extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-05-30 22:45:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall-1.4.6

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@672 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-07-21 22:06:18 +00:00
parent 7a02da79e0
commit 07d90b6fe4
89 changed files with 26968 additions and 24173 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Lrp/etc/shorewall/hosts
View File

@ -20,7 +20,7 @@
# ZONE - The name of a zone defined in /etc/shorewall/zones # ZONE - The name of a zone defined in /etc/shorewall/zones
# #
# HOST(S) - The name of an interface followed by a colon (":") and # HOST(S) - The name of an interface followed by a colon (":") and
# either: # a comma-separated list whose elements are either:
# #
# a) The IP address of a host # a) The IP address of a host
# b) A subnetwork in the form # b) A subnetwork in the form
@ -33,6 +33,7 @@
# #
# eth1:192.168.1.3 # eth1:192.168.1.3
# eth2:192.168.2.0/24 # eth2:192.168.2.0/24
# eth3:192.168.2.0/24,192.168.3.1
# #
# OPTIONS - A comma-separated list of options. Currently-defined # OPTIONS - A comma-separated list of options. Currently-defined
# options are: # options are:

14
Lrp/etc/shorewall/interfaces
View File

@ -20,6 +20,10 @@
# an alias (e.g., eth0:0) here; see # an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18 # http://www.shorewall.net/FAQ.htm#faq18
# #
# You may specify wildcards here. For example, if you
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'.
#
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE. # DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
# #
# BROADCAST The broadcast address for the subnetwork to which the # BROADCAST The broadcast address for the subnetwork to which the
@ -89,6 +93,16 @@
# sub-networking as described at: # sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
# #
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# The order in which you list the options is not # The order in which you list the options is not
# significant but the list should have no embedded white # significant but the list should have no embedded white
# space. # space.

13
Lrp/etc/shorewall/masq
View File

@ -42,12 +42,15 @@
# will automatically add this address to the # will automatically add this address to the
# INTERFACE named in the first column. # INTERFACE named in the first column.
# #
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if # You may also specify a range of up to 256
# the address given in this column is the primary # IP addresses if you want the SNAT address to
# IP address for the interface in the INTERFACE # be assigned from that range in a round-robin
# column. # range by connection. The range is specified by
# <first ip in range>-<last ip in range>.
# #
# This column may not contain a DNS Name. # Example: 206.124.146.177-206.124.146.180
#
# This column may not contain DNS Names.
# #
# Example 1: # Example 1:
# #

18
Lrp/etc/shorewall/rules
View File

@ -107,6 +107,12 @@
# 3. You may not specify both an interface and # 3. You may not specify both an interface and
# an address. # an address.
# #
# Unlike in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# The port that the server is listening on may be # The port that the server is listening on may be
# included and separated from the server's IP address by # included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the # ":". If omitted, the firewall will not modifiy the
@ -137,7 +143,7 @@
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
# "-" # "-"
# #
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then # If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in # only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below: # this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed. # 1. There are 15 or less ports listed.
@ -154,7 +160,7 @@
# specify an ADDRESS in the next column, then place "-" # specify an ADDRESS in the next column, then place "-"
# in this column. # in this column.
# #
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then # If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in # only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above: # this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed. # 1. There are 15 or less ports listed.
@ -214,6 +220,14 @@
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 # DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 \
# tcp 22
############################################################################## ##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST # PORT PORT(S) DEST

53
Lrp/etc/shorewall/shorewall.conf
View File

@ -144,7 +144,7 @@ BLACKLIST_LOGLEVEL=
# Example: LOGNEWNOTSYN=debug # Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN= LOGNEWNOTSYN=info
# #
# MAC List Log Level # MAC List Log Level
@ -191,6 +191,14 @@ RFC1918_LOG_LEVEL=info
# #
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# SHELL
#
# The firewall script is normally interpreted by /bin/sh. If you wish to change
# the shell used to interpret that script, specify the shell here.
SHOREWALL_SHELL=/bin/sh
# SUBSYSTEM LOCK FILE # SUBSYSTEM LOCK FILE
# #
# Set this to the name of the lock file expected by your init scripts. For # Set this to the name of the lock file expected by your init scripts. For
@ -230,24 +238,6 @@ MODULESDIR=
# #
FW=fw FW=fw
#
# ENABLE NAT SUPPORT
#
# You probally want yes here. Only gateways not doing NAT in any form, like
# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
#
NAT_ENABLED=Yes
#
# ENABLE MANGLE SUPPORT
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
# your firewall. You must enable mangling if you want Traffic Shaping
# (see TC_ENABLED below).
#
MANGLE_ENABLED=Yes
# #
# ENABLE IP FORWARDING # ENABLE IP FORWARDING
# #
@ -378,26 +368,6 @@ ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes NAT_BEFORE_RULES=Yes
# MULTIPORT support
#
# If your kernel includes the multiport match option
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
# option is enabled by setting it's value to "Yes" or "yes":
#
# 1) If you list more that 15 ports in a comma-seperated list in
# /etc/shorewall/rules, Shorewall will not use the multiport option
# but will generate a separate rule for each element of each port
# list.
# 2) If you include a port range (<low port>:<high port>) in the
# rule, Shorewall will not use the multiport option but will generate
# a separate rule for each element of each port list.
#
# See the /etc/shorewall/rules file for additional information on this option.
#
# if this variable is not set or is set to the empty value, "No" is assumed.
MULTIPORT=No
# DNAT IP ADDRESS DETECTION # DNAT IP ADDRESS DETECTION
# #
# Normally when Shorewall encounters the following rule: # Normally when Shorewall encounters the following rule:
@ -447,7 +417,7 @@ MUTEX_TIMEOUT=60
# #
# NEWNOTSYN # NEWNOTSYN
# #
# If this variable is set to "No" or "no", then When a TCP packet that does # If this variable is set to "No" or "no", then when a TCP packet that does
# not have the SYN flag set and the ACK and RST flags clear then unless the # not have the SYN flag set and the ACK and RST flags clear then unless the
# packet is part of an established connection, it will be dropped by the # packet is part of an established connection, it will be dropped by the
# firewall # firewall
@ -458,6 +428,9 @@ MUTEX_TIMEOUT=60
# Users with a High-availability setup with two firewall's and one acting # Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes. # also need to select NEWNOTSYN=Yes.
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces.
NEWNOTSYN=No NEWNOTSYN=No

72
Lrp/sbin/shorewall
View File

@ -82,6 +82,22 @@
# be automatically reinstated the # be automatically reinstated the
# next time that Shorewall starts. # next time that Shorewall starts.
# #
# shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
#
# Displays information about the network
# defined by the argument[s]
#
# shorewall iprange <address>-<address> Decomposes a range of IP addresses into
# a list of network/host addresses.
#
# Fatal Error
#
fatal_error() # $@ = Message
{
echo " $@" >&2
exit 2
}
# Display a chain if it exists # Display a chain if it exists
# #
@ -138,6 +154,13 @@ get_config() {
[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then
echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
exit 2
fi
fi
} }
# #
@ -521,6 +544,8 @@ usage() # $1 = exit status
echo " reject <address> ..." echo " reject <address> ..."
echo " allow <address> ..." echo " allow <address> ..."
echo " save" echo " save"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
echo " iprange <address>-<address>"
exit $1 exit $1
} }
@ -653,11 +678,13 @@ esac
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh|check) start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
exec $FIREWALL $debugging $nolock $1 get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
;; ;;
add|delete) add|delete)
[ $# -ne 3 ] && usage 1 [ $# -ne 3 ] && usage 1
exec $FIREWALL $debugging $nolock $1 $2 $3 get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
;; ;;
show|list) show|list)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
@ -860,7 +887,48 @@ case "$1" in
fi fi
mutex_off mutex_off
;; ;;
ipcalc)
if [ $# -eq 2 ]; then
address=${2%/*}
vlsm=${2#*/}
elif [ $# -eq 3 ]; then
address=$2
vlsm=`ip_vlsm $3`
else
usage 1
fi
[ -z "$vlsm" ] && exit 2
[ "x$address" = "x$vlsm" ] && usage 2
[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
address=$address/$vlsm
echo " CIDR=$address"
temp=`ip_netmask $address`; echo " NETMASK=`encodeaddr $temp`"
temp=`ip_network $address`; echo " NETWORK=$temp"
temp=`broadcastaddress $address`; echo " BROADCAST=$temp"
;;
iprange)
case $2 in
*.*.*.*-*.*.*.*)
ip_range $2
;;
*) *)
usage 1 usage 1
;; ;;
esac esac
;;
call)
#
# Undocumented way to call functions in /usr/share/shorewall/functions directly
#
shift;
$@
;;
*)
usage 1
;;
esac

372
Lrp/usr/share/shorewall/firewall
View File

@ -233,8 +233,7 @@ createchain() # $1 = chain name, $2 = If "yes", create default rules
run_iptables -N $1 run_iptables -N $1
if [ $2 = yes ]; then if [ $2 = yes ]; then
state="ESTABLISHED,RELATED" run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -A $1 -m state --state $state -j ACCEPT
[ -z "$NEWNOTSYN" ] && \ [ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi fi
@ -495,10 +494,17 @@ first_chains() #$1 = interface
# #
find_hosts() # $1 = host zone find_hosts() # $1 = host zone
{ {
local hosts local hosts interface address addresses
while read z hosts options; do while read z hosts options; do
[ "x`expand $z`" = "x$1" ] && expandv hosts && echo `separate_list $hosts` if [ "x`expand $z`" = "x$1" ]; then
expandv hosts
interface=${hosts%:*}
addresses=${hosts#*:}
for address in `separate_list $addresses`; do
echo $interface:$address
done
fi
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
} }
@ -608,7 +614,7 @@ validate_interfaces_file() {
for option in $options; do for option in $options; do
case $option in case $option in
dhcp|norfc1918|tcpflags) dhcp|norfc1918|tcpflags|newnotsyn)
;; ;;
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-) routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
;; ;;
@ -636,18 +642,20 @@ validate_hosts_file() {
r="$z $hosts $options" r="$z $hosts $options"
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\"" validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
for host in `separate_list $hosts`; do interface=${hosts%:*}
interface=${host%:*}
list_search $interface $all_interfaces || \ list_search $interface $all_interfaces || \
startup_error "Unknown interface ($interface) in record \"$r\"" startup_error "Unknown interface ($interface) in record \"$r\""
hosts=${hosts#*:}
for host in `separate_list $hosts`; do
for option in `separate_list $options`; do for option in `separate_list $options`; do
case $option in case $option in
maclist|-) maclist|-)
;; ;;
routeback) routeback)
eval ${z}_routeback=\"$host \$${z}_routeback\" eval ${z}_routeback=\"$interface:$host \$${z}_routeback\"
;; ;;
*) *)
error_message "Warning: Invalid option ($option) in record \"$r\"" error_message "Warning: Invalid option ($option) in record \"$r\""
@ -689,7 +697,7 @@ validate_policy()
[ $1 = $2 ] || \ [ $1 = $2 ] || \
[ $1 = all ] || \ [ $1 = all ] || \
[ $2 = all ] || \ [ $2 = all ] || \
echo " Policy for $1 to $2 is $policy" echo " Policy for $1 to $2 is $policy using chain $chain"
} }
all_policy_chains= all_policy_chains=
@ -832,6 +840,15 @@ find_interface_address() # $1 = interface
echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//' echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
} }
#
# Find interface addresses--returns the set of addresses assigned to the passed
# device
#
find_interface_addresses() # $1 = interface
{
ip addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
}
# #
# Find interfaces that have the passed option specified # Find interfaces that have the passed option specified
# #
@ -848,10 +865,18 @@ find_interfaces_by_option() # $1 = option
# #
find_hosts_by_option() # $1 = option find_hosts_by_option() # $1 = option
{ {
local ignore hosts interface address addresses options
while read ignore hosts options; do while read ignore hosts options; do
expandv options expandv options
list_search $1 `separate_list $options` && \ if list_search $1 `separate_list $options`; then
echo `expand $hosts` expandv hosts
interface=${hosts%:*}
addresses=${hosts#*:}
for address in `separate_list $addresses`; do
echo $interface:$address
done
fi
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
for interface in $all_interfaces; do for interface in $all_interfaces; do
@ -1685,14 +1710,16 @@ check_config() {
disclaimer() { disclaimer() {
echo echo
echo "WARNING: THE 'check' COMMAND IS TOTALLY UNSUPPORTED AND PROBLEM" echo "Notice: The 'check' command is unsupported and problem"
echo " REPORTS COMPLAINING ABOUT ERRORS THAT IT DIDN'T CATCH" echo " reports complaining about errors that it didn't catch"
echo " WILL NOT BE ACCEPTED" echo " will not be accepted"
echo echo
} }
disclaimer disclaimer
report_capabilities
echo "Verifying Configuration..." echo "Verifying Configuration..."
verify_os_version verify_os_version
@ -1839,7 +1866,11 @@ add_nat_rule() {
if [ -n "$serv" ]; then if [ -n "$serv" ]; then
servport="${servport:+:$servport}" servport="${servport:+:$servport}"
target1="DNAT --to-destination ${serv}${servport}" serv1=
for srv in `separate_list $serv`; do
serv1="$serv1 --to-destination ${srv}${servport}"
done
target1="DNAT $serv1"
else else
target1="REDIRECT --to-port $servport" target1="REDIRECT --to-port $servport"
fi fi
@ -1856,7 +1887,10 @@ add_nat_rule() {
chain=nonat${nonat_seq} chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1)) nonat_seq=$(($nonat_seq + 1))
createnatchain $chain createnatchain $chain
run_iptables -t nat -A OUTPUT $cli $proto $multiport $sports $dports -j $chain
for adr in `separate_list $addr`; do
run_iptables2 -t nat -A OUTPUT $cli $proto $multiport $sports $dports -d $adr -j $chain
done
for adr in $excludedests; do for adr in $excludedests; do
addnatrule $chain -d $adr -j RETURN addnatrule $chain -d $adr -j RETURN
@ -1866,11 +1900,15 @@ add_nat_rule() {
log_rule $loglevel $chain $logtarget -t nat log_rule $loglevel $chain $logtarget -t nat
fi fi
addnatrule $chain -j $target1 addnatrule $chain $proto -j $target1 # Protocol is necessary for port redirection
else else
for adr in `separate_list $addr`; do for adr in `separate_list $addr`; do
run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \ if [ -n "$loglevel" ]; then
$multiport $dports -j $target1 log_rule $loglevel $OUTPUT $logtarget -t nat \
`fix_bang $proto $cli $sports -d $adr $multiport $dports`
fi
run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr $multiport $dports -j $target1
done done
fi fi
else else
@ -1880,13 +1918,15 @@ add_nat_rule() {
chain=nonat${nonat_seq} chain=nonat${nonat_seq}
nonat_seq=$(($nonat_seq + 1)) nonat_seq=$(($nonat_seq + 1))
createnatchain $chain createnatchain $chain
addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -j $chain
for adr in `separate_list $addr`; do
addnatrule `dnat_chain $source` $cli $proto $multiport $sports $dports -d $adr -j $chain
done
for z in $excludezones; do for z in $excludezones; do
eval hosts=\$${z}_hosts eval hosts=\$${z}_hosts
for host in $hosts; do for host in $hosts; do
for adr in `separate_list $addr`; do addnatrule $chain -s ${host#*:} -j RETURN
addnatrule $chain -s ${host#*:} -d $adr -j RETURN
done
done done
done done
@ -1894,13 +1934,11 @@ add_nat_rule() {
addnatrule $chain -d $adr -j RETURN addnatrule $chain -d $adr -j RETURN
done done
for adr in `separate_list $addr`; do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr` log_rule $loglevel $chain $logtarget -t nat
fi fi
addnatrule $chain -d $adr -j $target1 addnatrule $chain $proto -j $target1 # Protocol is necessary for port redirection
done
else else
for adr in `separate_list $addr`; do for adr in `separate_list $addr`; do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
@ -1943,6 +1981,8 @@ add_nat_rule() {
done done
fi fi
fi fi
[ "x$addr" = "x0.0.0.0/0" ] && addr=
} }
# #
@ -2015,9 +2055,12 @@ add_a_rule()
servport=$serverport servport=$serverport
multiport= multiport=
[ x$port = x- ] && port=
[ x$cport = x- ] && cport=
case $proto in case $proto in
tcp|udp|TCP|UDP|6|17) tcp|udp|TCP|UDP|6|17)
if [ -n "$port" -a "x${port}" != "x-" ]; then if [ -n "$port" ]; then
dports="--dport" dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption" multiport="$multioption"
@ -2026,7 +2069,7 @@ add_a_rule()
dports="$dports $port" dports="$dports $port"
fi fi
if [ -n "$cport" -a "x${cport}" != "x-" ]; then if [ -n "$cport" ]; then
sports="--sport" sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption" multiport="$multioption"
@ -2036,18 +2079,17 @@ add_a_rule()
fi fi
;; ;;
icmp|ICMP|1) icmp|ICMP|1)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \ [ -n "$port" ] && dports="--icmp-type $port"
dports="--icmp-type $port"
state= state=
;; ;;
all|ALL) all|ALL)
[ -n "$port" ] && [ "x${port}" != "x-" ] && \ [ -n "$port" ] && \
fatal_error "Port number not allowed with \"all\"; rule: \"$rule\"" fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
proto= proto=
;; ;;
*) *)
state= state=
[ -n "$port" ] && [ "x${port}" != "x-" ] && \ [ -n "$port" ] && \
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
;; ;;
esac esac
@ -2098,15 +2140,39 @@ add_a_rule()
fi fi
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
serv="${serv:+-d $serv}" if [ -n "$serv" ]; then
for serv1 in `separate_list $serv`; do
for srv in `ip_range $serv1`; do
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
for adr in `separate_list $addr`; do
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget \ log_rule $loglevel $chain $logtarget -m conntrack --ctorigdst $adr \
`fix_bang $proto $sports $multiport $state $cli $serv $dports` `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \ run_iptables2 -A $chain $proto $multiport $state $cli $sports \
$serv $dports -j $target -d $srv $dports -m conntrack --ctorigdst $adr -j $target
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget \
`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
-d $srv $dports -j $target
fi
done
done
else
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule $loglevel $chain $logtarget \
`fix_bang $proto $sports $multiport $state $cli $dports`
fi
run_iptables2 -A $chain $proto $multiport $state $cli $sports \
$dports -j $target
fi
fi fi
fi fi
else else
@ -2218,11 +2284,11 @@ process_rule() # $1 = target
fatal_error "Empty source zone or qualifier: rule \"$rule\"" fatal_error "Empty source zone or qualifier: rule \"$rule\""
fi fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then if [ "$clientzone" = "${clientzone%!*}" ]; then
excludezones= excludezones=
else else
excludezones="${clientzone#*\!}" excludezones="${clientzone#*!}"
clientzone="${clientzone%\!*}" clientzone="${clientzone%!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
fatal_error "Exclude list only allowed with DNAT or REDIRECT" fatal_error "Exclude list only allowed with DNAT or REDIRECT"
@ -2293,6 +2359,45 @@ process_rule() # $1 = target
# Generate Netfilter rule(s) # Generate Netfilter rule(s)
case $logtarget in
DNAT*)
if [ -n "$MULTIPORT" -a \
"$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
`list_count $ports` -le 15 -a \
`list_count $cports` -le 15 ]
then
#
# MULTIPORT is enabled, there are no port ranges in the rule and less than
# 16 ports are listed - use multiport match.
#
multioption="-m multiport"
for client in `separate_list ${clients:=-}`; do
#
# add_a_rule() modifies these so we must set their values each time
#
server=${servers:=-}
port=${ports:=-}
cport=${cports:=-}
add_a_rule
done
else
#
# MULTIPORT is disabled or the rule isn't compatible with multiport match
#
multioption=
for client in `separate_list ${clients:=-}`; do
for port in `separate_list ${ports:=-}`; do
for cport in `separate_list ${cports:=-}`; do
server=${servers:=-}
add_a_rule
done
done
done
fi
;;
*)
if [ -n "$MULTIPORT" -a \ if [ -n "$MULTIPORT" -a \
"$ports" = "${ports%:*}" -a \ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \ "$cports" = "${cports%:*}" -a \
@ -2329,6 +2434,8 @@ process_rule() # $1 = target
done done
done done
fi fi
;;
esac
# #
# Report Result # Report Result
# #
@ -2360,7 +2467,7 @@ process_rules() # $1 = name of rules file
while read xtarget xclients xservers xprotocol xports xcports xaddress; do while read xtarget xclients xservers xprotocol xports xcports xaddress; do
case "${xtarget%:*}" in case "${xtarget%:*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE) ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
expandv xclients xservers xprotocol xports xcports xaddress expandv xclients xservers xprotocol xports xcports xaddress
if [ "x$xclients" = xall ]; then if [ "x$xclients" = xall ]; then
@ -2382,7 +2489,7 @@ process_rules() # $1 = name of rules file
;; ;;
*) *)
rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`" rule="`echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress`"
fatal_error "Invalid Target in rule \"$rule\"" fatal_error "Invalid Action in rule \"$rule\""
;; ;;
esac esac
@ -2582,24 +2689,19 @@ loadmodule() # $1 = module name, $2 - * arguments
{ {
local modulename=$1 local modulename=$1
local modulefile local modulefile
local suffix
if [ -z "`lsmod | grep $modulename`" ]; then if [ -z "`lsmod | grep $modulename`" ]; then
shift shift
modulefile=$MODULESDIR/${modulename}.o
for suffix in o gz ko ; do
modulefile=$MODULESDIR/${modulename}.${suffix}
if [ -f $modulefile ]; then if [ -f $modulefile ]; then
insmod $modulefile $* insmod $modulefile $*
return return
fi fi
# done
# If the modules directory contains compressed modules then we'll
# assume that insmod can load them
#
modulefile=${modulefile}.gz
if [ -f $modulefile ]; then
insmod $modulefile $*
fi
fi fi
} }
@ -2900,8 +3002,16 @@ setup_masq()
esac esac
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
list_search $address $aliases_to_add || \ for addr in `ip_range $address` ; do
aliases_to_add="$aliases_to_add $address $fullinterface" if ! list_search $addr $aliases_to_add; then
aliases_to_add="$aliases_to_add $addr $fullinterface"
case $fullinterface in
*:*)
fullinterface=${fullinterface%:*}:$((${fullinterface#*:} + 1 ))
;;
esac
fi
done
fi fi
destination=$destnet destination=$destnet
@ -3118,7 +3228,7 @@ verify_os_version() {
osversion=`uname -r` osversion=`uname -r`
case $osversion in case $osversion in
2.4.*|2.5.*) 2.4.*|2.5.*|2.6.*)
;; ;;
*) *)
startup_error "Shorewall version $version does not work with kernel version $osversion" startup_error "Shorewall version $version does not work with kernel version $osversion"
@ -3134,35 +3244,30 @@ verify_os_version() {
# #
add_ip_aliases() add_ip_aliases()
{ {
local external local addresses external interface inet cidr rest val
local interface
local primary
do_one() address_details()
{ {
# #
# Folks feel uneasy if they don't see all of the same # Folks feel uneasy if they don't see all of the same
# decoration on these IP addresses that they see when their # decoration on these IP addresses that they see when their
# distro's net config tool adds them. In an attempt to reduce # distro's net config tool adds them. In an attempt to reduce
# the anxiety level, we have the following code which sets # the anxiety level, we have the following code which sets
# the VLSM and BRD from the primary address # the VLSM and BRD from an existing address in the same subnet
# #
# Get all of the lines that contain inet addresses with broadcast # Get all of the lines that contain inet addresses
# #
val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
if in_subnet $external $cidr; then
if [ -n "$val" ] ; then echo "/${cidr#*/} brd `broadcastaddress $cidr`"
# break
# Hack off the leading 'inet <ip addr>' (actually cut off the
# "/" as well but add it back in).
#
val="/${val#*/}"
#
# Now get the VLSM, "brd" and the broadcast address
#
val=${val%% scope*}
fi fi
done
}
do_one()
{
val=`address_details`
run_ip addr add ${external}${val} dev $interface $label run_ip addr add ${external}${val} dev $interface $label
echo "$external $interface" >> ${STATEDIR}/nat echo "$external $interface" >> ${STATEDIR}/nat
[ -n "$label" ] && label="with $label" [ -n "$label" ] && label="with $label"
@ -3182,9 +3287,9 @@ add_ip_aliases()
label="label $interface:$label" label="label $interface:$label"
fi fi
primary=`find_interface_address $interface`
shift;shift shift;shift
[ "x${primary}" = "x${external}" ] || do_one
list_search $external `find_interface_addresses $interface` || do_one
done done
} }
@ -3207,10 +3312,46 @@ load_kernel_modules() {
# Verify that the 'ip' program is installed # Verify that the 'ip' program is installed
verify_ip() { verify_ip() {
qt which ip ||\ qt ip link ls ||\
startup_error "Shorewall $version requires the iproute package ('ip' utility)" startup_error "Shorewall $version requires the iproute package ('ip' utility)"
} }
#
# Determine which optional facilities are supported by iptables/netfilter
#
determine_capabilities() {
qt iptables -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt iptables -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH=
MULTIPORT=
if qt iptables -N fooX1234 ; then
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt iptables -F fooX1234
qt iptables -X fooX1234
fi
}
report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
{
local setting=
[ "x$1" = "xYes" ] && { setting="Available"; shift; } || setting="Not available"
echo " " $@: $setting
}
report_capabilities() {
echo "Shorewall has detected the following iptables/netfilter capabilities:"
report_capability $NAT_ENABLED "NAT"
report_capability $MANGLE_ENABLED "Packet Mangling"
report_capability $MULTIPORT "Multi-port Match"
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
}
# #
# Perform Initialization # Perform Initialization
# - Delete all old rules # - Delete all old rules
@ -3221,6 +3362,8 @@ verify_ip() {
# #
initialize_netfilter () { initialize_netfilter () {
report_capabilities
echo "Determining Zones..." echo "Determining Zones..."
determine_zones determine_zones
@ -3307,7 +3450,16 @@ initialize_netfilter () {
if [ -z "$NEWNOTSYN" ]; then if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no createchain newnotsyn no
for interface in `find_interfaces_by_option newnotsyn`; do
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A newnotsyn -i $interface -p tcp --tcp-flags FIN FIN -j ACCEPT
run_iptables -A newnotsyn -i $interface -j RETURN
done
run_user_exit newnotsyn run_user_exit newnotsyn
if [ -n "$LOGNEWNOTSYN" ]; then if [ -n "$LOGNEWNOTSYN" ]; then
log_rule $LOGNEWNOTSYN newnotsyn DROP log_rule $LOGNEWNOTSYN newnotsyn DROP
fi fi
@ -3334,7 +3486,7 @@ initialize_netfilter () {
done < /var/lib/shorewall/save done < /var/lib/shorewall/save
fi fi
echo "Creating input Chains..." echo "Creating Interface Chains..."
for interface in $all_interfaces; do for interface in $all_interfaces; do
createchain `forward_chain $interface` no createchain `forward_chain $interface` no
@ -3369,6 +3521,7 @@ build_common_chain() {
if [ -n "$NEWNOTSYN" ]; then if [ -n "$NEWNOTSYN" ]; then
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
run_iptables -A common -p tcp --tcp-flags FIN FIN -j ACCEPT
fi fi
# #
# BROADCASTS # BROADCASTS
@ -3462,13 +3615,17 @@ add_common_rules() {
# #
# DHCP # DHCP
# #
interfaces=`find_interfaces_by_option dhcp`
if [ -n "$interfaces" ]; then
echo "Adding rules for DHCP" echo "Adding rules for DHCP"
for interface in `find_interfaces_by_option dhcp`; do for interface in $interfaces; do
run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT run_iptables -A `input_chain $interface` -p udp --dport 67:68 -j ACCEPT
run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT run_iptables -A OUTPUT -o $interface -p udp --dport 67:68 -j ACCEPT
done done
fi
# #
# RFC 1918 # RFC 1918
# #
@ -3487,11 +3644,12 @@ add_common_rules() {
run_iptables -A logdrop -j DROP run_iptables -A logdrop -j DROP
if [ -n "$MANGLE_ENABLED" ]; then if [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ]; then
# #
# Mangling is enabled -- create a chain in the mangle table to # Mangling is enabled but conntrack match isn't available --
# filter RFC1918 destination addresses. This must be done in the # create a chain in the mangle table to filter RFC1918 destination
# mangle table before we apply any DNAT rules in the nat table # addresses. This must be done in the mangle table before we apply
# any DNAT rules in the nat table
# #
# Also add a chain to log and drop any RFC1918 packets that we find # Also add a chain to log and drop any RFC1918 packets that we find
# #
@ -3511,11 +3669,17 @@ add_common_rules() {
esac esac
run_iptables2 -A rfc1918 -s $subnet -j $target run_iptables2 -A rfc1918 -s $subnet -j $target
if [ -n "$CONNTRACK_MATCH" ]; then
# #
# If packet mangling is enabled, trap packets with an # We have connection tracking match -- match on the original destination
# RFC1918 destination #
run_iptables2 -A rfc1918 -m conntrack --ctorigdst $subnet -j $target
elif [ -n "$MANGLE_ENABLED" ]; then
#
# No connection tracking match but we have mangling -- add a rule to
# the mangle table
# #
if [ -n "$MANGLE_ENABLED" ]; then
run_iptables2 -t mangle -A man1918 -d $subnet -j $target run_iptables2 -t mangle -A man1918 -d $subnet -j $target
fi fi
done < $TMP_DIR/rfc1918 done < $TMP_DIR/rfc1918
@ -3525,7 +3689,7 @@ add_common_rules() {
run_iptables -A $chain -m state --state NEW -j rfc1918 run_iptables -A $chain -m state --state NEW -j rfc1918
done done
[ -n "$MANGLE_ENABLED" ] && \ [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918 run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
done done
@ -4366,6 +4530,7 @@ added_param_value_no() # $1 = Parameter Name, $2 = Parameter value
# Initialize this program # Initialize this program
# #
do_initialize() { do_initialize() {
# Run all utility programs using the C locale # Run all utility programs using the C locale
# #
# Thanks to Vincent Planchenault for this tip # # Thanks to Vincent Planchenault for this tip #
@ -4388,8 +4553,6 @@ do_initialize() {
LOGRATE= LOGRATE=
LOGBURST= LOGBURST=
LOGPARMS= LOGPARMS=
NAT_ENABLED=
MANGLE_ENABLED=
ADD_IP_ALIASES= ADD_IP_ALIASES=
ADD_SNAT_ALIASES= ADD_SNAT_ALIASES=
TC_ENABLED= TC_ENABLED=
@ -4399,7 +4562,6 @@ do_initialize() {
CLAMPMSS= CLAMPMSS=
ROUTE_FILTER= ROUTE_FILTER=
NAT_BEFORE_RULES= NAT_BEFORE_RULES=
MULTIPORT=
DETECT_DNAT_IPADDRS= DETECT_DNAT_IPADDRS=
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
NEWNOTSYN= NEWNOTSYN=
@ -4433,6 +4595,7 @@ do_initialize() {
FUNCTIONS=$SHARED_DIR/functions FUNCTIONS=$SHARED_DIR/functions
if [ -f $FUNCTIONS ]; then if [ -f $FUNCTIONS ]; then
echo "Loading $FUNCTIONS..."
. $FUNCTIONS . $FUNCTIONS
else else
startup_error "$FUNCTIONS does not exist!" startup_error "$FUNCTIONS does not exist!"
@ -4463,8 +4626,6 @@ do_initialize() {
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`" ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
[ -n "$ALLOWRELATED" ] || \ [ -n "$ALLOWRELATED" ] || \
startup_error "ALLOWRELATED=No is not supported" startup_error "ALLOWRELATED=No is not supported"
NAT_ENABLED="`added_param_value_yes NAT_ENABLED $NAT_ENABLED`"
MANGLE_ENABLED="`added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED`"
ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`" ADD_IP_ALIASES="`added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES`"
TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`" TC_ENABLED="`added_param_value_yes TC_ENABLED $TC_ENABLED`"
@ -4496,7 +4657,6 @@ do_initialize() {
ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES` ADD_SNAT_ALIASES=`added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES`
ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER` ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER`
NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES` NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES`
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
[ -n "$FORWARDPING" ] && \ [ -n "$FORWARDPING" ] && \
@ -4567,6 +4727,19 @@ do_initialize() {
# #
strip_file interfaces strip_file interfaces
strip_file hosts strip_file hosts
#
# Determine the capabilities of the installed iptables/netfilter
#
determine_capabilities
#
# Check out the user's shell
#
[ -n "$SHOREWALL_SHELL" ] || SHOREWALL_SHELL=/bin/sh
temp=`decodeaddr 192.168.1.1`
if [ `encodeaddr $temp` != 192.168.1.1 ]; then
startup_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
fi
} }
# #
@ -4719,6 +4892,15 @@ case "$command" in
my_mutex_off my_mutex_off
;; ;;
call)
#
# Undocumented way to call functions in /usr/share/shorewall/firewall directly
#
shift;
do_initialize
EMPTY=
$@
;;
*) *)
usage usage
;; ;;

