Finish passing through all the documentation with a spell checker.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8670 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
el_cubano 2008-08-15 05:03:24 +00:00
parent aac55dbac4
commit 025e97c8bb
49 changed files with 244 additions and 244 deletions

View File

@ -494,7 +494,7 @@ show_command() {
;; ;;
classifiers|filters) classifiers|filters)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
echo "$PRODUCT $version Clasifiers at $HOSTNAME - $(date)" echo "$PRODUCT $version Classifiers at $HOSTNAME - $(date)"
echo echo
show_classifiers show_classifiers
;; ;;
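Review bot: the commit message describes a pass over "all the documentation", but this hunk edits a user-visible output string in the `show_command()` shell function (`Clasifiers` to `Classifiers` in the `classifiers|filters` case), not a documentation file; the message should mention the script change so anyone matching on the old output text knows it moved. The correction itself is right.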

View File

@ -66,8 +66,8 @@
the Shorewall Debian Maintainer:</para> the Shorewall Debian Maintainer:</para>
<para><quote>For more information about Shorewall usage on Debian <para><quote>For more information about Shorewall usage on Debian
system please look at /usr/share/doc/shorewall/README.Debian provided system please look at /usr/share/doc/shorewall-common/README.Debian
by [the] shorewall Debian package.</quote></para> provided by [the] shorewall-common Debian package.</quote></para>
</important> </important>
<para>If you install using the .deb, you will find that your <filename <para>If you install using the .deb, you will find that your <filename
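Review bot: this hunk rewrites text inside a `<quote>` element attributed to the Shorewall Debian Maintainer (the path becomes `/usr/share/doc/shorewall-common/README.Debian` and the package becomes `shorewall-common`), which is a content change to a direct quotation rather than a spelling fix. Either confirm the new wording with the quoted source or move the path and package name outside the `<quote>` so the document no longer attributes words to him that he may not have written; the existing `[the]` bracket shows the author was already marking editorial changes to this quote.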
@ -89,7 +89,7 @@
class="directory">/usr/share/doc/shorewall/examples/</filename>. class="directory">/usr/share/doc/shorewall/examples/</filename>.
Beginning with Shorewall 4.0, the samples are in the shorewall-common Beginning with Shorewall 4.0, the samples are in the shorewall-common
package and are installed in <filename package and are installed in <filename
class="directory">/usr/share/doc/shorewall-common/examples</filename>/.</para> class="directory">/usr/share/doc/shorewall-common/examples/</filename>.</para>
</section> </section>
</section> </section>
@ -1255,7 +1255,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
standardized and will vary by distribution and distribution version. standardized and will vary by distribution and distribution version.
But anytime you see no logging, it's time to look outside the But anytime you see no logging, it's time to look outside the
Shorewall configuration for the cause. As an example, recent Shorewall configuration for the cause. As an example, recent
<trademark>SuSE</trademark> releases use syslog-ng by default and <trademark>SUSE</trademark> releases use syslog-ng by default and
write Shorewall messages to write Shorewall messages to
<filename>/var/log/firewall</filename>.</para> <filename>/var/log/firewall</filename>.</para>
@ -1861,7 +1861,7 @@ iptables: Invalid argument
<listitem> <listitem>
<para>if you don't need policy match support (you are not using the <para>if you don't need policy match support (you are not using the
IPSEC implementation built into the 2.6 kernel) then you can rename IPSEC implementation builtinto the 2.6 kernel) then you can rename
<filename>/lib/iptables/libipt_policy.so</filename>.</para> <filename>/lib/iptables/libipt_policy.so</filename>.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
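Review bot: the list item line turns `built into the 2.6 kernel` into `builtinto the 2.6 kernel`, which is a spell-checker mis-correction, not a fix; `built into` (two words) was correct and should be restored. It is worth grepping the whole changeset for `builtinto` before merging, since a global replace of `built in` produces this non-word wherever the phrase is followed by `to`.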
@ -2004,7 +2004,7 @@ iptables: Invalid argument
<title>Traffic Shaping</title> <title>Traffic Shaping</title>
<section id="faq67"> <section id="faq67">
<title>(FAQ 67) I just configured Shorewall's built in traffic shaping <title>(FAQ 67) I just configured Shorewall's builtin traffic shaping
and now Shorewall fails to Start.</title> and now Shorewall fails to Start.</title>
<para>The error I receive is as follows:<programlisting>RTNETLINK answers: No such file or directory <para>The error I receive is as follows:<programlisting>RTNETLINK answers: No such file or directory
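Review bot: `built in traffic shaping` becomes `builtin traffic shaping` in the FAQ 67 title; used as an adjective the conventional form is `built-in`, and `builtin` is better reserved for shell builtins. The same title also has `fails to Start` with a capital S that the pass left alone.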

View File

@ -268,9 +268,9 @@
to configure Shorewall, please heed the advice of Lorenzo Martignoni, to configure Shorewall, please heed the advice of Lorenzo Martignoni,
the Shorewall Debian Maintainer:</para> the Shorewall Debian Maintainer:</para>
<para><quote>For more information about Shorewall usage on Debian system <para><quote>For more information about Shorewall usage on Debian
please look at /usr/share/doc/shorewall/README.Debian provided by [the] system please look at /usr/share/doc/shorewall-common/README.Debian
shorewall Debian package.</quote></para> provided by [the] shorewall-common Debian package.</quote></para>
</important> </important>
<para>The easiest way to install Shorewall on Debian, is to use <para>The easiest way to install Shorewall on Debian, is to use
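Review bot: same concern as the Debian install note in the FAQ: the path and package name inside the `<quote>` attributed to Lorenzo Martignoni are changed to `shorewall-common`, which is an edit to a direct quotation rather than a spelling correction. Confirm the wording with the source or mark the change editorially, as `[the]` already does on the last line of the quote.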

View File

@ -44,12 +44,12 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><ulink url="http://www.netfilter.org">Netfilter</ulink> - the <para><ulink url="http://www.netfilter.org">Netfilter</ulink> - the
packet filter facility built into the 2.4 and later Linux packet filter facility builtinto the 2.4 and later Linux
kernels.</para> kernels.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>ipchains - the packet filter facility built into the 2.2 Linux <para>ipchains - the packet filter facility builtinto the 2.2 Linux
kernels. Also the name of the utility program used to configure and kernels. Also the name of the utility program used to configure and
control that facility. Netfilter can be used in ipchains control that facility. Netfilter can be used in ipchains
compatibility mode.</para> compatibility mode.</para>
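Review bot: both `<para>` lines in this hunk now read `builtinto` (`packet filter facility builtinto the 2.4 and later Linux kernels`, and again for ipchains on the 2.2 kernels); the original `built into` was correct and the replacement is a typo introduced by the spell-check pass. Please revert these two lines to `built into`.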

View File

@ -137,7 +137,7 @@ ACCEPT net loc:10.1.1.2 tcp 80 - 13
routers with a long ARP cache timeout. If you move a system from parallel routers with a long ARP cache timeout. If you move a system from parallel
to your firewall to behind your firewall with one-to-one NAT, it will to your firewall to behind your firewall with one-to-one NAT, it will
probably be HOURS before that system can communicate with the probably be HOURS before that system can communicate with the
internet.</para> Internet.</para>
<para>If you sniff traffic on the firewall's external interface, you can <para>If you sniff traffic on the firewall's external interface, you can
see incoming traffic for the internal system(s) but the traffic is never see incoming traffic for the internal system(s) but the traffic is never

View File

@ -57,7 +57,7 @@
<para>OpenVPN is a robust and highly configurable VPN (Virtual Private <para>OpenVPN is a robust and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an Open networks using an encrypted tunnel over the Internet. OpenVPN is an Open
Source project and is <ulink Source project and is <ulink
url="http://openvpn.sourceforge.net/license.html">licensed under the url="http://openvpn.sourceforge.net/license.html">licensed under the
GPL</ulink>. OpenVPN can be downloaded from <ulink GPL</ulink>. OpenVPN can be downloaded from <ulink
@ -642,7 +642,7 @@ verb 3</programlisting>
<listitem> <listitem>
<para>OpenVPN GUI must be run as the Administrator. In the <para>OpenVPN GUI must be run as the Administrator. In the
Explorer, right click on the OpenVPN GUI binary and select Explorer, right click on the OpenVPN GUI binary and select
Properties-&gt;Compatibilty and select "Run this program as an Properties-&gt;Compatibility and select "Run this program as an
administrator".</para> administrator".</para>
</listitem> </listitem>

View File

@ -255,7 +255,7 @@ esac</programlisting>
<para>Here' a basic setup that treats your remote users as if they <para>Here' a basic setup that treats your remote users as if they
were part of your <emphasis role="bold">loc</emphasis> zone. Note that were part of your <emphasis role="bold">loc</emphasis> zone. Note that
if your primary internet connection uses ppp0, then be sure that if your primary Internet connection uses ppp0, then be sure that
<emphasis role="bold">loc</emphasis> follows <emphasis <emphasis role="bold">loc</emphasis> follows <emphasis
role="bold">net</emphasis> in /etc/shorewall/zones.</para> role="bold">net</emphasis> in /etc/shorewall/zones.</para>
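Review bot: the first `<para>` line of this hunk still reads `Here' a basic setup` on both sides; the missing `s` in `Here's` is exactly the kind of typo the spell-check pass should have caught while touching this paragraph. The `internet` to `Internet` change on the third line is fine.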
@ -275,7 +275,7 @@ loc ppp+</programlisting>
<para>If you want to place your remote users in their own zone so that <para>If you want to place your remote users in their own zone so that
you can control connections between these users and the local network, you can control connections between these users and the local network,
follow this example. Note that if your primary internet connection follow this example. Note that if your primary Internet connection
uses ppp0 then be sure that <emphasis role="bold">vpn</emphasis> uses ppp0 then be sure that <emphasis role="bold">vpn</emphasis>
follows <emphasis role="bold">net</emphasis> in /etc/shorewall/zones follows <emphasis role="bold">net</emphasis> in /etc/shorewall/zones
as shown below.</para> as shown below.</para>
@ -312,7 +312,7 @@ vpn ppp+</programlisting>
fileref="images/MultiPPTP.png" /></para> fileref="images/MultiPPTP.png" /></para>
<para>Here's how you configure this in Shorewall. Note that if your <para>Here's how you configure this in Shorewall. Note that if your
primary internet connection uses ppp0 then be sure that the <emphasis primary Internet connection uses ppp0 then be sure that the <emphasis
role="bold">vpn{1-3}</emphasis> zones follows <emphasis role="bold">vpn{1-3}</emphasis> zones follows <emphasis
role="bold">net</emphasis> in /etc/shorewall/zones as shown role="bold">net</emphasis> in /etc/shorewall/zones as shown
below.</para> below.</para>
@ -600,10 +600,10 @@ restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;</programlisting>
Modem</title> Modem</title>
<para>Some ADSL systems in Europe (most notably in Austria and the <para>Some ADSL systems in Europe (most notably in Austria and the
Netherlands) feature a PPTP server built into an ADSL Netherlands) feature a PPTP server builtinto an ADSL
<quote>Modem</quote>. In this setup, an ethernet interface is dedicated to <quote>Modem</quote>. In this setup, an Ethernet interface is dedicated to
supporting the PPTP tunnel between the firewall and the supporting the PPTP tunnel between the firewall and the
<quote>Modem</quote> while the actual internet access is through PPTP <quote>Modem</quote> while the actual Internet access is through PPTP
(interface ppp0). If you have this type of setup, you need to modify the (interface ppp0). If you have this type of setup, you need to modify the
sample configuration that you downloaded as described in this section. sample configuration that you downloaded as described in this section.
<emphasis role="bold">These changes are in addition to those described in <emphasis role="bold">These changes are in addition to those described in
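Review bot: `feature a PPTP server builtinto an ADSL <quote>Modem</quote>` on the second line is another `built into` collapsed into the non-word `builtinto`; restore the space. The `ethernet` to `Ethernet` and `internet` to `Internet` capitalisation changes in the same hunk are fine.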

View File

@ -88,7 +88,7 @@
where <emphasis>zone</emphasis> is the zone where the request where <emphasis>zone</emphasis> is the zone where the request
originated. For packets that are part of an already established originated. For packets that are part of an already established
connection, the destination rewriting takes place without any connection, the destination rewriting takes place without any
involvement of a netfilter rule.</para> involvement of a Netfilter rule.</para>
</listitem> </listitem>
<listitem> <listitem>

View File

@ -399,7 +399,7 @@ Blarg 1 0x100 main eth3 206.124.146.254 track,ba
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S) # PORT(S)
1:110 192.168.0.0/22 eth3 #Our internel nets get priority 1:110 192.168.0.0/22 eth3 #Our internal nets get priority
#over the server #over the server
1:130 206.124.146.177 eth3 tcp - 873 1:130 206.124.146.177 eth3 tcp - 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -133,7 +133,7 @@
network associated with this address. This is the approach <ulink network associated with this address. This is the approach <ulink
url="XenMyWay.html">that I take with my DMZ</ulink>.</para> url="XenMyWay.html">that I take with my DMZ</ulink>.</para>
<para>To permit internet hosts to connect to the local systems, you use <para>To permit Internet hosts to connect to the local systems, you use
ACCEPT rules. For example, if you run a web server on 130.252.100.19 which ACCEPT rules. For example, if you run a web server on 130.252.100.19 which
you have configured to be in the <emphasis role="bold">loc</emphasis> zone you have configured to be in the <emphasis role="bold">loc</emphasis> zone
then you would need this entry in /etc/shorewall/rules:</para> then you would need this entry in /etc/shorewall/rules:</para>
@ -192,7 +192,7 @@ iface eth1 inet static
routers with a long ARP cache timeout. If you move a system from parallel routers with a long ARP cache timeout. If you move a system from parallel
to your firewall to behind your firewall with Proxy ARP, it will probably to your firewall to behind your firewall with Proxy ARP, it will probably
be <emphasis role="bold">HOURS</emphasis> before that system can be <emphasis role="bold">HOURS</emphasis> before that system can
communicate with the internet.</para> communicate with the Internet.</para>
<para>If you sniff traffic on the firewall's external interface, you can <para>If you sniff traffic on the firewall's external interface, you can
see incoming traffic for the internal system(s) but the traffic is never see incoming traffic for the internal system(s) but the traffic is never

View File

@ -93,11 +93,11 @@
<listitem> <listitem>
<para>When the level of functionality of the current development <para>When the level of functionality of the current development
release is judged adaquate, the <firstterm>Beta period</firstterm> for release is judged adequate, the <firstterm>Beta period</firstterm> for
a new Stable release will begin. Beta releases have identifications of a new Stable release will begin. Beta releases have identifications of
the form <emphasis>x.y.0-BetaN</emphasis> where the form <emphasis>x.y.0-BetaN</emphasis> where
<emphasis>x.y</emphasis> is the number of the next Stable Release and <emphasis>x.y</emphasis> is the number of the next Stable Release and
<emphasis>N</emphasis>=1,2,3... . Betas are expected to occur rougly <emphasis>N</emphasis>=1,2,3... . Betas are expected to occur roughly
once per year. Beta releases may contain new functionality not present once per year. Beta releases may contain new functionality not present
in the previous beta release (e.g., 2.2.0-Beta4 may contain in the previous beta release (e.g., 2.2.0-Beta4 may contain
functionality not present in 2.2.0-Beta3). When I'm confident that the functionality not present in 2.2.0-Beta3). When I'm confident that the
@ -106,7 +106,7 @@
identifications of the form <emphasis>x.y.0-RCn</emphasis> where identifications of the form <emphasis>x.y.0-RCn</emphasis> where
<emphasis>x.y</emphasis> is the number of the next Stable Release and <emphasis>x.y</emphasis> is the number of the next Stable Release and
<emphasis>n</emphasis>=1,2,3... . Release candidates contain no new <emphasis>n</emphasis>=1,2,3... . Release candidates contain no new
functionailty -- they only contain bug fixes. When the stability of functionality -- they only contain bug fixes. When the stability of
the current release candidate is judged to be sufficient then that the current release candidate is judged to be sufficient then that
release candidate will be released as the new stable release (e.g., release candidate will be released as the new stable release (e.g.,
2.2.0). At that time, the new stable release and the prior stable 2.2.0). At that time, the new stable release and the prior stable
@ -165,7 +165,7 @@
<emphasis>X</emphasis>=1,b,c,... . Consequently, if a user required a <emphasis>X</emphasis>=1,b,c,... . Consequently, if a user required a
bug fix but was not running the last minor release of the associated bug fix but was not running the last minor release of the associated
major release then it might be necessary to accept major new major release then it might be necessary to accept major new
functionailty along with the bug fix.</para> functionality along with the bug fix.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
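Review bot: the unchanged first line of this hunk reads `<emphasis>X</emphasis>=1,b,c,...`; since the sequence continues with `b,c`, check whether the `1` should be `a` (the Beta and RC numbering lines earlier in the same file use `1,2,3...`). The `functionailty` to `functionality` fix on the last changed line is correct.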

View File

@ -157,7 +157,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para>Use NONE policies whereever appropriate. This helps especially <para>Use NONE policies wherever appropriate. This helps especially
in the rules activation phase of both script compilation and in the rules activation phase of both script compilation and
execution.</para> execution.</para>
</listitem> </listitem>

View File

@ -157,7 +157,7 @@
<para>With the shell-based compiler, extension scripts were copied <para>With the shell-based compiler, extension scripts were copied
into the compiled script and executed at run-time. In many cases, into the compiled script and executed at run-time. In many cases,
this approach doesn't work with Shorewall Perl because (almost) the this approach doesn't work with Shorewall Perl because (almost) the
entire ruleset is built by the compiler. As a result, Shorewall-perl entire rule set is built by the compiler. As a result, Shorewall-perl
runs some extension scripts at compile-time rather than at run-time. runs some extension scripts at compile-time rather than at run-time.
Because the compiler is written in Perl, your extension scripts from Because the compiler is written in Perl, your extension scripts from
earlier versions will no longer work.</para> earlier versions will no longer work.</para>
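Review bot: `ruleset` to `rule set` on the fourth line is a spell-checker false positive rather than a correction; `ruleset` is the established Netfilter term for the loaded rules, and the same substitution is repeated in the later hunks of this file (`the Netfilter rule set is never cleared`, `The entire rule set is atomically loaded`). Keep `ruleset` throughout, or the file ends up inconsistent with the term used elsewhere in the project.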
@ -370,7 +370,7 @@ insert_rule $filter_table-&gt;{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
a plus sign (+) as with the shell-based compiler.</para> a plus sign (+) as with the shell-based compiler.</para>
<para>Shorewall is now out of the ipset load/reload business. With <para>Shorewall is now out of the ipset load/reload business. With
scripts generated by the Perl-based Compiler, the Netfilter ruleset scripts generated by the Perl-based Compiler, the Netfilter rule set
is never cleared. That means that there is no opportunity for is never cleared. That means that there is no opportunity for
Shorewall to load/reload your ipsets since that cannot be done while Shorewall to load/reload your ipsets since that cannot be done while
there are any current rules using ipsets.</para> there are any current rules using ipsets.</para>
@ -381,7 +381,7 @@ insert_rule $filter_table-&gt;{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
<listitem> <listitem>
<para>Your ipsets must be loaded before Shorewall starts. You <para>Your ipsets must be loaded before Shorewall starts. You
are free to try to do that with the following code in are free to try to do that with the following code in
<filename>/etc/shorewall/start (it works for me; your milage may <filename>/etc/shorewall/start (it works for me; your mileage may
vary)</filename>:</para> vary)</filename>:</para>
<programlisting>if [ "$COMMAND" = start ]; then <programlisting>if [ "$COMMAND" = start ]; then
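Review bot: on the third line the `<filename>` element wraps `/etc/shorewall/start (it works for me; your mileage may vary)` as if the whole parenthetical were part of the path; since the line is being touched anyway, close the element after `start` and put `(it works for me; your mileage may vary)` outside it. The `milage` to `mileage` fix is correct.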
@ -437,7 +437,7 @@ fi</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is <para>DELAYBLACKLISTLOAD=Yes is not supported. The entire rule set is
atomically loaded with one execution of atomically loaded with one execution of
<command>iptables-restore</command>.</para> <command>iptables-restore</command>.</para>
</listitem> </listitem>
@ -677,7 +677,7 @@ ACCEPT loc:eth0:192.168.1.3,eth0:192.168.1.5 $fw tcp 22</programlisting>
and by the compiled program will be timestamped.<simplelist> and by the compiled program will be timestamped.<simplelist>
<member><emphasis role="bold">--debug</emphasis></member> <member><emphasis role="bold">--debug</emphasis></member>
</simplelist>If given, when a warning or error message is issued, it </simplelist>If given, when a warning or error message is issued, it
is supplimented with a stack trace. Requires the Carp Perl is supplemented with a stack trace. Requires the Carp Perl
module.<simplelist> module.<simplelist>
<member><emphasis <member><emphasis
role="bold">--refresh=</emphasis>&lt;<emphasis>chainlist</emphasis>&gt;</member> role="bold">--refresh=</emphasis>&lt;<emphasis>chainlist</emphasis>&gt;</member>
@ -1055,7 +1055,7 @@ my $chainref7 = $filter_table{$name};</programlisting>Shorewall::Chains is
<para>A companion function, <emphasis <para>A companion function, <emphasis
role="bold">ensure_manual_chain()</emphasis>, can be called when a role="bold">ensure_manual_chain()</emphasis>, can be called when a
manual chain of the desired name may have alread been created. If a manual chain of the desired name may have already been created. If a
manual chain table entry with the passed name already exists, a manual chain table entry with the passed name already exists, a
reference to the chain table entry is returned. Otherwise, the function reference to the chain table entry is returned. Otherwise, the function
calls <emphasis role="bold">new_manual_chain()</emphasis> and returns calls <emphasis role="bold">new_manual_chain()</emphasis> and returns

View File

@ -45,7 +45,7 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Act as a <quote>Personal Firewall</quote> that allows internet <para>Act as a <quote>Personal Firewall</quote> that allows Internet
access control by application. If that's what you are looking for, try access control by application. If that's what you are looking for, try
<ulink <ulink
url="http://tuxguardian.sourceforge.net/">TuxGuardian</ulink>.</para> url="http://tuxguardian.sourceforge.net/">TuxGuardian</ulink>.</para>

View File

@ -104,7 +104,7 @@ httpd_accel_uses_host_header on</programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>See your distribution's Squid documenation and <ulink <para>See your distribution's Squid documentation and <ulink
url="http://www.squid-cache.org/">http://www.squid-cache.org/</ulink> url="http://www.squid-cache.org/">http://www.squid-cache.org/</ulink>
for details.</para> for details.</para>
@ -188,7 +188,7 @@ REDIRECT loc 3128 tcp www - !206.124.146.
transparent proxy running in your local zone at 192.168.1.3 and transparent proxy running in your local zone at 192.168.1.3 and
listening on port 3128. Your local interface is eth1. There may also be listening on port 3128. Your local interface is eth1. There may also be
a web server running on 192.168.1.3. It is assumed that web access is a web server running on 192.168.1.3. It is assumed that web access is
already enabled from the local zone to the internet.</para> already enabled from the local zone to the Internet.</para>
<orderedlist> <orderedlist>
<listitem> <listitem>

View File

@ -170,7 +170,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
<para>Suppose that I had set up eth0:0 as above and I wanted to port <para>Suppose that I had set up eth0:0 as above and I wanted to port
forward from that virtual interface to a web server running in my local forward from that virtual interface to a web server running in my local
zone at 192.168.1.3. That is accomplised by a single rule in the zone at 192.168.1.3. That is accomplished by a single rule in the
<filename>/etc/shorewall/rules</filename> file:</para> <filename>/etc/shorewall/rules</filename> file:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL

View File

@ -68,7 +68,7 @@
url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para> url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
</tip> </tip>
<para>Shorewall verions 2.2.0 and later also include support for the ipp2p <para>Shorewall versions 2.2.0 and later also include support for the ipp2p
match facility which can be use to control P2P traffic. See the <ulink match facility which can be use to control P2P traffic. See the <ulink
url="IPP2P.html">Shorewall IPP2P documentation</ulink> for details.</para> url="IPP2P.html">Shorewall IPP2P documentation</ulink> for details.</para>
</article> </article>
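Review bot: the second line of this hunk still says `which can be use to control P2P traffic` on both sides; `use` should be `used`. The `verions` to `versions` fix on the first line is correct.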

View File

@ -216,7 +216,7 @@
Later</title> Later</title>
<para>Beginning with Shorewall 2.3.2, support is included for multiple <para>Beginning with Shorewall 2.3.2, support is included for multiple
internet connections. If you wish to use this feature, we recommend Internet connections. If you wish to use this feature, we recommend
strongly that you upgrade to version 2.4.2 or later.</para> strongly that you upgrade to version 2.4.2 or later.</para>
<para>Shorewall multi-ISP support is now covered in a <ulink <para>Shorewall multi-ISP support is now covered in a <ulink

View File

@ -46,7 +46,7 @@
Interconnect (OSI) reference model, a router operates at layer 3. Interconnect (OSI) reference model, a router operates at layer 3.
Shorewall may also be deployed on a GNU Linux System that acts as a Shorewall may also be deployed on a GNU Linux System that acts as a
<firstterm>bridge</firstterm>. Bridges are layer-2 devices in the OSI <firstterm>bridge</firstterm>. Bridges are layer-2 devices in the OSI
model (think of a bridge as an ethernet switch).</para> model (think of a bridge as an Ethernet switch).</para>
<para>Some differences between routers and bridges are:</para> <para>Some differences between routers and bridges are:</para>
@ -54,7 +54,7 @@
<listitem> <listitem>
<para>Routers determine packet destination based on the destination IP <para>Routers determine packet destination based on the destination IP
address while bridges route traffic based on the destination MAC address while bridges route traffic based on the destination MAC
address in the ethernet frame.</para> address in the Ethernet frame.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -93,9 +93,9 @@
bridge-specific changes are restricted to the bridge-specific changes are restricted to the
<filename>/etc/shorewall/interfaces</filename> file.</para> <filename>/etc/shorewall/interfaces</filename> file.</para>
<para>This example illustrates the bridging of two ethernet devices but <para>This example illustrates the bridging of two Ethernet devices but
the types of the devices really isn't important. What is shown here would the types of the devices really isn't important. What is shown here would
apply equally to bridging an ethernet device to an <ulink apply equally to bridging an Ethernet device to an <ulink
url="OPENVPN.html">OpenVPN</ulink> tap device (e.g., url="OPENVPN.html">OpenVPN</ulink> tap device (e.g.,
<filename>tap0</filename>) or to a wireless device <filename>tap0</filename>) or to a wireless device
(<filename>ath0</filename> or <filename>wlan0</filename>).</para> (<filename>ath0</filename> or <filename>wlan0</filename>).</para>
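Review bot: `the types of the devices really isn't important` (second line of the hunk, unchanged context) has a number-agreement error; with `types` as the subject it should read `aren't important` or `really don't matter`. Small, but the paragraph is being edited anyway, so it is cheap to fix here.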

View File

@ -89,7 +89,7 @@
# special IPv6 addresses # special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback ::1 localhost ipv6-localhost ipv6-loopback
fe00::0 ipv6-localneta fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes ff02::1 ipv6-allnodes

View File

@ -135,7 +135,7 @@
</tgroup> </tgroup>
</table> </table>
<para>The above may or may not work — your milage may vary. NAT Traversal <para>The above may or may not work — your mileage may vary. NAT Traversal
is definitely a better solution. To use NAT traversal:<table id="Table2"> is definitely a better solution. To use NAT traversal:<table id="Table2">
<title>/etc/shorewall/rules with NAT Traversal</title> <title>/etc/shorewall/rules with NAT Traversal</title>

View File

@ -436,7 +436,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the url="shorewall_setup_guide.htm">Shorewall Setup Guide</ulink> with the
exception that I've added a fourth interface for our wireless network. exception that I've added a fourth interface for our wireless network.
The firewall runs a routed <ulink url="OPENVPN.html">OpenVPN The firewall runs a routed <ulink url="OPENVPN.html">OpenVPN
server</ulink> to provide roadwarrior access for our three laptops and a server</ulink> to provide road warrior access for our three laptops and a
bridged OpenVPN server for the wireless network in our home. Here is the bridged OpenVPN server for the wireless network in our home. Here is the
firewall's view of the network:</para> firewall's view of the network:</para>
@ -912,7 +912,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST <para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S) # PORT(S)
1:110 192.168.0.0/22 $EXT_IF #Our internel nets get priority 1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server #over the server
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the 1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors. #Shorewall Mirrors.
@ -921,7 +921,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
<para>The <filename class="devicefile">tap0</filename> device used by <para>The <filename class="devicefile">tap0</filename> device used by
the bridged OpenVPN server is created and bridged to <filename the bridged OpenVPN server is created and bridged to <filename
class="devicefile">eth1</filename> using a SuSE-specific SysV init class="devicefile">eth1</filename> using a SUSE-specific SysV init
script:</para> script:</para>
<blockquote> <blockquote>

View File

@ -66,7 +66,7 @@
class="devicefile">eth0</filename><footnote> class="devicefile">eth0</filename><footnote>
<para>This assumes the default Xen configuration created by <para>This assumes the default Xen configuration created by
<command>xend </command>and assumes that the host system has a single <command>xend </command>and assumes that the host system has a single
ethernet interface named <filename Ethernet interface named <filename
class="devicefile">eth0</filename>.</para> class="devicefile">eth0</filename>.</para>
</footnote>in each domain. In Dom0, Xen also creates a bridge (<filename </footnote>in each domain. In Dom0, Xen also creates a bridge (<filename
class="devicefile">xenbr0</filename>) and a number of virtual interfaces class="devicefile">xenbr0</filename>) and a number of virtual interfaces
@ -156,7 +156,7 @@
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>Most of the Linux systems run <trademark>SuSE </trademark>10.1; my <para>Most of the Linux systems run <trademark>SUSE </trademark>10.1; my
personal Linux desktop system and our Linux Laptop run personal Linux desktop system and our Linux Laptop run
<trademark>Ubuntu</trademark> "Dapper Drake".</para> <trademark>Ubuntu</trademark> "Dapper Drake".</para>
@ -259,7 +259,7 @@
<filename class="devicefile">eth2</filename> (PCI 00:0a.0) are <filename class="devicefile">eth2</filename> (PCI 00:0a.0) are
delegated to the firewall DomU where they become <filename delegated to the firewall DomU where they become <filename
class="devicefile">eth3</filename> and <filename class="devicefile">eth3</filename> and <filename
class="devicefile">eth4</filename> respectively. The SuSE 10.1 Xen class="devicefile">eth4</filename> respectively. The SUSE 10.1 Xen
kernel compiles pciback as a module so the instructions for PCI kernel compiles pciback as a module so the instructions for PCI
delegation in the Xen Users Manual can't be followed directly (see delegation in the Xen Users Manual can't be followed directly (see
<ulink <ulink
@ -292,7 +292,7 @@ extra = "3"
# network interface: # network interface:
vif = [ 'mac=aa:cc:00:00:00:02, bridge=xenbr0', 'mac=aa:cc:00:00:00:03, bridge=xenbr1' ] vif = [ 'mac=aa:cc:00:00:00:02, bridge=xenbr0', 'mac=aa:cc:00:00:00:03, bridge=xenbr1' ]
# Interfaces deletgated from Dom0 # Interfaces delegated from Dom0
pci=[ '00:09.0' , '00:0a.0' ] pci=[ '00:09.0' , '00:0a.0' ]
# storage devices: # storage devices:
@ -357,7 +357,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
<para><command>ethtool -K eth0 tx off</command></para> <para><command>ethtool -K eth0 tx off</command></para>
<para>Under SuSE 10.1, I placed the following in <para>Under SUSE 10.1, I placed the following in
<filename>/etc/sysconfig/network/if-up.d/resettx</filename> (that file <filename>/etc/sysconfig/network/if-up.d/resettx</filename> (that file
is executable):</para> is executable):</para>
@ -380,13 +380,13 @@ fi</programlisting>
</caution> </caution>
<caution> <caution>
<para>Update. Under SuSE 10.2, communication from a domU works okay <para>Update. Under SUSE 10.2, communication from a domU works okay
without running ethtool <emphasis role="bold">but traffic shaping in without running ethtool <emphasis role="bold">but traffic shaping in
dom0 doesn't work!</emphasis> So it's a good idea to run it just to be dom0 doesn't work!</emphasis> So it's a good idea to run it just to be
safe.</para> safe.</para>
</caution> </caution>
<para>SuSE 10.1 includes Xen 3.0.2 which supports PCI delegation. The <para>SUSE 10.1 includes Xen 3.0.2 which supports PCI delegation. The
network interfaces that connect to the net and wifi zones are delegated network interfaces that connect to the net and wifi zones are delegated
to the firewall DomU.</para> to the firewall DomU.</para>
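Review bot: Dom0/DomU capitalization is inconsistent across this hunk and the ones above it: the second caution says "a domU" and "dom0", while the vif comment says "Dom0" and the last paragraph here says "firewall DomU". Since this commit is the spelling pass, pick one form (the Xen manuals use Dom0/DomU) and apply it throughout the page.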
@ -474,7 +474,7 @@ SECTION NEW
described in the <ulink url="shorewall_setup_guide.htm">Shorewall Setup described in the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
Guide</ulink> with the exception that I've added a fourth interface for Guide</ulink> with the exception that I've added a fourth interface for
our wireless network. The firewall runs a routed <ulink our wireless network. The firewall runs a routed <ulink
url="OPENVPN.html">OpenVPN server</ulink> to provide roadwarrior access url="OPENVPN.html">OpenVPN server</ulink> to provide road warrior access
for our two laptops and a bridged OpenVPN server for the wireless for our two laptops and a bridged OpenVPN server for the wireless
network in our home. Here is the firewall's view of the network:</para> network in our home. Here is the firewall's view of the network:</para>
@ -834,7 +834,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST <para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S) # PORT(S)
1:110 192.168.0.0/22 $EXT_IF #Our internel nets get priority 1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server #over the server
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the 1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors. #Shorewall Mirrors.
@ -842,7 +842,7 @@ $EXT_IF 30 2*full/10 6*full/10 3
</blockquote> </blockquote>
<para>The tap0 device used by the bridged OpenVPN server is bridged to <para>The tap0 device used by the bridged OpenVPN server is bridged to
eth0 using a SuSE-specific SysV init script:</para> eth0 using a SUSE-specific SysV init script:</para>
<blockquote> <blockquote>
<programlisting>#!/bin/sh <programlisting>#!/bin/sh

View File

@ -49,7 +49,7 @@
Interconnect (OSI) reference model, a router operates at layer 3, Interconnect (OSI) reference model, a router operates at layer 3,
Shorewall may also be deployed on a GNU Linux System that acts as a Shorewall may also be deployed on a GNU Linux System that acts as a
<firstterm>bridge</firstterm>. Bridges are layer 2 devices in the OSI <firstterm>bridge</firstterm>. Bridges are layer 2 devices in the OSI
model (think of a bridge as an ethernet switch).</para> model (think of a bridge as an Ethernet switch).</para>
<para>Some differences between routers and bridges are:</para> <para>Some differences between routers and bridges are:</para>
@ -57,7 +57,7 @@
<listitem> <listitem>
<para>Routers determine packet destination based on the destination IP <para>Routers determine packet destination based on the destination IP
address, while bridges route traffic based on the destination MAC address, while bridges route traffic based on the destination MAC
address in the ethernet frame.</para> address in the Ethernet frame.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -142,7 +142,7 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>The Shorewall system (the Bridge/Firewall) has only a single IP <para>The Shorewall system (the Bridge/Firewall) has only a single IP
address even though it has two ethernet interfaces! The IP address is address even though it has two Ethernet interfaces! The IP address is
configured on the bridge itself, rather than on either of the network configured on the bridge itself, rather than on either of the network
cards.</para> cards.</para>
</listitem> </listitem>
@ -454,7 +454,7 @@ ifconfig most 192.168.1.31 netmask 255.255.255.0 up
#you don't use rc.inet1 #you don't use rc.inet1
######################### #########################
3) I made rc.brige executable and added the following line to /etc/rc.d/rc.local 3) I made rc.bridge executable and added the following line to /etc/rc.d/rc.local
/etc/rc.d/rc.bridge </programlisting> /etc/rc.d/rc.bridge </programlisting>
</blockquote> </blockquote>
@ -563,7 +563,7 @@ rc-update add bridge boot
<filename>shorewall.conf</filename>.</para> <filename>shorewall.conf</filename>.</para>
<para>In the scenario pictured above, there would probably be two BP zones <para>In the scenario pictured above, there would probably be two BP zones
defined -- one for the internet and one for the local LAN so in defined -- one for the Internet and one for the local LAN so in
<filename>/etc/shorewall/zones</filename>:</para> <filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS <programlisting>#ZONE TYPE OPTIONS

View File

@ -203,7 +203,7 @@
<listitem> <listitem>
<para><filename>/etc/shorewall/vardir</filename> - (Added in <para><filename>/etc/shorewall/vardir</filename> - (Added in
Shoreall 4.0.0-RC2) - Determines the directory where Shorewall Shorewall 4.0.0-RC2) - Determines the directory where Shorewall
maintains its state.</para> maintains its state.</para>
</listitem> </listitem>
@ -590,7 +590,7 @@ use Shorewall::Config qw/shorewall/;</programlisting>
the name to one or more IP addresses and inserts those addresses into the the name to one or more IP addresses and inserts those addresses into the
rule. So changes in the DNS-&gt;IP address relationship that occur after rule. So changes in the DNS-&gt;IP address relationship that occur after
the firewall has started have absolutely no effect on the firewall's the firewall has started have absolutely no effect on the firewall's
ruleset.</para> rule set.</para>
<para>If your firewall rules include DNS names then:</para> <para>If your firewall rules include DNS names then:</para>
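Review bot: "ruleset" is not a misspelling; it is the term the netfilter/iptables documentation uses (iptables-save and iptables-restore operate on a "ruleset"), so splitting it into "rule set" here is a terminology change rather than a spell fix. Either keep the single word or, if the split is wanted, make sure every occurrence in the documentation is changed the same way rather than only the ones the spell checker flagged.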

View File

@ -95,12 +95,12 @@
<section id="Shell-Perl"> <section id="Shell-Perl">
<title>Shorewall-shell and Shorewall-perl</title> <title>Shorewall-shell and Shorewall-perl</title>
<para>Shorewall-shell and Shoreall-perl have no configuration files and <para>Shorewall-shell and Shorewall-perl have no configuration files and
all of their released files are installed in a single directory. To all of their released files are installed in a single directory. To
fallback to a prior release of one of these products using the tarballs, fallback to a prior release of one of these products using the tarballs,
simple re-install the older version.</para> simple re-install the older version.</para>
<para>To uninstal these products when they have been installed using the <para>To uninstall these products when they have been installed using the
tarballs:</para> tarballs:</para>
<itemizedlist> <itemizedlist>
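Review bot: two errors in this paragraph survive the spell check: "simple re-install the older version" should read "simply re-install the older version", and "To fallback to a prior release" needs the verb form "fall back". Suggested: "To fall back to a prior release of one of these products using the tarballs, simply re-install the older version."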

View File

@ -37,7 +37,7 @@
<section id="Ipsets"> <section id="Ipsets">
<title>What are Ipsets?</title> <title>What are Ipsets?</title>
<para>Ipsets are an extention to Netfilter/iptables that are currently <para>Ipsets are an extension to Netfilter/iptables that are currently
available in Patch-O-Matic-ng (<ulink available in Patch-O-Matic-ng (<ulink
url="http://www.netfilter.org">http://www.netfilter.org</ulink>). Using url="http://www.netfilter.org">http://www.netfilter.org</ulink>). Using
ipsets requires that you patch your kernel and iptables and that you build ipsets requires that you patch your kernel and iptables and that you build
@ -50,7 +50,7 @@
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>Blacklists. Ipsets provide an effecient way to represent large <para>Blacklists. Ipsets provide an efficient way to represent large
sets of addresses and you can maintain the lists without the need to sets of addresses and you can maintain the lists without the need to
restart or even refresh your Shorewall configuration.</para> restart or even refresh your Shorewall configuration.</para>
</listitem> </listitem>
@ -90,7 +90,7 @@
<listitem> <listitem>
<para>a series of "src" and "dst" options separated by commas and <para>a series of "src" and "dst" options separated by commas and
inclosed in square brackets ([]). These will be passed directly to enclosed in square brackets ([]). These will be passed directly to
iptables in the generated --set clause. See the ipset documentation iptables in the generated --set clause. See the ipset documentation
for details.</para> for details.</para>

View File

@ -363,9 +363,9 @@ CONFIG_IP_NF_ARP_MANGLE=m
(Ubuntu inexplicably includes connmark match support but not CONNTRACK (Ubuntu inexplicably includes connmark match support but not CONNTRACK
target support).<graphic align="center" target support).<graphic align="center"
fileref="images/kernel-2.6.20-2.png" />The next graphic shows the IP fileref="images/kernel-2.6.20-2.png" />The next graphic shows the IP
Netfilter Configuration -- these are the standard Ubuntu settions.<graphic Netfilter Configuration -- these are the standard Ubuntu settings.<graphic
align="center" fileref="images/kernel-2.6.20-3.png" />Here is the align="center" fileref="images/kernel-2.6.20-3.png" />Here is the
corresponding CONFIG file exerpt.<programlisting>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m corresponding CONFIG file excerpt.<programlisting>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_MARK=m

View File

@ -26,7 +26,7 @@
</copyright> </copyright>
<legalnotice> <legalnotice>
<para>Permission is granted to copy, distribute and/or mify this <para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
@ -232,7 +232,7 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
</row> </row>
<row> <row>
<entry>Filrewall 2</entry> <entry>Firewall 2</entry>
<entry>192.168.1.27 in lower cloud</entry> <entry>192.168.1.27 in lower cloud</entry>

View File

@ -48,7 +48,7 @@
<section id="Ping"> <section id="Ping">
<title>'Ping' Management</title> <title>'Ping' Management</title>
<para>In Shorewall , ICMP echo-request's are treated just like any other <para>In Shorewall , ICMP echo-requests are treated just like any other
connection request.</para> connection request.</para>
<para>In order to accept ping requests from zone z1 to zone z2 where the <para>In order to accept ping requests from zone z1 to zone z2 where the
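Review bot: the stray space before the comma in "In Shorewall , ICMP echo-requests" is still there after this hunk; drop it so the sentence reads "In Shorewall, ICMP echo-requests are treated just like any other connection request."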
@ -85,7 +85,7 @@ Ping/DROP z1 z2</programlisting>
<example id="Example2"> <example id="Example2">
<title>Silently drop pings from the Internet</title> <title>Silently drop pings from the Internet</title>
<para>To drop ping from the internet, you would need this rule in <para>To drop ping from the Internet, you would need this rule in
<filename>/etc/shorewall/rules</filename>:</para> <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)

View File

@ -227,7 +227,7 @@ ICQ/ACCEPT <emphasis>&lt;source&gt;</emphasis> net</programlisting>
<title>IMAP</title> <title>IMAP</title>
<caution> <caution>
<para>When accessing your mail from the internet,use <emphasis <para>When accessing your mail from the Internet, use <emphasis
role="bold">only</emphasis> <emphasis role="bold">IMAP over role="bold">only</emphasis> <emphasis role="bold">IMAP over
SSL.</emphasis></para> SSL.</emphasis></para>
</caution> </caution>
@ -281,7 +281,7 @@ LDAPS/ACCEPT <emphasis><emphasis>&lt;source&gt;</emphasis> <emphasis> &
role="bold">severe security risk</emphasis>.</para> role="bold">severe security risk</emphasis>.</para>
<para><emphasis role="bold">DO NOT USE THIS </emphasis>if you don't know <para><emphasis role="bold">DO NOT USE THIS </emphasis>if you don't know
how to deal with the consecuences, you have been warned.</para> how to deal with the consequences, you have been warned.</para>
</caution> </caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
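Review bot: "DO NOT USE THIS if you don't know how to deal with the consequences, you have been warned." is a comma splice that the spelling fix leaves in place; a semicolon or full stop before "you have been warned" fixes it.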
@ -542,7 +542,7 @@ Whois/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&
<section id="X"> <section id="X">
<title>X/XDMCP</title> <title>X/XDMCP</title>
<para>Assume that the Choser and/or X Server are running at <para>Assume that the Chooser and/or X Server are running at
&lt;<emphasis>chooser</emphasis>&gt; and the Display Manager/X &lt;<emphasis>chooser</emphasis>&gt; and the Display Manager/X
applications are running at &lt;<emphasis>apps</emphasis>&gt;.</para> applications are running at &lt;<emphasis>apps</emphasis>&gt;.</para>

View File

@ -163,7 +163,7 @@
classified by the national government as secret, our security doesn't classified by the national government as secret, our security doesn't
stop by putting a fence around our company. Information security is a stop by putting a fence around our company. Information security is a
hot issue. We also make use of checkpoint firewalls, but not all of the hot issue. We also make use of checkpoint firewalls, but not all of the
internet servers are guarded by checkpoint, some of them are Internet servers are guarded by checkpoint, some of them are
running....Shorewall.</emphasis></para> running....Shorewall.</emphasis></para>
</blockquote> </blockquote>
@ -172,7 +172,7 @@
<para><emphasis>thanx for all your efforts you put into shorewall - this <para><emphasis>thanx for all your efforts you put into shorewall - this
product stands out against a lot of commercial stuff i´ve been working product stands out against a lot of commercial stuff i´ve been working
with in terms of flexibillity, quality &amp; support</emphasis></para> with in terms of flexibility, quality &amp; support</emphasis></para>
</blockquote> </blockquote>
<blockquote> <blockquote>
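Review bot: this hunk corrects "flexibillity" inside a quoted testimonial but leaves "thanx" and "i´ve" (an acute accent standing in for an apostrophe) in the same quotation. Decide whether user quotations are reproduced verbatim or cleaned up and treat the whole quote the same way; the ´ at least should become a plain apostrophe, since it is a character error rather than the author's spelling.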
@ -184,7 +184,7 @@
</blockquote> </blockquote>
<blockquote> <blockquote>
<attribution>RP, Guatamala</attribution> <attribution>RP, Guatemala</attribution>
<para><emphasis>My respects... I've just found and installed Shorewall <para><emphasis>My respects... I've just found and installed Shorewall
1.3.3-1 and it is a wonderful piece of software. I've just sent out an 1.3.3-1 and it is a wonderful piece of software. I've just sent out an
@ -193,7 +193,7 @@
<para><emphasis>While I had previously taken the time (maybe 40 hours) <para><emphasis>While I had previously taken the time (maybe 40 hours)
to really understand ipchains, then spent at least an hour per server to really understand ipchains, then spent at least an hour per server
customizing and carefully scrutinizing firewall rules, I've got customizing and carefully scrutinizing firewall rules, I've got
shorewall running on my home firewall, with rulesets and policies that I shorewall running on my home firewall, with rule sets and policies that I
know make sense, in under 20 minutes.</emphasis></para> know make sense, in under 20 minutes.</emphasis></para>
</blockquote> </blockquote>
</section> </section>
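Review bot: "rulesets" to "rule sets" here rewords a quoted testimonial rather than fixing a spelling mistake. A spelling pass should leave attributed quotes alone beyond obvious typos; recommend reverting this one so the quote stays as the user wrote it.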

View File

@ -169,7 +169,7 @@ esac</programlisting><caution>
ADMINISABSENTMINDED=Yes.</para> ADMINISABSENTMINDED=Yes.</para>
<para>The firewall state when this script is invoked is <para>The firewall state when this script is invoked is
indeterminent. So if you have ADMINISABSENTMINDED=No in <ulink indeterminate. So if you have ADMINISABSENTMINDED=No in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8) and
output on an interface is not allowed by <ulink output on an interface is not allowed by <ulink
url="manpages/shorewall.conf.html">routestopped</ulink>(8) then url="manpages/shorewall.conf.html">routestopped</ulink>(8) then
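Review bot: the link for routestopped in this paragraph points at the wrong manpage: url="manpages/shorewall.conf.html">routestopped</ulink>(8) sends the reader to shorewall.conf. Elsewhere in this commit the manpages directory is referenced one file per configuration file (for example manpages/shorewall-rules.html for the rules file), so the routestopped link should follow that pattern. Worth fixing while the line is being touched.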
@ -495,7 +495,7 @@ esac</programlisting><caution>
<para>The 'continue' script has been eliminated because it no longer <para>The 'continue' script has been eliminated because it no longer
make any sense under Shorewall-perl. That script was designed to allow make any sense under Shorewall-perl. That script was designed to allow
you to add special temporary rules during [re]start. Shorewall-perl you to add special temporary rules during [re]start. Shorewall-perl
doesn't need such rules since the ruleset is instantianted atomically by doesn't need such rules since the rule set is instantiated atomically by
table.</para> table.</para>
</section> </section>
</section> </section>
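Review bot: subject-verb agreement is off in "because it no longer make any sense under Shorewall-perl"; it should be "makes". The "rule set" change in the same hunk should follow whatever decision is made about "ruleset" in the other pages this commit touches.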

View File

@ -50,7 +50,7 @@
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>The packet is part of an established connecection. While the <para>The packet is part of an established connection. While the
packet can be logged using LOG rules in the ESTABLISHED section of packet can be logged using LOG rules in the ESTABLISHED section of
<ulink <ulink
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink>, that
@ -100,7 +100,7 @@
<title>Where the Traffic is Logged and How to Change the <title>Where the Traffic is Logged and How to Change the
Destination</title> Destination</title>
<para>By default, Shorewall directs NetFilter to log using syslog (8). <para>By default, Shorewall directs Netfilter to log using syslog (8).
Syslog classifies log messages by a <emphasis>facility</emphasis> and a Syslog classifies log messages by a <emphasis>facility</emphasis> and a
<emphasis>priority</emphasis> (using the notation <emphasis>priority</emphasis> (using the notation
<emphasis>facility.priority</emphasis>).</para> <emphasis>facility.priority</emphasis>).</para>
@ -111,7 +111,7 @@
<para>Throughout the Shorewall documentation, I will use the term <para>Throughout the Shorewall documentation, I will use the term
<emphasis>level</emphasis> rather than <emphasis>priority </emphasis>since <emphasis>level</emphasis> rather than <emphasis>priority </emphasis>since
<emphasis>level</emphasis> is the term used by NetFilter. The syslog <emphasis>level</emphasis> is the term used by Netfilter. The syslog
documentation uses the term <emphasis>priority</emphasis>.</para> documentation uses the term <emphasis>priority</emphasis>.</para>
<section id="Levels"> <section id="Levels">
@ -150,7 +150,7 @@
</simplelist> </simplelist>
<para>For most Shorewall logging, a level of 6 (info) is appropriate. <para>For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by NetFilter and are logged using Shorewall log messages are generated by Netfilter and are logged using
the <emphasis>kern</emphasis> facility and the level that you specify. the <emphasis>kern</emphasis> facility and the level that you specify.
If you are unsure of the level to choose, 6 (info) is a safe bet. You If you are unsure of the level to choose, 6 (info) is a safe bet. You
may specify levels by name or by number.</para> may specify levels by name or by number.</para>
@ -180,14 +180,14 @@
<listitem> <listitem>
<para>All kernel.info messages will go to that destination and not <para>All kernel.info messages will go to that destination and not
just those from NetFilter.</para> just those from Netfilter.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>Beginning with Shorewall version 1.3.12, if your kernel has ULOG <para>Beginning with Shorewall version 1.3.12, if your kernel has ULOG
target support (and most vendor-supplied kernels do), you may also target support (and most vendor-supplied kernels do), you may also
specify a log level of ULOG (must be all caps). When ULOG is used, specify a log level of ULOG (must be all caps). When ULOG is used,
Shorewall will direct netfilter to log the related messages via the ULOG Shorewall will direct Netfilter to log the related messages via the ULOG
target which will send them to a process called <quote>ulogd</quote>. target which will send them to a process called <quote>ulogd</quote>.
The ulogd program is included in most distributions and is also The ulogd program is included in most distributions and is also
available from <ulink available from <ulink
@ -276,7 +276,7 @@ ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080 </programlis
<para><ulink <para><ulink
url="http://marc.theaimsgroup.com/?l=gentoo-security&amp;amp;m=106040714910563&amp;amp;w=2">Here</ulink> url="http://marc.theaimsgroup.com/?l=gentoo-security&amp;amp;m=106040714910563&amp;amp;w=2">Here</ulink>
is a post describing configuring syslog-ng to work with Shorewall. Recent is a post describing configuring syslog-ng to work with Shorewall. Recent
<trademark>SuSE</trademark> releases come preconfigured with syslog-ng <trademark>SUSE</trademark> releases come preconfigured with syslog-ng
with Netfilter messages (including Shorewall's) are written to with Netfilter messages (including Shorewall's) are written to
<filename>/var/log/firewall</filename>.</para> <filename>/var/log/firewall</filename>.</para>
</section> </section>
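Review bot: the second sentence is still ungrammatical after this hunk: "Recent SUSE releases come preconfigured with syslog-ng with Netfilter messages (including Shorewall's) are written to /var/log/firewall." Suggest "Recent SUSE releases come preconfigured with syslog-ng so that Netfilter messages (including Shorewall's) are written to /var/log/firewall."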

View File

@ -45,7 +45,7 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>A <emphasis role="bold">Linux</emphasis> kernel that supports <para>A <emphasis role="bold">Linux</emphasis> kernel that supports
netfilter (No, it won't work on BSD or Solaris). I've tested with Netfilter (No, it won't work on BSD or Solaris). I've tested with
2.4.2 - 2.6.16. Check <ulink url="kernel.htm">here</ulink> for kernel 2.4.2 - 2.6.16. Check <ulink url="kernel.htm">here</ulink> for kernel
configuration information.</para> configuration information.</para>
</listitem> </listitem>

View File

@ -109,14 +109,14 @@
class="directory">/etc/shorewall</filename> directory is empty. This class="directory">/etc/shorewall</filename> directory is empty. This
is intentional. The released configuration file skeletons may be found is intentional. The released configuration file skeletons may be found
on your system in the directory <filename on your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>. class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Simply copy the files you need from that directory to <filename Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the class="directory">/etc/shorewall</filename> and modify the
copies.</para> copies.</para>
<para>Note that you must copy <filename <para>Note that you must copy <filename
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename> class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
and /usr/share/doc/shorewall/default-config/modules to <filename and /usr/share/doc/shorewall-common/default-config/modules to <filename
class="directory">/etc/shorewall</filename> even if you do not modify class="directory">/etc/shorewall</filename> even if you do not modify
those files.</para> those files.</para>
</warning></para> </warning></para>
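Review bot: this hunk changes the documented location of the configuration skeletons from /usr/share/doc/shorewall/default-config to /usr/share/doc/shorewall-common/default-config, which is a packaging fact, not a spelling fix; it belongs in its own commit with a message that says so, and should be verified against the installed package layout. The markup is also inconsistent: the shorewall.conf path is wrapped in <filename class="directory"> although it is a file, while the modules path on the next line is bare text; both should be <filename> without class="directory".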
@ -192,7 +192,7 @@ dmz ipv4</programlisting>
assigned to the firewall zone, Shorewall attaches absolutely no meaning to assigned to the firewall zone, Shorewall attaches absolutely no meaning to
zone names. Zones are entirely what YOU make of them. That means that you zone names. Zones are entirely what YOU make of them. That means that you
should not expect Shorewall to do something special <quote>because this is should not expect Shorewall to do something special <quote>because this is
the internet zone</quote> or <quote>because that is the the Internet zone</quote> or <quote>because that is the
DMZ</quote>.</para> DMZ</quote>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
@ -286,11 +286,11 @@ all all REJECT info</programlisting>
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>allow all connection requests from your local network to the <para>allow all connection requests from your local network to the
internet</para> Internet</para>
</listitem> </listitem>
<listitem> <listitem>
<para>drop (ignore) all connection requests from the internet to your <para>drop (ignore) all connection requests from the Internet to your
firewall or local network and log a message at the info level (<ulink firewall or local network and log a message at the info level (<ulink
url="shorewall_logging.html">here is a description of log url="shorewall_logging.html">here is a description of log
levels</ulink>).</para> levels</ulink>).</para>
@ -322,7 +322,7 @@ all all REJECT info</programlisting>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used <para>The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used
to isolate your internet-accessible servers from your local systems so to isolate your Internet-accessible servers from your local systems so
that if one of those servers is compromised, you still have the that if one of those servers is compromised, you still have the
firewall between the compromised system and your local systems.</para> firewall between the compromised system and your local systems.</para>
</listitem> </listitem>
@ -508,7 +508,7 @@ loc eth2 detect</programlisting>
Class C address 192.0.2.14, the network number is hex C00002 and the Class C address 192.0.2.14, the network number is hex C00002 and the
host number is hex 0E.</para> host number is hex 0E.</para>
<para>As the internet grew, it became clear that such a gross <para>As the Internet grew, it became clear that such a gross
partitioning of the 32-bit address space was going to be very limiting partitioning of the 32-bit address space was going to be very limiting
(early on, large corporations and universities were assigned their own (early on, large corporations and universities were assigned their own
class A network!). After some false starts, the current technique of class A network!). After some false starts, the current technique of
@ -1067,7 +1067,7 @@ Destination Gateway Genmask Flgs MSS Win irtt Iface
<para>One more thing needs to be emphasized -- all outgoing packet are <para>One more thing needs to be emphasized -- all outgoing packet are
sent using the routing table and reply packets are not a special case. sent using the routing table and reply packets are not a special case.
There seems to be a common mis-conception whereby people think that There seems to be a common misconception whereby people think that
request packets are like salmon and contain a genetic code that is request packets are like salmon and contain a genetic code that is
magically transferred to reply packets so that the replies follow the magically transferred to reply packets so that the replies follow the
reverse route taken by the request. That isn't the case; the replies may reverse route taken by the request. That isn't the case; the replies may
@ -1132,7 +1132,7 @@ tcpdump: listening on eth2
<para>The leading question marks are a result of my having specified the <para>The leading question marks are a result of my having specified the
<quote>n</quote> option (Windows <quote>arp</quote> doesn't allow that <quote>n</quote> option (Windows <quote>arp</quote> doesn't allow that
option) which causes the <quote>arp</quote> program to forego IP-&gt;DNS option) which causes the <quote>arp</quote> program to forgo IP-&gt;DNS
name translation. Had I not given that option, the question marks would name translation. Had I not given that option, the question marks would
have been replaced with the FQDN corresponding to each IP address. have been replaced with the FQDN corresponding to each IP address.
Notice that the last entry in the table records the information we saw Notice that the last entry in the table records the information we saw
@ -1167,7 +1167,7 @@ tcpdump: listening on eth2
somewhat unfortunate because it leads people to the erroneous conclusion somewhat unfortunate because it leads people to the erroneous conclusion
that traffic destined for one of these addresses can't be sent through a that traffic destined for one of these addresses can't be sent through a
router. This is definitely not true; private routers (including your router. This is definitely not true; private routers (including your
Shorewall-based firewall) can forward RFC 1918 addresed traffic just Shorewall-based firewall) can forward RFC 1918 addressed traffic just
fine.</para> fine.</para>
<para>When selecting addresses from these ranges, there's a couple of <para>When selecting addresses from these ranges, there's a couple of
@ -1349,7 +1349,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
<para>With SNAT, an internal LAN segment is configured using RFC 1918 <para>With SNAT, an internal LAN segment is configured using RFC 1918
addresses. When a host <emphasis role="bold">A</emphasis> on this addresses. When a host <emphasis role="bold">A</emphasis> on this
internal segment initiates a connection to host <emphasis internal segment initiates a connection to host <emphasis
role="bold">B</emphasis> on the internet, the firewall/router rewrites role="bold">B</emphasis> on the Internet, the firewall/router rewrites
the IP header in the request to use one of your public IP addresses as the IP header in the request to use one of your public IP addresses as
the source address. When <emphasis role="bold">B</emphasis> responds the source address. When <emphasis role="bold">B</emphasis> responds
and the response is received by the firewall, the firewall changes the and the response is received by the firewall, the firewall changes the
@ -1359,7 +1359,7 @@ Destination Gateway Genmask Flags MSS Window irtt Iface
<para>Let's suppose that you decide to use SNAT on your local zone and <para>Let's suppose that you decide to use SNAT on your local zone and
use public address 192.0.2.176 as both your firewall's external IP use public address 192.0.2.176 as both your firewall's external IP
address and the source IP address of internet requests sent from that address and the source IP address of Internet requests sent from that
zone.</para> zone.</para>
<graphic align="center" fileref="images/dmz5.png" /> <graphic align="center" fileref="images/dmz5.png" />
@ -1396,16 +1396,16 @@ eth0 192.168.201.0/29 192.0.2.176</programlisting>
<section id="dnat"> <section id="dnat">
<title>DNAT</title> <title>DNAT</title>
<para>When SNAT is used, it is impossible for hosts on the internet to <para>When SNAT is used, it is impossible for hosts on the Internet to
initiate a connection to one of the internal systems since those initiate a connection to one of the internal systems since those
systems do not have a public IP address. DNAT provides a way to allow systems do not have a public IP address. DNAT provides a way to allow
selected connections from the internet.</para> selected connections from the Internet.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>Suppose that your daughter wants to run a web server on her <para>Suppose that your daughter wants to run a web server on her
system <quote>Local 3</quote>. You could allow connections to the system <quote>Local 3</quote>. You could allow connections to the
internet to her server by adding the following entry in Internet to her server by adding the following entry in
<filename><ulink <filename><ulink
url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para> url="manpages/shorewall-rules.html">/etc/shorewall/rules</ulink></filename>:</para>
@ -1489,12 +1489,12 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink> url="ProxyARP.htm"><filename>/etc/shorewall/proxyarp</filename></ulink>
file.</para> file.</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTANT <programlisting>#ADDRESS INTERFACE EXTERNAL HAVE ROUTE PERSISTENT
192.0.2.177 eth2 eth0 No 192.0.2.177 eth2 eth0 No
192.0.2.178 eth2 eth0 No</programlisting> 192.0.2.178 eth2 eth0 No</programlisting>
<para>Because the HAVE ROUTE column contains No, Shorewall will add <para>Because the HAVE ROUTE column contains No, Shorewall will add
host routes thru eth2 to 192.0.2.177 and 192.0.2.178. The ethernet host routes thru eth2 to 192.0.2.177 and 192.0.2.178. The Ethernet
interfaces on DMZ 1 and DMZ 2 should be configured to have the IP interfaces on DMZ 1 and DMZ 2 should be configured to have the IP
addresses shown but should have the same default gateway as the addresses shown but should have the same default gateway as the
firewall itself -- namely 192.0.2.254. In other words, they should be firewall itself -- namely 192.0.2.254. In other words, they should be
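Review bot: the PERSISTANT to PERSISTENT fix lands on the header row of a programlisting that readers copy into /etc/shorewall/proxyarp, so confirm that shorewall-proxyarp(5) and the shipped skeleton file spell that column PERSISTENT too; the row is a comment, so a mismatch is harmless to the parser, but the doc and the installed file should not disagree. In the same paragraph, "host routes thru eth2" survived the spell-check pass; "through" is the consistent choice for the rest of the document.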
@ -1511,7 +1511,7 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
their routers with a long ARP cache timeout. If you move a system from their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it parallel to your firewall to behind your firewall with Proxy ARP, it
will probably be HOURS before that system can communicate with the will probably be HOURS before that system can communicate with the
internet. There are a couple of things that you can try:</para> Internet. There are a couple of things that you can try:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -1630,7 +1630,7 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
their routers with a long ARP cache timeout. If you move a system from their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with one-to-one NAT, parallel to your firewall to behind your firewall with one-to-one NAT,
it will probably be HOURS before that system can communicate with the it will probably be HOURS before that system can communicate with the
internet. There are a couple of things that you can try:</para> Internet. There are a couple of things that you can try:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -1711,7 +1711,7 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>With the default policies described earlier in this document, your <para>With the default policies described earlier in this document, your
local systems (Local 1-3) can access any server on the internet and the local systems (Local 1-3) can access any server on the Internet and the
DMZ can't access any other host (including the firewall). With the DMZ can't access any other host (including the firewall). With the
exception of DNAT rules which cause address translation and allow the exception of DNAT rules which cause address translation and allow the
translated connection request to pass through the firewall, the way to translated connection request to pass through the firewall, the way to
@ -1929,7 +1929,7 @@ options {
max-transfer-time-in 60; max-transfer-time-in 60;
allow-transfer { allow-transfer {
// Servers allowed to request zone tranfers // Servers allowed to request zone transfers
&lt;secondary NS IP&gt;; }; &lt;secondary NS IP&gt;; };
}; };
@ -2078,7 +2078,7 @@ view "external" {
<para>Here are the files in <filename <para>Here are the files in <filename
class="directory">/var/named</filename> (those not shown are usually class="directory">/var/named</filename> (those not shown are usually
included in your bind disbribution).</para> included in your bind distribution).</para>
<para><filename>db.192.0.2.176</filename> - This is the reverse zone for <para><filename>db.192.0.2.176</filename> - This is the reverse zone for
the firewall's external interface</para> the firewall's external interface</para>
@ -2101,7 +2101,7 @@ view "external" {
@ 604800 IN NS &lt;name of secondary ns&gt;. @ 604800 IN NS &lt;name of secondary ns&gt;.
; ;
; ############################################################ ; ############################################################
; Iverse Address Arpa Records (PTR's) ; Inverse Address Arpa Records (PTR's)
; ############################################################ ; ############################################################
176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.</programlisting> 176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.</programlisting>
@ -2125,7 +2125,7 @@ view "external" {
@ 604800 IN NS &lt;name of secondary ns&gt;. @ 604800 IN NS &lt;name of secondary ns&gt;.
; ;
; ############################################################ ; ############################################################
; Iverse Address Arpa Records (PTR's) ; Inverse Address Arpa Records (PTR's)
; ############################################################ ; ############################################################
177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.</programlisting> 177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.</programlisting>
@ -2150,7 +2150,7 @@ view "external" {
@ 604800 IN NS &lt;name of secondary ns&gt;. @ 604800 IN NS &lt;name of secondary ns&gt;.
; ;
; ############################################################ ; ############################################################
; Iverse Address Arpa Records (PTR's) ; Inverse Address Arpa Records (PTR's)
; ############################################################ ; ############################################################
178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.</programlisting> 178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.</programlisting>
@ -2175,7 +2175,7 @@ view "external" {
@ 604800 IN NS &lt;name of secondary ns&gt;. @ 604800 IN NS &lt;name of secondary ns&gt;.
; ;
; ############################################################ ; ############################################################
; Iverse Address Arpa Records (PTR's) ; Inverse Address Arpa Records (PTR's)
; ############################################################ ; ############################################################
179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.</programlisting> 179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.</programlisting>
@ -2198,7 +2198,7 @@ view "external" {
@ 604800 IN NS ns1.foobar.net. @ 604800 IN NS ns1.foobar.net.
; ############################################################ ; ############################################################
; Iverse Address Arpa Records (PTR's) ; Inverse Address Arpa Records (PTR's)
; ############################################################ ; ############################################################
1 86400 IN PTR localhost.foobar.net.</programlisting> 1 86400 IN PTR localhost.foobar.net.</programlisting>
@ -2221,7 +2221,7 @@ view "external" {
; ############################################################ ; ############################################################
@ 604800 IN NS ns1.foobar.net. @ 604800 IN NS ns1.foobar.net.
; ############################################################ ; ############################################################
; Iverse Address Arpa Records (PTR's) ; Inverse Address Arpa Records (PTR's)
; ############################################################ ; ############################################################
1 86400 IN PTR gateway.foobar.net. 1 86400 IN PTR gateway.foobar.net.
2 86400 IN PTR winken.foobar.net. 2 86400 IN PTR winken.foobar.net.
@ -2248,7 +2248,7 @@ view "external" {
@ 604800 IN NS ns1.foobar.net. @ 604800 IN NS ns1.foobar.net.
; ############################################################ ; ############################################################
; Iverse Address Arpa Records (PTR's) ; Inverse Address Arpa Records (PTR's)
; ############################################################ ; ############################################################
1 86400 IN PTR dmz.foobar.net.</programlisting> 1 86400 IN PTR dmz.foobar.net.</programlisting>
@ -2416,7 +2416,7 @@ foobar.net. 86400 IN A 192.0.2.177
firewall when it is stopped.</para> firewall when it is stopped.</para>
<caution> <caution>
<para>If you are connected to your firewall from the internet, do not <para>If you are connected to your firewall from the Internet, do not
issue a <quote>shorewall stop</quote> command unless you have added an issue a <quote>shorewall stop</quote> command unless you have added an
entry for the IP address that you are connected from to <filename><ulink entry for the IP address that you are connected from to <filename><ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>. url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink></filename>.

View File

@ -201,7 +201,7 @@
class="directory">/etc/shorewall</filename> directory is empty. This is class="directory">/etc/shorewall</filename> directory is empty. This is
intentional. The released configuration file skeletons may be found on intentional. The released configuration file skeletons may be found on
your system in the directory <filename your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>. class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Simply copy the files you need from that directory to <filename Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the class="directory">/etc/shorewall</filename> and modify the
copies.</para> copies.</para>
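Review bot: this hunk changes a documented path (/usr/share/doc/shorewall/default-config to /usr/share/doc/shorewall-common/default-config) rather than correcting a misspelling, so it is a functional documentation fix and should be applied consistently: grep the rest of this file and the translated copies for any remaining /usr/share/doc/shorewall/ references so the page does not send readers to two different directories for the same skeleton files.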
@ -262,11 +262,11 @@ net ipv4</programlisting>
<filename><filename>/etc/shorewall/rules</filename></filename> file. If no <filename><filename>/etc/shorewall/rules</filename></filename> file. If no
rule in that file matches the connection request then the first policy in rule in that file matches the connection request then the first policy in
<filename>/etc/shorewall/policy</filename> that matches the request is <filename>/etc/shorewall/policy</filename> that matches the request is
applied. If there is a <ulink url="shorewall_extension_scripts.htm">comon applied. If there is a <ulink url="shorewall_extension_scripts.htm">common
action</ulink> defined for the policy in action</ulink> defined for the policy in
<filename>/etc/shorewall/actions</filename> or <filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is <filename>/usr/share/shorewall/actions.std</filename> then that action is
peformed before the policy is applied. The purpose of the common action is performed before the policy is applied. The purpose of the common action is
two-fold:</para> two-fold:</para>
<itemizedlist> <itemizedlist>
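Review bot: the context line `<filename><filename>/etc/shorewall/rules</filename></filename>` nests two filename elements around a single path, which double-styles it in the rendered output; since this paragraph is already being touched, collapse it to one `<filename>` element.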
@ -295,11 +295,11 @@ all all REJECT info</programlisting>
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>allow all connection requests from the firewall to the <para>allow all connection requests from the firewall to the
internet</para> Internet</para>
</listitem> </listitem>
<listitem> <listitem>
<para>drop (ignore) all connection requests from the internet to your <para>drop (ignore) all connection requests from the Internet to your
firewall</para> firewall</para>
</listitem> </listitem>
@ -310,9 +310,9 @@ all all REJECT info</programlisting>
</orderedlist> </orderedlist>
<para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the <para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the
last two policies indicates that packets droped or rejected under those last two policies indicates that packets dropped or rejected under those
policies should be <ulink url="shorewall_logging.html">logged at that policies should be <ulink url="shorewall_logging.html">logged at that
leve</ulink>l.</para> level</ulink>.</para>
<para>At this point, edit your <filename>/etc/shorewall/policy</filename> <para>At this point, edit your <filename>/etc/shorewall/policy</filename>
and make any changes that you wish.</para> and make any changes that you wish.</para>
@ -324,7 +324,7 @@ all all REJECT info</programlisting>
<para>The firewall has a single network interface. Where Internet <para>The firewall has a single network interface. Where Internet
connectivity is through a cable or <acronym>DSL</acronym> connectivity is through a cable or <acronym>DSL</acronym>
<quote>Modem</quote>, the <emphasis>External Interface</emphasis> will be <quote>Modem</quote>, the <emphasis>External Interface</emphasis> will be
the ethernet adapter (<filename class="devicefile">eth0</filename>) that the Ethernet adapter (<filename class="devicefile">eth0</filename>) that
is connected to that <quote>Modem</quote> <emphasis is connected to that <quote>Modem</quote> <emphasis
role="underline">unless</emphasis> you connect via role="underline">unless</emphasis> you connect via
<emphasis>Point-to-Point Protocol over Ethernet</emphasis> <emphasis>Point-to-Point Protocol over Ethernet</emphasis>
@ -412,7 +412,7 @@ root@lists:~# </programlisting>
<acronym>ISP</acronym>s are assigning these addresses then using <acronym>ISP</acronym>s are assigning these addresses then using
<emphasis>Network Address Translation</emphasis> <emphasis>- <emphasis>Network Address Translation</emphasis> <emphasis>-
</emphasis><acronym>NAT</acronym>) to rewrite packet headers when </emphasis><acronym>NAT</acronym>) to rewrite packet headers when
forwarding to/from the internet.</para> forwarding to/from the Internet.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
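Review bot: the context lines wrap a lone hyphen in its own element, `<emphasis>- </emphasis>`, which renders as an italic dash between "Network Address Translation" and the NAT acronym; fold the hyphen into the preceding `<emphasis>` or drop the markup around it, and check that the closing parenthesis after `<acronym>NAT</acronym>` has its matching opening parenthesis in the line above the hunk.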
@ -453,7 +453,7 @@ root@lists:~# </programlisting>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><command>shorewall show log</command> (Displays the last 20 <para><command>shorewall show log</command> (Displays the last 20
netfilter log messages)</para> Netfilter log messages)</para>
</listitem> </listitem>
<listitem> <listitem>
@ -476,12 +476,12 @@ root@lists:~# </programlisting>
<para>Most commonly, Netfilter messages are logged to <para>Most commonly, Netfilter messages are logged to
<filename>/var/log/messages</filename>. Recent <filename>/var/log/messages</filename>. Recent
<trademark>SuSE/OpenSuSE</trademark> releases come preconfigured with <trademark>SuSE/OpenSuSE</trademark> releases come preconfigured with
syslog-ng and log netfilter messages to syslog-ng and log Netfilter messages to
<filename>/var/log/firewall</filename>.</para> <filename>/var/log/firewall</filename>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>If you are running a distribution that logs netfilter messages to a <para>If you are running a distribution that logs Netfilter messages to a
log other than <filename>/var/log/messages</filename>, then modify the log other than <filename>/var/log/messages</filename>, then modify the
LOGFILE setting in <filename>/etc/shorewall/shorewall.conf</filename> to LOGFILE setting in <filename>/etc/shorewall/shorewall.conf</filename> to
specify the name of your log.</para> specify the name of your log.</para>
@ -501,7 +501,7 @@ root@lists:~# </programlisting>
in your version of Shorewall using the command <command>ls in your version of Shorewall using the command <command>ls
<filename>/usr/share/shorewall/macro.*</filename></command>.</para> <filename>/usr/share/shorewall/macro.*</filename></command>.</para>
<para>If you wish to enable connections from the internet to your firewall <para>If you wish to enable connections from the Internet to your firewall
and you find an appropriate macro in and you find an appropriate macro in
<filename>/etc/shorewall/macro.*</filename>, the general format of a rule <filename>/etc/shorewall/macro.*</filename>, the general format of a rule
in <filename>/etc/shorewall/rules</filename> is:</para> in <filename>/etc/shorewall/rules</filename> is:</para>
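Review bot: the paragraph first tells the reader to list the available macros with `ls /usr/share/shorewall/macro.*` and then, in this hunk, to look for an appropriate macro in `/etc/shorewall/macro.*`; the two paths should agree. The shipped macros are where the `ls` command looks, so the second reference looks like a typo that the spell checker cannot catch.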
@ -544,9 +544,9 @@ ACCEPT net $FW tcp 143</programlisting></para>
uses, see <ulink url="ports.htm">here</ulink>.</para> uses, see <ulink url="ports.htm">here</ulink>.</para>
<important> <important>
<para>I don't recommend enabling telnet to/from the internet because it <para>I don't recommend enabling telnet to/from the Internet because it
uses clear text (even for login!). If you want shell access to your uses clear text (even for login!). If you want shell access to your
firewall from the internet, use <acronym>SSH</acronym>:</para> firewall from the Internet, use <acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
SSH/ACCEPT net $FW </programlisting> SSH/ACCEPT net $FW </programlisting>
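Review bot: the recommendation to use SSH instead of telnet is paired with `SSH/ACCEPT net $FW`, which accepts SSH from the entire net zone. Since the point of the note is to make remote shell access safer, the example would be stronger if it narrowed SOURCE to the address or network you administer from, the same address the routestopped warning later in this file assumes you know, and mentioned the unrestricted form only as a fallback.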
@ -594,7 +594,7 @@ SSH/ACCEPT net $FW </programlisting>
<quote><command>shorewall clear</command></quote>.</para> <quote><command>shorewall clear</command></quote>.</para>
<warning> <warning>
<para>If you are connected to your firewall from the internet, do not <para>If you are connected to your firewall from the Internet, do not
issue a <quote><command>shorewall stop</command></quote> command unless issue a <quote><command>shorewall stop</command></quote> command unless
you have added an entry for the IP address that you are connected from you have added an entry for the IP address that you are connected from
to <ulink to <ulink
@ -641,4 +641,4 @@ SSH/ACCEPT net $FW </programlisting>
page</ulink> -- it contains helpful tips about Shorewall features than page</ulink> -- it contains helpful tips about Shorewall features than
make administering your firewall easier.</para> make administering your firewall easier.</para>
</section> </section>
</article> </article>
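Review bot: the context line "helpful tips about Shorewall features than make administering your firewall easier" still reads "than" where "that" is meant; a spell checker will not flag it because "than" is a real word, so fix it by hand in this pass.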

View File

@ -169,15 +169,15 @@
директория <filename class="directory">/etc/shorewall</filename> директория <filename class="directory">/etc/shorewall</filename>
пуста. Это сделано специально. Поставляемые шаблоны файлов пуста. Это сделано специально. Поставляемые шаблоны файлов
конфигурации Вы найдете на вашей системе в директории <filename конфигурации Вы найдете на вашей системе в директории <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>. class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Просто скопируйте нужные Вам файлы из этой директории в <filename Просто скопируйте нужные Вам файлы из этой директории в <filename
class="directory">/etc/shorewall</filename> и отредактируйте class="directory">/etc/shorewall</filename> и отредактируйте
копии.</para> копии.</para>
<para>Заметьте, что Вы должны скопировать <filename <para>Заметьте, что Вы должны скопировать <filename
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename> class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
и <filename и <filename
class="directory">/usr/share/doc/shorewall/default-config/modules</filename> class="directory">/usr/share/doc/shorewall-common/default-config/modules</filename>
в <filename class="directory">/etc/shorewall</filename> даже если Вы в <filename class="directory">/etc/shorewall</filename> даже если Вы
не будете изменять эти файлы.</para> не будете изменять эти файлы.</para>
</warning><inlinegraphic fileref="images/BD21298_.gif" </warning><inlinegraphic fileref="images/BD21298_.gif"
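Review bot: the three path changes in this translated page (default-config, shorewall.conf and modules all moving under /usr/share/doc/shorewall-common/) are functional corrections rather than spelling fixes. Verify that the English page this translates carries the same warning that shorewall.conf and modules must be copied into /etc/shorewall even when they are not modified, so the two language versions do not drift, and grep this file for any remaining /usr/share/doc/shorewall/ occurrences that were not in the spell checker's path.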
@ -215,7 +215,7 @@
<listitem> <listitem>
<para>Если же Вы пользовались пакетом .deb, примеры находятся в <para>Если же Вы пользовались пакетом .deb, примеры находятся в
директории <filename директории <filename
class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>.</para> class="directory">/usr/share/doc/shorewall-common/examples/one-interface</filename>.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>

View File

@ -148,7 +148,7 @@
<important> <important>
<para>The <command>shorewall stop</command> command does not remove <para>The <command>shorewall stop</command> command does not remove
all netfilter rules and open your firewall for all traffic to pass. all Netfilter rules and open your firewall for all traffic to pass.
It rather places your firewall in a safe state defined by the It rather places your firewall in a safe state defined by the
contents of your <ulink contents of your <ulink
url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink> url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
@ -179,7 +179,7 @@
<para>Because of the different requirements of distribution packaging <para>Because of the different requirements of distribution packaging
systems, the behavior of <filename>/etc/init.d/shorewall</filename> and systems, the behavior of <filename>/etc/init.d/shorewall</filename> and
<filename>/etc/init.d/shorewall-lite</filename> is not consistent between <filename>/etc/init.d/shorewall-lite</filename> is not consistent between
distributions. As an example, when using the distributon Shorewall distributions. As an example, when using the distribution Shorewall
packages on <trademark>Debian</trademark> and packages on <trademark>Debian</trademark> and
<trademark>Ubuntu</trademark> systems, running <trademark>Ubuntu</trademark> systems, running
<command>/etc/init.d/shorewall stop</command> will actually execute the <command>/etc/init.d/shorewall stop</command> will actually execute the
@ -617,7 +617,7 @@
<section id="State"> <section id="State">
<title>Shorewall State Diagram</title> <title>Shorewall State Diagram</title>
<para>The Shorewall State Diargram is depicted below.</para> <para>The Shorewall State Diagram is depicted below.</para>
<para><graphic align="center" fileref="images/State_Diagram.png" /></para> <para><graphic align="center" fileref="images/State_Diagram.png" /></para>

View File

@ -274,9 +274,9 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
<para>If Shorewall is starting successfully and your problem is that <para>If Shorewall is starting successfully and your problem is that
some set of <emphasis role="bold">connections</emphasis> to/from or some set of <emphasis role="bold">connections</emphasis> to/from or
through your firewall <emphasis role="bold">isn't working</emphasis> through your firewall <emphasis role="bold">isn't working</emphasis>
(examples: local systems can't access the internet, you can't send (examples: local systems can't access the Internet, you can't send
email through the firewall, you can't surf the web from the firewall, email through the firewall, you can't surf the web from the firewall,
connections that you are certain should be rejected are mysterously connections that you are certain should be rejected are mysteriously
accepted, etc.) or <emphasis role="bold">you are having problems with accepted, etc.) or <emphasis role="bold">you are having problems with
traffic shaping</emphasis> then please perform the following six traffic shaping</emphasis> then please perform the following six
steps:</para> steps:</para>
@ -313,7 +313,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
<listitem> <listitem>
<para>Otherwise:</para> <para>Otherwise:</para>
<para>Shorewall is starting successfuly and you have <emphasis <para>Shorewall is starting successfully and you have <emphasis
role="bold">no connection problems</emphasis> and you have <emphasis role="bold">no connection problems</emphasis> and you have <emphasis
role="bold">no traffic shaping problems</emphasis>. Your problem is role="bold">no traffic shaping problems</emphasis>. Your problem is
with performance, logging, etc. Please include the following:</para> with performance, logging, etc. Please include the following:</para>
@ -409,7 +409,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>The author gratefully acknowleges that the above list was <para>The author gratefully acknowledges that the above list was
heavily plagiarized from the excellent LEAF document by <emphasis>Ray heavily plagiarized from the excellent LEAF document by <emphasis>Ray
Olszewski</emphasis> found <ulink Olszewski</emphasis> found <ulink
url="http://leaf-project.org/index.php?module=pagemaster&amp;PAGE_user_op=view_page&amp;PAGE_id=6&amp;MMN_position=21:21">here</ulink>.</para> url="http://leaf-project.org/index.php?module=pagemaster&amp;PAGE_user_op=view_page&amp;PAGE_id=6&amp;MMN_position=21:21">here</ulink>.</para>

View File

@ -76,7 +76,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para>DMZ connected to a separate ethernet interface. The purpose of a <para>DMZ connected to a separate Ethernet interface. The purpose of a
DMZ is to isolate those servers that are exposed to the Internet from DMZ is to isolate those servers that are exposed to the Internet from
your local systems so that if one of those servers is compromised your local systems so that if one of those servers is compromised
there is still a firewall between the hacked server and your local there is still a firewall between the hacked server and your local
@ -185,7 +185,7 @@
class="directory">/etc/shorewall</filename> directory is empty. This class="directory">/etc/shorewall</filename> directory is empty. This
is intentional. The released configuration file skeletons may be found is intentional. The released configuration file skeletons may be found
on your system in the directory <filename on your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>. class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Simply copy the files you need from that directory to <filename Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the class="directory">/etc/shorewall</filename> and modify the
copies.</para> copies.</para>
@ -286,10 +286,10 @@ dmz ipv4</programlisting>Zone names are defined in
If no rule in that file matches the connection request then the first If no rule in that file matches the connection request then the first
policy in <filename>/etc/shorewall/policy</filename> that matches the policy in <filename>/etc/shorewall/policy</filename> that matches the
request is applied. If there is a <ulink request is applied. If there is a <ulink
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the url="shorewall_extension_scripts.htm">common action</ulink> defined for the
policy in <filename>/etc/shorewall/actions</filename> or policy in <filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is <filename>/usr/share/shorewall/actions.std</filename> then that action is
peformed before the action is applied. The purpose of the common action is performed before the action is applied. The purpose of the common action is
two-fold:</para> two-fold:</para>
<itemizedlist> <itemizedlist>
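Review bot: after the spelling fix this sentence reads "that action is performed before the action is applied", which is circular; the one-interface version of the same paragraph says "performed before the policy is applied", and that is the intended meaning here too (the common action runs, then the policy is applied). Change "before the action is applied" to "before the policy is applied" while the line is being edited.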
@ -316,7 +316,7 @@ all all REJECT info</programlisting>
<important> <important>
<para>In the three-interface sample, the line below is included but <para>In the three-interface sample, the line below is included but
commented out. If you want your firewall system to have full access to commented out. If you want your firewall system to have full access to
servers on the internet, uncomment that line.</para> servers on the Internet, uncomment that line.</para>
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT</programlisting> $FW net ACCEPT</programlisting>
@ -327,17 +327,17 @@ $FW net ACCEPT</programlisting>
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>allow all connection requests from your local network to the <para>allow all connection requests from your local network to the
internet</para> Internet</para>
</listitem> </listitem>
<listitem> <listitem>
<para>drop (ignore) all connection requests from the internet to your <para>drop (ignore) all connection requests from the Internet to your
firewall or local network</para> firewall or local network</para>
</listitem> </listitem>
<listitem> <listitem>
<para>optionally accept all connection requests from the firewall to <para>optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</para> the Internet (if you uncomment the additional policy)</para>
</listitem> </listitem>
<listitem> <listitem>
@ -346,9 +346,9 @@ $FW net ACCEPT</programlisting>
</orderedlist> </orderedlist>
<para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the <para>The word <firstterm>info</firstterm> in the LOG LEVEL column for the
DROP and REJECT policies indicates that packets droped or rejected under DROP and REJECT policies indicates that packets dropped or rejected under
those policies should be <ulink url="shorewall_logging.html">logged at those policies should be <ulink url="shorewall_logging.html">logged at
that leve</ulink>l.</para> that level</ulink>.</para>
<para>It is important to note that Shorewall policies (and rules) refer to <para>It is important to note that Shorewall policies (and rules) refer to
<emphasis role="bold">connections</emphasis> and not packet flow. With the <emphasis role="bold">connections</emphasis> and not packet flow. With the
@ -379,7 +379,7 @@ $FW net ACCEPT</programlisting>
<para>The firewall has three network interfaces. Where Internet <para>The firewall has three network interfaces. Where Internet
connectivity is through a cable or DSL <quote>Modem</quote>, the External connectivity is through a cable or DSL <quote>Modem</quote>, the External
Interface will be the ethernet adapter that is connected to that Interface will be the Ethernet adapter that is connected to that
<quote>Modem</quote> (e.g., <filename class="devicefile">eth0</filename>) <quote>Modem</quote> (e.g., <filename class="devicefile">eth0</filename>)
unless you connect via <emphasis>Point-to-Point Protocol</emphasis> over unless you connect via <emphasis>Point-to-Point Protocol</emphasis> over
Ethernet (PPPoE) or <emphasis>Point-to-Point Tunneling Protocol</emphasis> Ethernet (PPPoE) or <emphasis>Point-to-Point Tunneling Protocol</emphasis>
@ -424,7 +424,7 @@ root@lists:~# </programlisting>
<varname>CLAMPMSS=yes</varname> in <varname>CLAMPMSS=yes</varname> in
<filename>/etc/shorewall/shorewall.conf</filename>.</emphasis></para> <filename>/etc/shorewall/shorewall.conf</filename>.</emphasis></para>
<para>Your Local Interface will be an ethernet adapter (<filename <para>Your Local Interface will be an Ethernet adapter (<filename
class="devicefile">eth0</filename>, <filename class="devicefile">eth0</filename>, <filename
class="devicefile">eth1</filename> or <filename class="devicefile">eth1</filename> or <filename
class="devicefile">eth2</filename>) and will be connected to a hub or class="devicefile">eth2</filename>) and will be connected to a hub or
@ -432,7 +432,7 @@ root@lists:~# </programlisting>
If you have only a single local system, you can connect the firewall If you have only a single local system, you can connect the firewall
directly to the computer using a cross-over cable).</para> directly to the computer using a cross-over cable).</para>
<para>Your DMZ Interface will also be an ethernet adapter (<filename <para>Your DMZ Interface will also be an Ethernet adapter (<filename
class="devicefile">eth0</filename>, <filename class="devicefile">eth0</filename>, <filename
class="devicefile">eth1</filename> or <filename class="devicefile">eth1</filename> or <filename
class="devicefile">eth2</filename>) and will be connected to a hub or class="devicefile">eth2</filename>) and will be connected to a hub or
@ -604,7 +604,7 @@ root@lists:~# </programlisting>
Routing</quote>, Thomas A. Maufer, Prentice-Hall, 1999, ISBN Routing</quote>, Thomas A. Maufer, Prentice-Hall, 1999, ISBN
0-13-975483-0.</para> 0-13-975483-0.</para>
<para>The remainder of this quide will assume that you have configured <para>The remainder of this guide will assume that you have configured
your network as shown here:</para> your network as shown here:</para>
<figure id="Figure3"> <figure id="Figure3">
@ -641,14 +641,14 @@ root@lists:~# </programlisting>
<para>The addresses reserved by RFC 1918 are sometimes referred to as <para>The addresses reserved by RFC 1918 are sometimes referred to as
non-routable because the Internet backbone routers don't forward packets non-routable because the Internet backbone routers don't forward packets
which have an RFC-1918 destination address. When one of your local systems which have an RFC-1918 destination address. When one of your local systems
(let's assume local computer 1) sends a connection request to an internet (let's assume local computer 1) sends a connection request to an Internet
host, the firewall must perform Network Address Translation (NAT). The host, the firewall must perform Network Address Translation (NAT). The
firewall rewrites the source address in the packet to be the address of firewall rewrites the source address in the packet to be the address of
the firewall's external interface; in other words, the firewall makes it the firewall's external interface; in other words, the firewall makes it
look as if the firewall itself is initiating the connection. This is look as if the firewall itself is initiating the connection. This is
necessary so that the destination host will be able to route return necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed accross the internet). address is reserved by RFC 1918 can't be routed across the Internet).
When the firewall receives a return packet, it rewrites the destination When the firewall receives a return packet, it rewrites the destination
address back to 10.10.10.1 and forwards the packet on to local computer address back to 10.10.10.1 and forwards the packet on to local computer
1.</para> 1.</para>
@ -736,7 +736,7 @@ DNAT net dmz:<emphasis>&lt;server local IP address&gt;</emphasis>[:<e
<important> <important>
<para>Be sure to add your rules after the line that reads <emphasis <para>Be sure to add your rules after the line that reads <emphasis
role="bold">SECTON NEW.</emphasis></para> role="bold">SECTION NEW.</emphasis></para>
</important> </important>
<example id="Example1"> <example id="Example1">
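Review bot: in the corrected `<important>` paragraph the terminating period still sits inside the bold span (`<emphasis role="bold">SECTION NEW.</emphasis>`), so the period renders in bold along with the keyword; move it outside the element: `<emphasis role="bold">SECTION NEW</emphasis>.`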
@ -975,7 +975,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><command>shorewall show log</command> (Displays the last 20 <para><command>shorewall show log</command> (Displays the last 20
netfilter log messages)</para> Netfilter log messages)</para>
</listitem> </listitem>
<listitem> <listitem>

View File

@ -185,15 +185,15 @@
директория <filename class="directory">/etc/shorewall</filename> директория <filename class="directory">/etc/shorewall</filename>
пуста. Это сделано специально. Поставляемые шаблоны файлов пуста. Это сделано специально. Поставляемые шаблоны файлов
конфигурации Вы найдете на вашей системе в директории <filename конфигурации Вы найдете на вашей системе в директории <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>. class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Просто скопируйте нужные Вам файлы из этой директории в <filename Просто скопируйте нужные Вам файлы из этой директории в <filename
class="directory">/etc/shorewall</filename> и отредактируйте class="directory">/etc/shorewall</filename> и отредактируйте
копии.</para> копии.</para>
<para>Заметьте, что Вы должны скопировать <filename <para>Заметьте, что Вы должны скопировать <filename
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename> class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
и <filename и <filename
class="directory">/usr/share/doc/shorewall/default-config/modules</filename> class="directory">/usr/share/doc/shorewall-common/default-config/modules</filename>
в <filename class="directory">/etc/shorewall</filename> даже если Вы в <filename class="directory">/etc/shorewall</filename> даже если Вы
не будете изменять эти файлы.</para> не будете изменять эти файлы.</para>
</warning><inlinegraphic fileref="images/BD21298_.gif" </warning><inlinegraphic fileref="images/BD21298_.gif"
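Review bot: the two repointed paths near the end of this hunk (`.../shorewall-common/default-config/shorewall.conf` and `.../shorewall-common/default-config/modules`) are regular files, yet both keep `<filename class="directory">`; since the class is being touched anyway, drop it and use plain `<filename>` for these two, keeping `class="directory"` only on the `default-config` directory reference earlier in the hunk. The package rename to shorewall-common itself matches the same change made in the English installation document in this commit.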
@ -233,7 +233,7 @@
<listitem> <listitem>
<para>Если же Вы пользовались пакетом .deb, примеры находятся в <para>Если же Вы пользовались пакетом .deb, примеры находятся в
директории<filename директории<filename
class="directory">/usr/share/doc/shorewall/examples/three-interface</filename>.</para> class="directory">/usr/share/doc/shorewall-common/examples/three-interface</filename>.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
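Review bot: the unchanged context line immediately before the repointed path reads `директории<filename`, with no space between the word and the element, so the rendered text runs "директории/usr/share/doc/shorewall-common/examples/three-interface" together; add a space before `<filename` while this hunk is being edited.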

View File

@ -48,7 +48,7 @@
<important> <important>
<para>Traffic shaping is complex and the Shorewall community is not well <para>Traffic shaping is complex and the Shorewall community is not well
equiped to answer traffic shaping questions. So if you are the type of equipped to answer traffic shaping questions. So if you are the type of
person who needs "insert tab A into slot B" instructions for everything person who needs "insert tab A into slot B" instructions for everything
that you do, then please don't try to implement traffic shaping using that you do, then please don't try to implement traffic shaping using
Shorewall. You will just frustrate yourself and we won't be able to help Shorewall. You will just frustrate yourself and we won't be able to help
@ -92,7 +92,7 @@
traffic shaping and control. Before this version, the support was quite traffic shaping and control. Before this version, the support was quite
limited. You were able to use your own tcstart script (and you still are), limited. You were able to use your own tcstart script (and you still are),
but besides the tcrules file it was not possible to define classes or but besides the tcrules file it was not possible to define classes or
queueing discplines inside the Shorewall config files.</para> queuing disciplines inside the Shorewall config files.</para>
<para>The support for traffic shaping and control still does not cover all <para>The support for traffic shaping and control still does not cover all
options available (and especially all algorithms that can be used to queue options available (and especially all algorithms that can be used to queue
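Review bot: "queueing disciplines" was not a misspelling; "queueing" and "queuing" are both accepted spellings of the word, and this commit normalises the file to "queuing" in several hunks. That is fine as a house style, but it should then be applied consistently across the rest of the documentation (and the man pages that describe tcdevices/tcclasses), otherwise a reader searching for either form will miss half the hits.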
@ -108,7 +108,7 @@
<title>Linux traffic shaping and control</title> <title>Linux traffic shaping and control</title>
<para>This section gives a brief introduction of how controlling traffic <para>This section gives a brief introduction of how controlling traffic
with the linux kernel works. Although this might be enough for configuring with the Linux kernel works. Although this might be enough for configuring
it in the Shorewall configuration files, we strongly recommend that you it in the Shorewall configuration files, we strongly recommend that you
take a deeper look into the <ulink url="http://lartc.org/howto/">Linux take a deeper look into the <ulink url="http://lartc.org/howto/">Linux
Advanced Routing and Shaping HOWTO</ulink>. At the time of writing this, Advanced Routing and Shaping HOWTO</ulink>. At the time of writing this,
@ -119,7 +119,7 @@
traffic before it leaves an interface. The standard one is called pfifo traffic before it leaves an interface. The standard one is called pfifo
and is (as the name suggests) of the type First In First out. This means, and is (as the name suggests) of the type First In First out. This means,
that it does not shape anything, if you have a connection that eats up all that it does not shape anything, if you have a connection that eats up all
your bandwidth, this qeueing algorithm will not stop it from doing your bandwidth, this queuing algorithm will not stop it from doing
so.</para> so.</para>
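Review bot: beyond the "qeueing" fix, the unchanged context in this hunk is a comma splice: "This means, that it does not shape anything, if you have a connection that eats up all your bandwidth, this queuing algorithm will not stop it from doing so." Suggest splitting it: "This means that it does not shape anything: if you have a connection that eats up all your bandwidth, this queuing algorithm will not stop it from doing so." While here, "First In First out" should be "First In, First Out" (or "FIFO").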
<para>For Shorewall traffic shaping we use two algorithms, one is called <para>For Shorewall traffic shaping we use two algorithms, one is called
@ -127,9 +127,9 @@
is easy to explain: it just tries to track your connections (tcp or udp is easy to explain: it just tries to track your connections (tcp or udp
streams) and balances the traffic between them. This normally works well. streams) and balances the traffic between them. This normally works well.
HTB allows you to define a set of classes, and you can put the traffic you HTB allows you to define a set of classes, and you can put the traffic you
want into these classes. You can define minimum and maximum bandwitdh want into these classes. You can define minimum and maximum bandwidth
settings for those classes and order them hierachically (the less settings for those classes and order them hierarchically (the less
priorized classes only get bandwitdth if the more important have what they prioritized classes only get bandwidth if the more important have what they
need). Shorewall builtin traffic shaping allows you to define these need). Shorewall builtin traffic shaping allows you to define these
classes (and their bandwidth limits), and it uses SFQ inside these classes classes (and their bandwidth limits), and it uses SFQ inside these classes
to make sure, that different data streams are handled equally.</para> to make sure, that different data streams are handled equally.</para>
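Review bot: two small style points remain in the context lines of this hunk after the "bandwidth"/"hierarchically"/"prioritized" fixes: "Shorewall builtin traffic shaping" should read "Shorewall's built-in traffic shaping", and "to make sure, that different data streams" has a stray comma before "that".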
@ -148,7 +148,7 @@
outgoing interface as fast as possible.</para> outgoing interface as fast as possible.</para>
<para>There is one exception, though. Limiting incoming traffic to a <para>There is one exception, though. Limiting incoming traffic to a
value a bit slower than your actual line speed will avoid queueing on value a bit slower than your actual line speed will avoid queuing on
the other end of that connection. This is mostly useful if you don't the other end of that connection. This is mostly useful if you don't
have access to traffic control on the other side and if this other have access to traffic control on the other side and if this other
side has a faster network connection than you do (the line speed side has a faster network connection than you do (the line speed
@ -160,16 +160,16 @@
has not (but the protocol over UDP might recognize it , if there is has not (but the protocol over UDP might recognize it , if there is
any).</para> any).</para>
<para>The reason why queing is bad in these cases is, that you might <para>The reason why queuing is bad in these cases is, that you might
have packets which need to be priorized over others, e.g. VoIP or ssh. have packets which need to be prioritized over others, e.g. VoIP or ssh.
For this type of connections it is important that packets arrive in a For this type of connections it is important that packets arrive in a
certain amount of time. For others like http downloads, it does not certain amount of time. For others like HTTP downloads, it does not
really matter if it takes a few seconds more.</para> really matter if it takes a few seconds more.</para>
<para>If you have a large queue on the other side and the router there <para>If you have a large queue on the other side and the router there
does not care about QoS or the QoS bits are not set properly, your does not care about QoS or the QoS bits are not set properly, your
important packets will go into the same queue as your less important packets will go into the same queue as your less
timecritical download packets which will result in a large time critical download packets which will result in a large
delay.</para> delay.</para>
</blockquote></para> </blockquote></para>
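Review bot: the replacement "time critical download packets" needs a hyphen, since "time-critical" is a compound modifier before "download packets"; "timecritical" was wrong, but "time critical" is not the usual fix. In the same hunk, "ssh" should be "SSH" for consistency with the "HTTP" capitalisation introduced two lines later, and "For this type of connections" should be "For this type of connection".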
@ -211,7 +211,7 @@
<para>RATE - The minimum bandwidth this class should get, when the <para>RATE - The minimum bandwidth this class should get, when the
traffic load rises. Classes with a higher priority (lower PRIORITY traffic load rises. Classes with a higher priority (lower PRIORITY
value) are served even if there are others that have a guaranteed value) are served even if there are others that have a guaranteed
bandwith but have a lower priority (higher PRIORITY value).</para> bandwidth but have a lower priority (higher PRIORITY value).</para>
</listitem> </listitem>
<listitem> <listitem>
@ -338,7 +338,7 @@
the facility. Again, please see the links at top of this article.</para> the facility. Again, please see the links at top of this article.</para>
<para>For defining bandwidths (for either devices or classes) please use <para>For defining bandwidths (for either devices or classes) please use
kbit or kbps(for Kilobytes per second) and make sure there is <emphasis kbit or kbps (for Kilobytes per second) and make sure there is <emphasis
role="bold">NO</emphasis> space between the number and the unit (it is role="bold">NO</emphasis> space between the number and the unit (it is
100kbit <emphasis role="bold">not</emphasis> 100 kbit). Using mbit, mbps 100kbit <emphasis role="bold">not</emphasis> 100 kbit). Using mbit, mbps
or a raw number (which means bytes) could be used, but note that only or a raw number (which means bytes) could be used, but note that only
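Review bot: adding the space in "kbps (for Kilobytes per second)" leaves the sentence ambiguous, because the parenthetical now reads as though it glosses both "kbit" and "kbps". The page itself defines kbps as kilobytes per second, and kbit is by name kilobits per second, a factor of eight apart, so each unit should be glossed separately: "kbit (for kilobits per second) or kbps (for kilobytes per second)". The following sentence, "Using mbit, mbps or a raw number (which means bytes) could be used", is also ungrammatical; suggest "mbit, mbps or a raw number (which means bytes) can also be used".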
@ -414,7 +414,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para>OUT-BANDWIDTH - Specifiy the outgoing bandwidth of that <para>OUT-BANDWIDTH - Specify the outgoing bandwidth of that
interface. This is the maximum speed your connection can handle. It interface. This is the maximum speed your connection can handle. It
is also the speed you can refer as "full" if you define the tc is also the speed you can refer as "full" if you define the tc
classes. Outgoing traffic above this rate will be dropped.</para> classes. Outgoing traffic above this rate will be dropped.</para>
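Review bot: besides the "Specifiy" fix, the context line "It is also the speed you can refer as "full"" is missing "to": it should read "the speed you can refer to as "full" when you define the tc classes".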
@ -488,7 +488,7 @@ ppp0 6000kbit 500kbit</programlisting>
<listitem> <listitem>
<para>MARK - The mark value which is an integer in the range 1-255. <para>MARK - The mark value which is an integer in the range 1-255.
You define these marks in the tcrules file, marking the traffic you You define these marks in the tcrules file, marking the traffic you
want to go into the queueing classes defined in here. You can use want to go into the queuing classes defined in here. You can use
the same marks for different Interfaces. You must specify "-' in the same marks for different Interfaces. You must specify "-' in
this column if the device specified in the INTERFACE column has the this column if the device specified in the INTERFACE column has the
<emphasis role="bold">classify</emphasis> option in <emphasis role="bold">classify</emphasis> option in
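Review bot: the unchanged context line `You must specify "-' in` mixes a double and a single quote around the dash; it should be `"-"` as in the LENGTH description later in the same file. "Interfaces" mid-sentence in "the same marks for different Interfaces" should be lowercase.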
@ -499,7 +499,7 @@ ppp0 6000kbit 500kbit</programlisting>
<para>RATE - The minimum bandwidth this class should get, when the <para>RATE - The minimum bandwidth this class should get, when the
traffic load rises. Please note that first the classes which equal traffic load rises. Please note that first the classes which equal
or a lesser priority value are served even if there are others that or a lesser priority value are served even if there are others that
have a guaranteed bandwith but a lower priority. <emphasis have a guaranteed bandwidth but a lower priority. <emphasis
role="bold">If the sum of the RATEs for all classes assigned to an role="bold">If the sum of the RATEs for all classes assigned to an
INTERFACE exceed that interfaces's OUT-BANDWIDTH, then the INTERFACE exceed that interfaces's OUT-BANDWIDTH, then the
OUT-BANDWIDTH limit will not be honored.</emphasis></para> OUT-BANDWIDTH limit will not be honored.</emphasis></para>
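Review bot: the "bandwith" fix leaves an ungrammatical sentence in this hunk: "first the classes which equal or a lesser priority value are served" should read "classes with an equal or lesser priority value are served first". In the bold sentence that follows, "interfaces's" should be "interface's" and "exceed" should agree with "the sum", giving "If the sum of the RATEs for all classes assigned to an INTERFACE exceeds that interface's OUT-BANDWIDTH".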
@ -517,7 +517,7 @@ ppp0 6000kbit 500kbit</programlisting>
<listitem> <listitem>
<para>PRIORITY - you have to define a priority for the class. <para>PRIORITY - you have to define a priority for the class.
packets in a class with a higher priority (=lesser value) are packets in a class with a higher priority (=lesser value) are
handled before less priorized onces. You can just define the mark handled before less prioritized ones. You can just define the mark
value here also, if you are increasing the mark values with lesser value here also, if you are increasing the mark values with lesser
priority.</para> priority.</para>
</listitem> </listitem>
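Review bot: in the PRIORITY item the second sentence starts in lowercase ("packets in a class with a higher priority"); capitalise it, and write "(= lesser value)" or "(lower value)" rather than "(=lesser value)" to match the RATE item's "(lower PRIORITY value)" wording.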
@ -749,7 +749,7 @@ ppp0 6000kbit 500kbit</programlisting>
iprange match support, IP address ranges are also allowed. List iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:192.168.1.0/24). If the MARK column an address (e.g., eth1:192.168.1.0/24). If the MARK column
specificies a classification of the form &lt;major&gt;:&lt;minor&gt; specifies a classification of the form &lt;major&gt;:&lt;minor&gt;
then this column may also contain an interface name.</para> then this column may also contain an interface name.</para>
</listitem> </listitem>
@ -791,7 +791,7 @@ ppp0 6000kbit 500kbit</programlisting>
<para>[!][&lt;user name or number&gt;]:[&lt;group name or <para>[!][&lt;user name or number&gt;]:[&lt;group name or
number&gt;][+&lt;program name&gt;]</para> number&gt;][+&lt;program name&gt;]</para>
<para>The colon is optionnal when specifying only a user.</para> <para>The colon is optional when specifying only a user.</para>
<para>Examples:</para> <para>Examples:</para>
@ -833,7 +833,7 @@ ppp0 6000kbit 500kbit</programlisting>
match.</para> match.</para>
<para>You must have iptables length support for this to work. If you <para>You must have iptables length support for this to work. If you
let it empy or place an "-" here, no length match will be let it empty or place an "-" here, no length match will be
done.</para> done.</para>
<para>Examples: 1024, 64:1500, :100</para> <para>Examples: 1024, 64:1500, :100</para>
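Review bot: the article in the corrected line is wrong for a quoted dash: `place an "-" here` should be `place a "-" here`.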
@ -861,7 +861,7 @@ ppp0 6000kbit 500kbit</programlisting>
<listitem> <listitem>
<para>HELPER (Optional, added in Shorewall version 4.2.0 Beta 2). <para>HELPER (Optional, added in Shorewall version 4.2.0 Beta 2).
Names one of the Netfiler protocol helper modules such as Names one of the Netfilter protocol helper modules such as
<emphasis>ftp</emphasis>, <emphasis>sip</emphasis>, <emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
<emphasis>amanda</emphasis>, etc.</para> <emphasis>amanda</emphasis>, etc.</para>
</listitem> </listitem>
@ -939,7 +939,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
<para>The last four rules can be translated as:</para> <para>The last four rules can be translated as:</para>
<blockquote> <blockquote>
<para>"If a packet hasn't been classifed (packet mark is 0), copy <para>"If a packet hasn't been classified (packet mark is 0), copy
the connection mark to the packet mark. If the packet mark is set, the connection mark to the packet mark. If the packet mark is set,
we're done. If the packet is P2P, set the packet mark to 4. If the we're done. If the packet is P2P, set the packet mark to 4. If the
packet mark has been set, save it to the connection mark."</para> packet mark has been set, save it to the connection mark."</para>
@ -966,10 +966,10 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
<section id="ppp"> <section id="ppp">
<title>ppp devices</title> <title>ppp devices</title>
<para>If you use ppp/pppoe/pppoa) to connect to your internet provider <para>If you use ppp/pppoe/pppoa) to connect to your Internet provider
and you use traffic shaping you need to restart shorewall traffic and you use traffic shaping you need to restart shorewall traffic
shaping. The reason for this is, that if the ppp connection gets shaping. The reason for this is, that if the ppp connection gets
restarted (and it usally does this at least daily), all restarted (and it usually does this at least daily), all
<quote>tc</quote> filters/qdiscs related to that interface are <quote>tc</quote> filters/qdiscs related to that interface are
deleted.</para> deleted.</para>
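Review bot: the first line of this hunk has an unbalanced parenthesis, "If you use ppp/pppoe/pppoa) to connect"; either drop the ")" or open it: "If you use PPP (pppoe/pppoa) to connect". Also "restart shorewall traffic shaping" should capitalise Shorewall as elsewhere in the file, and "The reason for this is, that" has a stray comma.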
@ -994,7 +994,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>. url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/">"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>.
Please note that they are just examples and need to be adjusted to Please note that they are just examples and need to be adjusted to
work for you. In this example it is assumed that your interface for work for you. In this example it is assumed that your interface for
you internet connection is ppp0 (for DSL), if you use another your Internet connection is ppp0 (for DSL), if you use another
connection type, you have to change it. You also need to change the connection type, you have to change it. You also need to change the
settings in the tcdevices.wondershaper file to reflect your line settings in the tcdevices.wondershaper file to reflect your line
speed. The relevant lines of the config files follow here. Please note speed. The relevant lines of the config files follow here. Please note
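Review bot: the `<ulink>` in the first context line of this hunk has a stray double quote at the start of its link text (`>"http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall/</ulink>`), which renders as part of the visible link; remove it so the text matches the url attribute.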
@ -1071,7 +1071,7 @@ NOPRIOPORTDST="6662 6663" </programlisting>
<section id="simiple"> <section id="simiple">
<title>A simple setup</title> <title>A simple setup</title>
<para>This is a simple setup for people sharing an internet connection <para>This is a simple setup for people sharing an Internet connection
and using different computers for this. It just basically shapes and using different computers for this. It just basically shapes
between 2 hosts which have the ip addresses 192.168.2.23 and between 2 hosts which have the ip addresses 192.168.2.23 and
192.168.2.42</para> 192.168.2.42</para>
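Review bot: in the same paragraph that gets the "Internet" fix, "ip addresses" should be "IP addresses" and the sentence lacks a terminal period after 192.168.2.42. The section id="simiple" is also a typo, but since ids are link targets it should only be renamed together with any cross-references to it.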
@ -1167,7 +1167,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Traffic being forwarded from the internet</para> <para>Traffic being forwarded from the Internet</para>
</listitem> </listitem>
<listitem> <listitem>
@ -1687,4 +1687,4 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
<para>At least one Shorewall user has found this tool helpful: <ulink <para>At least one Shorewall user has found this tool helpful: <ulink
url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para> url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para>
</section> </section>
</article> </article>

View File

@ -140,7 +140,7 @@ gateway:~/test # </programlisting>This information is useful to Shorewall
<para>The end of the compile phase is signaled by a message such as the <para>The end of the compile phase is signaled by a message such as the
following:<programlisting>Shorewall configuration compiled to /var/lib/shorewall/.restart</programlisting>Errors following:<programlisting>Shorewall configuration compiled to /var/lib/shorewall/.restart</programlisting>Errors
occuring past that point are said to occur at occurring past that point are said to occur at
<firstterm>run-time</firstterm> because they occur during the running of <firstterm>run-time</firstterm> because they occur during the running of
the compiled firewall script (/var/lib/shorewall/.restart in the case of the compiled firewall script (/var/lib/shorewall/.restart in the case of
the above message).</para> the above message).</para>

View File

@ -164,7 +164,7 @@
class="directory">/etc/shorewall</filename> directory is empty. This class="directory">/etc/shorewall</filename> directory is empty. This
is intentional. The released configuration file skeletons may be found is intentional. The released configuration file skeletons may be found
on your system in the directory <filename on your system in the directory <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>. class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Simply copy the files you need from that directory to <filename Simply copy the files you need from that directory to <filename
class="directory">/etc/shorewall</filename> and modify the class="directory">/etc/shorewall</filename> and modify the
copies.</para> copies.</para>
@ -269,10 +269,10 @@ loc ipv4</programlisting>Zones are defined in the <ulink
first policy in <filename first policy in <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename> class="directory">/etc/shorewall/</filename><filename>policy</filename>
that matches the request is applied. If there is a <ulink that matches the request is applied. If there is a <ulink
url="shorewall_extension_scripts.htm">comon action</ulink> defined for the url="shorewall_extension_scripts.htm">common action</ulink> defined for the
policy in <filename>/etc/shorewall/actions</filename> or policy in <filename>/etc/shorewall/actions</filename> or
<filename>/usr/share/shorewall/actions.std</filename> then that action is <filename>/usr/share/shorewall/actions.std</filename> then that action is
peformed before the action is applied. The purpose of the common action is performed before the action is applied. The purpose of the common action is
two-fold:</para> two-fold:</para>
<itemizedlist> <itemizedlist>
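Review bot: the corrected sentence still reads "then that action is performed before the action is applied"; the paragraph is about the policy, so the second "action" should be "policy": "that action is performed before the policy is applied". Separately, the link target `shorewall_extension_scripts.htm` uses ".htm" while the other link in this file (`shorewall_logging.html`) uses ".html"; worth confirming the target exists.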
@ -296,32 +296,32 @@ loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting>In the two-interface all all REJECT info</programlisting>In the two-interface
sample, the line below is included but commented out. If you want your sample, the line below is included but commented out. If you want your
firewall system to have full access to servers on the internet, uncomment firewall system to have full access to servers on the Internet, uncomment
that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST that line. <programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT</programlisting> The above policy will: $FW net ACCEPT</programlisting> The above policy will:
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Allow all connection requests from your local network to the <para>Allow all connection requests from your local network to the
internet</para> Internet</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Drop (ignore) all connection requests from the internet to <para>Drop (ignore) all connection requests from the Internet to
your firewall or local network</para> your firewall or local network</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Optionally accept all connection requests from the firewall to <para>Optionally accept all connection requests from the firewall to
the internet (if you uncomment the additional policy)</para> the Internet (if you uncomment the additional policy)</para>
</listitem> </listitem>
<listitem> <listitem>
<para>reject all other connection requests.</para> <para>reject all other connection requests.</para>
</listitem> </listitem>
</itemizedlist> The word <firstterm>info</firstterm> in the LOG LEVEL </itemizedlist> The word <firstterm>info</firstterm> in the LOG LEVEL
column for the DROP and REJECT policies indicates that packets droped or column for the DROP and REJECT policies indicates that packets dropped or
rejected under those policies should be <ulink rejected under those policies should be <ulink
url="shorewall_logging.html">logged at that leve</ulink>l.</para> url="shorewall_logging.html">logged at that level</ulink>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
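Review bot: the last list item in this hunk, "reject all other connection requests.", starts lowercase and ends with a period while its three siblings start with a capital and have no period; make the four items consistent ("Reject all other connection requests").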
@ -349,7 +349,7 @@ $FW net ACCEPT</programlisting> The above policy will:
<para>The firewall has two network interfaces. Where Internet connectivity <para>The firewall has two network interfaces. Where Internet connectivity
is through a cable or <acronym>DSL</acronym> <quote>Modem</quote>, the is through a cable or <acronym>DSL</acronym> <quote>Modem</quote>, the
<emphasis>External Interface</emphasis> will be the ethernet adapter that <emphasis>External Interface</emphasis> will be the Ethernet adapter that
is connected to that <quote>Modem</quote> (e.g., <filename is connected to that <quote>Modem</quote> (e.g., <filename
class="devicefile">eth0</filename>) unless you connect via class="devicefile">eth0</filename>) unless you connect via
<emphasis>Point-to-Point Protocol</emphasis> over Ethernet <emphasis>Point-to-Point Protocol</emphasis> over Ethernet
@ -395,7 +395,7 @@ root@lists:~# </programlisting>
<varname>CLAMPMSS=yes</varname> in <filename <varname>CLAMPMSS=yes</varname> in <filename
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename></emphasis>.</para> class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename></emphasis>.</para>
<para>Your <emphasis>Internal Interface</emphasis> will be an ethernet <para>Your <emphasis>Internal Interface</emphasis> will be an Ethernet
adapter (<filename class="devicefile">eth1</filename> or <filename adapter (<filename class="devicefile">eth1</filename> or <filename
class="devicefile">eth0</filename>) and will be connected to a hub or class="devicefile">eth0</filename>) and will be connected to a hub or
switch. Your other computers will be connected to the same hub/switch switch. Your other computers will be connected to the same hub/switch
@ -565,7 +565,7 @@ root@lists:~# </programlisting>
(<ulink (<ulink
url="http://www.phptr.com/browse/product.asp?product_id={58D4F6D4-54C5-48BA-8EDD-86EBD7A42AF6}">link</ulink>).</para> url="http://www.phptr.com/browse/product.asp?product_id={58D4F6D4-54C5-48BA-8EDD-86EBD7A42AF6}">link</ulink>).</para>
<para id="Diagram">The remainder of this quide will assume that you have <para id="Diagram">The remainder of this guide will assume that you have
configured your network as shown here: <mediaobject> configured your network as shown here: <mediaobject>
<imageobject> <imageobject>
<imagedata align="center" fileref="images/basics1.png" format="PNG" /> <imagedata align="center" fileref="images/basics1.png" format="PNG" />
@ -588,14 +588,14 @@ root@lists:~# </programlisting>
don't forward packets which have an RFC-1918 destination address. When one don't forward packets which have an RFC-1918 destination address. When one
of your local systems (let's assume computer 1 in the <link of your local systems (let's assume computer 1 in the <link
linkend="Diagram">above diagram</link>) sends a connection request to an linkend="Diagram">above diagram</link>) sends a connection request to an
internet host, the firewall must perform <emphasis>Network Address Internet host, the firewall must perform <emphasis>Network Address
Translation</emphasis> (<acronym>NAT</acronym>). The firewall rewrites the Translation</emphasis> (<acronym>NAT</acronym>). The firewall rewrites the
source address in the packet to be the address of the firewall's external source address in the packet to be the address of the firewall's external
interface; in other words, the firewall makes it appear to the destination interface; in other words, the firewall makes it appear to the destination
internet host as if the firewall itself is initiating the connection. This Internet host as if the firewall itself is initiating the connection. This
is necessary so that the destination host will be able to route return is necessary so that the destination host will be able to route return
packets back to the firewall (remember that packets whose destination packets back to the firewall (remember that packets whose destination
address is reserved by RFC 1918 can't be routed across the internet so the address is reserved by RFC 1918 can't be routed across the Internet so the
remote host can't address its response to computer 1). When the firewall remote host can't address its response to computer 1). When the firewall
receives a return packet, it rewrites the destination address back to receives a return packet, it rewrites the destination address back to
<systemitem class="ipaddress">10.10.10.1</systemitem> and forwards the <systemitem class="ipaddress">10.10.10.1</systemitem> and forwards the
@ -662,7 +662,7 @@ root@lists:~# </programlisting>
<para>One of your goals may be to run one or more servers on your local <para>One of your goals may be to run one or more servers on your local
computers. Because these computers have RFC-1918 addresses, it is not computers. Because these computers have RFC-1918 addresses, it is not
possible for clients on the internet to connect directly to them. It is possible for clients on the Internet to connect directly to them. It is
rather necessary for those clients to address their connection requests to rather necessary for those clients to address their connection requests to
the firewall who rewrites the destination address to the address of your the firewall who rewrites the destination address to the address of your
server and forwards the packet to that server. When your server responds, server and forwards the packet to that server. When your server responds,
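Review bot: the unchanged context line `the firewall who rewrites the destination address to the address of your` in this hunk refers to the firewall with `who`; since the spelling pass is already touching this paragraph, changing it to `the firewall, which rewrites the destination address` would read correctly for a device rather than a person.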
@ -682,7 +682,7 @@ root@lists:~# </programlisting>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting><important> DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting><important>
<para>Be sure to add your rules after the line that reads <emphasis <para>Be sure to add your rules after the line that reads <emphasis
role="bold">SECTON NEW.</emphasis></para> role="bold">SECTION NEW.</emphasis></para>
</important><important> </important><important>
<para>The server must have a static IP address. If you assign IP <para>The server must have a static IP address. If you assign IP
addresses to your local system using DHCP, you need to configure your addresses to your local system using DHCP, you need to configure your
@ -822,7 +822,7 @@ DNS/ACCEPT $FW net</programlisting>This rule allows
<acronym>DNS</acronym> access from your firewall and may be removed if you <acronym>DNS</acronym> access from your firewall and may be removed if you
uncommented the line in <filename uncommented the line in <filename
class="directory">/etc/shorewall/</filename><filename>policy</filename> class="directory">/etc/shorewall/</filename><filename>policy</filename>
allowing all connections from the firewall to the internet.</para> allowing all connections from the firewall to the Internet.</para>
<para>In the rule shown above, <quote>DNS/ACCEPT</quote> is an example of <para>In the rule shown above, <quote>DNS/ACCEPT</quote> is an example of
a <emphasis>macro invocation</emphasis>. Shorewall includes a number of a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
@ -863,8 +863,8 @@ Web/ACCEPT loc $FW </programlisting>Those two rules would of
</example> If you don't know what port and protocol a particular </example> If you don't know what port and protocol a particular
application uses, look <ulink url="ports.htm">here</ulink>. <important> application uses, look <ulink url="ports.htm">here</ulink>. <important>
<para>I don't recommend enabling <command>telnet</command> to/from the <para>I don't recommend enabling <command>telnet</command> to/from the
internet because it uses clear text (even for login!). If you want Internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use shell access to your firewall from the Internet, use
<acronym>SSH</acronym>:</para> <acronym>SSH</acronym>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
@ -1022,7 +1022,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
access to/from other hosts, change <filename access to/from other hosts, change <filename
class="directory">/etc/shorewall/</filename><filename>routestopped</filename> class="directory">/etc/shorewall/</filename><filename>routestopped</filename>
accordingly. <warning> accordingly. <warning>
<para>If you are connected to your firewall from the internet, do not <para>If you are connected to your firewall from the Internet, do not
issue a <quote><command>shorewall stop</command></quote> command issue a <quote><command>shorewall stop</command></quote> command
unless you have added an entry for the <acronym>IP</acronym> address unless you have added an entry for the <acronym>IP</acronym> address
that you are connected from to <filename that you are connected from to <filename
@ -1073,11 +1073,11 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
<para>Once you have the two-interface setup working, the next logical step <para>Once you have the two-interface setup working, the next logical step
is to add a Wireless Network. The first step involves adding an additional is to add a Wireless Network. The first step involves adding an additional
network card to your firewall, either a Wireless card or an ethernet card network card to your firewall, either a Wireless card or an Ethernet card
that is connected to a Wireless Access Point.<caution> that is connected to a Wireless Access Point.<caution>
<para>When you add a network card, it won't necessarily be detected as <para>When you add a network card, it won't necessarily be detected as
the next highest ethernet interface. For example, if you have two the next highest Ethernet interface. For example, if you have two
ethernet cards in your system (<filename Ethernet cards in your system (<filename
class="devicefile">eth0</filename> and <filename class="devicefile">eth0</filename> and <filename
class="devicefile">eth1</filename>) and you add a third card that uses class="devicefile">eth1</filename>) and you add a third card that uses
the same driver as one of the other two, that third card won't the same driver as one of the other two, that third card won't
@ -1130,7 +1130,7 @@ loc wlan0 detect maclist</programlisting>
url="MAC_Validation.html">maclist option</ulink> for the wireless url="MAC_Validation.html">maclist option</ulink> for the wireless
segment. By adding entries for computers 3 and 4 in segment. By adding entries for computers 3 and 4 in
<filename>/etc/shorewall/maclist</filename>, you help ensure that your <filename>/etc/shorewall/maclist</filename>, you help ensure that your
neighbors aren't getting a free ride on your internet connection. neighbors aren't getting a free ride on your Internet connection.
Start by omitting that option; when you have everything working, then Start by omitting that option; when you have everything working, then
add the option and configure your add the option and configure your
<filename>/etc/shorewall/maclist</filename> file.</para> <filename>/etc/shorewall/maclist</filename> file.</para>
@ -1139,7 +1139,7 @@ loc wlan0 detect maclist</programlisting>
<listitem> <listitem>
<para>You need to add an entry to the <para>You need to add an entry to the
<filename>/etc/shorewall/masq</filename> file to masquerade traffic <filename>/etc/shorewall/masq</filename> file to masquerade traffic
from the wireless network to the internet. If your internet interface from the wireless network to the Internet. If your Internet interface
is <filename class="devicefile">eth0</filename> and your wireless is <filename class="devicefile">eth0</filename> and your wireless
interface is <filename class="devicefile">wlan0</filename>, the entry interface is <filename class="devicefile">wlan0</filename>, the entry
would be:</para> would be:</para>

View File

@ -173,15 +173,15 @@
директория <filename class="directory">/etc/shorewall</filename> директория <filename class="directory">/etc/shorewall</filename>
пуста. Это сделано специально. Поставляемые шаблоны файлов пуста. Это сделано специально. Поставляемые шаблоны файлов
конфигурации Вы найдете на вашей системе в директории <filename конфигурации Вы найдете на вашей системе в директории <filename
class="directory">/usr/share/doc/shorewall/default-config</filename>. class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
Просто скопируйте нужные Вам файлы из этой директории в <filename Просто скопируйте нужные Вам файлы из этой директории в <filename
class="directory">/etc/shorewall</filename> и отредактируйте class="directory">/etc/shorewall</filename> и отредактируйте
копии.</para> копии.</para>
<para>Заметьте, что Вы должны скопировать <filename <para>Заметьте, что Вы должны скопировать <filename
class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename> class="directory">/usr/share/doc/shorewall-common/default-config/shorewall.conf</filename>
и <filename и <filename
class="directory">/usr/share/doc/shorewall/default-config/modules</filename> class="directory">/usr/share/doc/shorewall=common/default-config/modules</filename>
в <filename class="directory">/etc/shorewall</filename> даже если Вы в <filename class="directory">/etc/shorewall</filename> даже если Вы
не будете изменять эти файлы.</para> не будете изменять эти файлы.</para>
</warning><inlinegraphic fileref="images/BD21298_.gif" </warning><inlinegraphic fileref="images/BD21298_.gif"
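Review bot: the replacement path on the `modules` line of this hunk reads `/usr/share/doc/shorewall=common/default-config/modules`, with `=` where `-` belongs, while the `shorewall.conf` line two lines above in the same hunk correctly uses `shorewall-common`; change it to `class="directory">/usr/share/doc/shorewall-common/default-config/modules</filename>` so both paths point at the same package directory.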
@ -221,7 +221,7 @@
<listitem> <listitem>
<para>Если же Вы пользовались пакетом .deb, примеры находятся в <para>Если же Вы пользовались пакетом .deb, примеры находятся в
директории<filename директории<filename
class="directory">/usr/share/doc/shorewall/examples/two-interface</filename>.</para> class="directory">/usr/share/doc/shorewall-common/examples/two-interface</filename>.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
@ -1068,4 +1068,4 @@ eth0 wlan0</programlisting>
Вашем файерволе потребует правил, перечисленных в <ulink Вашем файерволе потребует правил, перечисленных в <ulink
url="samba.htm">документации Shorewall/Samba</ulink>.</para> url="samba.htm">документации Shorewall/Samba</ulink>.</para>
</section> </section>
</article> </article>

View File

@ -167,7 +167,7 @@ shorewall restart</command></programlisting> The RPMs are set up so that if
<para>Insure correct operation. Default actions can also avoid <para>Insure correct operation. Default actions can also avoid
common pitfalls like dropping connection requests on TCP port 113. common pitfalls like dropping connection requests on TCP port 113.
If these connections are dropped (rather than rejected) then you If these connections are dropped (rather than rejected) then you
may encounter problems connecting to internet services that may encounter problems connecting to Internet services that
utilize the AUTH protocol of client authentication.</para> utilize the AUTH protocol of client authentication.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
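Review bot: the first context line of this hunk, `Insure correct operation.`, is a spelling slip this pass did not catch; it should read `Ensure correct operation.`, since the list item is about guaranteeing behaviour, not insurance.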
@ -485,7 +485,7 @@ all all REJECT:MyReject info</programlisting>
<listitem> <listitem>
<para>Beginning with this release, the way in which packet marking in <para>Beginning with this release, the way in which packet marking in
the PREROUTING chain interracts with the 'track' option in the PREROUTING chain interacts with the 'track' option in
/etc/shorewall/providers has changed in two ways:</para> /etc/shorewall/providers has changed in two ways:</para>
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">

View File

@ -42,7 +42,7 @@
</row> </row>
<row rowsep="0" valign="middle"> <row rowsep="0" valign="middle">
<entry align="left">NetFilter Site: <ulink <entry align="left">Netfilter Site: <ulink
url="http://www.netfilter.org/">http://www.netfilter.org/</ulink></entry> url="http://www.netfilter.org/">http://www.netfilter.org/</ulink></entry>
</row> </row>
@ -79,7 +79,7 @@
<row rowsep="0" valign="middle"> <row rowsep="0" valign="middle">
<entry>Debian apt-get sources for Shorewall: <ulink <entry>Debian apt-get sources for Shorewall: <ulink
url="http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian</ulink></entry> url="http://people.connexer.com/~roberto/debian/"></ulink>http://people.connexer.com/~roberto/debian/</entry>
</row> </row>
<row rowsep="0" valign="middle"> <row rowsep="0" valign="middle">
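Review bot: the new `<ulink url="http://people.connexer.com/~roberto/debian/"></ulink>` in the Debian apt-get sources row is empty, and the address that should be its content sits after the closing tag, so the rendered entry shows the URL as plain text next to an empty link. Move the text inside the element, matching the form of the line being replaced: `<ulink url="http://people.connexer.com/~roberto/debian/">http://people.connexer.com/~roberto/debian/</ulink>`.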

View File

@ -42,7 +42,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para>The local network uses <acronym>SNAT</acronym> to the internet and <para>The local network uses <acronym>SNAT</acronym> to the Internet and
is comprised of the Class B network <literal>10.10.0.0/16</literal> is comprised of the Class B network <literal>10.10.0.0/16</literal>
(Note: While this example uses an RFC 1918 local network, the technique (Note: While this example uses an RFC 1918 local network, the technique
described here in no way depends on that or on <acronym>SNAT</acronym>. described here in no way depends on that or on <acronym>SNAT</acronym>.
@ -90,7 +90,7 @@ dmz ipv4</programlisting>
<bridgehead renderas="sect4">Interfaces File</bridgehead> <bridgehead renderas="sect4">Interfaces File</bridgehead>
<programlisting>#ZONE INTERFACE BROACAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net eth0 &lt;whatever&gt; ... net eth0 &lt;whatever&gt; ...
dmz eth1 &lt;whatever&gt; ... dmz eth1 &lt;whatever&gt; ...
- eth2 10.10.255.255</programlisting> - eth2 10.10.255.255</programlisting>