para>
|
||||||
|
|
||||||
@ -833,7 +833,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
match.</para>
|
match.</para>
|
||||||
|
|
||||||
<para>You must have iptables length support for this to work. If you
|
<para>You must have iptables length support for this to work. If you
|
||||||
let it empy or place an "-" here, no length match will be
|
let it empty or place an "-" here, no length match will be
|
||||||
done.</para>
|
done.</para>
|
||||||
|
|
||||||
<para>Examples: 1024, 64:1500, :100</para>
|
<para>Examples: 1024, 64:1500, :100</para>
|
||||||
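Review bot: the corrected line `let it empty or place an "-" here` fixes the spelling of "empty" but the sentence is still ungrammatical. Suggest `leave it empty or place a "-" here`.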
@ -861,7 +861,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>HELPER (Optional, added in Shorewall version 4.2.0 Beta 2).
|
<para>HELPER (Optional, added in Shorewall version 4.2.0 Beta 2).
|
||||||
Names one of the Netfiler protocol helper modules such as
|
Names one of the Netfilter protocol helper modules such as
|
||||||
<emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
|
<emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
|
||||||
<emphasis>amanda</emphasis>, etc.</para>
|
<emphasis>amanda</emphasis>, etc.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
@ -939,7 +939,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
|
|||||||
<para>The last four rules can be translated as:</para>
|
<para>The last four rules can be translated as:</para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<para>"If a packet hasn't been classifed (packet mark is 0), copy
|
<para>"If a packet hasn't been classified (packet mark is 0), copy
|
||||||
the connection mark to the packet mark. If the packet mark is set,
|
the connection mark to the packet mark. If the packet mark is set,
|
||||||
we're done. If the packet is P2P, set the packet mark to 4. If the
|
we're done. If the packet is P2P, set the packet mark to 4. If the
|
||||||
packet mark has been set, save it to the connection mark."</para>
|
packet mark has been set, save it to the connection mark."</para>
|
||||||
@ -966,10 +966,10 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
|
|||||||
<section id="ppp">
|
<section id="ppp">
|
||||||
<title>ppp devices</title>
|
<title>ppp devices</title>
|
||||||
|
|
||||||
<para>If you use ppp/pppoe/pppoa) to connect to your internet provider
|
<para>If you use ppp/pppoe/pppoa) to connect to your Internet provider
|
||||||
and you use traffic shaping you need to restart shorewall traffic
|
and you use traffic shaping you need to restart shorewall traffic
|
||||||
shaping. The reason for this is, that if the ppp connection gets
|
shaping. The reason for this is, that if the ppp connection gets
|
||||||
restarted (and it usally does this at least daily), all
|
restarted (and it usually does this at least daily), all
|
||||||
<quote>tc</quote> filters/qdiscs related to that interface are
|
<quote>tc</quote> filters/qdiscs related to that interface are
|
||||||
deleted.</para>
|
deleted.</para>
|
||||||
|
|
||||||
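Review bot: the changed line "If you use ppp/pppoe/pppoa) to connect to your Internet provider" keeps an unmatched closing parenthesis after "pppoa". Either drop it or add the opening parenthesis. In the next context lines, "The reason for this is, that" also reads better without the comma.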
@ -994,7 +994,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
|
|||||||
url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>.
|
url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>.
|
||||||
Please note that they are just examples and need to be adjusted to
|
Please note that they are just examples and need to be adjusted to
|
||||||
work for you. In this example it is assumed that your interface for
|
work for you. In this example it is assumed that your interface for
|
||||||
you internet connection is ppp0 (for DSL), if you use another
|
your Internet connection is ppp0 (for DSL), if you use another
|
||||||
connection type, you have to change it. You also need to change the
|
connection type, you have to change it. You also need to change the
|
||||||
settings in the tcdevices.wondershaper file to reflect your line
|
settings in the tcdevices.wondershaper file to reflect your line
|
||||||
speed. The relevant lines of the config files follow here. Please note
|
speed. The relevant lines of the config files follow here. Please note
|
||||||
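Review bot: the ulink in the first context line of this hunk has a stray double quote at the start of its link text (`">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>`). Remove the quote so the rendered link text matches the URL in the `url` attribute.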
@ -1071,7 +1071,7 @@ NOPRIOPORTDST="6662 6663" </programlisting>
|
|||||||
<section id="simiple">
|
<section id="simiple">
|
||||||
<title>A simple setup</title>
|
<title>A simple setup</title>
|
||||||
|
|
||||||
<para>This is a simple setup for people sharing an internet connection
|
<para>This is a simple setup for people sharing an Internet connection
|
||||||
and using different computers for this. It just basically shapes
|
and using different computers for this. It just basically shapes
|
||||||
between 2 hosts which have the ip addresses 192.168.2.23 and
|
between 2 hosts which have the ip addresses 192.168.2.23 and
|
||||||
192.168.2.42</para>
|
192.168.2.42</para>
|
||||||
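Review bot: `<section id="simiple">` in the context looks like a misspelling of "simple" that a spell checker will not see inside an attribute value. If the id is renamed, every link or xref that points at the old id has to change in the same commit, so check for references before touching it.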
@ -1167,7 +1167,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Traffic being forwarded from the internet</para>
|
<para>Traffic being forwarded from the Internet</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -1687,4 +1687,4 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
|
|||||||
<para>At least one Shorewall user has found this tool helpful: <ulink
|
<para>At least one Shorewall user has found this tool helpful: <ulink
|
||||||
url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para>
|
url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
||||||
|
@ -140,7 +140,7 @@ gateway:~/test # </programlisting>This information is useful to Shorewall
|
|||||||
|
|
||||||
<para>The end of the compile phase is signaled by a message such as the
|
<para>The end of the compile phase is signaled by a message such as the
|
||||||
following:<programlisting>Shorewall configuration compiled to /var/lib/shorewall/.restart</programlisting>Errors
|
following:<programlisting>Shorewall configuration compiled to /var/lib/shorewall/.restart</programlisting>Errors
|
||||||
occuring past that point are said to occur at
|
occurring past that point are said to occur at
|
||||||
<firstterm>run-time</firstterm> because they occur during the running of
|
<firstterm>run-time</firstterm> because they occur during the running of
|
||||||
the compiled firewall script (/var/lib/shorewall/.restart in the case of
|
the compiled firewall script (/var/lib/shorewall/.restart in the case of
|
||||||
the above message).</para>
|
the above message).</para>
|
||||||
|
@ -164,7 +164,7 @@
|
|||||||
class="directory">/etc/shorewall</filename> directory is empty. This
|
class="directory">/etc/shorewall</filename> directory is empty. This
|
||||||
is intentional. The released configuration file skeletons may be found
|
is intentional. The released configuration file skeletons may be found
|
||||||
on your system in the directory <filename
|
on your system in the directory <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||||
Simply copy the files you need from that directory to <filename
|
Simply copy the files you need from that directory to <filename
|
||||||
class="directory">/etc/shorewall</filename> and modify the
|
class="directory">/etc/shorewall</filename> and modify the
|
||||||
copies.</para>
|
copies.</para>
|
||||||
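Review bot: the change on the `default-config` line is not a spelling fix. It moves the documented directory from /usr/share/doc/shorewall/default-config to /usr/share/doc/shorewall-common/default-config, while the commit message only mentions a spell-checker pass. Mention the path change in the commit message or split it out, and confirm the new path against what the package installs, because readers copy their configuration files from it.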
@ -269,10 +269,10 @@ loc ipv4</programlisting>Zones are defined in the <ulink
|
|||||||
first policy in <filename
|
first policy in <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||||
that matches the request is applied. If there is a <ulink
|
that matches the request is applied. If there is a <ulink
|
||||||
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the
|
url="shorewall_extension_scripts.htm">common action</ulink> defined for the
|
||||||
policy in <filename>/etc/shorewall/actions</filename> or
|
policy in <filename>/etc/shorewall/actions</filename> or
|
||||||
<filename>/usr/share/shorewall/actions.std</filename> then that action is
|
<filename>/usr/share/shorewall/actions.std</filename> then that action is
|
||||||
peformed before the action is applied. The purpose of the common action is
|
performed before the action is applied. The purpose of the common action is
|
||||||
two-fold:</para>
|
two-fold:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
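Review bot: the corrected sentence "then that action is performed before the action is applied" uses "action" for two different things, which makes it hard to tell what is applied second. If the second one refers to the policy named in the previous sentence, say "before the policy is applied".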
@ -296,32 +296,32 @@ loc net ACCEPT
|
|||||||
net all DROP info
|
net all DROP info
|
||||||
all all REJECT info</programlisting>In the two-interface
|
all all REJECT info</programlisting>In the two-interface
|
||||||
sample, the line below is included but commented out. If you want your
|
sample, the line below is included but commented out. If you want your
|
||||||
firewall system to have full access to servers on the internet, uncomment
|
firewall system to have full access to servers on the Internet, uncomment
|
||||||
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||||
$FW net ACCEPT</programlisting> The above policy will:
|
$FW net ACCEPT</programlisting> The above policy will:
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Allow all connection requests from your local network to the
|
<para>Allow all connection requests from your local network to the
|
||||||
internet</para>
|
Internet</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Drop (ignore) all connection requests from the internet to
|
<para>Drop (ignore) all connection requests from the Internet to
|
||||||
your firewall or local network</para>
|
your firewall or local network</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Optionally accept all connection requests from the firewall to
|
<para>Optionally accept all connection requests from the firewall to
|
||||||
the internet (if you uncomment the additional policy)</para>
|
the Internet (if you uncomment the additional policy)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>reject all other connection requests.</para>
|
<para>reject all other connection requests.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist> The word <firstterm>info</firstterm> in the LOG LEVEL
|
</itemizedlist> The word <firstterm>info</firstterm> in the LOG LEVEL
|
||||||
column for the DROP and REJECT policies indicates that packets droped or
|
column for the DROP and REJECT policies indicates that packets dropped or
|
||||||
rejected under those policies should be <ulink
|
rejected under those policies should be <ulink
|
||||||
url="shorewall_logging.html">logged at that leve</ulink>l.</para>
|
url="shorewall_logging.html">logged at that level</ulink>.</para>
|
||||||
|
|
||||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||||
|
|
||||||
@ -349,7 +349,7 @@ $FW net ACCEPT</programlisting> The above policy will:
|
|||||||
|
|
||||||
<para>The firewall has two network interfaces. Where Internet connectivity
|
<para>The firewall has two network interfaces. Where Internet connectivity
|
||||||
is through a cable or <acronym>DSL</acronym> <quote>Modem</quote>, the
|
is through a cable or <acronym>DSL</acronym> <quote>Modem</quote>, the
|
||||||
<emphasis>External Interface</emphasis> will be the ethernet adapter that
|
<emphasis>External Interface</emphasis> will be the Ethernet adapter that
|
||||||
is connected to that <quote>Modem</quote> (e.g., <filename
|
is connected to that <quote>Modem</quote> (e.g., <filename
|
||||||
class="devicefile">eth0</filename>) unless you connect via
|
class="devicefile">eth0</filename>) unless you connect via
|
||||||
<emphasis>Point-to-Point Protocol</emphasis> over Ethernet
|
<emphasis>Point-to-Point Protocol</emphasis> over Ethernet
|
||||||
@ -395,7 +395,7 @@ root@lists:~# </programlisting>
|
|||||||
<varname>CLAMPMSS=yes</varname> in <filename
|
<varname>CLAMPMSS=yes</varname> in <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename></emphasis>.</para>
|
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename></emphasis>.</para>
|
||||||
|
|
||||||
<para>Your <emphasis>Internal Interface</emphasis> will be an ethernet
|
<para>Your <emphasis>Internal Interface</emphasis> will be an Ethernet
|
||||||
adapter (<filename class="devicefile">eth1</filename> or <filename
|
adapter (<filename class="devicefile">eth1</filename> or <filename
|
||||||
class="devicefile">eth0</filename>) and will be connected to a hub or
|
class="devicefile">eth0</filename>) and will be connected to a hub or
|
||||||
switch. Your other computers will be connected to the same hub/switch
|
switch. Your other computers will be connected to the same hub/switch
|
||||||
@ -565,7 +565,7 @@ root@lists:~# </programlisting>
|
|||||||
(<ulink
|
(<ulink
|
||||||
url="http://www.phptr.com/browse/product.asp?product_id={58D4F6D4-54C5-48BA-8EDD-86EBD7A42AF6}">link</ulink>).</para>
|
url="http://www.phptr.com/browse/product.asp?product_id={58D4F6D4-54C5-48BA-8EDD-86EBD7A42AF6}">link</ulink>).</para>
|
||||||
|
|
||||||
<para id="Diagram">The remainder of this quide will assume that you have
|
<para id="Diagram">The remainder of this guide will assume that you have
|
||||||
configured your network as shown here: <mediaobject>
|
configured your network as shown here: <mediaobject>
|
||||||
<imageobject>
|
<imageobject>
|
||||||
<imagedata align="center" fileref="images/basics1.png" format="PNG" />
|
<imagedata align="center" fileref="images/basics1.png" format="PNG" />
|
||||||
@ -588,14 +588,14 @@ root@lists:~# </programlisting>
|
|||||||
don't forward packets which have an RFC-1918 destination address. When one
|
don't forward packets which have an RFC-1918 destination address. When one
|
||||||
of your local systems (let's assume computer 1 in the <link
|
of your local systems (let's assume computer 1 in the <link
|
||||||
linkend="Diagram">above diagram</link>) sends a connection request to an
|
linkend="Diagram">above diagram</link>) sends a connection request to an
|
||||||
internet host, the firewall must perform <emphasis>Network Address
|
Internet host, the firewall must perform <emphasis>Network Address
|
||||||
Translation</emphasis> (<acronym>NAT</acronym>). The firewall rewrites the
|
Translation</emphasis> (<acronym>NAT</acronym>). The firewall rewrites the
|
||||||
source address in the packet to be the address of the firewall's external
|
source address in the packet to be the address of the firewall's external
|
||||||
interface; in other words, the firewall makes it appear to the destination
|
interface; in other words, the firewall makes it appear to the destination
|
||||||
internet host as if the firewall itself is initiating the connection. This
|
Internet host as if the firewall itself is initiating the connection. This
|
||||||
is necessary so that the destination host will be able to route return
|
is necessary so that the destination host will be able to route return
|
||||||
packets back to the firewall (remember that packets whose destination
|
packets back to the firewall (remember that packets whose destination
|
||||||
address is reserved by RFC 1918 can't be routed across the internet so the
|
address is reserved by RFC 1918 can't be routed across the Internet so the
|
||||||
remote host can't address its response to computer 1). When the firewall
|
remote host can't address its response to computer 1). When the firewall
|
||||||
receives a return packet, it rewrites the destination address back to
|
receives a return packet, it rewrites the destination address back to
|
||||||
<systemitem class="ipaddress">10.10.10.1</systemitem> and forwards the
|
<systemitem class="ipaddress">10.10.10.1</systemitem> and forwards the
|
||||||
@ -662,7 +662,7 @@ root@lists:~# </programlisting>
|
|||||||
|
|
||||||
<para>One of your goals may be to run one or more servers on your local
|
<para>One of your goals may be to run one or more servers on your local
|
||||||
computers. Because these computers have RFC-1918 addresses, it is not
|
computers. Because these computers have RFC-1918 addresses, it is not
|
||||||
possible for clients on the internet to connect directly to them. It is
|
possible for clients on the Internet to connect directly to them. It is
|
||||||
rather necessary for those clients to address their connection requests to
|
rather necessary for those clients to address their connection requests to
|
||||||
the firewall who rewrites the destination address to the address of your
|
the firewall who rewrites the destination address to the address of your
|
||||||
server and forwards the packet to that server. When your server responds,
|
server and forwards the packet to that server. When your server responds,
|
||||||
@ -682,7 +682,7 @@ root@lists:~# </programlisting>
|
|||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
DNAT net loc:<emphasis><server local ip address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting><important>
|
DNAT net loc:<emphasis><server local ip address></emphasis>[:<emphasis><server port></emphasis>] <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting><important>
|
||||||
<para>Be sure to add your rules after the line that reads <emphasis
|
<para>Be sure to add your rules after the line that reads <emphasis
|
||||||
role="bold">SECTON NEW.</emphasis></para>
|
role="bold">SECTION NEW.</emphasis></para>
|
||||||
</important><important>
|
</important><important>
|
||||||
<para>The server must have a static IP address. If you assign IP
|
<para>The server must have a static IP address. If you assign IP
|
||||||
addresses to your local system using DHCP, you need to configure your
|
addresses to your local system using DHCP, you need to configure your
|
||||||
@ -822,7 +822,7 @@ DNS/ACCEPT $FW net</programlisting>This rule allows
|
|||||||
<acronym>DNS</acronym> access from your firewall and may be removed if you
|
<acronym>DNS</acronym> access from your firewall and may be removed if you
|
||||||
uncommented the line in <filename
|
uncommented the line in <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||||
allowing all connections from the firewall to the internet.</para>
|
allowing all connections from the firewall to the Internet.</para>
|
||||||
|
|
||||||
<para>In the rule shown above, <quote>DNS/ACCEPT</quote> is an example of
|
<para>In the rule shown above, <quote>DNS/ACCEPT</quote> is an example of
|
||||||
a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
|
a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
|
||||||
@ -863,8 +863,8 @@ Web/ACCEPT loc $FW </programlisting>Those two rules would of
|
|||||||
</example> If you don't know what port and protocol a particular
|
</example> If you don't know what port and protocol a particular
|
||||||
application uses, look <ulink url="ports.htm">here</ulink>. <important>
|
application uses, look <ulink url="ports.htm">here</ulink>. <important>
|
||||||
<para>I don't recommend enabling <command>telnet</command> to/from the
|
<para>I don't recommend enabling <command>telnet</command> to/from the
|
||||||
internet because it uses clear text (even for login!). If you want
|
Internet because it uses clear text (even for login!). If you want
|
||||||
shell access to your firewall from the internet, use
|
shell access to your firewall from the Internet, use
|
||||||
<acronym>SSH</acronym>:</para>
|
<acronym>SSH</acronym>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||||
@ -1022,7 +1022,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
|||||||
access to/from other hosts, change <filename
|
access to/from other hosts, change <filename
|
||||||
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>
|
class="directory">/etc/shorewall/</filename><filename>routestopped</filename>
|
||||||
accordingly. <warning>
|
accordingly. <warning>
|
||||||
<para>If you are connected to your firewall from the internet, do not
|
<para>If you are connected to your firewall from the Internet, do not
|
||||||
issue a <quote><command>shorewall stop</command></quote> command
|
issue a <quote><command>shorewall stop</command></quote> command
|
||||||
unless you have added an entry for the <acronym>IP</acronym> address
|
unless you have added an entry for the <acronym>IP</acronym> address
|
||||||
that you are connected from to <filename
|
that you are connected from to <filename
|
||||||
@ -1073,11 +1073,11 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
|||||||
|
|
||||||
<para>Once you have the two-interface setup working, the next logical step
|
<para>Once you have the two-interface setup working, the next logical step
|
||||||
is to add a Wireless Network. The first step involves adding an additional
|
is to add a Wireless Network. The first step involves adding an additional
|
||||||
network card to your firewall, either a Wireless card or an ethernet card
|
network card to your firewall, either a Wireless card or an Ethernet card
|
||||||
that is connected to a Wireless Access Point.<caution>
|
that is connected to a Wireless Access Point.<caution>
|
||||||
<para>When you add a network card, it won't necessarily be detected as
|
<para>When you add a network card, it won't necessarily be detected as
|
||||||
the next highest ethernet interface. For example, if you have two
|
the next highest Ethernet interface. For example, if you have two
|
||||||
ethernet cards in your system (<filename
|
Ethernet cards in your system (<filename
|
||||||
class="devicefile">eth0</filename> and <filename
|
class="devicefile">eth0</filename> and <filename
|
||||||
class="devicefile">eth1</filename>) and you add a third card that uses
|
class="devicefile">eth1</filename>) and you add a third card that uses
|
||||||
the same driver as one of the other two, that third card won't
|
the same driver as one of the other two, that third card won't
|
||||||
@ -1130,7 +1130,7 @@ loc wlan0 detect maclist</programlisting>
|
|||||||
url="MAC_Validation.html">maclist option</ulink> for the wireless
|
url="MAC_Validation.html">maclist option</ulink> for the wireless
|
||||||
segment. By adding entries for computers 3 and 4 in
|
segment. By adding entries for computers 3 and 4 in
|
||||||
<filename>/etc/shorewall/maclist</filename>, you help ensure that your
|
<filename>/etc/shorewall/maclist</filename>, you help ensure that your
|
||||||
neighbors aren't getting a free ride on your internet connection.
|
neighbors aren't getting a free ride on your Internet connection.
|
||||||
Start by omitting that option; when you have everything working, then
|
Start by omitting that option; when you have everything working, then
|
||||||
add the option and configure your
|
add the option and configure your
|
||||||
<filename>/etc/shorewall/maclist</filename> file.</para>
|
<filename>/etc/shorewall/maclist</filename> file.</para>
|
||||||
@ -1139,7 +1139,7 @@ loc wlan0 detect maclist</programlisting>
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>You need to add an entry to the
|
<para>You need to add an entry to the
|
||||||
<filename>/etc/shorewall/masq</filename> file to masquerade traffic
|
<filename>/etc/shorewall/masq</filename> file to masquerade traffic
|
||||||
from the wireless network to the internet. If your internet interface
|
from the wireless network to the Internet. If your Internet interface
|
||||||
is <filename class="devicefile">eth0</filename> and your wireless
|
is <filename class="devicefile">eth0</filename> and your wireless
|
||||||
interface is <filename class="devicefile">wlan0</filename>, the entry
|
interface is <filename class="devicefile">wlan0</filename>, the entry
|
||||||
would be:</para>
|
would be:</para>
|
||||||
|
@ -173,15 +173,15 @@
|
|||||||
директория <filename class="directory">/etc/shorewall</filename>
|
директория <filename class="directory">/etc/shorewall</filename>
|
||||||
пуста. Это сделано специально. Поставляемые шаблоны файлов
|
пуста. Это сделано специально. Поставляемые шаблоны файлов
|
||||||
конфигурации Вы найдете на вашей системе в директории <filename
|
конфигурации Вы найдете на вашей системе в директории <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config</filename>.
|
class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
|
||||||
Просто скопируйте нужные Вам файлы из этой директории в <filename
|
Просто скопируйте нужные Вам файлы из этой директории в <filename
|
||||||
class="directory">/etc/shorewall</filename> и отредактируйте
|
class="directory">/etc/shorewall</filename> и отредактируйте
|
||||||
копии.</para>
|
копии.</para>
|
||||||
|
|
||||||
<para>Заметьте, что Вы должны скопировать <filename
|
<para>Заметьте, что Вы должны скопировать <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
|
class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
|
||||||
и <filename
|
и <filename
|
||||||
class="directory">/usr/share/doc/shorewall/default-config/modules</filename>
|
class="directory">/usr/share/doc/shorewall=common/default-config/modules</filename>
|
||||||
в <filename class="directory">/etc/shorewall</filename> даже если Вы
|
в <filename class="directory">/etc/shorewall</filename> даже если Вы
|
||||||
не будете изменять эти файлы.</para>
|
не будете изменять эти файлы.</para>
|
||||||
</warning><inlinegraphic fileref="images/BD21298_.gif"
|
</warning><inlinegraphic fileref="images/BD21298_.gif"
|
||||||
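Review bot: the new `modules` path introduces a typo: `class="directory">/usr/share/doc/shorewall=common/default-config/modules</filename>` has `=` where the other two paths changed in this hunk have `-`. It should read `shorewall-common`, otherwise a reader copying the path gets a directory that does not exist.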
@ -221,7 +221,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>Если же Вы пользовались пакетом .deb, примеры находятся в
|
<para>Если же Вы пользовались пакетом .deb, примеры находятся в
|
||||||
директории<filename
|
директории<filename
|
||||||
class="directory">/usr/share/doc/shorewall/examples/two-interface</filename>.</para>
|
class="directory">/usr/share/doc/shorewall-common/examples/two-interface</filename>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
|
|
||||||
@ -1068,4 +1068,4 @@ eth0 wlan0</programlisting>
|
|||||||
Вашем файерволе потребует правил, перечисленных в <ulink
|
Вашем файерволе потребует правил, перечисленных в <ulink
|
||||||
url="samba.htm">документации Shorewall/Samba</ulink>.</para>
|
url="samba.htm">документации Shorewall/Samba</ulink>.</para>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
||||||
|
@ -167,7 +167,7 @@ shorewall restart</command></programlisting> The RPMs are set up so that if
|
|||||||
<para>Insure correct operation. Default actions can also avoid
|
<para>Insure correct operation. Default actions can also avoid
|
||||||
common pitfalls like dropping connection requests on TCP port 113.
|
common pitfalls like dropping connection requests on TCP port 113.
|
||||||
If these connections are dropped (rather than rejected) then you
|
If these connections are dropped (rather than rejected) then you
|
||||||
may encounter problems connecting to internet services that
|
may encounter problems connecting to Internet services that
|
||||||
utilize the AUTH protocol of client authentication.</para>
|
utilize the AUTH protocol of client authentication.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
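Review bot: the first context line of this hunk still says "Insure correct operation", which should be "Ensure correct operation". It passes a spell checker because "insure" is a valid word, so it needs a manual fix.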
@ -485,7 +485,7 @@ all all REJECT:MyReject info</programlisting>
|
|||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Beginning with this release, the way in which packet marking in
|
<para>Beginning with this release, the way in which packet marking in
|
||||||
the PREROUTING chain interracts with the 'track' option in
|
the PREROUTING chain interacts with the 'track' option in
|
||||||
/etc/shorewall/providers has changed in two ways:</para>
|
/etc/shorewall/providers has changed in two ways:</para>
|
||||||
|
|
||||||
<orderedlist numeration="loweralpha">
|
<orderedlist numeration="loweralpha">
|
||||||
|
@ -42,7 +42,7 @@
|
|||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row rowsep="0" valign="middle">
|
<row rowsep="0" valign="middle">
|
||||||
<entry align="left">NetFilter Site: <ulink
|
<entry align="left">Netfilter Site: <ulink
|
||||||
url="http://www.netfilter.org/">http://www.netfilter.org/</ulink></entry>
|
url="http://www.netfilter.org/">http://www.netfilter.org/</ulink></entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
@ -79,7 +79,7 @@
|
|||||||
|
|
||||||
<row rowsep="0" valign="middle">
|
<row rowsep="0" valign="middle">
|
||||||
<entry>Debian apt-get sources for Shorewall: <ulink
|
<entry>Debian apt-get sources for Shorewall: <ulink
|
||||||
url="http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian</ulink></entry>
|
url="http://people.connexer.com/~roberto/debian/"></ulink>http://people.connexer.com/~roberto/debian/</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
<row rowsep="0" valign="middle">
|
<row rowsep="0" valign="middle">
|
||||||
|
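Review bot: the replaced Debian sources line closes the link before its text: `<ulink url="http://people.connexer.com/~roberto/debian/"></ulink>http://people.connexer.com/~roberto/debian/</entry>`. The ulink element is now empty and the URL renders as plain text. Move `</ulink>` after the URL, as in the removed line. The change of URL itself is also a content change beyond spell checking and should be mentioned in the commit message.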
@ -42,7 +42,7 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The local network uses <acronym>SNAT</acronym> to the internet and
|
<para>The local network uses <acronym>SNAT</acronym> to the Internet and
|
||||||
is comprised of the Class B network <literal>10.10.0.0/16</literal>
|
is comprised of the Class B network <literal>10.10.0.0/16</literal>
|
||||||
(Note: While this example uses an RFC 1918 local network, the technique
|
(Note: While this example uses an RFC 1918 local network, the technique
|
||||||
described here in no way depends on that or on <acronym>SNAT</acronym>.
|
described here in no way depends on that or on <acronym>SNAT</acronym>.
|
||||||
@ -90,7 +90,7 @@ dmz ipv4</programlisting>
|
|||||||
|
|
||||||
<bridgehead renderas="sect4">Interfaces File</bridgehead>
|
<bridgehead renderas="sect4">Interfaces File</bridgehead>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROACAST OPTIONS
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
net eth0 <whatever> ...
|
net eth0 <whatever> ...
|
||||||
dmz eth1 <whatever> ...
|
dmz eth1 <whatever> ...
|
||||||
- eth2 10.10.255.255</programlisting>
|
- eth2 10.10.255.255</programlisting>
|
||||||
|