181
Lrp/usr/share/shorewall/functions
View File

@ -83,29 +83,23 @@ find_display() # $1 = zone, $2 = name of the zone file
[ "x$1" = "x$z" ] && echo $display [ "x$1" = "x$z" ] && echo $display
done done
} }
#
# This function assumes that the TMP_DIR variable is set and that
# its value named an existing directory.
#
determine_zones() determine_zones()
{ {
local zonefile=`find_file zones` local zonefile=`find_file zones`
multi_display=Multi-zone multi_display=Multi-zone
strip_file zones $zonefile
if [ -f $zonefile ]; then zones=`find_zones $TMP_DIR/zones`
zones=`find_zones $zonefile`
zones=`echo $zones` # Remove extra trash zones=`echo $zones` # Remove extra trash
for zone in $zones; do for zone in $zones; do
dsply=`find_display $zone $zonefile` dsply=`find_display $zone $TMP_DIR/zones`
eval ${zone}_display=\$dsply eval ${zone}_display=\$dsply
done done
else
zones="net local dmz gw"
net_display=Net
local_display=Local
dmz_display=DMZ
gw_display=Gateway
fi
} }
# #
@ -225,3 +219,164 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
> $TMP_DIR/$1 > $TMP_DIR/$1
fi fi
} }
#
# Note: The following set of IP address manipulation functions have anomalous
# behavior when the shell only supports 32-bit signed arithmatic and
# the IP address is 128.0.0.0 or 128.0.0.1.
#
#
# So that emacs doesn't get lost, we use $LEFTSHIFT rather than <<
#
LEFTSHIFT='<<'
#
# Convert an IP address in dot quad format to an integer
#
decodeaddr() {
local x
local temp=0
local ifs=$IFS
IFS=.
for x in $1; do
temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
done
echo $temp
IFS=$ifs
}
#
# convert an integer to dot quad format
#
encodeaddr() {
addr=$1
local x
local y=$(($addr & 255))
for x in 1 2 3 ; do
addr=$(($addr >> 8))
y=$(($addr & 255)).$y
done
echo $y
}
#
# Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
#
ip_range() {
local first last l x y z vlsm
case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=`decodeaddr ${1%-*}`
last=`decodeaddr ${1#*-}`
if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
fi
l=$(( $last + 1 ))
while [ $first -le $last ]; do
vlsm=
x=31
y=2
z=1
while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do
vlsm=/$x
x=$(( $x - 1 ))
z=$y
y=$(( $y * 2 ))
done
echo `encodeaddr $first`$vlsm
first=$(($first + $z))
done
}
#
# Netmask from CIDR
#
ip_netmask() {
local vlsm=${1#*/}
[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
}
#
# Network address from CIDR
#
ip_network() {
local decodedaddr=`decodeaddr ${1%/*}`
local netmask=`ip_netmask $1`
echo `encodeaddr $(($decodedaddr & $netmask))`
}
#
# The following hack is supplied to compensate for the fact that many of
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
#
# Note: 2147483647 = 0x7fffffff
ip_broadcast() {
local x=$(( ${1#*/} - 1 ))
[ $x -eq -1 ] && echo -1 || echo $(( 2147483647 >> $x ))
}
#
# Calculate broadcast address from CIDR
#
broadcastaddress() {
local decodedaddr=`decodeaddr ${1%/*}`
local netmask=`ip_netmask $1`
local broadcast=`ip_broadcast $1`
echo `encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))`
}
#
# Test for subnet membership
#
in_subnet() # $1 = IP address, $2 = CIDR network
{
local netmask=`ip_netmask $2`
test $(( `decodeaddr $1` & $netmask)) -eq $(( `decodeaddr ${2%/*}` & $netmask ))
}
#
# Netmask to VLSM
#
ip_vlsm() {
local mask=`decodeaddr $1`
local vlsm=0
local x=$(( 128 $LEFTSHIFT 24 ))
while [ $(( $x & $mask )) -ne 0 ]; do
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Don't Ask...
vlsm=$(($vlsm + 1))
done
if [ $(( $mask & 2147483647)) -ne 0 ]; then
echo "Invalid net mask: $1" >&2
else
echo $vlsm
fi
}

2
Lrp/usr/share/shorewall/version
View File

@ -1 +1 @@
1.4.5 1.4.6

2
Lrp/var/lib/lrpkg/shorwall.version
View File

@ -1 +1 @@
1.4.5 1.4.6

58
STABLE/changelog.txt
View File

@ -1,15 +1,53 @@
Changes since 1.4.4b Changes since 1.4.5
1) The command "shorewall debug try <directory>" now correctly traces 1) Worked around RH7.3 "service" anomaly.
the attempt.
2) The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now 2) Implemented 'newnotsyn' interface option.
contain a list of addresses. If the list begins with "!' then the
rule will take effect only if the original destination address in
the connection request does not match any of the addresses listed.
3) Enhanced processing of the zones file to allow the INCLUDE 3) Document range in masq ADDRESS column and suppress ADD_SNAT_ALIASES
directive. behavior in that case.
4) Fix processing of the routestopped file's second column. 4) Enable ADD_SNAT_ALIASES=Yes for SNAT ranges.
5) Allow Shorewall to add aliases to other than the first subnet on an
interface.
6) Add support for load-balancing.
7) Toned down the disclaimer for the 'check' command.
8) Implemented support for the Connection Tracking Match extension in
iptables 1.2.8/Kernel 2.4.21.
9) Removed the NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
parameters and replaced them with code that detects these
capabilities.
10) Added the SHOREWALL_SHELL configuraiton parameter.
11) Fixed capability reporting (thanks to Simon Matter).
12) Correct the implementation of destination IP list in DNAT[-] rules.
13) Check for shells whose arithmetic support is broken.
14) Moved IP Address manipulation functions to
/usr/share/shorewall/functions.
15. Added ipcalc command.
16. Fixed handling of destination DNS names containing a "-"
17. Make ip_range() smarter.
18. Added /sbin/shorewall iprange command.
19. Fixed handling of excluded zone processing in DNAT and REDIRECT
rules (re-added the protocol to the rule). Fixed parsing of exclude
zones.
20. Display policy chain along with policy in 'check' command.
21. Support Linux 2.6 compressed modules.
22. Don't display DHCP message when there are no DHCP interface.

21
STABLE/documentation/6to4.htm
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -29,15 +29,15 @@
</h3> </h3>
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of Shorewall <h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of Shorewall
only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6 security only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6
measures.</h3> security measures.</h3>
<p>6to4 tunneling with Shorewall can be used to connect your IPv6 network <p>6to4 tunneling with Shorewall can be used to connect your IPv6 network
to another IPv6 network over an IPv4 infrastructure</p> to another IPv6 network over an IPv4 infrastructure</p>
<p>More information on Linux and IPv6 can be found in the <a <p>More information on Linux and IPv6 can be found in the <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>. Details href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
on how to setup a 6to4 tunnels are described in the section <a Details on how to setup a 6to4 tunnels are described in the section <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels</a>.</p> of 6to4 tunnels</a>.</p>
@ -56,11 +56,11 @@ utility for network interface and routing configuration.</p>
<p align="left">Unlike GRE and IPIP tunneling, the /etc/shorewall/policy, <p align="left">Unlike GRE and IPIP tunneling, the /etc/shorewall/policy,
/etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There /etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There
is no need to declare a zone to represent the remote IPv6 network. This remote is no need to declare a zone to represent the remote IPv6 network. This
network is not visible on IPv4 interfaces and to iptables. All that is visible remote network is not visible on IPv4 interfaces and to iptables. All that
on the IPv4 level is an IPv4 stream which contains IPv6 traffic. Separate is visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
IPv6 interfaces and ip6tables rules need to be defined to handle this traffic. Separate IPv6 interfaces and ip6tables rules need to be defined to handle
</p> this traffic. </p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p> <p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
@ -139,5 +139,6 @@ other using IPv6.</p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

2356
STABLE/documentation/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

16
STABLE/documentation/ECN.html
View File

@ -2,14 +2,17 @@
<html> <html>
<head> <head>
<title>Shorewall and ECN</title> <title>Shorewall and ECN</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4" style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td <td
@ -22,9 +25,9 @@
</table> </table>
<br> <br>
Explicit Congestion Notification (ECN) is described in RFC 3168 and is a Explicit Congestion Notification (ECN) is described in RFC 3168 and is a
proposed internet standard. Unfortunately, not all sites support ECN and proposed internet standard. Unfortunately, not all sites support ECN and when
when a TCP connection offering ECN is sent to sites that don't support it, a TCP connection offering ECN is sent to sites that don't support it, the
the result is often that the connection request is ignored.<br> result is often that the connection request is ignored.<br>
<br> <br>
To allow ECN to be used, Shorewall allows you to enable ECN on your Linux To allow ECN to be used, Shorewall allows you to enable ECN on your Linux
systems then disable it in your firewall when the destination matches a list systems then disable it in your firewall when the destination matches a list
@ -32,12 +35,14 @@ that you create (the /etc/shorewall/ecn file).<br>
<br> <br>
You enable ECN by<br> You enable ECN by<br>
<br> <br>
<blockquote> <blockquote>
<pre><b><font color="#009900">echo 1 &gt; /proc/sys/net/ipv4/tcp_ecn</font></b></pre> <pre><b><font color="#009900">echo 1 &gt; /proc/sys/net/ipv4/tcp_ecn</font></b></pre>
</blockquote> </blockquote>
You must arrange for that command to be executed at system boot. Most distributions You must arrange for that command to be executed at system boot. Most distributions
have a method for doing that -- on RedHat, you make an entry in /etc/sysctl.conf.<br> have a method for doing that -- on RedHat, you make an entry in /etc/sysctl.conf.<br>
<br> <br>
<blockquote> <blockquote>
<pre><b><font color="#009900">net.ipv4.tcp_ecn = 1<br><br></font></b></pre> <pre><b><font color="#009900">net.ipv4.tcp_ecn = 1<br><br></font></b></pre>
</blockquote> </blockquote>
@ -55,6 +60,7 @@ tcp connections to 192.0.2.0/24:<br>
<br> <br>
In /etc/shorewall/ecn:<br> In /etc/shorewall/ecn:<br>
<br> <br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
@ -70,6 +76,7 @@ In /etc/shorewall/ecn:<br>
<td valign="top">192.0.2.0/24<br> <td valign="top">192.0.2.0/24<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
@ -79,5 +86,6 @@ In /etc/shorewall/ecn:<br>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>

784
STABLE/documentation/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

5
STABLE/documentation/Forum.html
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -26,8 +26,10 @@
</table> </table>
<h3><font color="#ff6633"></font></h3> <h3><font color="#ff6633"></font></h3>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please <h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="support.htm">Shorewall Support Guide</a>.</h1> read the <a href="support.htm">Shorewall Support Guide</a>.</h1>
<p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support <p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a><br> Forum</a><br>
</p> </p>
@ -38,5 +40,6 @@ Forum</a><br>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a></p> size="2">2003 Thomas M. Eastep.</font></a></p>
<br> <br>
<br>
</body> </body>
</html> </html>

487
STABLE/documentation/GnuCopyright.htm
View File

@ -1,282 +1,341 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Copyright</title> <title>Copyright</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h2 align="center"><font color="#FFFFFF">GNU Free Documentation License</font></h2> <h2 align="center"><font color="#ffffff">GNU Free Documentation License</font></h2>
</td> </td>
</tr> </tr>
</tbody>
</table> </table>
<p>Version 1.1, March 2000 </p> <p>Version 1.1, March 2000 </p>
<pre>Copyright (C) 2000 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA <pre>Copyright (C) 2000 Free Software Foundation, Inc.<br>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA<br>Everyone is permitted to copy and distribute verbatim copies<br>of this license document, but changing it is not allowed.<br></pre>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
</pre>
<p><strong>0. PREAMBLE</strong> </p> <p><strong>0. PREAMBLE</strong> </p>
<p>The purpose of this License is to make a manual, textbook, or other written <p>The purpose of this License is to make a manual, textbook, or other written
document &quot;free&quot; in the sense of freedom: to assure everyone the effective document "free" in the sense of freedom: to assure everyone the effective
freedom to copy and redistribute it, with or without modifying it, either freedom to copy and redistribute it, with or without modifying it, either
commercially or noncommercially. Secondarily, this License preserves for the commercially or noncommercially. Secondarily, this License preserves for
author and publisher a way to get credit for their work, while not being the author and publisher a way to get credit for their work, while not being
considered responsible for modifications made by others. </p> considered responsible for modifications made by others. </p>
<p>This License is a kind of &quot;copyleft&quot;, which means that derivative works of
the document must themselves be free in the same sense. It complements the GNU <p>This License is a kind of "copyleft", which means that derivative works
General Public License, which is a copyleft license designed for free software. of the document must themselves be free in the same sense. It complements
</p> the GNU General Public License, which is a copyleft license designed for
<p>We have designed this License in order to use it for manuals for free free software. </p>
software, because free software needs free documentation: a free program should
come with manuals providing the same freedoms that the software does. But this <p>We have designed this License in order to use it for manuals for free software,
License is not limited to software manuals; it can be used for any textual work, because free software needs free documentation: a free program should come
regardless of subject matter or whether it is published as a printed book. We with manuals providing the same freedoms that the software does. But this
recommend this License principally for works whose purpose is instruction or License is not limited to software manuals; it can be used for any textual
reference. </p> work, regardless of subject matter or whether it is published as a printed
book. We recommend this License principally for works whose purpose is instruction
or reference. </p>
<p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p> <p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
<p>This License applies to any manual or other work that contains a notice <p>This License applies to any manual or other work that contains a notice
placed by the copyright holder saying it can be distributed under the terms of placed by the copyright holder saying it can be distributed under the terms
this License. The &quot;Document&quot;, below, refers to any such manual or work. Any of this License. The "Document", below, refers to any such manual or work.
member of the public is a licensee, and is addressed as &quot;you&quot;. </p> Any member of the public is a licensee, and is addressed as "you". </p>
<p>A &quot;Modified Version&quot; of the Document means any work containing the Document
or a portion of it, either copied verbatim, or with modifications and/or <p>A "Modified Version" of the Document means any work containing the Document
translated into another language. </p> or a portion of it, either copied verbatim, or with modifications and/or translated
<p>A &quot;Secondary Section&quot; is a named appendix or a front-matter section of the into another language. </p>
Document that deals exclusively with the relationship of the publishers or
authors of the Document to the Document's overall subject (or to related <p>A "Secondary Section" is a named appendix or a front-matter section of
the Document that deals exclusively with the relationship of the publishers
or authors of the Document to the Document's overall subject (or to related
matters) and contains nothing that could fall directly within that overall matters) and contains nothing that could fall directly within that overall
subject. (For example, if the Document is in part a textbook of mathematics, a subject. (For example, if the Document is in part a textbook of mathematics,
Secondary Section may not explain any mathematics.) The relationship could be a a Secondary Section may not explain any mathematics.) The relationship could
matter of historical connection with the subject or with related matters, or of be a matter of historical connection with the subject or with related matters,
legal, commercial, philosophical, ethical or political position regarding them. or of legal, commercial, philosophical, ethical or political position regarding
</p> them. </p>
<p>The &quot;Invariant Sections&quot; are certain Secondary Sections whose titles are
designated, as being those of Invariant Sections, in the notice that says that <p>The "Invariant Sections" are certain Secondary Sections whose titles are
the Document is released under this License. </p> designated, as being those of Invariant Sections, in the notice that says
<p>The &quot;Cover Texts&quot; are certain short passages of text that are listed, as that the Document is released under this License. </p>
Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document
is released under this License. </p> <p>The "Cover Texts" are certain short passages of text that are listed,
<p>A &quot;Transparent&quot; copy of the Document means a machine-readable copy, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the
represented in a format whose specification is available to the general public, Document is released under this License. </p>
whose contents can be viewed and edited directly and straightforwardly with
generic text editors or (for images composed of pixels) generic paint programs <p>A "Transparent" copy of the Document means a machine-readable copy, represented
or (for drawings) some widely available drawing editor, and that is suitable for in a format whose specification is available to the general public, whose
input to text formatters or for automatic translation to a variety of formats contents can be viewed and edited directly and straightforwardly with generic
suitable for input to text formatters. A copy made in an otherwise Transparent text editors or (for images composed of pixels) generic paint programs or
file format whose markup has been designed to thwart or discourage subsequent (for drawings) some widely available drawing editor, and that is suitable
modification by readers is not Transparent. A copy that is not &quot;Transparent&quot; is for input to text formatters or for automatic translation to a variety of
called &quot;Opaque&quot;. </p> formats suitable for input to text formatters. A copy made in an otherwise
Transparent file format whose markup has been designed to thwart or discourage
subsequent modification by readers is not Transparent. A copy that is not
"Transparent" is called "Opaque". </p>
<p>Examples of suitable formats for Transparent copies include plain ASCII <p>Examples of suitable formats for Transparent copies include plain ASCII
without markup, Texinfo input format, LaTeX input format, SGML or XML using a without markup, Texinfo input format, LaTeX input format, SGML or XML using
publicly available DTD, and standard-conforming simple HTML designed for human a publicly available DTD, and standard-conforming simple HTML designed for
modification. Opaque formats include PostScript, PDF, proprietary formats that human modification. Opaque formats include PostScript, PDF, proprietary formats
can be read and edited only by proprietary word processors, SGML or XML for that can be read and edited only by proprietary word processors, SGML or
which the DTD and/or processing tools are not generally available, and the XML for which the DTD and/or processing tools are not generally available,
machine-generated HTML produced by some word processors for output purposes and the machine-generated HTML produced by some word processors for output
only. </p> purposes only. </p>
<p>The &quot;Title Page&quot; means, for a printed book, the title page itself, plus such
following pages as are needed to hold, legibly, the material this License <p>The "Title Page" means, for a printed book, the title page itself, plus
requires to appear in the title page. For works in formats which do not have any such following pages as are needed to hold, legibly, the material this License
title page as such, &quot;Title Page&quot; means the text near the most prominent requires to appear in the title page. For works in formats which do not have
appearance of the work's title, preceding the beginning of the body of the text. any title page as such, "Title Page" means the text near the most prominent
</p> appearance of the work's title, preceding the beginning of the body of the
text. </p>
<p><strong>2. VERBATIM COPYING</strong> </p> <p><strong>2. VERBATIM COPYING</strong> </p>
<p>You may copy and distribute the Document in any medium, either commercially <p>You may copy and distribute the Document in any medium, either commercially
or noncommercially, provided that this License, the copyright notices, and the or noncommercially, provided that this License, the copyright notices, and
license notice saying this License applies to the Document are reproduced in all the license notice saying this License applies to the Document are reproduced
copies, and that you add no other conditions whatsoever to those of this in all copies, and that you add no other conditions whatsoever to those of
License. You may not use technical measures to obstruct or control the reading this License. You may not use technical measures to obstruct or control the
or further copying of the copies you make or distribute. However, you may accept reading or further copying of the copies you make or distribute. However,
compensation in exchange for copies. If you distribute a large enough number of you may accept compensation in exchange for copies. If you distribute a large
copies you must also follow the conditions in section 3. </p> enough number of copies you must also follow the conditions in section 3.
<p>You may also lend copies, under the same conditions stated above, and you may </p>
publicly display copies. </p>
<p>You may also lend copies, under the same conditions stated above, and
you may publicly display copies. </p>
<p><strong>3. COPYING IN QUANTITY</strong> </p> <p><strong>3. COPYING IN QUANTITY</strong> </p>
<p>If you publish printed copies of the Document numbering more than 100, and
the Document's license notice requires Cover Texts, you must enclose the copies <p>If you publish printed copies of the Document numbering more than 100,
in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover and the Document's license notice requires Cover Texts, you must enclose
Texts on the front cover, and Back-Cover Texts on the back cover. Both covers the copies in covers that carry, clearly and legibly, all these Cover Texts:
must also clearly and legibly identify you as the publisher of these copies. The Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover.
front cover must present the full title with all words of the title equally Both covers must also clearly and legibly identify you as the publisher of
prominent and visible. You may add other material on the covers in addition. these copies. The front cover must present the full title with all words
Copying with changes limited to the covers, as long as they preserve the title of the title equally prominent and visible. You may add other material on
of the Document and satisfy these conditions, can be treated as verbatim copying the covers in addition. Copying with changes limited to the covers, as long
in other respects. </p> as they preserve the title of the Document and satisfy these conditions,
<p>If the required texts for either cover are too voluminous to fit legibly, you can be treated as verbatim copying in other respects. </p>
should put the first ones listed (as many as fit reasonably) on the actual
<p>If the required texts for either cover are too voluminous to fit legibly,
you should put the first ones listed (as many as fit reasonably) on the actual
cover, and continue the rest onto adjacent pages. </p> cover, and continue the rest onto adjacent pages. </p>
<p>If you publish or distribute Opaque copies of the Document numbering more <p>If you publish or distribute Opaque copies of the Document numbering more
than 100, you must either include a machine-readable Transparent copy along with than 100, you must either include a machine-readable Transparent copy along
each Opaque copy, or state in or with each Opaque copy a publicly-accessible with each Opaque copy, or state in or with each Opaque copy a publicly-accessible
computer-network location containing a complete Transparent copy of the computer-network location containing a complete Transparent copy of the Document,
Document, free of added material, which the general network-using public has free of added material, which the general network-using public has access
access to download anonymously at no charge using public-standard network to download anonymously at no charge using public-standard network protocols.
protocols. If you use the latter option, you must take reasonably prudent steps, If you use the latter option, you must take reasonably prudent steps, when
when you begin distribution of Opaque copies in quantity, to ensure that this you begin distribution of Opaque copies in quantity, to ensure that this Transparent
Transparent copy will remain thus accessible at the stated location until at copy will remain thus accessible at the stated location until at least one
least one year after the last time you distribute an Opaque copy (directly or year after the last time you distribute an Opaque copy (directly or through
through your agents or retailers) of that edition to the public. </p> your agents or retailers) of that edition to the public. </p>
<p>It is requested, but not required, that you contact the authors of the <p>It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give them a Document well before redistributing any large number of copies, to give them
chance to provide you with an updated version of the Document. </p> a chance to provide you with an updated version of the Document. </p>
<p><strong>4. MODIFICATIONS</strong> </p> <p><strong>4. MODIFICATIONS</strong> </p>
<p>You may copy and distribute a Modified Version of the Document under the <p>You may copy and distribute a Modified Version of the Document under the
conditions of sections 2 and 3 above, provided that you release the Modified conditions of sections 2 and 3 above, provided that you release the Modified
Version under precisely this License, with the Modified Version filling the role Version under precisely this License, with the Modified Version filling the
of the Document, thus licensing distribution and modification of the Modified role of the Document, thus licensing distribution and modification of the
Version to whoever possesses a copy of it. In addition, you must do these things Modified Version to whoever possesses a copy of it. In addition, you must
in the Modified Version: </p> do these things in the Modified Version: </p>
<p>&nbsp;</p>
<p> </p>
<ul> <ul>
<li><strong>A.</strong> Use in the Title Page (and on the covers, if any) a <li><strong>A.</strong> Use in the Title Page (and on the covers, if any)
title distinct from that of the Document, and from those of previous versions a title distinct from that of the Document, and from those of previous
(which should, if there were any, be listed in the History section of the versions (which should, if there were any, be listed in the History section
Document). You may use the same title as a previous version if the original of the Document). You may use the same title as a previous version if the
publisher of that version gives permission. </li> original publisher of that version gives permission. </li>
<li><strong>B.</strong> List on the Title Page, as authors, one or more <li><strong>B.</strong> List on the Title Page, as authors, one or more
persons or entities responsible for authorship of the modifications in the persons or entities responsible for authorship of the modifications in
Modified Version, together with at least five of the principal authors of the the Modified Version, together with at least five of the principal authors
Document (all of its principal authors, if it has less than five). </li> of the Document (all of its principal authors, if it has less than five).
<li><strong>C.</strong> State on the Title page the name of the publisher of </li>
the Modified Version, as the publisher. </li> <li><strong>C.</strong> State on the Title page the name of the publisher
of the Modified Version, as the publisher. </li>
<li><strong>D.</strong> Preserve all the copyright notices of the Document. <li><strong>D.</strong> Preserve all the copyright notices of the Document.
</li> </li>
<li><strong>E.</strong> Add an appropriate copyright notice for your <li><strong>E.</strong> Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices. </li> modifications adjacent to the other copyright notices. </li>
<li><strong>F.</strong> Include, immediately after the copyright notices, a <li><strong>F.</strong> Include, immediately after the copyright notices,
license notice giving the public permission to use the Modified Version under a license notice giving the public permission to use the Modified Version
the terms of this License, in the form shown in the Addendum below. </li> under the terms of this License, in the form shown in the Addendum below.
<li><strong>G.</strong> Preserve in that license notice the full lists of </li>
Invariant Sections and required Cover Texts given in the Document's license <li><strong>G.</strong> Preserve in that license notice the full lists
notice. </li> of Invariant Sections and required Cover Texts given in the Document's
license notice. </li>
<li><strong>H.</strong> Include an unaltered copy of this License. </li> <li><strong>H.</strong> Include an unaltered copy of this License. </li>
<li><strong>I.</strong> Preserve the section entitled &quot;History&quot;, and its <li><strong>I.</strong> Preserve the section entitled "History", and its
title, and add to it an item stating at least the title, year, new authors, title, and add to it an item stating at least the title, year, new authors,
and publisher of the Modified Version as given on the Title Page. If there is and publisher of the Modified Version as given on the Title Page. If there
no section entitled &quot;History&quot; in the Document, create one stating the title, is no section entitled "History" in the Document, create one stating the
year, authors, and publisher of the Document as given on its Title Page, then title, year, authors, and publisher of the Document as given on its Title
add an item describing the Modified Version as stated in the previous Page, then add an item describing the Modified Version as stated in the
sentence. </li> previous sentence. </li>
<li><strong>J.</strong> Preserve the network location, if any, given in the <li><strong>J.</strong> Preserve the network location, if any, given in
Document for public access to a Transparent copy of the Document, and likewise the Document for public access to a Transparent copy of the Document, and
the network locations given in the Document for previous versions it was based likewise the network locations given in the Document for previous versions
on. These may be placed in the &quot;History&quot; section. You may omit a network it was based on. These may be placed in the "History" section. You may
location for a work that was published at least four years before the Document omit a network location for a work that was published at least four years
itself, or if the original publisher of the version it refers to gives before the Document itself, or if the original publisher of the version
permission. </li> it refers to gives permission. </li>
<li><strong>K.</strong> In any section entitled &quot;Acknowledgements&quot; or <li><strong>K.</strong> In any section entitled "Acknowledgements" or
&quot;Dedications&quot;, preserve the section's title, and preserve in the section all "Dedications", preserve the section's title, and preserve in the section
the substance and tone of each of the contributor acknowledgements and/or all the substance and tone of each of the contributor acknowledgements
dedications given therein. </li> and/or dedications given therein. </li>
<li><strong>L.</strong> Preserve all the Invariant Sections of the Document, <li><strong>L.</strong> Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers or the equivalent unaltered in their text and in their titles. Section numbers or the equivalent
are not considered part of the section titles. </li> are not considered part of the section titles. </li>
<li><strong>M.</strong> Delete any section entitled &quot;Endorsements&quot;. Such a <li><strong>M.</strong> Delete any section entitled "Endorsements". Such
section may not be included in the Modified Version. </li> a section may not be included in the Modified Version. </li>
<li><strong>N.</strong> Do not retitle any existing section as &quot;Endorsements&quot; <li><strong>N.</strong> Do not retitle any existing section as "Endorsements"
or to conflict in title with any Invariant Section. </li> or to conflict in title with any Invariant Section. </li>
</ul> </ul>
<p>If the Modified Version includes new front-matter sections or appendices that
qualify as Secondary Sections and contain no material copied from the Document, <p>If the Modified Version includes new front-matter sections or appendices
you may at your option designate some or all of these sections as invariant. To that qualify as Secondary Sections and contain no material copied from the
do this, add their titles to the list of Invariant Sections in the Modified Document, you may at your option designate some or all of these sections
Version's license notice. These titles must be distinct from any other section as invariant. To do this, add their titles to the list of Invariant Sections
titles. </p> in the Modified Version's license notice. These titles must be distinct from
<p>You may add a section entitled &quot;Endorsements&quot;, provided it contains nothing any other section titles. </p>
<p>You may add a section entitled "Endorsements", provided it contains nothing
but endorsements of your Modified Version by various parties--for example, but endorsements of your Modified Version by various parties--for example,
statements of peer review or that the text has been approved by an organization statements of peer review or that the text has been approved by an organization
as the authoritative definition of a standard. </p> as the authoritative definition of a standard. </p>
<p>You may add a passage of up to five words as a Front-Cover Text, and a <p>You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover passage of up to 25 words as a Back-Cover Text, to the end of the list of
Texts in the Modified Version. Only one passage of Front-Cover Text and one of Cover Texts in the Modified Version. Only one passage of Front-Cover Text
Back-Cover Text may be added by (or through arrangements made by) any one and one of Back-Cover Text may be added by (or through arrangements made
entity. If the Document already includes a cover text for the same cover, by) any one entity. If the Document already includes a cover text for the
previously added by you or by arrangement made by the same entity you are acting same cover, previously added by you or by arrangement made by the same entity
on behalf of, you may not add another; but you may replace the old one, on you are acting on behalf of, you may not add another; but you may replace
explicit permission from the previous publisher that added the old one. </p> the old one, on explicit permission from the previous publisher that added
<p>The author(s) and publisher(s) of the Document do not by this License give the old one. </p>
permission to use their names for publicity for or to assert or imply
<p>The author(s) and publisher(s) of the Document do not by this License
give permission to use their names for publicity for or to assert or imply
endorsement of any Modified Version. </p> endorsement of any Modified Version. </p>
<p><strong>5. COMBINING DOCUMENTS</strong> </p> <p><strong>5. COMBINING DOCUMENTS</strong> </p>
<p>You may combine the Document with other documents released under this
License, under the terms defined in section 4 above for modified versions, <p>You may combine the Document with other documents released under this License,
provided that you include in the combination all of the Invariant Sections of under the terms defined in section 4 above for modified versions, provided
all of the original documents, unmodified, and list them all as Invariant that you include in the combination all of the Invariant Sections of all
Sections of your combined work in its license notice. </p> of the original documents, unmodified, and list them all as Invariant Sections
of your combined work in its license notice. </p>
<p>The combined work need only contain one copy of this License, and multiple <p>The combined work need only contain one copy of this License, and multiple
identical Invariant Sections may be replaced with a single copy. If there are identical Invariant Sections may be replaced with a single copy. If there
multiple Invariant Sections with the same name but different contents, make the are multiple Invariant Sections with the same name but different contents,
title of each such section unique by adding at the end of it, in parentheses, make the title of each such section unique by adding at the end of it, in
the name of the original author or publisher of that section if known, or else a parentheses, the name of the original author or publisher of that section
unique number. Make the same adjustment to the section titles in the list of if known, or else a unique number. Make the same adjustment to the section
Invariant Sections in the license notice of the combined work. </p> titles in the list of Invariant Sections in the license notice of the combined
<p>In the combination, you must combine any sections entitled &quot;History&quot; in the work. </p>
various original documents, forming one section entitled &quot;History&quot;; likewise
combine any sections entitled &quot;Acknowledgements&quot;, and any sections entitled <p>In the combination, you must combine any sections entitled "History" in
&quot;Dedications&quot;. You must delete all sections entitled &quot;Endorsements.&quot; </p> the various original documents, forming one section entitled "History"; likewise
combine any sections entitled "Acknowledgements", and any sections entitled
"Dedications". You must delete all sections entitled "Endorsements." </p>
<p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p> <p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
<p>You may make a collection consisting of the Document and other documents <p>You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this License released under this License, and replace the individual copies of this License
in the various documents with a single copy that is included in the collection, in the various documents with a single copy that is included in the collection,
provided that you follow the rules of this License for verbatim copying of each provided that you follow the rules of this License for verbatim copying of
of the documents in all other respects. </p> each of the documents in all other respects. </p>
<p>You may extract a single document from such a collection, and distribute it
individually under this License, provided you insert a copy of this License into <p>You may extract a single document from such a collection, and distribute
the extracted document, and follow this License in all other respects regarding it individually under this License, provided you insert a copy of this License
verbatim copying of that document. </p> into the extracted document, and follow this License in all other respects
regarding verbatim copying of that document. </p>
<p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p> <p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
<p>A compilation of the Document or its derivatives with other separate and <p>A compilation of the Document or its derivatives with other separate and
independent documents or works, in or on a volume of a storage or distribution independent documents or works, in or on a volume of a storage or distribution
medium, does not as a whole count as a Modified Version of the Document, medium, does not as a whole count as a Modified Version of the Document, provided
provided no compilation copyright is claimed for the compilation. Such a no compilation copyright is claimed for the compilation. Such a compilation
compilation is called an &quot;aggregate&quot;, and this License does not apply to the is called an "aggregate", and this License does not apply to the other self-contained
other self-contained works thus compiled with the Document, on account of their works thus compiled with the Document, on account of their being thus compiled,
being thus compiled, if they are not themselves derivative works of the if they are not themselves derivative works of the Document. </p>
Document. </p>
<p>If the Cover Text requirement of section 3 is applicable to these copies of <p>If the Cover Text requirement of section 3 is applicable to these copies
the Document, then if the Document is less than one quarter of the entire of the Document, then if the Document is less than one quarter of the entire
aggregate, the Document's Cover Texts may be placed on covers that surround only aggregate, the Document's Cover Texts may be placed on covers that surround
the Document within the aggregate. Otherwise they must appear on covers around only the Document within the aggregate. Otherwise they must appear on covers
the whole aggregate. </p> around the whole aggregate. </p>
<p><strong>8. TRANSLATION</strong> </p> <p><strong>8. TRANSLATION</strong> </p>
<p>Translation is considered a kind of modification, so you may distribute <p>Translation is considered a kind of modification, so you may distribute
translations of the Document under the terms of section 4. Replacing Invariant translations of the Document under the terms of section 4. Replacing Invariant
Sections with translations requires special permission from their copyright Sections with translations requires special permission from their copyright
holders, but you may include translations of some or all Invariant Sections in holders, but you may include translations of some or all Invariant Sections
addition to the original versions of these Invariant Sections. You may include a in addition to the original versions of these Invariant Sections. You may
translation of this License provided that you also include the original English include a translation of this License provided that you also include the
version of this License. In case of a disagreement between the translation and original English version of this License. In case of a disagreement between
the original English version of this License, the original English version will the translation and the original English version of this License, the original
prevail. </p> English version will prevail. </p>
<p><strong>9. TERMINATION</strong> </p> <p><strong>9. TERMINATION</strong> </p>
<p>You may not copy, modify, sublicense, or distribute the Document except as
expressly provided for under this License. Any other attempt to copy, modify, <p>You may not copy, modify, sublicense, or distribute the Document except
sublicense or distribute the Document is void, and will automatically terminate as expressly provided for under this License. Any other attempt to copy,
your rights under this License. However, parties who have received copies, or modify, sublicense or distribute the Document is void, and will automatically
rights, from you under this License will not have their licenses terminated so terminate your rights under this License. However, parties who have received
long as such parties remain in full compliance. </p> copies, or rights, from you under this License will not have their licenses
terminated so long as such parties remain in full compliance. </p>
<p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p> <p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
<p>The Free Software Foundation may publish new, revised versions of the GNU
Free Documentation License from time to time. Such new versions will be similar
in spirit to the present version, but may differ in detail to address new
problems or concerns. See http://www.gnu.org/copyleft/. </p>
<p>Each version of the License is given a distinguishing version number. If the
Document specifies that a particular numbered version of this License &quot;or any
later version&quot; applies to it, you have the option of following the terms and
conditions either of that specified version or of any later version that has
been published (not as a draft) by the Free Software Foundation. If the Document
does not specify a version number of this License, you may choose any version
ever published (not as a draft) by the Free Software Foundation. </p>
<p align="left">&nbsp;</p>
<p>The Free Software Foundation may publish new, revised versions of the
GNU Free Documentation License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns. See http://www.gnu.org/copyleft/. </p>
<p>Each version of the License is given a distinguishing version number.
If the Document specifies that a particular numbered version of this License
"or any later version" applies to it, you have the option of following the
terms and conditions either of that specified version or of any later version
that has been published (not as a draft) by the Free Software Foundation.
If the Document does not specify a version number of this License, you may
choose any version ever published (not as a draft) by the Free Software Foundation.
</p>
<p align="left"> </p>
<br>
</body> </body>
</html> </html>

17
STABLE/documentation/IPIP.htm
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -86,8 +86,8 @@ it in /etc/shorewall/zones on both systems as follows.</p>
</table> </table>
</blockquote> </blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> <p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
zone. In /etc/shorewall/interfaces:</p> In /etc/shorewall/interfaces:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -205,8 +205,8 @@ zone. In /etc/shorewall/interfaces:</p>
are secured so that root can execute them. </p> are secured so that root can execute them. </p>
<p align="left"> You will need to allow traffic between the "vpn" zone and <p align="left"> You will need to allow traffic between the "vpn" zone and
the "loc" zone on both systems -- if you simply want to admit all the "loc" zone on both systems -- if you simply want to admit all traffic
traffic in both directions, you can use the policy file:</p> in both directions, you can use the policy file:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -234,9 +234,9 @@ traffic in both directions, you can use the policy file:</p>
</table> </table>
</blockquote> </blockquote>
<p>On both systems, restart Shorewall and run the modified tunnel script <p>On both systems, restart Shorewall and run the modified tunnel script with
with the "start" argument on each system. The systems in the two masqueraded the "start" argument on each system. The systems in the two masqueraded subnetworks
subnetworks can now talk to each other</p> can now talk to each other</p>
<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
@ -244,5 +244,6 @@ subnetworks can now talk to each other</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
<br> <br>
<br>
</body> </body>
</html> </html>

54
STABLE/documentation/IPSEC.htm
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -34,9 +34,9 @@
FreeS/Wan on the same system unless you are prepared to suffer the consequences. FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column rather than to the interface that you specify in the INTERFACE column of
of /etc/shorewall/proxyarp. I haven't had the time to debug this problem /etc/shorewall/proxyarp. I haven't had the time to debug this problem so
so I can't say if it is a bug in the Kernel or in FreeS/Wan. </p> I can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
<p>You <b>might</b> be able to work around this problem using the following <p>You <b>might</b> be able to work around this problem using the following
(I haven't tried it):</p> (I haven't tried it):</p>
@ -115,9 +115,9 @@ so I can't say if it is a bug in the Kernel or in FreeS/Wan.
</blockquote> </blockquote>
<p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway <p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
then the tunnels file entry on the <u><b>other</b></u> endpoint should then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
specify a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
GATEWAY address should specify the external address of the NAT gateway.<br> address should specify the external address of the NAT gateway.<br>
</p> </p>
<p align="left">You need to define a zone for the remote subnet or include <p align="left">You need to define a zone for the remote subnet or include
@ -195,14 +195,14 @@ created a zone called "vpn" to represent the remote subnet.</p>
</table> </table>
</blockquote> </blockquote>
<p align="left"> Once you have these entries in place, restart Shorewall (type <p align="left"> Once you have these entries in place, restart Shorewall
shorewall restart); you are now ready to configure the tunnel in <a (type shorewall restart); you are now ready to configure the tunnel in <a
href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .</p> href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .</p>
<h2><a name="VPNHub"></a>VPN Hub</h2> <h2><a name="VPNHub"></a>VPN Hub</h2>
Shorewall can be used in a VPN Hub environment where multiple remote networks Shorewall can be used in a VPN Hub environment where multiple remote networks
are connected to a gateway running Shorewall. This environment is shown in are connected to a gateway running Shorewall. This environment is shown
this diatram.<br> in this diatram.<br>
<div align="center"><img src="images/ThreeNets.png" <div align="center"><img src="images/ThreeNets.png"
alt="(Three networks linked with IPSEC)" width="750" height="781"> alt="(Three networks linked with IPSEC)" width="750" height="781">
@ -287,8 +287,8 @@ networks.<br>
<p align="left"></p> <p align="left"></p>
<p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway <p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
then the tunnels file entry on the <u><b>other</b></u> endpoint should then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
specify a tunnel type of <i>ipsecnat</i> rather than <i>ipsec<br> a tunnel type of <i>ipsecnat</i> rather than <i>ipsec<br>
</i> and the GATEWAY address should specify the external address of the </i> and the GATEWAY address should specify the external address of the
NAT gateway.<br> NAT gateway.<br>
</p> </p>
@ -427,10 +427,11 @@ have the following in /etc/shorewall/interfaces:</p>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<p align="left">On systems A, you will need to allow traffic between the "vpn1"
zone and the "loc" zone as well as between "vpn2" and the "loc" zone <p align="left">On systems A, you will need to allow traffic between the
-- if you simply want to admit all traffic in both directions, you "vpn1" zone and the "loc" zone as well as between "vpn2" and the
can use the following policy file entries on all three gateways:</p> "loc" zone -- if you simply want to admit all traffic in both directions,
you can use the following policy file entries on all three gateways:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -477,10 +478,11 @@ can use the following policy file entries on all three gateways:</p>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left">On systems B and C, you will need to allow traffic between <p align="left">On systems B and C, you will need to allow traffic between
the "vpn" zone and the "loc" zone -- if you simply want to admit all the "vpn" zone and the "loc" zone -- if you simply want to admit
traffic in both directions, you can use the following policy file entries all traffic in both directions, you can use the following policy file
on all three gateways:</p> entries on all three gateways:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -515,6 +517,7 @@ the tunnels in <a href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a>
Note that to allow traffic between the networks attached to systems B and Note that to allow traffic between the networks attached to systems B and
C, it is necessary to simply add two additional entries to the /etc/shorewall/policy C, it is necessary to simply add two additional entries to the /etc/shorewall/policy
file on system A.<br> file on system A.<br>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
@ -547,9 +550,9 @@ file on system A.<br>
<h2><font color="#660066"><a name="RoadWarrior"></a> </font>Mobile System <h2><font color="#660066"><a name="RoadWarrior"></a> </font>Mobile System
(Road Warrior)</h2> (Road Warrior)</h2>
<p>Suppose that you have a laptop system (B) that you take with you when you <p>Suppose that you have a laptop system (B) that you take with you when
travel and you want to be able to establish a secure connection back to your you travel and you want to be able to establish a secure connection back
local network.</p> to your local network.</p>
<p align="center"><strong><font face="Century Gothic, Arial, Helvetica"> <p align="center"><strong><font face="Century Gothic, Arial, Helvetica">
<img src="images/Mobile.png" width="677" height="426"> <img src="images/Mobile.png" width="677" height="426">
@ -707,8 +710,8 @@ comes down. For example, when 134.28.54.2 connects for the vpn2 zone the
</blockquote> </blockquote>
<h3>Limitations of Dynamic Zones</h3> <h3>Limitations of Dynamic Zones</h3>
If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added If you include a dynamic zone in the exclude list of a DNAT rule, the
hosts are not excluded from the rule.<br> dynamically-added hosts are not excluded from the rule.<br>
<br> <br>
Example with dyn=dynamic zone:<br> Example with dyn=dynamic zone:<br>
<br> <br>
@ -763,5 +766,6 @@ rule.
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br>
</body> </body>
</html> </html>

83
STABLE/documentation/Install.htm
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -30,8 +30,8 @@
href="upgrade_issues.htm">Upgrade Issues<br> href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p> </a></b></p>
<div align="left"><b>Before attempting installation, I strongly urge you to <div align="left"><b>Before attempting installation, I strongly urge you
read and print a copy of the <a to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b><br> for the configuration that most closely matches your own.</b><br>
</div> </div>
@ -48,11 +48,11 @@ read and print a copy of the <a
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p> <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a <p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to shell prompt, type "/sbin/iptables --version"), you must upgrade to version
version 1.2.4 either from the <a 1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
before attempting to start Shorewall.</b></p> attempting to start Shorewall.</b></p>
<ul> <ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br> <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
@ -76,11 +76,11 @@ before attempting to start Shorewall.</b></p>
</li> </li>
<li>Edit the <a href="#Config_Files"> configuration files</a> <li>Edit the <a href="#Config_Files"> configuration files</a>
to match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN to match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN
<u>NOT</u> SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. <u>NOT</u> SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start"
SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START.
ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR
NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE
clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li> A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
</ul> </ul>
@ -99,8 +99,8 @@ the directory name as in "shorewall-1.1.10").</li>
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then <li>If you are using <a href="http://www.suse.com">SuSe</a>
type "./install.sh /etc/init.d"</li> then type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your <li>For other distributions, determine where your
@ -109,22 +109,22 @@ the directory name as in "shorewall-1.1.10").</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> <li>Edit the <a href="#Config_Files"> configuration files</a>
to match your configuration.</li> to match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to <li>If the install script was unable to configure Shorewall
be started automatically at boot, see <a to be started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li> href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul> </ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file disk, simply replace the "shorwall.lrp" file on the image with the file
that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart that you downloaded. See the <a href="two-interface.htm">two-interface
Guide</a> for information about further steps required.</p> QuickStart Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p> and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
or and you have entries in the /etc/shorewall/hosts file then please check and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the 1.2 rule forms that are no longer supported under 1.4 (you must use the
@ -149,26 +149,26 @@ or and you have entries in the /etc/shorewall/hosts file then please check
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
<br> <br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh This may be worked around by using the --nodeps option of rpm (rpm
--nodeps &lt;shorewall rpm&gt;). </p> -Uvh --nodeps &lt;shorewall rpm&gt;). </p>
</li> </li>
<li>See if there are any incompatibilities between your configuration <li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct and the new Shorewall version (type "shorewall check") and correct as
as necessary.</li> necessary.</li>
<li>Restart the firewall (shorewall restart).</li> <li>Restart the firewall (shorewall restart).</li>
</ul> </ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and <p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
are upgrading to a new version using the tarball:</p> and are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
you have entries in the /etc/shorewall/hosts file then please check your and you have entries in the /etc/shorewall/hosts file then please check
/etc/shorewall/interfaces file to be sure that it contains an entry for your /etc/shorewall/interfaces file to be sure that it contains an entry
each interface mentioned in the hosts file.  Also, there are certain 1.2 for each interface mentioned in the hosts file.  Also, there are certain
rule forms that are no longer supported under 1.4 (you must use the new 1.2 rule forms that are no longer supported under 1.4 (you must use the
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
details. </p> for details. </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
@ -181,28 +181,28 @@ the directory name as in "shorewall-3.0.1").</li>
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then <li>If you are using<a href="http://www.suse.com"> SuSe</a>
type "./install.sh /etc/init.d"</li> then type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your <li>For other distributions, determine where your
distribution installs init scripts and type "./install.sh distribution installs init scripts and type "./install.sh
&lt;init script directory&gt;</li> &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration <li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct and the new Shorewall version (type "shorewall check") and correct as
as necessary.</li> necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li> <li>Restart the firewall by typing "shorewall restart"</li>
</ul> </ul>
<a name="LRP_Upgrade"></a>If you already have a running Bering <a name="LRP_Upgrade"></a>If you already have a running
installation and wish to upgrade to a later version of Shorewall:<br> Bering installation and wish to upgrade to a later version of Shorewall:<br>
<br> <br>
    <b>UNDER CONSTRUCTION...</b><br>     <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3> <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of the configuration files to match <p>You will need to edit some or all of the configuration files to match your
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p> QuickStart Guides</a> contain all of the information you need.</p>
<ul> <ul>
@ -216,5 +216,6 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br>
</body> </body>
</html> </html>

32
STABLE/documentation/MAC_Validation.html
View File

@ -12,7 +12,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4" style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -47,8 +47,8 @@ MAC verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate <li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li> with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a> </b>variables in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC verification. and determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
@ -64,35 +64,37 @@ not logged.<br>
<li>INTERFACE - The name of an ethernet interface on the Shorewall <li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li> system.</li>
<li>MAC - The MAC address of a device on the ethernet segment <li>MAC - The MAC address of a device on the ethernet segment
connected by INTERFACE. It is not necessary to use the Shorewall MAC format connected by INTERFACE. It is not necessary to use the Shorewall MAC
in this column although you may use that format if you so choose.</li> format in this column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses <li>IP Address - An optional comma-separated list of IP addresses
for the device whose MAC is listed in the MAC column.</li> for the device whose MAC is listed in the MAC column.</li>
</ul> </ul>
<h3>Example 1: Here are my files:</h3> <h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a> for
details about my setup):</h3>
<b>/etc/shorewall/shorewall.conf:<br> <b>/etc/shorewall/shorewall.conf:<br>
</b> </b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre> <pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br> <b>/etc/shorewall/interfaces:</b><br>
<blockquote> <blockquote>
<pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>wap eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre> <pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>WiFi eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
</blockquote> </blockquote>
<b>/etc/shorewall/maclist:</b><br> <b>/etc/shorewall/maclist:</b><br>
<blockquote> <blockquote>
<pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre> <pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c 192.168.3.225,192.168.3.8 #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
</blockquote> </blockquote>
As shown above, I use MAC Verification on my wireless zone.<br> As shown above, I use MAC Verification on my wireless zone.<br>
<br> <br>
<b>Note: </b>The WET11 is a somewhat curious device; when forwarding DHCP <b>Note: </b>While marketed as a wireless bridge, the WET11 behaves like
traffic, it uses the MAC address of the host (TIPPER) but for other forwarded a wireless router with DHCP relay. When forwarding DHCP traffic, it uses the
traffic it uses it's own MAC address. Consequently, I don't assign the WET11 MAC address of the host (TIPPER) but for other forwarded traffic it uses it's
a fixed IP address in /etc/shorewall/maclist.<br> own MAC address. Consequently, I list the IP addresses of both devices in
/etc/shorewall/maclist.<br>
<h3>Example 2: Router in Local Zone</h3> <h3>Example 2: Router in Wireless Zone</h3>
Suppose now that I add a second wireless segment to my wireless Suppose now that I add a second wireless segment to my wireless
zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15 zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15
and IP address 192.168.3.253. Hosts in the second segment have IP addresses and IP address 192.168.3.253. Hosts in the second segment have IP addresses
@ -106,7 +108,7 @@ all traffic being sent to my firewall from the 192.168.4.0/24 segment
will be forwarded by the router so that traffic's MAC address will be will be forwarded by the router so that traffic's MAC address will be
that of the router (00:06:43:45:C6:15) and not that of the host sending that of the router (00:06:43:45:C6:15) and not that of the host sending
the traffic. the traffic.
<p><font size="2"> Updated 6/10/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
@ -116,5 +118,7 @@ the traffic.
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

42
STABLE/documentation/NAT.htm
View File

@ -12,39 +12,40 @@
</head> </head>
<body> <body>
<blockquote>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Static NAT</font></h1> <h1 align="center"><font color="#ffffff">Static Nat</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
<br>
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward <p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static ports to servers behind your firewall, you do NOT want to use static
NAT. Port forwarding can be accomplished with simple entries in the NAT. Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p> <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<blockquote> </blockquote>
<p>Static NAT is a way to make systems behind a firewall and configured <p>Static NAT is a way to make systems behind a firewall and configured
with private IP addresses (those reserved for private use in RFC1918) with private IP addresses (those reserved for private use in RFC1918)
appear to have public IP addresses. Before you try to use this technique, appear to have public IP addresses. Before you try to use this technique,
I strongly recommend that you read the <a I strongly recommend that you read the <a
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p> href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<blockquote> </blockquote>
<p>The following figure represents a static NAT environment.</p> <p>The following figure represents a static NAT environment.</p>
<blockquote>
<p align="center"><strong> <img src="images/staticnat.png" <p align="center"><strong> <img src="images/staticnat.png"
width="435" height="397"> width="435" height="397">
</strong></p> </strong></p>
<blockquote> </blockquote> <blockquote> </blockquote>
</blockquote>
<p align="left">Static NAT can be used to make the systems with the 10.1.1.* <p align="left">Static NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume addresses appear to be on the upper (130.252.100.*) subnet. If we assume
that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
@ -91,27 +92,28 @@ the INTERFACE column should undergo NAT. If you leave this column empty,
<p>Note 2: Shorewall will automatically add the external address to the <p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if /etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or
you set it to "Yes" or "yes" then you must NOT configure your own alias(es). if you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
<b>RESTRICTION: </b>Shorewall can only add external addresses to an interface <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6 can only add
that is configured with a single subnetwork -- if your external interface external addresses to an interface that is configured with a single subnetwork
has addresses in more than one subnetwork, Shorewall can only add addresses -- if your external interface has addresses in more than one subnetwork,
to the first one.</p> Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column <p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
determine whether packets originating on the firewall itself and destined determine whether packets originating on the firewall itself and destined
for the EXTERNAL address are redirected to the internal ADDRESS. If this for the EXTERNAL address are redirected to the internal ADDRESS. If
column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains this column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN
"Yes" or "yes") then such packets are redirected; otherwise, such packets also contains "Yes" or "yes") then such packets are redirected; otherwise,
are not redirected. The LOCAL column was added in version 1.1.8.</p> such packets are not redirected. The LOCAL column was added in version
</blockquote> 1.1.8.</p>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="2">Last updated 4/11/2003 - </font><font size="2"> <a <p><font size="2">Last updated 7/6/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> <br>
<br>
</body> </body>
</html> </html>

2812
STABLE/documentation/News.htm
View File

File diff suppressed because it is too large Load Diff

11
STABLE/documentation/OPENVPN.html
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -78,8 +78,8 @@ the GPL</a>. OpenVPN can be downloaded from <a
</table> </table>
</blockquote> </blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> <p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
zone. In /etc/shorewall/interfaces:</p> In /etc/shorewall/interfaces:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -235,8 +235,8 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
</blockquote> </blockquote>
<p align="left">You will need to allow traffic between the "vpn" zone and <p align="left">You will need to allow traffic between the "vpn" zone and
the "loc" zone on both systems -- if you simply want to admit all the "loc" zone on both systems -- if you simply want to admit all traffic
traffic in both directions, you can use the policy file:</p> in both directions, you can use the policy file:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -279,5 +279,6 @@ traffic in both directions, you can use the policy file:</p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

54
STABLE/documentation/PPTP.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -27,9 +27,10 @@
</tbody> </tbody>
</table> </table>
<h4>NOTE: I am no longer attempting to maintain MPPE patches for current <h4>NOTE: I am no longer attempting to maintain MPPE patches for current Linux
Linux kernel's and pppd. I recommend that you refer to the following URLs kernel's and pppd. I recommend that you refer to the following URLs for information
for information about installing MPPE into your kernel and pppd.</h4> about installing MPPE into your kernel and pppd.</h4>
<h4>The <a href="http://pptpclient.sourceforge.net">Linux PPTP client project <h4>The <a href="http://pptpclient.sourceforge.net">Linux PPTP client project
</a>has a nice GUI for configuring and managing VPN connections where your </a>has a nice GUI for configuring and managing VPN connections where your
Linux system is the PPTP client. This is what I currently use. I am no longer Linux system is the PPTP client. This is what I currently use. I am no longer
@ -40,10 +41,12 @@ below).</h4>
(Everything you need to run a PPTP client).<br> (Everything you need to run a PPTP client).<br>
    <a href="http://www.poptop.org">http://www.poptop.org</a> (The 'kernelmod'     <a href="http://www.poptop.org">http://www.poptop.org</a> (The 'kernelmod'
package can be used to quickly install MPPE into your kernel without rebooting).<br> package can be used to quickly install MPPE into your kernel without rebooting).<br>
<h4>I am leaving the instructions for building MPPE-enabled kernels and pppd <h4>I am leaving the instructions for building MPPE-enabled kernels and pppd
in the text below for those who may wish to obtain the relevant current patches in the text below for those who may wish to obtain the relevant current patches
and "roll their own".<br> and "roll their own".<br>
</h4> </h4>
<hr width="100%" size="2"> <hr width="100%" size="2">
<p align="left">Shorewall easily supports PPTP in a number of configurations:</p> <p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
@ -56,12 +59,11 @@ and "roll their own".<br>
</ul> </ul>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your <h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall</h2>
Firewall</h2>
<p>I will try to give you an idea of how to set up a PPTP server on your <p>I will try to give you an idea of how to set up a PPTP server on your firewall
firewall system. This isn't a detailed HOWTO but rather an example of how system. This isn't a detailed HOWTO but rather an example of how I have set
I have set up a working PPTP server on my own firewall.</p> up a working PPTP server on my own firewall.</p>
<p>The steps involved are:</p> <p>The steps involved are:</p>
@ -146,8 +148,8 @@ the ppp-2.4.1 directory.</p>
<h3><a name="Samba"></a>Configuring Samba</h3> <h3><a name="Samba"></a>Configuring Samba</h3>
<p>You will need a WINS server (Samba configured to run as a WINS server <p>You will need a WINS server (Samba configured to run as a WINS server is
is fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
is:</p> is:</p>
<blockquote> <blockquote>
@ -205,8 +207,8 @@ with the 'require-mppe.diff' patch mentioned above.</li>
<p>I am the only user who connects to the server but I may connect either <p>I am the only user who connects to the server but I may connect either
with or without a domain being specified. The system I connect from is my with or without a domain being specified. The system I connect from is my
laptop so I give it the same IP address when tunneled in at it has when I laptop so I give it the same IP address when tunneled in at it has when
use its wireless LAN card around the house.</p> I use its wireless LAN card around the house.</p>
<p>You will also want the following in /etc/modules.conf:</p> <p>You will also want the following in /etc/modules.conf:</p>
@ -440,8 +442,8 @@ the remote hosts look like they are part of the local subnetwork.</li>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10 and <p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10
later)<br> and later)<br>
</b></p> </b></p>
<blockquote> <blockquote>
@ -515,8 +517,8 @@ ppp interface, you probably want:</p>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind <h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind
your Firewall</h2> your Firewall</h2>
<p>If you have a single external IP address, add the following to your <p>If you have a single external IP address, add the following to your /etc/shorewall/rules
/etc/shorewall/rules file:</p> file:</p>
<font face="Century Gothic, Arial, Helvetica"> </font> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
@ -611,16 +613,15 @@ you will need to follow the instructions at <a
loadmodule ip_nat_pptp </p> loadmodule ip_nat_pptp </p>
</blockquote> </blockquote>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your <h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.</h2>
Firewall.</h2>
<p align="left">The PPTP GNU/Linux client is available at <a <p align="left">The PPTP GNU/Linux client is available at <a
href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.    href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.   
Rather than use the configuration script that comes with the client, I built Rather than use the configuration script that comes with the client, I
my own. I also build my own kernel <a href="#PatchKernel">as described above</a> built my own. I also build my own kernel <a href="#PatchKernel">as described
rather than using the mppe package that is available with the client. My above</a> rather than using the mppe package that is available with the
/etc/ppp/options file is mostly unchanged from what came with the client (see client. My /etc/ppp/options file is mostly unchanged from what came with
below).</p> the client (see below).</p>
<p>The key elements of this setup are as follows: </p> <p>The key elements of this setup are as follows: </p>
@ -770,8 +771,8 @@ below).</p>
<br> <br>
</blockquote> </blockquote>
<p>I use the combination of interface and hosts file to define the 'cpq' <p>I use the combination of interface and hosts file to define the 'cpq' zone
zone because I also run a PPTP server on my firewall (see above). Using this because I also run a PPTP server on my firewall (see above). Using this
technique allows me to distinguish clients of my own PPTP server from arbitrary technique allows me to distinguish clients of my own PPTP server from arbitrary
hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients
and Compaq doesn't use that RFC1918 Class C subnet. </p> and Compaq doesn't use that RFC1918 Class C subnet. </p>
@ -923,5 +924,6 @@ ECN yet and reject the initial TCP connection request if I enable ECN :-(
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

28
STABLE/documentation/ProxyARP.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -92,24 +92,25 @@ rather than behind it.<br>
(130.252.100.18 and 130.252.100.19 in the above example)  to the external (130.252.100.18 and 130.252.100.19 in the above example)  to the external
interface (eth0 in this example) of the firewall.</b></font><br> interface (eth0 in this example) of the firewall.</b></font><br>
</p> </p>
<div align="left"> </div> <div align="left"> </div>
<div align="left"> <div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure <p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will parallel to your firewall to behind your firewall with Proxy ARP, it
probably be HOURS before that system can communicate with the internet. will probably be HOURS before that system can communicate with the internet.
There are a couple of things that you can try:<br> There are a couple of things that you can try:<br>
</p> </p>
<ol> <ol>
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated, <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
Vol 1</i> reveals that a <br> Illustrated, Vol 1</i> reveals that a <br>
<br> <br>
"gratuitous" ARP packet should cause the ISP's router to refresh their "gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
MAC address for its own IP; in addition to ensuring that the IP address isn't MAC address for its own IP; in addition to ensuring that the IP address
a duplicate...<br> isn't a duplicate...<br>
<br> <br>
"if the host sending the gratuitous ARP has just changed its hardware "if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in its address..., this packet causes any other host...that has an entry in its
@ -124,9 +125,9 @@ iputils package include "arping", whose "-U" flag does just that:<br>
proxied IP&gt;</i></b></font><br> proxied IP&gt;</i></b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>     <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
<br> <br>
Stevens goes on to mention that not all systems respond correctly to gratuitous Stevens goes on to mention that not all systems respond correctly to
ARPs, but googling for "arping -U" seems to support the idea that it works gratuitous ARPs, but googling for "arping -U" seems to support the idea
most of the time.<br> that it works most of the time.<br>
<br> <br>
To use arping with Proxy ARP in the above example, you would have to:<br> To use arping with Proxy ARP in the above example, you would have to:<br>
<br> <br>
@ -174,9 +175,9 @@ dev eth0<br>
<p align="left">Notice that the source MAC address in the echo request is <p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of the system on the lower left. In other words, the was the MAC address of the system on the lower left. In other words,
gateway's ARP cache still associates 130.252.100.19 with the NIC in that the gateway's ARP cache still associates 130.252.100.19 with the NIC
system rather than with the firewall's eth0.</p> in that system rather than with the firewall's eth0.</p>
</div> </div>
<p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a <p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
@ -186,5 +187,6 @@ dev eth0<br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

3
STABLE/documentation/SeattleInTheSpring.html
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -48,5 +48,6 @@
size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

12
STABLE/documentation/Shorewall_CA_html.html
View File

@ -12,11 +12,10 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority <h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
(CA) Certificate</font></h1> (CA) Certificate</font></h1>
</td> </td>
@ -72,8 +71,8 @@ so that it will accept any certificate signed by me. <br>
<li>If you install my CA certificate then you assume that I am trustworthy <li>If you install my CA certificate then you assume that I am trustworthy
and that Shorewall running on your firewall won't redirect HTTPS requests and that Shorewall running on your firewall won't redirect HTTPS requests
intented to go to your bank's server to one of my systems that will present intented to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of your your browser with a bogus certificate claiming that my server is that of
bank.</li> your bank.</li>
<li>If you only accept my server's certificate when prompted then the <li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to https://mail.shorewall.net, most that you have to loose is that when you connect to https://mail.shorewall.net,
the server you are connecting to might not be mine.</li> the server you are connecting to might not be mine.</li>
@ -85,8 +84,9 @@ won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas M.
M. Eastep.</font></a></font></p> Eastep.</font></a></font></p>
<br>
<br> <br>
<br> <br>
<br> <br>

7
STABLE/documentation/Shorewall_CVS_Access.html
View File

@ -12,7 +12,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -27,8 +27,8 @@
<br> <br>
Lots of people try to download the entire Shorewall website for off-line Lots of people try to download the entire Shorewall website for off-line
browsing, including the CVS portion. In addition to being an enormous volume browsing, including the CVS portion. In addition to being an enormous volume
of data (HTML versions of all versions of all Shorewall files), all of of data (HTML versions of all versions of all Shorewall files), all of the
the pages in Shorewall CVS access are cgi-generated which places a tremendous pages in Shorewall CVS access are cgi-generated which places a tremendous
load on my little server. I have therefore resorted to making CVS access load on my little server. I have therefore resorted to making CVS access
password controlled. When you are asked to log in, enter "Shorewall" (NOTE password controlled. When you are asked to log in, enter "Shorewall" (NOTE
THE CAPITALIZATION!!!!!) for both the user name and the password.<br> THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
@ -52,5 +52,6 @@ the pages in Shorewall CVS access are cgi-generated which places a tremendous
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

121
STABLE/documentation/Shorewall_Squid_Usage.html
View File

@ -11,20 +11,23 @@
<body> <body>
<table cellpadding="0" cellspacing="0" border="0" width="100%" <table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169"> bgcolor="#3366ff">
<tbody> <tbody>
<tr> <tr>
<td valign="middle" width="33%" bgcolor="#400169"><a <td valign="middle" width="33%" bgcolor="#3366ff"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif" href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4"> alt="" width="88" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
<td valign="middle" height="90" align="center" width="34%"><font <td valign="middle" height="90" align="center"
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br> width="34%">
<h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
<h1> </h1>
</td> </td>
<td valign="middle" height="90" width="33%" align="right"><a <td valign="middle" height="90" width="33%"
href="http://www.squid-cache.org/"><img src="images/cache_now.gif" align="right"><a href="http://www.squid-cache.org/"><img
alt="" width="100" height="31" hspace="4"> src="images/cache_now.gif" alt="" width="100" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
</tr> </tr>
@ -36,7 +39,7 @@
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>. If you are running Shorewall 1.3, please see <a Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br> href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<a href="#DMZ"></a><br> <br>
<img border="0" src="images/j0213519.gif" width="60" <img border="0" src="images/j0213519.gif" width="60"
height="60" alt="Caution" align="middle"> height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br> &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
@ -49,28 +52,31 @@ to run as a transparent proxy as described at <a
<b><br> <b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" </b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13"> height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files &nbsp;&nbsp;&nbsp; </b>The following instructions mention the
/etc/shorewall/start and /etc/shorewall/init -- if you don't have those files /etc/shorewall/start and /etc/shorewall/init -- if you don't have
files, siimply create them.<br> those files, siimply create them.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" <b><img src="images/BD21298_3.gif" alt="" width="13"
height="13"> height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ
or in the local zone, that zone must be defined ONLY by its interface -- zone or in the local zone, that zone must be defined ONLY by its interface
no /etc/shorewall/hosts file entries. That is because the packets being -- no /etc/shorewall/hosts file entries. That is because the packets
routed to the Squid server still have their original destination IP addresses.<br> being routed to the Squid server still have their original destination
IP addresses.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" <b><img src="images/BD21298_3.gif" alt="" width="13"
height="13"> height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on
Squid server.<br> your Squid server.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" <b><img src="images/BD21298_3.gif" alt="" width="13"
height="13"> height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in </b>&nbsp;&nbsp;&nbsp; If you run a Shorewall version earlier
your /etc/shorewall/conf file<br> than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br> &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br> color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br> <br>
@ -79,20 +85,20 @@ your /etc/shorewall/conf file<br>
<ol> <ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li> on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in <li><a href="Shorewall_Squid_Usage.html#Local">Squid running
the local network</a></li> in the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running
the DMZ</a></li> in the DMZ</a></li>
</ol> </ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2> <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT You want to redirect all local www connection requests EXCEPT
those to your own those to your
http server (206.124.146.177) own http server (206.124.146.177)
to a Squid transparent to a Squid
proxy running on the firewall and listening on port 3128. Squid transparent proxy running on the firewall and listening on
will of course require access to remote web servers.<br> port 3128. Squid will of course require access to remote web servers.<br>
<br> <br>
In /etc/shorewall/rules:<br> In /etc/shorewall/rules:<br>
<br> <br>
@ -142,22 +148,25 @@ the DMZ</a></li>
or networks from being redirected. For example, you might also want requests or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case, you destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
must add a manual rule in /etc/shorewall/start:<br> must add a manual rule in /etc/shorewall/start:<br>
<blockquote> <blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre> <pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote> </blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar &nbsp;To exclude additional hosts or networks, just add additional similar
rules.<br> rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2> <h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a You want to redirect all local www connection requests
Squid transparent to a Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on port proxy running in your local zone at 192.168.1.3 and listening on
3128. Your local interface is eth1. There may also be a web server running port 3128. Your local interface is eth1. There may also be a web server
on 192.168.1.3. It is assumed that web access is already enabled from the running on 192.168.1.3. It is assumed that web access is already enabled
local zone to the internet.<br> from the local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping other aspects of your gateway including but not limited to traffic
and route redirection. For that reason, <b>I don't recommend it</b>.<br> shaping and route redirection. For that reason, <b>I don't recommend
it</b>.<br>
</p> </p>
<ul> <ul>
@ -250,8 +259,8 @@ please upgrade to Shorewall 1.4.2 or later.<br>
</table> </table>
</li> </li>
<br> <br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have the <li>Alternativfely, if you are running Shorewall 1.4.0 you can have
following policy in place of the above rule:<br> the following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
@ -294,8 +303,8 @@ following policy in place of the above rule:<br>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.168.1.3, arrange for the following command to be executed <li>On 192.168.1.3, arrange for the following command to
after networking has come up<br> be executed after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre> <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li> </li>
@ -303,22 +312,23 @@ following policy in place of the above rule:<br>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command
above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177. You have a single Linux system in your DMZ with IP address
You want to run both a web server and Squid on that system. Your DMZ interface 192.0.2.177. You want to run both a web server and Squid on that system.
is eth1 and your local interface is eth2.<br> Your DMZ interface is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
@ -392,7 +402,8 @@ following policy in place of the above rule:<br>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br> C) Run Shorewall 1.3.14 or later and add the following entry in
/etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
@ -499,8 +510,8 @@ following policy in place of the above rule:<br>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the <li>On 192.0.2.177 (your Web/Squid server), arrange for
following command to be executed after networking has come up<br> the following command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre> <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li> </li>
@ -508,23 +519,25 @@ following command to be executed after networking has come up<br>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command
above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="-1"> Updated 5/29/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="-1"> Updated 7/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy; <a href="copyright.htm"><font size="2">Copyright</font>
<font size="2">2003 Thomas M. Eastep.</font></a><br> &copy; <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br> <br>
<br> <br>
</body> </body>

108
STABLE/documentation/Shorewall_and_Aliased_Interfaces.html
View File

@ -12,10 +12,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1> <h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td> </td>
</tr> </tr>
@ -28,15 +29,15 @@
The traditional net-tools contain a program called <i>ifconfig</i> The traditional net-tools contain a program called <i>ifconfig</i>
which is used to configure network devices. ifconfig introduced the concept which is used to configure network devices. ifconfig introduced the concept
of <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces of <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces
have names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and have names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0)
ifconfig treats them more or less like real interfaces.<br> and ifconfig treats them more or less like real interfaces.<br>
<br> <br>
Example:<br> Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i> The ifconfig utility is being gradually phased out in favor of the
utility which is part of the <i>iproute </i>package. The ip utility does <i>ip</i> utility which is part of the <i>iproute </i>package. The ip utility
not use the concept of aliases or virtual interfaces but rather treats does not use the concept of aliases or virtual interfaces but rather treats
additional addresses on an interface as objects. The ip utility does provide additional addresses on an interface as objects. The ip utility does provide
for interaction with ifconfig in that it allows addresses to be <i>labeled for interaction with ifconfig in that it allows addresses to be <i>labeled
</i>and labels may take the form of ipconfig virtual interfaces.<br> </i>and labels may take the form of ipconfig virtual interfaces.<br>
@ -49,9 +50,9 @@ for interaction with ifconfig in that it allows addresses to be <i>labeled
"eth0:0" is a label for a particular address rather than a device name.<br> "eth0:0" is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre> <pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's The iptables program doesn't support virtual interfaces in either
"-i" or "-o" command options; as a consequence, Shorewall does not allow it's "-i" or "-o" command options; as a consequence, Shorewall does not
them to be used in the /etc/shorewall/interfaces file.<br> allow them to be used in the /etc/shorewall/interfaces file.<br>
<br> <br>
<h2>So how do I handle more than one address on an interface?</h2> <h2>So how do I handle more than one address on an interface?</h2>
@ -59,9 +60,9 @@ for interaction with ifconfig in that it allows addresses to be <i>labeled
In the sub-sections that follow, we'll take a look at common scenarios.<br> In the sub-sections that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3> <h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself that If you need to make a rule for traffic to/from the firewall itself
only applies to a particular IP address, simply qualify the $FW zone with that only applies to a particular IP address, simply qualify the $FW zone
the IP address.<br> with the IP address.<br>
<br> <br>
Example (allow SSH from net to eth0:0 above):<br> Example (allow SSH from net to eth0:0 above):<br>
<br> <br>
@ -109,8 +110,8 @@ for interaction with ifconfig in that it allows addresses to be <i>labeled
<h3>DNAT</h3> <h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at from that virtual interface to a web server running in my local zone
192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules at 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
file:<br> file:<br>
<br> <br>
@ -185,11 +186,11 @@ for interaction with ifconfig in that it allows addresses to be <i>labeled
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you Shorewall can create the alias (additional address) for you if you
set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface) with Shorewall 1.3.14, Shorewall can actually create the "label" (virtual
so that you can see the created address using ifconfig. In addition to interface) so that you can see the created address using ifconfig. In
setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface
the INTERFACE column as follows:<br> name in the INTERFACE column as follows:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
@ -213,12 +214,46 @@ the INTERFACE column as follows:<br>
</tbody> </tbody>
</table> </table>
<br>
</blockquote> </blockquote>
Shorewall can also set up SNAT to round-robin over a range of IP addresses.
Do do that, you specify a range of IP addresses in the ADDRESS column. If
you specify a label in the INTERFACE column, Shorewall will use that label
for the first address of the range and will increment the label by one for
each subsequent label.<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0:0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178-206.124.146.180<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
The above would create three IP addresses:<br>
<br>
&nbsp;&nbsp;&nbsp; eth0:0 = 206.124.146.178<br>
&nbsp;&nbsp;&nbsp; eth0:1 = 206.124.146.179<br>
&nbsp;&nbsp;&nbsp; eth0:2 = 206.124.146.180<br>
<h3>STATIC NAT</h3> <h3>STATIC NAT</h3>
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3, If you wanted to use static NAT to link eth0:0 with local address
you would have the following in /etc/shorewall/nat:<br> 192.168.1.3, you would have the following in /etc/shorewall/nat:<br>
<br> <br>
<blockquote> <blockquote>
@ -255,10 +290,10 @@ the INTERFACE column as follows:<br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you Shorewall can create the alias (additional address) for you if you
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface) Shorewall 1.3.14, Shorewall can actually create the "label" (virtual
so that you can see the created address using ifconfig. In addition to interface) so that you can see the created address using ifconfig. In
setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in addition to setting ADD_IP_ALIASES=Yes, you specify the virtual interface
the INTERFACE column as follows:<br> name in the INTERFACE column as follows:<br>
<br> <br>
<blockquote> <blockquote>
@ -351,8 +386,8 @@ there are cases where you simply want to consider the LAN segment itself
as a zone and allow your firewall/router to route between the two subnetworks.<br> as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br> <br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24
and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254
eth1:0 is 192.168.20.254. You want to simply route all requests between and eth1:0 is 192.168.20.254. You want to simply route all requests between
the two subnetworks.<br> the two subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4> <h4>If you are running Shorewall 1.4.1 or Later</h4>
@ -494,11 +529,11 @@ the two subnetworks.<br>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
You want to make these subnetworks into separate zones and control the eth1:0 is 192.168.20.254. You want to make these subnetworks into separate
access between them (the users of the systems do not have administrative zones and control the access between them (the users of the systems do
privileges).<br> not have administrative privileges).<br>
<br> <br>
In /etc/shorewall/zones:<br> In /etc/shorewall/zones:<br>
<br> <br>
@ -607,17 +642,12 @@ privileges).<br>
that you want to permit.<br> that you want to permit.<br>
<br> <br>
<p align="left"><font size="2">Last Updated 5/8/2003 A - <a <p align="left"><font size="2">Last Updated 6/22/2003 A - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</p> </p>
<br> <br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

63
STABLE/documentation/Shorewall_index_frame.htm
View File

@ -12,50 +12,54 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base
target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td
height="90"> width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td
bgcolor="#ffffff"> width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li>
href="shorewall_features.htm">Features</a></li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a <li> <a
href="download.htm">Download</a><br> href="download.htm">Download</a><br>
</li> </li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> <li> <a
<a href="Install.htm">Configuration</a><br> href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
</li> </li>
<li> <a <li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br> href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation <li> <b><a
Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li> <a
href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
@ -70,14 +74,11 @@ Index</a></b></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a <li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br> href="http://lists.shorewall.net"> </a><br>
</li> </li>
<li><a href="1.3"
target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a> <li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a <li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li> target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
@ -91,20 +92,28 @@ Site</a></li>
<li><a href="http://shorewall.syachile.cl" <li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li> target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com" <li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a><br> target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net"
target="_top">Argentina</a></li>
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">Brazil</a><br>
</li> </li>
<li><a <li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br> href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a <li> <a
href="News.htm">News Archive</a></li> href="News.htm">News Archive</a></li>
@ -112,12 +121,9 @@ Site</a></li>
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a <li> <a
href="quotes.htm">Quotes from Users</a></li> href="quotes.htm">Quotes from Users</a></li>
<li>GSLUG Presentation</li>
<ul> <ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul> </ul>
<li> <a <li> <a
@ -126,6 +132,7 @@ Site</a></li>
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>

54
STABLE/documentation/Shorewall_sfindex_frame.htm
View File

@ -12,50 +12,54 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base
target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td
height="90"> width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" <td
bgcolor="#ffffff"> width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a <li> <a
href="download.htm">Download</a><br> href="download.htm">Download</a><br>
</li> </li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br> <li> <a
<a href="Install.htm">Configuration</a><br> href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
</li> </li>
<li> <a <li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br> href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation <li> <b><a
Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li> <a
href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
@ -71,11 +75,9 @@ Index</a></b></li>
<li><a <li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br> href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li> </li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a <li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall href="shorewall_mirrors.htm">Mirrors</a>
1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
@ -91,13 +93,18 @@ Index</a></b></li>
<li><a href="http://shorewall.syachile.cl" <li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li> target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com" <li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a><br> target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net"
target="_top">Argentina</a></li>
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">Brazil</a><br>
</li> </li>
<li><a <li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br> href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
@ -110,12 +117,9 @@ Index</a></b></li>
href="News.htm">News Archive</a></li> href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li>GSLUG Presentation</li>
<ul> <ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul> </ul>
<li> <a <li> <a

22
STABLE/documentation/VPN.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -37,19 +37,18 @@ is shown in the following diagram:</p>
</p> </p>
<p align="left">A system with an RFC 1918 address needs to access a remote <p align="left">A system with an RFC 1918 address needs to access a remote
network through a remote gateway. For this example, we will assume that network through a remote gateway. For this example, we will assume that the
the local system has IP address 192.168.1.12 and that the remote gateway local system has IP address 192.168.1.12 and that the remote gateway has
has IP address 192.0.2.224.</p> IP address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall requirements <p align="left">If PPTP is being used, there are no firewall requirements
beyond the default loc-&gt;net ACCEPT policy. There is one restriction however: beyond the default loc-&gt;net ACCEPT policy. There is one restriction however:
Only one local system at a time can be connected to a single remote gateway Only one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the 'Patch-o-matic' patches available unless you patch your kernel from the 'Patch-o-matic' patches available at
at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p> <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<p align="left">If IPSEC is being used then only one system may connect to <p align="left">If IPSEC is being used then only one system may connect to
the remote gateway and there are firewall configuration requirements as the remote gateway and there are firewall configuration requirements as follows:</p>
follows:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -89,16 +88,19 @@ follows:</p>
</table> </table>
</blockquote> </blockquote>
<p>If you want to be able to give access to all of your local systems to <p>If you want to be able to give access to all of your local systems to the
the remote network, you should consider running a VPN client on your firewall. remote network, you should consider running a VPN client on your firewall.
As starting points, see <a As starting points, see <a
href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a> href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p> or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<p> </p> <p> </p>
<br> <br>
<br>
</body> </body>
</html> </html>

6
STABLE/documentation/blacklisting_support.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -31,8 +31,7 @@
<h2>Static Blacklisting</h2> <h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following configuration <p>Shorewall static blacklisting support has the following configuration parameters:</p>
parameters:</p>
<ul> <ul>
<li>You specify whether you want packets from blacklisted hosts dropped <li>You specify whether you want packets from blacklisted hosts dropped
@ -95,5 +94,6 @@ Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

104
STABLE/documentation/configuration_file_basics.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -38,10 +38,10 @@ files on a system running Microsoft Windows, you <u>must</u>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to set <li>/etc/shorewall/shorewall.conf - used to
several firewall parameters.</li> set several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set <li>/etc/shorewall/params - use this file to
shell variables that you will expand in other files.</li> set shell variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's <li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li> view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall <li>/etc/shorewall/policy - establishes firewall
@ -58,27 +58,29 @@ where to use many-to-one (dynamic) Network Address Translation
to load kernel modules.</li> to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that <li>/etc/shorewall/rules - defines rules that
are exceptions to the overall policies established in /etc/shorewall/policy.</li> are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/nat - defines static NAT
<li>/etc/shorewall/proxyarp - defines use of Proxy rules.</li>
ARP.</li> <li>/etc/shorewall/proxyarp - defines use of
Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 <li>/etc/shorewall/routestopped (Shorewall 1.3.4
and later) - defines hosts accessible when Shorewall is stopped.</li> and later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of <li>/etc/shorewall/tcrules - defines marking
packets for later use by traffic control/shaping or policy routing.</li> of packets for later use by traffic control/shaping or policy
routing.</li>
<li>/etc/shorewall/tos - defines rules for setting <li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li> the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE <li>/etc/shorewall/tunnels - defines IPSEC,
and IPIP tunnels with end-points on the firewall system.</li> GRE and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted <li>/etc/shorewall/blacklist - lists blacklisted
IP/subnet/MAC addresses.</li> IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the <li>/etc/shorewall/init - commands that you wish to execute at
beginning of a "shorewall start" or "shorewall restart".</li> the beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the <li>/etc/shorewall/start - commands that you wish to execute at
completion of a "shorewall start" or "shorewall restart"</li> the completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the <li>/etc/shorewall/stop - commands that you wish to execute at
beginning of a "shorewall stop".</li> the beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at <li>/etc/shorewall/stopped - commands that you wish to execute
the completion of a "shorewall stop".</li> at the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN <li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN
- RFC 3168) to remote hosts or networks.<br> - RFC 3168) to remote hosts or networks.<br>
</li> </li>
@ -88,8 +90,8 @@ the completion of a "shorewall stop".</li>
<h2><a name="Comments"></a>Comments</h2> <h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at character a pound sign ("#"). You may also place comments
the end of any line, again by delimiting the comment from the at the end of any line, again by delimiting the comment from the
rest of the line with a pound sign.</p> rest of the line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
@ -177,6 +179,7 @@ INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
<blockquote>    ----- end rules -----<br> <blockquote>    ----- end rules -----<br>
</blockquote> </blockquote>
<h2><a name="dnsnames"></a>Using DNS Names</h2> <h2><a name="dnsnames"></a>Using DNS Names</h2>
<p align="left"> </p> <p align="left"> </p>
@ -191,12 +194,12 @@ start as a result of DNS problems then don't say that you were not forewarn
<p align="left"><b>    -Tom<br> <p align="left"><b>    -Tom<br>
</b></p> </b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall <p align="left">Beginning with Shorewall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS configuration files may be specified as either IP addresses or DNS
Names.<br> Names.<br>
<br> <br>
DNS names in iptables rules aren't nearly as useful as DNS names in iptables rules aren't nearly as useful
they first appear. When a DNS name appears in a rule, the iptables as they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So changes in the DNS-&gt;IP address those addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely relationship that occur after the firewall has started have absolutely
@ -216,8 +219,8 @@ before starting your DNS server then your firewall won't start.<br>
</li> </li>
<li>Factors totally outside your control (your ISP's <li>Factors totally outside your control (your ISP's
router is down for example), can prevent your firewall from starting.</li> router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to <li>You must bring up your network interfaces prior
starting your firewall.<br> to starting your firewall.<br>
</li> </li>
</ul> </ul>
@ -269,10 +272,11 @@ following the "!".</p>
<ul> <ul>
<li>Must not have any embedded white space.<br> <li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br> Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,     dhcp,     norfc1818</li> Invalid: routefilter,     dhcp,    
<li>If you use line continuation to break a comma-separated norfc1818</li>
list, the continuation line(s) must begin in column 1 (or <li>If you use line continuation to break a
there would be embedded white space)</li> comma-separated list, the continuation line(s) must begin
in column 1 (or there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear <li>Entries in a comma-separated list may appear
in any order.</li> in any order.</li>
@ -292,8 +296,8 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p> </p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre> <pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you omit If you omit the low port number, a value of zero is assumed; if you
the high port number, a value of 65535 is assumed.<br> omit the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2> <h2><a name="Variables"></a>Using Shell Variables</h2>
@ -325,6 +329,7 @@ that you can then use in some of the other configuration files.</p>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre> <pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote> </blockquote>
</font> </font>
<p>Variables may be used anywhere in the other configuration <p>Variables may be used anywhere in the other configuration
files.</p> files.</p>
@ -332,8 +337,8 @@ that you can then use in some of the other configuration files.</p>
<p>Media Access Control (MAC) addresses can be used to specify packet <p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this source in several of the configuration files. To use this
feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) feature, your kernel must have MAC Address Match support
included.</p> (CONFIG_IP_NF_MATCH_MAC) included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique <p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique
MAC address.<br> MAC address.<br>
@ -369,12 +374,12 @@ the MAC address in the example above would be written "~02-00-08-E3-
<h2><a name="Levels"></a>Shorewall Configurations</h2> <h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall. <p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start The <a href="starting_and_stopping_shorewall.htm">shorewall check,
and restart</a> commands allow you to specify an alternate configuration start and restart</a> commands allow you to specify an alternate
directory and Shorewall will use the files in the alternate directory configuration directory and Shorewall will use the files in the alternate
rather than the corresponding files in /etc/shorewall. The alternate directory rather than the corresponding files in /etc/shorewall. The
directory need not contain a complete configuration; those files not alternate directory need not contain a complete configuration; those
in the alternate directory will be read from /etc/shorewall.</p> files not in the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration <p> This facility permits you to easily create a test or temporary configuration
by:</p> by:</p>
@ -384,24 +389,21 @@ in the alternate directory will be read from /etc/shorewall.</p>
from /etc/shorewall to a separate directory;</li> from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory; <li> modify those files in the separate directory;
and</li> and</li>
<li> specifying the separate directory in a shorewall <li> specifying the separate directory in a
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig shorewall start or shorewall restart command (e.g., <i><b>shorewall
restart</b></i> )</li> -c /etc/testconfig restart</b></i> )</li>
</ol> </ol>
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and if an
error occurs to automatically restart the standard configuration.<br>
<p><font size="2"> Updated 4/18/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 6/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

3
STABLE/documentation/copyright.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -41,5 +41,6 @@ A copy of the license is included in the section entitled "<a
 </p>  </p>
</blockquote> </blockquote>
<br> <br>
<br>
</body> </body>
</html> </html>

21
STABLE/documentation/dhcp.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -31,16 +31,17 @@
<ul> <ul>
<li> <li>
<p align="left">Specify the "dhcp" option on each interface to be <p align="left">Specify the "dhcp" option on each interface to be served
served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your file. This will generate rules that will allow DHCP to and from your firewall
firewall system. </p> system. </p>
</li> </li>
<li> <li>
<p align="left">When starting "dhcpd", you need to list those interfaces <p align="left">When starting "dhcpd", you need to list those interfaces
on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd. on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.
</p> </p>
</li> </li>
</ul> </ul>
<h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2> <h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
@ -53,14 +54,14 @@ on the run line. On a RedHat system, this is done by modifying /etc/sysconfi
system. </p> system. </p>
</li> </li>
<li> <li>
<p align="left">If you know that the dynamic address is always going <p align="left">If you know that the dynamic address is always going to
to be in the same subnet, you can specify the subnet address in the interface's be in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. </p> file. </p>
</li> </li>
<li> <li>
<p align="left">If you don't know the subnet address in advance, you <p align="left">If you don't know the subnet address in advance, you should
should specify "detect" for the interface's subnet address in the <a specify "detect" for the interface's subnet address in the <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
and start Shorewall after the interface has started. </p> and start Shorewall after the interface has started. </p>
</li> </li>
@ -70,6 +71,7 @@ and start Shorewall after the interface has started. </p>
command to be executed when a new dynamic IP address gets assigned to command to be executed when a new dynamic IP address gets assigned to
the interface. Check your DHCP client's documentation. </p> the interface. Check your DHCP client's documentation. </p>
</li> </li>
</ul> </ul>
<p align="left"><font size="2">Last updated 11/03/2002 - <a <p align="left"><font size="2">Last updated 11/03/2002 - <a
@ -78,5 +80,6 @@ the interface. Check your DHCP client's documentation. </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
</body> </body>
</html> </html>

72
STABLE/documentation/download.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -38,7 +38,8 @@ for the configuration that most closely matches your own.<br>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a
href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the <p>The documentation in HTML format is included in the .rpm and in the
@ -52,17 +53,17 @@ for the configuration that most closely matches your own.<br>
<b> Linux PPC</b> or <b> TurboLinux</b> distribution <b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig or init scripts in /etc/init.d and that include chkconfig
insserv). If you find that it works in other cases, let <a or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file <li>If you are running LRP, download the .lrp
(you might also want to download the .tgz so you will have a file (you might also want to download the .tgz so you will
copy of the documentation).</li> have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a
and would like a .deb package, Shorewall is included in both href="http://www.debian.org"><b>Debian</b></a> and would
the <a like a .deb package, Shorewall is included in both the <a
href="http://packages.debian.org/testing/net/shorewall.html">Debian href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable
@ -88,8 +89,9 @@ which can be obtained using the following command:<br>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p> configuration of your firewall, you can enable startup by removing
the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p> <p><b></b></p>
@ -156,6 +158,28 @@ which can be obtained using the following command:<br>
href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br> href="ftp://shorewall.greshko.com/pub/shorewall/" target="_top">Browse</a><br>
</td> </td>
</tr> </tr>
<tr>
<td valign="top">Argentina<br>
</td>
<td valign="top">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td valign="top">Brazil<br>
</td>
<td valign="top">securityopensource.org.br<br>
</td>
<td valign="top"><a
href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Washington State, USA</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
@ -174,13 +198,25 @@ which can be obtained using the following command:<br>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the each at cvs.shorewall.net</a> contains the latest snapshots of the
Shorewall component. There's no guarantee that what you find there each Shorewall component. There's no guarantee that what you
will work at all.<br> find there will work at all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 3/24/2003 - <a <p align="left"><b>Shapshots:<br>
</b></p>
<blockquote>
<p align="left">Periodic snapshots from CVS may be found at <a
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been installed
and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 7/15/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -190,5 +226,9 @@ which can be obtained using the following command:<br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

97
STABLE/documentation/errata.htm
View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title> <title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
@ -18,7 +19,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -44,9 +45,9 @@
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the first <p align="left"> <b>If you are installing Shorewall for the
time and plan to use the .tgz and install.sh script, you can untar first time and plan to use the .tgz and install.sh script, you can
the archive, replace the 'firewall' script in the untarred directory untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
@ -58,9 +59,9 @@ the archive, replace the 'firewall' script in the untarred directory
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
BELOW. For example, do NOT install the 1.3.9a firewall script if For example, do NOT install the 1.3.9a firewall script if you are
you are running 1.3.7c.</font></b><br> running 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
@ -81,17 +82,17 @@ you are running 1.3.7c.</font></b><br>
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3 color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a <li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat href="#Debug">Problems with kernels &gt;= 2.4.18 and
iptables</a></b></li> RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with <li><b><a href="#Multiport">Problems
iptables version 1.2.7 and MULTIPORT=Yes</a></b></li> with iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel <li><b><a href="#NAT">Problems with RH Kernel
2.4.18-10 and NAT</a></b></li> 2.4.18-10 and NAT</a></b></li>
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and REJECT <li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
(also applies to 2.4.21-RC1) <img src="images/new10.gif" alt="(New)" REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
width="28" height="12" border="0"> alt="(New)" width="28" height="12" border="0">
</a><br> </a><br>
</b></li> </b></li>
@ -109,8 +110,8 @@ iptables</a></b></li>
have an empty second column (HOSTS). This problem may be corrected by installing have an empty second column (HOSTS). This problem may be corrected by installing
<a <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as target="_top">this firewall script</a> in /usr/share/shorewall/firewall
described above.</li> as described above.</li>
<li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones <li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones
file. This problem may be corrected by installing <a file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
@ -127,8 +128,8 @@ file. This problem may be corrected by installing <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
<a <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as target="_top">this firewall script</a> in /usr/share/shorewall/firewall
described above.<br> as described above.<br>
</li> </li>
</ul> </ul>
@ -138,8 +139,8 @@ described above.<br>
<ul> <ul>
<li> If you have zone names that are 5 characters long, you may experience <li> If you have zone names that are 5 characters long, you may experience
problems starting Shorewall because the --log-prefix in a logging rule problems starting Shorewall because the --log-prefix in a logging rule is
is too long. Upgrade to Version 1.4.4a to fix this problem..</li> too long. Upgrade to Version 1.4.4a to fix this problem..</li>
</ul> </ul>
@ -148,10 +149,11 @@ is too long. Upgrade to Version 1.4.4a to fix this problem..</li>
<ul> <ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended <li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse (http://www.firewparse.com). to allow integration of Shorewall with Fireparse (http://www.firewparse.com).
Unfortunately, LOGMARKER only solved part of the integration problem. I Unfortunately, LOGMARKER only solved part of the integration problem.
have implimented a new LOGFORMAT variable which will replace LOGMARKER which I have implimented a new LOGFORMAT variable which will replace LOGMARKER
has completely solved this problem and is currently in production with fireparse which has completely solved this problem and is currently in production
here at shorewall.net. The updated files may be found at <a with fireparse here at shorewall.net. The updated files may be found at
<a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>. target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br> See the 0README.txt file for details.<br>
@ -162,12 +164,12 @@ has completely solved this problem and is currently in production with firepars
<h3>1.4.2</h3> <h3>1.4.2</h3>
<ul> <ul>
<li>When an 'add' or 'delete' command is executed, a temporary directory <li>When an 'add' or 'delete' command is executed, a temporary
created in /tmp is not being removed. This problem may be corrected by directory created in /tmp is not being removed. This problem may be corrected
installing <a by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as target="_top">this firewall script</a> in /usr/share/shorewall/firewall
described above. <br> as described above. <br>
</li> </li>
</ul> </ul>
@ -175,9 +177,9 @@ described above. <br>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3> <h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul> <ul>
<li>Some TCP requests are rejected in the 'common' chain with an <li>Some TCP requests are rejected in the 'common' chain with
ICMP port-unreachable response rather than the more appropriate TCP RST an ICMP port-unreachable response rather than the more appropriate TCP
response. This problem is corrected in <a RST response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def" href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br> /etc/shorewall/common.def.<br>
@ -262,8 +264,8 @@ I have also built an <a
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
@ -299,12 +301,12 @@ RedHat iptables</h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible <p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; change to the syntax used to specify multiport match rules;
as a consequence, if you install iptables 1.2.7 you must as a consequence, if you install iptables 1.2.7 you
be running Shorewall 1.3.7a or later or:</p> must be running Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set
in /etc/shorewall/shorewall.conf; MULTIPORT=No in /etc/shorewall/shorewall.conf;
or </li> or </li>
<li>if you <li>if you
are running Shorewall 1.3.6 you may are running Shorewall 1.3.6 you may
@ -327,26 +329,27 @@ or </li>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. The solution is to put "no" in the LOCAL column.
Kernel support for LOCAL=yes has never worked properly and 2.4.18-10 Kernel support for LOCAL=yes has never worked properly and 2.4.18-10
has disabled it. The 2.4.19 kernel contains corrected support has disabled it. The 2.4.19 kernel contains corrected support under
under a new kernel configuraiton option; see <a a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br> <br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT <h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and
(also applies to 2.4.21-RC1)</b></h3> REJECT (also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset" Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset"
is broken. The symptom most commonly seen is that REJECT rules act just like is broken. The symptom most commonly seen is that REJECT rules act just
DROP rules when dealing with TCP. A kernel patch and precompiled modules to like DROP rules when dealing with TCP. A kernel patch and precompiled modules
fix this problem are available at <a to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel" href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br> target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr> <hr>
<p><font size="2"> Last updated 6/13/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2"> Last updated 6/13/2003 - <a href="support.htm">Tom
</p> Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>

207
STABLE/documentation/errata_1.htm
View File

@ -1,215 +1,196 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Errata for Version 1</title> <title>Shorewall Errata for Version 1</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Errata for Version 1.1</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata for Version
1.1</font></h1>
</td> </td>
</tr> </tr>
</tbody>
</table> </table>
<h3 align="Left"><font color="#660066"><u>To those of you who downloaded the 1.1.13 updated firewall script prior <h3 align="left"><font color="#660066"><u>To those of you who downloaded
to Sept 20, 2001:</u></font></h3> the 1.1.13 updated firewall script prior to Sept 20, 2001:</u></font></h3>
<blockquote> <blockquote>
<p align="left">Prior to 20:00 20 Sept 2001 GMT, the link under 1.1.13
<p align="Left">Prior pointed to a broken version of the firewall script. This has now been corrected.
to 20:00 20 Sept 2001 GMT, the link under 1.1.13 pointed to a broken version I apologize for any confusion this may have caused.</p>
of the firewall script. This has now been corrected. I apologize for any confusion
this may have caused.</p>
</blockquote> </blockquote>
<h3 align="Left">Version 1.1.18</h3> <h3 align="left">Version 1.1.18</h3>
<blockquote> <blockquote>
<p align="left">In the original .lrp, /etc/init.d/shorewall was not
<p align="Left">In the original .lrp, /etc/init.d/shorewall was not
secured for execute access. I have replaced the incorrect .lrp secured for execute access. I have replaced the incorrect .lrp
(shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).</p> (shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).</p>
</blockquote> </blockquote>
<h3 align="Left"><font color="#660066"> <h3 align="left"><font color="#660066"> Version 1.1.17</font></h3>
Version 1.1.17</font></h3>
<blockquote> <blockquote>
<p align="left">In shorewall.conf, ADD_IP_ALIASES was incorrectly
spelled IP_ADD_ALIASAES. There is a corrected version of the
file <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.17/shorewall.conf">here.</a></p>
<p align="Left">In <p align="left">This problem is also corrected in version 1.1.18.</p>
shorewall.conf, ADD_IP_ALIASES was incorrectly spelled
IP_ADD_ALIASAES. There is a corrected version of the file <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.17/shorewall.conf">here.</a></p>
<p align="Left">This
problem is also corrected in version 1.1.18.</p>
</blockquote> </blockquote>
<h3 align="Left"><font color="#660066"> <h3 align="left"><font color="#660066"> Version 1.1.16</font></h3>
Version 1.1.16</font></h3>
<blockquote> <blockquote>
<p align="Left"> <p align="left"> The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly
The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly spelled IP_ADD_ALIASES spelled IP_ADD_ALIASES in the firewall script. To correct this problem,
in the firewall script. To correct this problem, install the <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.16/firewall"> install the <a
corrected firewall script</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.16/firewall"> corrected
in the location pointed to by the symbolic link /etc/shorewall/firewall.</p> firewall script</a> in the location pointed to by the symbolic link
/etc/shorewall/firewall.</p>
<p align="Left"> <p align="left"> This problem is also corrected in version 1.1.17.</p>
This problem is also corrected in version 1.1.17.</p>
</blockquote> </blockquote>
<h3 align="Left"><font color="#660066"> <h3 align="left"><font color="#660066"> Version 1.1.14-1.1.15</font></h3>
Version 1.1.14-1.1.15</font></h3>
<blockquote> <blockquote>
<p align="Left"> <p align="left"> There are no corrections for these versions.</p>
There are no corrections for these versions.</p>
</blockquote> </blockquote>
<h3 align="Left"><font color="#660066"> <h3 align="left"><font color="#660066"> Version 1.1.13</font></h3>
Version 1.1.13</font></h3>
<blockquote> <blockquote>
<p align="Left"> <p align="left"> The firewall fails to start if a rule with the following
The firewall fails to start if a rule with the following format is given:</p> format is given:</p>
<p align="Left"> <p align="left"> &lt;disposition&gt;    z1:www.xxx.yyy.zzz    z2   
&lt;disposition&gt;    z1:www.xxx.yyy.zzz    z2    proto    p1,p2,p3</p> proto    p1,p2,p3</p>
<p align="Left"> <p align="left"> To correct this problem, install <a
To correct this problem, install <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.13/firewall"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.13/firewall"> this
this corrected firewall script</a> corrected firewall script</a> in the location pointed to by the symbolic
in the location pointed to by the symbolic link /etc/shorewall/firewall. </p> link /etc/shorewall/firewall. </p>
</blockquote> </blockquote>
<h3 align="Left"><font color="#660066"> <h3 align="left"><font color="#660066"> Version 1.1.12</font></h3>
Version 1.1.12</font></h3>
<blockquote> <blockquote>
<p align="Left"> <p align="left"> The LRP version of Shorewall 1.1.12 has the incorrect
The LRP version of Shorewall 1.1.12 has the incorrect /etc/shorewall/functions /etc/shorewall/functions file. This incorrect file results in many error
file. This incorrect file results in many error messages of the form:</p> messages of the form:</p>
<blockquote> <blockquote>
<p align="Left"> <p align="left"> separate_list: not found</p>
separate_list: not found</p>
</blockquote> </blockquote>
<p align="Left"><a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.12/functions"> <p align="left"><a
The correct file may be obtained here</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.12/functions"> The
. This problem is also corrected in version 1.1.13.</p> correct file may be obtained here</a> . This problem is also corrected
in version 1.1.13.</p>
</blockquote> </blockquote>
<h3 align="Left"><font color="#660066"> <h3 align="left"><font color="#660066"> Version 1.1.11</font></h3>
Version 1.1.11</font></h3>
<blockquote> <blockquote>
<p align="Left"> <p align="left"> There are no known problems with this version.</p>
There are no known problems with this version.</p>
</blockquote> </blockquote>
<h3 align="Left"><font color="#660066"> <h3 align="left"><font color="#660066"> Version 1.1.10</font></h3>
Version 1.1.10</font></h3>
<blockquote> <blockquote>
<p align="Left"> <p align="left"> If the following conditions were met:<br>
If the following conditions were met:<br>
</p> </p>
<ol> <ol>
<li> <li>
<p align="Left"> <p align="left"> A LAN segment attached to the firewall was served
A LAN segment attached to the firewall was served by a DHCP server by a DHCP server running on the firewall.</p>
running on the firewall.</p>
</li> </li>
<li> <li>
<p align="Left"> <p align="left"> There were entries in /etc/shorewall/hosts that referred
There were entries in /etc/shorewall/hosts that referred to the to the interface to that LAN segment.</p>
interface to that LAN segment.</p>
</li> </li>
</ol> </ol>
<p align="Left"> <p align="left"> then up until now it has been necessary to include entries
then up until now it has been necessary to include entries for 0.0.0.0 for 0.0.0.0 and 255.255.255.255 for that interface in /etc/shorewall/hosts.
and 255.255.255.255 for that interface in /etc/shorewall/hosts. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.10/firewall"> <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.10/firewall">
This version of the firewall script</a> This version of the firewall script</a> makes those additions unnecessary
makes those additions unnecessary provided that you simply include provided that you simply include "dhcp" in the options for the interface
"dhcp" in the options for the interface in /etc/shorewall/interfaces. in /etc/shorewall/interfaces. Install the script into the location pointed
Install the script into the location pointed to by the symbolic link to by the symbolic link /etc/shorewall/firewall.</p>
/etc/shorewall/firewall.</p>
<p align="Left"> <p align="left"> This problem has also been corrected in version 1.1.11.</p>
This problem has also been corrected in version 1.1.11.</p>
</blockquote> </blockquote>
<h3 align="Left"><font color="#660066"> <h3 align="left"><font color="#660066"> Version 1.1.9</font></h3>
Version 1.1.9</font></h3>
<ul> <ul>
<li>The shorewall "hits" command lists extraneous service names in the final <li>The shorewall "hits" command lists extraneous service names in
report. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall"> the final report. <a
This version of the shorewall script</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall"> This
corrects this problem.<br> version of the shorewall script</a> corrects this problem.<br>
</li> </li>
</ul> </ul>
<h3 align="left">Version 1.1.8</h3>
<h3 align="Left">Version 1.1.8</h3>
<ul> <ul>
<li>Under some circumstances, the "dhcp" option on an interface triggers <li>Under some circumstances, the "dhcp" option on an interface triggers
a bug in the firewall script that results in a "chain already exists" a bug in the firewall script that results in a "chain already exists"
error. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall"> error. <a
This version of the firewall script</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall"> This
corrects this problem. Install it into the location pointed to by version of the firewall script</a> corrects this problem. Install
the symbolic link /etc/shorewall/firewall.<br> it into the location pointed to by the symbolic link /etc/shorewall/firewall.<br>
<br> <br>
This problem is also corrected in version 1.1.9.<br> This problem is also corrected in version 1.1.9.<br>
</li> </li>
</ul> </ul>
<h3 align="left">Version 1.1.7</h3>
<h3 align="Left">Version 1.1.7</h3>
<ul> <ul>
<li>If the /etc/shorewall/rules template from version 1.1.7 is used, a warning <li>If the /etc/shorewall/rules template from version 1.1.7 is used,
message appears during firewall startup:<br> a warning message appears during firewall startup:<br>
<br> <br>
    Warning: Invalid Target - rule "@ icmp-unreachable packet."     Warning: Invalid Target - rule "@ icmp-unreachable packet."
ignored<br> ignored<br>
<br> <br>
This warning may be eliminated by replacing the "@" in column 1 of This warning may be eliminated by replacing the "@" in column 1 of
line 17 with "#"</li> line 17 with "#"</li>
</ul> </ul>
<blockquote> <blockquote>
<p align="Left"> <p align="left"> This problem is also corrected in version 1.1.8</p>
This problem is also corrected in version 1.1.8</p>
</blockquote> </blockquote>
<p align="left"><font size="2"> <p align="left"><font size="2"> Last updated 12/21/2001 - </font><font
Last updated 12/21/2001 - </font><font size="2"> size="2"> <a href="support.htm">Tom Eastep</a></font> </p>
<a href="support.htm">Tom Eastep</a></font>
</p>
<p align="left"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
</body> </body>
</html> </html>

482
STABLE/documentation/errata_2.htm
View File

@ -2,152 +2,143 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.2 Errata</title> <title>Shorewall 1.2 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" height="90" bgcolor="#400169">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" height="90" bgcolor="#3366ff">
<tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall 1.2 Errata</font></h1> <h1 align="center"><font color="#ffffff">Shorewall 1.2 Errata</font></h1>
</td> </td>
</tr> </tr>
</tbody>
</table> </table>
<p align="center"> <p align="center"> <font face="Century Gothic, Arial, Helvetica">
<font face="Century Gothic, Arial, Helvetica">
<b><u>IMPORTANT</u></b></font></p> <b><u>IMPORTANT</u></b></font></p>
<p align="center"> <p align="center"> <b><u>If you use a Windows system to download a
corrected script, be sure to run the script through <a
<b><u>If you use a Windows system to download a corrected script, be sure to href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
run the script through <a href="http://www.megaloman.com/%7Ehany/software/hd2u/">
dos2unix</a>
after you have moved it to your Linux system.</u></b></p> after you have moved it to your Linux system.</u></b></p>
<p align="center"> <p align="center"> <u><b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, use the 'cp' (or 'scp')
<u><b>When the instructions say to install a corrected firewall script in utility to overwrite the existing file. DO NOT REMOVE OR RENAME THE
/etc/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the OLD /etc/shorewall/firewall before you do that. /etc/shorewall/firewall
existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall is a symbolic link that points to the 'shorewall' file used by your
before you do that. /etc/shorewall/firewall is a symbolic link that points system initialization scripts to start Shorewall during boot and it
to the 'shorewall' file used by your system initialization scripts to is that file that must be overwritten with the corrected script. </b></u></p>
start Shorewall during boot and it is that file that must be overwritten
with the corrected script. </b></u></p>
<ul> <ul>
<li> <li>
<h3 align="left"><font color="#660066"> <a href="errata_1.htm"> Problems
<h3 align="Left"><font color="#660066"> in Version 1.1</a></font></h3>
<a href="errata_1.htm">
Problems in Version 1.1</a></font></h3>
</li> </li>
<li> <li>
<h3 align="left"><a href="#V1.2">Problems in Version 1.2</a></h3>
<h3 align="Left"><a href="#V1.2">Problems in Version 1.2</a></h3>
</li> </li>
<li> <li>
<h3 align="left"><font color="#660066"><a href="#iptables"> Problem
<h3 align="Left"><font color="#660066"><a href="#iptables"> with iptables version 1.2.3</a></font></h3>
Problem with iptables version 1.2.3</a></font></h3>
</li> </li>
<li> <li>
<h3 align="left"><a href="#Debug">Problems with kernel 2.4.18 and
<h3 align="Left"><a href="#Debug">Problems with kernel 2.4.18 and
RedHat iptables</a></h3> RedHat iptables</a></h3>
</li> </li>
</ul> </ul>
<hr> <hr>
<h3 align="left"><a name="V1.2"></a>Problems in Version 1.2</h3>
<h3 align="Left"><a name="V1.2"></a>Problems in Version 1.2</h3> <h3 align="left">Version 1.2.13</h3>
<h3 align="Left">Version 1.2.13</h3>
<ul> <ul>
<li> <li>
<p align="left">Some users have reported problems installing the RPM
<p align="Left">Some users have reported problems installing the RPM
on SuSE 7.3 where rpm reports a conflict with kernel &lt;= 2.2 even on SuSE 7.3 where rpm reports a conflict with kernel &lt;= 2.2 even
though a 2.4 kernel RPM is installed. To get around this problem, use though a 2.4 kernel RPM is installed. To get around this problem,
the --nodeps option to rpm (e.g., &quot;rpm -ivh --nodeps use the --nodeps option to rpm (e.g., "rpm -ivh --nodeps
shorewall-1.2-13.noarch.rpm&quot;).<br> shorewall-1.2-13.noarch.rpm").<br>
<br> <br>
The problem stems from the fact that SuSE does not The problem stems from the fact that SuSE does not include
include a package named &quot;kernel&quot; but rather has a number of packages a package named "kernel" but rather has a number of packages that
that provide the virtual package &quot;kernel&quot;. Since virtual packages have provide the virtual package "kernel". Since virtual packages have
no version associated with them, a conflict results. Since the no version associated with them, a conflict results. Since the
workaround is simple, I don't intend to change the Shorewall package.</p> workaround is simple, I don't intend to change the Shorewall package.</p>
</li> </li>
<li> <li>
<p align="left">Shorewall accepts invalid rules of the form:<br>
<p align="Left">Shorewall accepts invalid rules of the form:<br>
<br> <br>
<font face="Courier">ACCEPT &lt;src&gt; &lt;dest&gt;:&lt;ip addr&gt; all &lt;port number&gt; - <font face="Courier">ACCEPT &lt;src&gt; &lt;dest&gt;:&lt;ip addr&gt;
&lt;original ip address&gt;<br> all &lt;port number&gt; - &lt;original ip address&gt;<br>
<br> <br>
</font>The &lt;port number&gt; is ignored with the result that <u>all</u> </font>The &lt;port number&gt; is ignored with the result that
connection requests from the &lt;src&gt; zone whose original destination IP <u>all</u> connection requests from the &lt;src&gt; zone whose
address matches the last column are forwarded to the &lt;dest&gt; zone, IP original destination IP address matches the last column are forwarded
address &lt;ip addr&gt;.&nbsp; to the &lt;dest&gt; zone, IP address &lt;ip addr&gt;. 
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.13/firewall"> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.13/firewall">
This corrected firewall script</a> correctly generates an error when This corrected firewall script</a> correctly generates an error when
such a rule is encountered.</p> such a rule is encountered.</p>
</li>
</ul>
<h3 align="left">Version 1.2.11</h3>
<ul>
<li>
<p align="left">The 'try' command is broken. </p>
</li>
<li>
<p align="left">The usage text printed by the shorewall utility
doesn't show the optional timeout for the 'try' command. </p>
</li> </li>
</ul> </ul>
<h3 align="Left">Version 1.2.11</h3> <p align="left">Both problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall">
<ul>
<li>
<p align="Left">The 'try' command is broken.</li>
<li>
<p align="Left">The usage text printed by the shorewall utility
doesn't show the optional timeout for the 'try' command.</li>
</ul>
<p align="Left">Both problems are corrected by
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall">
this new version of /sbin/shorewall</a>.</p> this new version of /sbin/shorewall</a>.</p>
<h3 align="Left">Sample Configurations:</h3> <h3 align="left">Sample Configurations:</h3>
<ul> <ul>
<li> <li>
<p align="left">There have been several problems with SSH, DNS and
<p align="Left">There have been several problems with SSH, DNS and
ping in the two- and three-interface examples. Before reporting ping in the two- and three-interface examples. Before reporting
problems with these services, please verify that you have the latest problems with these services, please verify that you have the latest
version of the appropriate sample 'rules' file.</li> version of the appropriate sample 'rules' file. </p>
</li>
</ul> </ul>
<h3 align="Left">All Versions through 1.2.10</h3> <h3 align="left">All Versions through 1.2.10</h3>
<ul> <ul>
<li> <li>
<p align="left">The <a href="PPTP.htm#ServerFW">documentation for
<p align="Left">The <a href="PPTP.htm#ServerFW">documentation for
running PoPToP on the firewall system</a> contained an incorrect entry running PoPToP on the firewall system</a> contained an incorrect entry
in the /etc/shorewall/hosts file. The corrected entry (underlined) is in the /etc/shorewall/hosts file. The corrected entry (underlined)
shown here:</li> is shown here: </p>
</li>
</ul> </ul>
<blockquote> <blockquote>
<blockquote> <blockquote>
<table border="2"> <table border="2">
<tbody>
<tr> <tr>
<td><b>ZONE</b></td> <td><b>ZONE</b></td>
<td><b>HOST(S)</b></td> <td><b>HOST(S)</b></td>
@ -161,279 +152,274 @@ dos2unix</a>
<tr> <tr>
<td>loc</td> <td>loc</td>
<td>ppp+:192.168.1.0/24</td> <td>ppp+:192.168.1.0/24</td>
<td>&nbsp;</td> <td> </td>
</tr> </tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
</blockquote> </blockquote>
<h3 align="Left">All Versions through 1.2.8</h3> <h3 align="left">All Versions through 1.2.8</h3>
<ul> <ul>
<li> <li>
<p align="left">The shorewall.conf file and the documentation
<p align="Left">The shorewall.conf file and the documentation
incorrectly refer to a parameter in /etc/shorewall/shorewall.conf incorrectly refer to a parameter in /etc/shorewall/shorewall.conf
called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a href="Documentation.htm#Conf">see called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a
the corrected online documentation</a>). Users of the rpm should href="Documentation.htm#Conf">see the corrected online documentation</a>).
change the name (and possibly the value) of this parameter so that Users of the rpm should change the name (and possibly the value)
Shorewall interacts properly with the SysV init scripts. The of this parameter so that Shorewall interacts properly with the
documentation on this web site has been corrected and SysV init scripts. The documentation on this web site has been
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf"> corrected and <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf">
here's a corrected version of shorewall.conf</a>.</p> here's a corrected version of shorewall.conf</a>.</p>
</li> </li>
<li> <li>
<p align="left">The documentation indicates that a comma-separated
<p align="Left">The documentation indicates that a comma-separated
list of IP/subnet addresses may appear in an entry in the hosts file. list of IP/subnet addresses may appear in an entry in the hosts file.
This is not the case; if you want to specify multiple addresses for a This is not the case; if you want to specify multiple addresses
zone, you need to have a separate entry for each address.</p> for a zone, you need to have a separate entry for each address.</p>
</li> </li>
</ul> </ul>
<h3 align="Left">Version 1.2.7</h3> <h3 align="left">Version 1.2.7</h3>
<p align="Left">Version 1.2.7 is quite broken -- please install 1.2.8</p> <p align="left">Version 1.2.7 is quite broken -- please install 1.2.8</p>
<p>If you have installed and started version 1.2.7 then before trying <p>If you have installed and started version 1.2.7 then before trying
to restart under 1.2.8:</p> to restart under 1.2.8:</p>
<ol> <ol>
<li>Look at your /etc/shorewall/shorewall.conf file and note the directory <li>Look at your /etc/shorewall/shorewall.conf file and note the directory
named in the STATEDIR variable. If that variable is empty, assume named in the STATEDIR variable. If that variable is empty, assume /var/state/shorewall.</li>
/var/state/shorewall.</li>
<li>Remove the file 'lock' in the directory determined in step 1.</li> <li>Remove the file 'lock' in the directory determined in step 1.</li>
</ol> </ol>
<p>You may now restart using 1.2.8.</p> <p>You may now restart using 1.2.8.</p>
<h3 align="Left">Version 1.2.6</h3> <h3 align="left">Version 1.2.6</h3>
<ul> <ul>
<li> <li>
<p align="left">GRE and IPIP tunnels are broken. </p>
<p align="Left">GRE and IPIP tunnels are broken.</li> </li>
<li> <li>
<p align="left">The following rule results in a start error:<br>
<p align="Left">The following rule results in a start error:<br>
<br> <br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;     ACCEPT    z1    z2    icmp </p>
icmp</li> </li>
</ul> </ul>
<p align="Left">To correct the above problems, install <p align="left">To correct the above problems, install <a
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this
corrected firewall script</a> in&nbsp; /etc/shorewall/firewall..<h3 align="Left">Version 1.2.5</h3> corrected firewall script</a> in  /etc/shorewall/firewall..</p>
<h3 align="left">Version 1.2.5</h3>
<ul> <ul>
<li> <li>
<p align="left">The new ADDRESS column in /etc/shorewall/masq cannot
<p align="Left">The new ADDRESS column in /etc/shorewall/masq cannot contain a $-variable name. </p>
contain a $-variable name.</li> </li>
<li> <li>
<p align="left">Errors result if $FW appears in the /etc/shorewall/policy
<p align="Left">Errors result if $FW appears in the file. </p>
/etc/shorewall/policy file.</li> </li>
<li> <li>
<p align="left">Using Blacklisting without setting BLACKLIST_LOGLEVEL
<p align="Left">Using Blacklisting without setting BLACKLIST_LOGLEVEL results in an error at start time. </p>
results in an error at start time.</li> </li>
</ul> </ul>
<p align="Left">To correct the above problems, install <p align="left">To correct the above problems, install <a
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall.<p align="Left">&nbsp;<ul> corrected firewall script</a> in /etc/shorewall/firewall.</p>
<li> <p align="left"> </p>
<p align="Left">The /sbin/shorewall script produces error messages
saying that 'mygrep' cannot be found.
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">
Here is the correct version of /sbin/shorewall.</a></li>
</ul>
<h3 align="Left">Version 1.2.4</h3>
<ul> <ul>
<li><p align="Left">This version will not install &quot;out of the box&quot; without <li>
modification. Before attempting to start the <p align="left">The /sbin/shorewall script produces error messages
firewall, please change the STATEDIR in /etc/shorewall/shorewall.conf to saying that 'mygrep' cannot be found. <a
refer to /var/lib/shorewall. This only applies to fresh installations -- if href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">
you are upgrading from a previous version of Shorewall, version 1.2.4 will Here is the correct version of /sbin/shorewall.</a> </p>
work without modification.</li> </li>
</ul> </ul>
<h3 align="Left">Version 1.2.3</h3> <h3 align="left">Version 1.2.4</h3>
<ul> <ul>
<li> <li>
<p align="Left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted <p align="left">This version will not install "out of the box" without
hosts aren't logged. Install <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.3/firewall">this modification. Before attempting to start the firewall, please change
corrected firewall script</a> in /etc/shorewall/firewall.</li> the STATEDIR in /etc/shorewall/shorewall.conf to refer to /var/lib/shorewall.
This only applies to fresh installations -- if you are upgrading from
a previous version of Shorewall, version 1.2.4 will work without modification.
</p>
</li>
</ul> </ul>
<h3 align="left">Version 1.2.3</h3>
<ul>
<li>
<p align="left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted
hosts aren't logged. Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.3/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall. </p>
</li>
</ul>
<blockquote> <blockquote>
<p>Alternatively, edit /etc/shorewall/firewall and change line 1564 from:</p> <p>Alternatively, edit /etc/shorewall/firewall and change line 1564 from:</p>
</blockquote> </blockquote>
<pre> run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \</pre> <pre> run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<blockquote> <blockquote>
<p>to</p> <p>to</p>
</blockquote> </blockquote>
<pre> run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \</pre> <pre> run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<h3 align="Left">Version 1.2.2</h3> <h3 align="left">Version 1.2.2</h3>
<ul> <ul>
<li>The &quot;shorewall status&quot; command hangs after <li>The "shorewall status" command hangs after it displays
it displays the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's
a corrected /sbin/shorewall.</a> if&nbsp; you want to simply modify your copy of a corrected /sbin/shorewall.</a> if  you want to simply modify
/sbin/shorewall, then at line 445 change this:</li> your copy of /sbin/shorewall, then at line 445 change this:</li>
</ul> </ul>
<div align="left"> <div align="left">
<pre align="Left"> status)<br> clear</pre>
<pre align="Left"> status)
clear</pre>
</div> </div>
<blockquote> <blockquote>
<p align="left">to this:</p>
<p align="Left">to this:</p>
</blockquote> </blockquote>
<div align="left"> <div align="left">
<pre align="Left"> status)<br> get_config<br> clear</pre>
<pre align="Left"> status)
get_config
clear</pre>
</div> </div>
<ul> <ul>
<li>The &quot;shorewall monitor&quot; command <li>The "shorewall monitor" command doesn't show the icmpdef chain
doesn't show the icmpdef chain - <a href="pub/shorewall/errata/1.2.2/shorewall">this - <a href="pub/shorewall/errata/1.2.2/shorewall">this corrected /sbin/shorewall</a>
corrected /sbin/shorewall</a> fixes that problem as well as the status fixes that problem as well as the status problem described above.</li>
problem described above.</li>
</ul> </ul>
<ul> <ul>
<li>In all 1.2.x versions, the 'CLIENT PORT(S)' <li>In all 1.2.x versions, the 'CLIENT PORT(S)' column in /etc/shorewall/tcrules
column in /etc/shorewall/tcrules is ignored. This is corrected in <a href="/pub/shorewall/errata/1.2.2/firewall">this is ignored. This is corrected in <a
updated firewall script</a>.&nbsp; Place the script in /etc/shorewall/firewall. Thanks to Shingo Takeda for href="/pub/shorewall/errata/1.2.2/firewall">this updated firewall script</a>. 
Place the script in /etc/shorewall/firewall. Thanks to Shingo Takeda for
spotting this bug.</li> spotting this bug.</li>
</ul> </ul>
<h3 align="Left">Version 1.2.1</h3> <h3 align="left">Version 1.2.1</h3>
<ul> <ul>
<li>The new <i>logunclean </i>interface option is not <li>The new <i>logunclean </i>interface option is not described
described in the help text in /etc/shorewall/interfaces. An <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated in the help text in /etc/shorewall/interfaces. An <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated
interfaces file</a> is available.</li> interfaces file</a> is available.</li>
<li>When REJECT is specified in a TCP rule, Shorewall <li>When REJECT is specified in a TCP rule, Shorewall correctly
correctly replies with a TCP RST packet. Previous versions of the replies with a TCP RST packet. Previous versions of the firewall
firewall script are broken in the case of a REJECT policy, however; in script are broken in the case of a REJECT policy, however; in REJECT
REJECT policy chains, all requests are currently replied to with an policy chains, all requests are currently replied to with an ICMP
ICMP port-unreachable packet. <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This port-unreachable packet. <a
corrected firewall script</a> replies to TCP requests with TCP RST in href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This
REJECT policy chains. Place the script in /etc/shorewall/firewall.</li> corrected firewall script</a> replies to TCP requests with TCP
RST in REJECT policy chains. Place the script in /etc/shorewall/firewall.</li>
</ul> </ul>
<h3 align="Left">Version 1.2.0</h3> <h3 align="left">Version 1.2.0</h3>
<blockquote> <blockquote>
<p align="left"><b>Note: </b>If you are upgrading from one of the Beta
<p align="Left"><b>Note: </b>If you are upgrading from one of the Beta RPMs to 1.2.0, you must use the "--oldpackage" option to rpm
RPMs to 1.2.0, you must use the &quot;--oldpackage&quot; option to rpm
(e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).</p> (e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).</p>
<p align="Left">The tunnel script released in version 1.2.0 contained <p align="left">The tunnel script released in version 1.2.0 contained
errors -- a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected errors -- a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected
script</a> is available.</p> script</a> is available.</p>
</blockquote> </blockquote>
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
<h3 align="Left"><a name="iptables"></a><font color="#660066"> iptables version 1.2.3</font></h3>
Problem with iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p>
<p align="Left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left"> I have built a <a
prevent it from working with Shorewall. Regrettably, href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
RedHat released this buggy iptables in RedHat 7.2.&nbsp;</p> corrected 1.2.3 rpm which you can download here</a>  and I have also built
an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> <p align="left"><font face="Century Gothic, Arial, Helvetica"
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have also built color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat has released
an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> an iptables-1.2.4 RPM of their own which you can download from<font
iptables-1.2.4 rpm which you can download here</a>. If face="Century Gothic, Arial, Helvetica" color="#ff6633"> <a
you are currently running RedHat 7.1, you can install either of these RPMs href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> </font>I have installed this RPM on my firewall and it works fine.</p>
<p align="Left"><font face="Century Gothic, Arial, Helvetica" color="#FF6633"><b>Update <p align="left">If you would like to patch iptables 1.2.3 yourself,
11/9/2001: </b></font>RedHat has the patches are available for download. This <a
released an iptables-1.2.4 RPM of their own which you can download from<font face="Century Gothic, Arial, Helvetica" color="#FF6633"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. which corrects a problem with parsing of the --log-level specification
</font>I have installed this RPM while this <a
on my firewall and it works fine.</p> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="Left">If you <p align="left">To install one of the above patches:</p>
would like to patch iptables 1.2.3 yourself, the patches are available
for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification while
this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="Left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernel 2.4.18 <h3><a name="Debug"></a>Problems with kernel 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18
experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
</pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter 'mangle' table. You can correct the problem by installing
<a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
&quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
</blockquote> </blockquote>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2"> <p>The RedHat iptables RPM is compiled with debugging enabled but the
Last updated 5/24/2002 - </font><font size="2"> user-space debugging code was not updated to reflect recent changes in
<a href="support.htm">Tom Eastep</a></font> the Netfilter 'mangle' table. You can correct the problem by installing
</font></p> <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2"> Last updated
5/24/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body> </body>
</html> </html>

225
STABLE/documentation/errata_3.html
View File

@ -2,36 +2,28 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title> <title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -39,8 +31,6 @@
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -48,31 +38,26 @@
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
<p align="left"> <b>If you are installing Shorewall for the the archive, replace the 'firewall' script in the untarred directory
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are running a Shorewall version earlier <p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected than 1.3.11, when the instructions say to install a corrected firewall
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
/etc/shorewall/firewall or /var/lib/shorewall/firewall before /etc/shorewall/firewall or /var/lib/shorewall/firewall before
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
are symbolic links that point to the 'shorewall' file used by are symbolic links that point to the 'shorewall' file used by your
your system initialization scripts to start Shorewall during system initialization scripts to start Shorewall during boot.
boot. It is that file that must be overwritten with the corrected It is that file that must be overwritten with the corrected
script. Beginning with Shorewall 1.3.11, you may rename the existing file script. Beginning with Shorewall 1.3.11, you may rename the existing file
before copying in the new file.</b></p> before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are running
@ -94,8 +79,7 @@ before copying in the new file.</b></p>
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3 color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a <li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables <li><b><a href="#Multiport">Problems with iptables
@ -109,7 +93,6 @@ RedHat iptables</a></b></li>
<hr> <hr>
<h2 align="left"><small></small><a name="V1.3"></a>Problems in Version 1.3</h2> <h2 align="left"><small></small><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.14</h3> <h3>Version 1.3.14</h3>
<ul> <ul>
@ -122,9 +105,10 @@ RedHat iptables</a></b></li>
<ul> <ul>
<li>The documentation for the routestopped file claimed that a comma-separated <li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a single list could appear in the second column while the code only supported a
host or network address.</li> single host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.</li> <li>Log messages produced by 'logunclean' and 'dropunclean' were not
rate-limited.</li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't <li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't
support the 'maclist' interface option.</li> support the 'maclist' interface option.</li>
<li>Log messages generated by RFC 1918 filtering are not rate limited.</li> <li>Log messages generated by RFC 1918 filtering are not rate limited.</li>
@ -144,8 +128,8 @@ in /etc/shorewall/masq and the default route is through eth1.<br>
<li>The 'shorewall add' command produces an error message referring <li>The 'shorewall add' command produces an error message referring
to 'find_interfaces_by_maclist'.</li> to 'find_interfaces_by_maclist'.</li>
<li>The 'shorewall delete' command can leave behind undeleted rules.</li> <li>The 'shorewall delete' command can leave behind undeleted rules.</li>
<li>The 'shorewall add' command can fail with "iptables: Index of insertion <li>The 'shorewall add' command can fail with "iptables: Index of
too big".<br> insertion too big".<br>
</li> </li>
</ul> </ul>
@ -182,8 +166,8 @@ support, post on the users list and I can provide you with a patched version.<
<ul> <ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file <li>The .lrp was missing the /etc/shorewall/routestopped file
-- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects -- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this
this problem.<br> problem.<br>
</li> </li>
</ul> </ul>
@ -234,11 +218,11 @@ a fix.<br>
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases version of the firewall script</a> may help. Please report any cases
where installing this script in /usr/lib/shorewall/firewall solved where installing this script in /usr/lib/shorewall/firewall solved your
your connection problems. Beginning with version 1.3.10, it is safe connection problems. Beginning with version 1.3.10, it is safe to save
to save the old version of /usr/lib/shorewall/firewall before copying the old version of /usr/lib/shorewall/firewall before copying in the
in the new one since /usr/lib/shorewall/firewall is the real script new one since /usr/lib/shorewall/firewall is the real script now and
now and not just a symbolic link to the real script.<br> not just a symbolic link to the real script.<br>
</li> </li>
</ul> </ul>
@ -301,73 +285,58 @@ loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
problems. problems.
<h3>Version 1.3.7b</h3> <h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW) result in an error
<p>DNAT rules where the source zone is 'fw' ($FW) message. Installing <a
result in an error message. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this as described above corrects this
problem.</p> problem.</p>
<h3>Version 1.3.7a</h3> <h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper rule for FORWARDPING=Yes.
<p>"shorewall refresh" is not creating the proper Consequently, after "shorewall refresh", the firewall will not
rule for FORWARDPING=Yes. Consequently, after forward icmp echo-request (ping) packets. Installing
"shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this as described above corrects this
problem.</p> problem.</p>
<h3>Version &lt;= 1.3.7a</h3> <h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as options on a
<p>If "norfc1918" and "dhcp" are both specified as given interface then RFC 1918 checking is occurring before DHCP
options on a given interface then RFC 1918 checking. This means that if a DHCP client broadcasts using
checking is occurring before DHCP checking. This an RFC 1918 source address, then the firewall will
means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This reject the broadcast (usually logging it). This
has two problems:</p> has two problems:</p>
<ol> <ol>
<li>If the firewall <li>If the firewall
is running a DHCP server, the is running a DHCP server, the client
client won't be able to obtain an IP address won't be able to obtain an IP address lease from
lease from that server.</li> that server.</li>
<li>With this order <li>With this order
of checking, the "dhcp" option of checking, the "dhcp" option
cannot be used as a noise-reduction cannot be used as a noise-reduction measure where there are both
measure where there are both dynamic and static dynamic and static clients on a LAN segment.</li>
clients on a LAN segment.</li>
</ol> </ol>
<p> <a <p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a> This version of the 1.3.7a firewall script </a>
corrects the problem. It must be corrects the problem. It must be installed
installed in /var/lib/shorewall as in /var/lib/shorewall as described
described above.</p> above.</p>
<h3>Version 1.3.7</h3> <h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use version 1.3.7a and check
<p>Version 1.3.7 dead on arrival -- please use your version against these md5sums -- if there's a difference, please
version 1.3.7a and check your version against
these md5sums -- if there's a difference, please
download again.</p> download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre> <pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt; <p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
@ -380,15 +349,11 @@ described above.</p>
<ul> <ul>
<li> <li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, <p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to an error occurs when the firewall script attempts to
add an SNAT alias. </p> add an SNAT alias. </p>
</li> </li>
<li> <li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables cause errors during startup when Shorewall is run with iptables
1.2.7. </p> 1.2.7. </p>
@ -398,9 +363,8 @@ described above.</p>
<p align="left">These problems are fixed in <a <p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in this correct firewall script</a> which must be installed in /var/lib/shorewall/
/var/lib/shorewall/ as described above. These problems are also as described above. These problems are also corrected in version 1.3.7.</p>
corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3> <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
@ -445,8 +409,7 @@ described above.</p>
<h3 align="left">Version 1.3.5</h3> <h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install <p align="left">REDIRECT rules are broken in this version. Install <a
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version as instructed above. This problem is corrected in version
@ -455,29 +418,29 @@ described above.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3> <h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands <p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy to not verify that the zones named in the /etc/shorewall/policy file
file have been previously defined in the /etc/shorewall/zones have been previously defined in the /etc/shorewall/zones file.
file. The "shorewall check" command does perform this verification The "shorewall check" command does perform this verification so
so it's a good idea to run that command after you have made configuration it's a good idea to run that command after you have made configuration
changes.</p> changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3> <h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after <p align="left">If you have upgraded from Shorewall 1.2 and after "Activating
"Activating rules..." you see the message: "iptables: No chains/target/match rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include that specifies an interface that you didn't include
in /etc/shorewall/interfaces. To correct this problem, you in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3
and later versions produce a clearer error message in and later versions produce a clearer error message in this
this case.</p> case.</p>
<h3 align="left">Version 1.3.2</h3> <h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the <p align="left">Until approximately 2130 GMT on 17 June 2002, the download
download sites contained an incorrect version of the .lrp file. That sites contained an incorrect version of the .lrp file. That file
file can be identified by its size (56284 bytes). The correct can be identified by its size (56284 bytes). The correct version
version has a size of 38126 bytes.</p> has a size of 38126 bytes.</p>
<ul> <ul>
<li>The code to detect a duplicate interface <li>The code to detect a duplicate interface
@ -495,8 +458,6 @@ it behaved just like "NAT_BEFORE_RULES=Yes".</li>
<ul> <ul>
<li> <li>
<p align="left">The IANA have just announced the allocation of subnet <p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a 221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
@ -513,10 +474,10 @@ it behaved just like "NAT_BEFORE_RULES=Yes".</li>
(i.e., each packet is sent through the limit chain twice).</li> (i.e., each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy <li>An unnecessary jump to the policy
chain is sometimes generated for a CONTINUE policy.</li> chain is sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more than <li>When an option is given for more
one interface in /etc/shorewall/interfaces then depending than one interface in /etc/shorewall/interfaces then
on the option, Shorewall may ignore all but the first depending on the option, Shorewall may ignore all but
appearence of the option. For example:<br> the first appearence of the option. For example:<br>
<br> <br>
net    eth0    dhcp<br> net    eth0    dhcp<br>
loc    eth1    dhcp<br> loc    eth1    dhcp<br>
@ -567,21 +528,18 @@ The "shorewall version" command will tell you which version
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat prevent it from working with Shorewall. Regrettably,
released this buggy iptables in RedHat 7.2. </p> RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> iptables-1.2.4
iptables-1.2.4 rpm which you can download here</a>. If you are currently rpm which you can download here</a>. If you are currently running
running RedHat 7.1, you can install either of these RPMs RedHat 7.1, you can install either of these RPMs <b><u>before</u>
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can has released an iptables-1.2.4 RPM of their own which you can
@ -590,7 +548,6 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
</font>I have installed this RPM on my firewall and it works </font>I have installed this RPM on my firewall and it works
fine.</p> fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
@ -599,71 +556,54 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem the Netfilter 'mangle' table. You can correct the problem by
by installing <a installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
<p>If you find that rpm complains about a conflict 2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
with kernel &lt;= 2.2 yet you have a 2.4 kernel option to rpm.</p>
installed, simply use the "--nodeps" option to
rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<h3><a name="Multiport"></a><b>Problems with <p>The iptables 1.2.7 release of iptables has made an incompatible
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must
be running Shorewall 1.3.7a or later or:</p>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set MULTIPORT=No
@ -679,8 +619,8 @@ to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result /etc/shorewall/nat entries of the following form will
in Shorewall being unable to start:<br> result in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -692,8 +632,8 @@ support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/8/2003 - <p><font size="2"> Last updated 3/8/2003 - <a href="support.htm">Tom Eastep</a></font>
<a href="support.htm">Tom Eastep</a></font> </p> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
@ -711,5 +651,6 @@ kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.s
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

81
STABLE/documentation/fallback.htm
View File

@ -1,74 +1,77 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Fallback and Uninstall</title> <title>Shorewall Fallback and Uninstall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Fallback and Uninstall</font></h1>
<h1 align="center"><font color="#FFFFFF">Fallback and Uninstall</font></h1>
</td> </td>
</tr> </tr>
</tbody>
</table> </table>
<p><strong>Shorewall includes <p><strong>Shorewall includes a </strong><a href="#fallback"><strong>fallback
a </strong><a href="#fallback"><strong>fallback script</strong></a><strong> script</strong></a><strong> and an </strong><a href="#uninstall"><strong>uninstall
and an </strong><a href="#uninstall"><strong>uninstall script</strong></a><strong>.</strong></p> script</strong></a><strong>.</strong></p>
<h2><a name="fallback"></a>Falling Back to the Previous Version of Shorewall <h2><a name="fallback"></a>Falling Back to the Previous Version of Shorewall
using the Fallback Script</h2> using the Fallback Script</h2>
<p>If you install Shorewall and discover that <p>If you install Shorewall and discover that it doesn't work for you, you
it doesn't work for you, you can fall back to your previously can fall back to your previously installed version. To do that:</p>
installed version. To do that:</p>
<ul> <ul>
<li>cd to the distribution directory for the version <li>cd to the distribution directory for the version of Seattle
of Seattle Firewall <u>that you are Firewall <u>that you are currently running </u>(NOT the version
currently running </u>(NOT the version
that you want to fall back to).</li> that you want to fall back to).</li>
<li>Type &quot;./fallback.sh&quot;</li> <li>Type "./fallback.sh"</li>
</ul> </ul>
<h3><strong><u>Warning:</u> The fallback script <h3><strong><u>Warning:</u> The fallback script will replace /etc/shorewall/policy,
will replace /etc/shorewall/policy, /etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat, /etc/shorewall/proxyarp
/etc/shorewall/nat, /etc/shorewall/proxyarp and /etc/shorewall/masq with the version of and /etc/shorewall/masq with the version of these files from before the current
these files from before the current version was installed. Any version was installed. Any changes to any of these files will be lost.</strong></h3>
changes to any of these files will be lost.</strong></h3>
<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using <h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using
rpm</h2> rpm</h2>
<p>If your previous version of Shorewall was <p>If your previous version of Shorewall was installed using RPM, you may
installed using RPM, you may fall back to that version by typing fall back to that version by typing "rpm -Uvh --force &lt;old rpm&gt;" at
&quot;rpm -Uvh --force &lt;old rpm&gt;&quot; at a root shell a root shell prompt (Example: "rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm"
prompt (Example: &quot;rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm&quot; would fall back to the 3.1-0 would fall back to the 3.1-0 version of Shorewall).</p>
version of Shorewall).</p>
<h2><a name="uninstall"></a>Uninstalling Shorewall</h2> <h2><a name="uninstall"></a>Uninstalling Shorewall</h2>
<p>If you no longer wish to use Shorewall, you <p>If you no longer wish to use Shorewall, you may remove it by:</p>
may remove it by:</p>
<ul> <ul>
<li>cd to the distribution directory for the version <li>cd to the distribution directory for the version of Shorewall
of Shorewall that you have installed.</li> that you have installed.</li>
<li>type &quot;./uninstall.sh&quot;</li> <li>type "./uninstall.sh"</li>
</ul> </ul>
<p>If you installed using an rpm, at a root shell prompt <p>If you installed using an rpm, at a root shell prompt type "rpm -e shorewall".</p>
type &quot;rpm -e shorewall&quot;.</p>
<p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <a
<a href="support.htm">Tom href="support.htm">Tom Eastep</a></font> </p>
Eastep</a></font> </p> <a href="copyright.htm"><font size="2">Copyright</font> © <font
<a href="copyright.htm"><font size="2">Copyright</font> size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html> </body>
</html>

3
STABLE/documentation/gnu_mailman.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -75,5 +75,6 @@ included with Mailman-2.1.
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

75
STABLE/documentation/kernel.htm
View File

@ -1,32 +1,46 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Kernel Configuration</title> <title>Shorewall Kernel Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#FFFFFF">Kernel Configuration</font></h1> <h1 align="center"><font color="#ffffff">Kernel Configuration</font></h1>
</td> </td>
</tr> </tr>
</tbody>
</table> </table>
<p>For information regarding configuring and building GNU/Linux kernels, see <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
<p>For information regarding configuring and building GNU/Linux kernels,
see <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
<p>Here's a screen shot of my Network Options Configuration:</p> <p>Here's a screen shot of my Network Options Configuration:</p>
<blockquote>
<p>&nbsp;<img border="0" src="images/netopts.jpg" width="609" height="842"></p>
</blockquote>
<p>While not all of the options that I've selected are required, they should be
sufficient for most applications. Here's an excerpt from the corresponding .config
file (Note: If you are running a kernel older than 2.4.17, be sure to select
CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
<blockquote> <blockquote>
<font SIZE="2"> <p> <img border="0" src="images/netopts.jpg" width="609" height="842">
</p>
</blockquote>
<p>While not all of the options that I've selected are required, they should
be sufficient for most applications. Here's an excerpt from the corresponding
.config file (Note: If you are running a kernel older than 2.4.17, be sure
to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
<blockquote> <font size="2">
<p>#<br> <p>#<br>
# Networking options<br> # Networking options<br>
#<br> #<br>
@ -55,16 +69,18 @@ CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
# CONFIG_ARPD is not set<br> # CONFIG_ARPD is not set<br>
CONFIG_INET_ECN=y<br> CONFIG_INET_ECN=y<br>
CONFIG_SYN_COOKIES=y</p> CONFIG_SYN_COOKIES=y</p>
</font> </font> </blockquote>
</blockquote>
<p>Here's a screen shot of my Netfilter configuration:</p> <p>Here's a screen shot of my Netfilter configuration:</p>
<blockquote>
<p><img border="0" src="images/menuconfig.jpg" width="609" height="842"></p> <blockquote>
<p><img border="0" src="images/menuconfig.jpg" width="609"
height="842">
</p>
</blockquote> </blockquote>
<p>Here's an excerpt from the corresponding .config file.</p> <p>Here's an excerpt from the corresponding .config file.</p>
<blockquote> <blockquote>
<p><font size="2">#<br> <p><font size="2">#<br>
# IP: Netfilter Configuration<br> # IP: Netfilter Configuration<br>
@ -98,12 +114,15 @@ CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
# CONFIG_IPV6 is not set</font><font face="Courier"><br> # CONFIG_IPV6 is not set</font><font face="Courier"><br>
</font></p> </font></p>
</blockquote> </blockquote>
<p>Note that I have built everything I need into the kernel except for the FTP
connection tracking and NAT modules. I have also run successfully with all of <p>Note that I have built everything I need into the kernel except for the
the options selected above built as modules:</p> FTP connection tracking and NAT modules. I have also run successfully with
all of the options selected above built as modules:</p>
<blockquote> <blockquote>
<p><img border="0" src="images/menuconfig1.jpg" width="609" height="842"></p> <p><img border="0" src="images/menuconfig1.jpg" width="609"
height="842">
</p>
<p><font size="2">#<br> <p><font size="2">#<br>
# IP: Netfilter Configuration<br> # IP: Netfilter Configuration<br>
@ -136,11 +155,11 @@ the options selected above built as modules:</p>
CONFIG_IP_NF_TARGET_TCPMSS=m<br> CONFIG_IP_NF_TARGET_TCPMSS=m<br>
# CONFIG_IPV6 is not set<br> # CONFIG_IPV6 is not set<br>
</font></p> </font></p>
</blockquote> </blockquote>
<p><font size="2">Last updated 3/10/2002 - </font><font size="2"> <p><font size="2">Last updated 3/10/2002 - </font><font size="2"> <a
<a href="support.htm">Tom href="support.htm">Tom Eastep</a></font> </p>
Eastep</a></font> </p> <a href="copyright.htm"><font size="2">Copyright</font> © <font
<a href="copyright.htm"><font size="2">Copyright</font> size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html> </body>
</html>

35
STABLE/documentation/mailing_list.htm
View File

@ -16,7 +16,7 @@
</head> </head>
<body> <body>
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#3366ff" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
@ -50,12 +50,14 @@
height="84" alt="(Postfix Logo)"> height="84" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right" src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> border="0">
</a> </div> </a> </div>
<br> <br>
<div align="right"><b><font color="#ffffff"><br> <div align="right"><b><font color="#ffffff"><br>
</font></b><br> </font></b><br>
</div> </div>
@ -92,25 +94,18 @@ incoming mail:<br>
</li> </li>
<li>to ensure that the sender address is fully <li>to ensure that the sender address is fully
qualified.</li> qualified.</li>
<li>to verify that the sender's domain has an <li>to verify that the sender's domain has
A or MX record in DNS.</li> an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO <li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name that resolves.</li> command is a valid fully-qualified DNS name that resolves.</li>
<li>to ensure that the sending system has a valid PTR record in DNS.</li>
</ol> </ol>
<big><font color="#cc0000"><b>This last point is important. If you run your
own outgoing mail server and it doesn't have a valid DNS PTR record, your
email won't reach the lists unless/until the postmaster notices that your
posts are being rejected. To avoid this problem, you should configure your
MTA to forward posts to shorewall.net through an MTA that <u>does</u> have
a valid PTR record (such as the one at your ISP). </b></font></big><br>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been my blacklist shorewall.net "for continuous abuse" because it has been
policy to allow HTML in list posts!!<br> my policy to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to I think that blocking all HTML is a Draconian way to
control spam and that the ultimate losers here are not the spammers control spam and that the ultimate losers here are not the spammers
@ -156,8 +151,8 @@ This means that HTML-only posts will be bounced by the list server.<br>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden"
value="htdig"> <input type="hidden" name="restrict" name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" Search: <input type="text" size="30"
@ -274,10 +269,10 @@ list may be found at <a
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get
a password reminder, or change your subscription options enter a password reminder, or change your subscription options
your subscription email address:". Enter your email address enter your subscription email address:". Enter your email
in the box and click on the "<b>Unsubscribe</b> or edit options" address in the box and click on the "<b>Unsubscribe</b> or edit
button.</p> options" button.</p>
</li> </li>
<li> <li>
@ -294,11 +289,13 @@ emailed to you.</p>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 6/14/2003 - <a <p align="left"><font size="2">Last updated 7/7/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> © <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>

91
STABLE/documentation/myfiles.htm
View File

File diff suppressed because one or more lines are too long

53
STABLE/documentation/ping.html
View File

@ -12,7 +12,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -23,8 +23,11 @@
</tbody> </tbody>
</table> </table>
<br> <br>
Shorewall 'Ping' management has evolved over time with the latest change Shorewall 'Ping' management has evolved over time with the latest
coming in Shorewall version 1.4.0. <br> change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to upgrade
since you have a very old version of Shorewall installed (1.2.4 or earlier).<br>
<h2>Shorewall Versions &gt;= 1.4.0</h2> <h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
@ -51,8 +54,8 @@ form:<br>
<blockquote> <blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre> <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote> </blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then With that rule in place, if you want to ignore 'ping' from z1 to z2
you need a rule of the form:<br> then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
@ -90,8 +93,8 @@ need a rule in /etc/shoreall/rules of the form:<br>
<blockquote> <blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre> <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote> </blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then With that rule in place, if you want to ignore 'ping' from z1 to z2
you need a rule of the form:<br> then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
@ -111,8 +114,8 @@ need a rule in /etc/shoreall/rules of the form:<br>
There are several aspects to the old Shorewall Ping management:<br> There are several aspects to the old Shorewall Ping management:<br>
<ol> <ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a <li>The <b>noping</b> and <b>filterping </b>interface options in
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a <li>The <b>FORWARDPING</b> option in<a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li> href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
@ -123,8 +126,8 @@ need a rule in /etc/shoreall/rules of the form:<br>
<ol> <ol>
<li>Ping requests addressed to the firewall itself; and</li> <li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here <li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
simple routing.</li> and simple routing.</li>
</ol> </ol>
These cases will be covered separately.<br> These cases will be covered separately.<br>
@ -133,13 +136,13 @@ simple routing.</li>
For ping requests addressed to the firewall, the sequence is as follows:<br> For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol> <ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for <li>If neither <b>noping</b> nor <b>filterping </b>are specified
the interface that receives the ping request then the request will be responded for the interface that receives the ping request then the request will
to with an ICMP echo-reply.</li> be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives <li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li> the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request <li>If <b>filterping </b>is specified for the interface then the
is passed to the rules/policy evaluation.</li> request is passed to the rules/policy evaluation.</li>
</ol> </ol>
@ -155,8 +158,8 @@ the ping request then the request is ignored.</li>
Example 1. Accept pings from the net to the dmz (pings are responded Example 1. Accept pings from the net to the dmz (pings are responded
to with an ICMP echo-reply):<br> to with an ICMP echo-reply):<br>
<br> <br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<br> <br>
Example 2. Drop pings from the net to the firewall<br> Example 2. Drop pings from the net to the firewall<br>
<br> <br>
@ -164,8 +167,8 @@ to with an ICMP echo-reply):<br>
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3> <h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to the If no applicable rule is found, then the policy for the source to
destination is applied.<br> the destination is applied.<br>
<ol> <ol>
<li>If the relevant policy is ACCEPT then the request is responded <li>If the relevant policy is ACCEPT then the request is responded
@ -177,16 +180,12 @@ request is either rejected or simply ignored.</li>
</ol> </ol>
<p><font size="2">Updated 5/4/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 7/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> </p>
<br>
<br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

40
STABLE/documentation/ports.htm
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -54,8 +54,8 @@
<blockquote> <blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably want <p>UDP Port 53. If you are configuring a DNS client, you will probably want
to open TCP Port 53 as well.<br> to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will If you are configuring a server, only open TCP Port 53 if you
return long replies to queries or if you need to enable ZONE transfers. In will return long replies to queries or if you need to enable ZONE transfers. In
the latter case, be sure that your server is properly configured.</p> the latter case, be sure that your server is properly configured.</p>
</blockquote> </blockquote>
@ -81,7 +81,7 @@ to open TCP Port 53 as well.<br>
<a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p> <a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
</blockquote> </blockquote>
<p>SMTP</p> <p>SMTP (Email)</p>
<blockquote> <blockquote>
<p> TCP Port 25.</p> <p> TCP Port 25.</p>
@ -89,14 +89,21 @@ to open TCP Port 53 as well.<br>
<p>RealPlayer<br> <p>RealPlayer<br>
</p> </p>
<blockquote> <blockquote>
<p>UDP Port 6790 inbound<br> <p>UDP Port 6790 inbound<br>
</p> </p>
</blockquote> </blockquote>
<p>POP3</p> <p>POP3</p>
<blockquote> <blockquote>
<p>TCP Port 110.</p> <p>TCP Port 110 (Secure = TCP Port 995)<br>
</p>
</blockquote>
<p>IMAP<br>
</p>
<blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
</blockquote> </blockquote>
<p>TELNET</p> <p>TELNET</p>
@ -130,15 +137,15 @@ to open TCP Port 53 as well.<br>
href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p> href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p>
<p>For a client, you must open outbound TCP port 21 and be sure that your <p>For a client, you must open outbound TCP port 21 and be sure that your
kernel is compiled to support FTP connection tracking. If you build this kernel is compiled to support FTP connection tracking. If you build
support as a module, Shorewall will automatically load the module from this support as a module, Shorewall will automatically load the module
/var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br> from /var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
</p> </p>
<p>If you run an FTP server on a nonstandard port or you need to access <p>If you run an FTP server on a nonstandard port or you need to access
such a server, then you must specify that port in /etc/shorewall/modules. such a server, then you must specify that port in /etc/shorewall/modules.
For example, if you run an FTP server that listens on port 49 then you would For example, if you run an FTP server that listens on port 49 then you
have:<br> would have:<br>
</p> </p>
<blockquote> <blockquote>
@ -192,7 +199,9 @@ starts, then you should include the port list in /etc/modules.conf:<br>
<p>Traceroute</p> <p>Traceroute</p>
<blockquote> <blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p> <p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1<br>
ICMP type 8 ('ping')<br>
</p>
</blockquote> </blockquote>
<p>NFS<br> <p>NFS<br>
@ -225,16 +234,9 @@ starts, then you should include the port list in /etc/modules.conf:<br>
<p>Still looking? Try <a <p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p> href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 5/5/2003 - </font><font size="2"> <a <p><font size="2">Last updated 7/16/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

43
STABLE/documentation/quotes.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -26,16 +26,23 @@
</tbody> </tbody>
</table> </table>
<font size="3">"I have fought with IPtables for untold hours. First I
tried the SuSE firewall, which worked for 80% of what I needed. Then gShield,
which also worked for 80%. Then I set out to write my own IPtables parser
in shell and awk, which was a lot of fun but never got me past the "hey,
cool" stage. Then I discovered Shorewall. After about an hour, everything
just worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
<p>"The configuration is intuitive and flexible, and much easier than any <p>"The configuration is intuitive and flexible, and much easier than any
of the other iptables-based firewall programs out there. After sifting through of the other iptables-based firewall programs out there. After sifting through
many other scripts, it is obvious that yours is the most well thought-out many other scripts, it is obvious that yours is the most well thought-out
and complete one available." -- BC, USA</p> and complete one available." -- BC, USA</p>
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables <p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br> and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p> </p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was "My case was almost like [the one above]. Well. instead of 'weeks' it
'months' for me, and I think I needed two minutes more:<br> was 'months' for me, and I think I needed two minutes more:<br>
<ul> <ul>
<li>One to see that I had no Internet access from the firewall itself.</li> <li>One to see that I had no Internet access from the firewall itself.</li>
@ -48,8 +55,8 @@ enough to uncomment a line in /etc/shorewall/policy.<br>
and well documented thing for something as huge as iptables." -- JV, Spain. and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without <p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate any problems. Your documentation is great and I really appreciate your
your network configuration info. That really helped me out alot. THANKS!!!" network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </p> -- MM. </p>
<p>"[Shorewall is a] great, great project. I've used/tested may firewall <p>"[Shorewall is a] great, great project. I've used/tested may firewall
@ -57,29 +64,29 @@ your network configuration info. That really helped me out alot. THANKS!!
</p> </p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone <p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, safe and useful so relentless in developing a secure, state of the art, safe and
product as the Shorewall firewall package for no cost or obligation useful product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </p> involved." -- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest <p>"one time more to report, that your great shorewall in the latest release
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now 1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines
have 7 machines up and running with shorewall on several versions - up and running with shorewall on several versions - starting with 1.2.2
starting with 1.2.2 up to the new 1.2.9 and I never have encountered up to the new 1.2.9 and I never have encountered any problems!" -- SM,
any problems!" -- SM, Germany</p> Germany</p>
<p>"You have the best support of any other package I've ever used." <p>"You have the best support of any other package I've ever used."
-- SE, US </p> -- SE, US </p>
<p>"Because our company has information which has been classified by the <p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use around our company. Information security is a hot issue. We also make
of checkpoint firewalls, but not all of the internet servers are guarded use of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</p> by request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands <p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of out against a lot of commercial stuff i´ve been working with in terms
flexibillity, quality &amp; support" -- RM, Austria</p> of flexibillity, quality &amp; support" -- RM, Austria</p>
<p>"I have never seen such a complete firewall package that is so easy to <p>"I have never seen such a complete firewall package that is so easy to
configure. I searched the Debian package system for firewall scripts and configure. I searched the Debian package system for firewall scripts and
@ -96,7 +103,7 @@ by request, Europe</p>
<br> <br>
 </p>  </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 3/18/2003 <p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 7/1/2003
- <a href="support.htm">Tom Eastep</a> </font> - <a href="support.htm">Tom Eastep</a> </font>
</p> </p>
@ -105,5 +112,7 @@ by request, Europe</p>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

64
STABLE/documentation/samba.htm
View File

@ -1,41 +1,51 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Samba</title> <title>Samba</title>
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#FFFFFF">Samba</font></h1> <h1 align="center"><font color="#ffffff">Samba</font></h1>
</td> </td>
</tr> </tr>
</tbody>
</table> </table>
<p>If you wish to run Samba on your firewall and access shares between the <p>If you wish to run Samba on your firewall and access shares between the
firewall and local hosts, you need the following rules:</p> firewall and local hosts, you need the following rules:</p>
<h4>/etc/shorewall/rules:</h4> <h4>/etc/shorewall/rules:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse"> <blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr> <tr>
<font face="Century Gothic, Arial, Helvetica">
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> <td><b> PROTO</b></td>
PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</font>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
@ -43,8 +53,8 @@ firewall and local hosts, you need the following rules:</p>
<td>loc</td> <td>loc</td>
<td>udp</td> <td>udp</td>
<td>137:139</td> <td>137:139</td>
<td>&nbsp;</td> <td> </td>
<td>&nbsp;</td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
@ -52,8 +62,8 @@ firewall and local hosts, you need the following rules:</p>
<td>loc</td> <td>loc</td>
<td>tcp</td> <td>tcp</td>
<td>137,139</td> <td>137,139</td>
<td>&nbsp;</td> <td> </td>
<td>&nbsp;</td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
@ -62,7 +72,7 @@ firewall and local hosts, you need the following rules:</p>
<td>udp</td> <td>udp</td>
<td>1024:</td> <td>1024:</td>
<td>137</td> <td>137</td>
<td>&nbsp;</td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
@ -70,8 +80,8 @@ firewall and local hosts, you need the following rules:</p>
<td>fw</td> <td>fw</td>
<td>udp</td> <td>udp</td>
<td>137:139</td> <td>137:139</td>
<td>&nbsp;</td> <td> </td>
<td>&nbsp;</td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
@ -79,8 +89,8 @@ firewall and local hosts, you need the following rules:</p>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>137,139</td> <td>137,139</td>
<td>&nbsp;</td> <td> </td>
<td>&nbsp;</td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
@ -89,10 +99,16 @@ firewall and local hosts, you need the following rules:</p>
<td>udp</td> <td>udp</td>
<td>1024:</td> <td>1024:</td>
<td>137</td> <td>137</td>
<td>&nbsp;</td> <td> </td>
</tr> </tr>
</tbody>
</table> </table>
</blockquote> </blockquote>
<p><font size="2">Last modified 5/29/2002 - <a href="support.htm">Tom
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm"> <p><font size="2">Last modified 5/29/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font></body></html> <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>

648
STABLE/documentation/seattlefirewall_index.htm
View File

@ -3,50 +3,70 @@
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4"
<table cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#3366ff">
<tbody> <tbody>
<tr> <tr>
<td width="33%" height="90" valign="middle" <td width="33%" height="90"
align="left"><a href="http://www.cityofshoreline.com"><img valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4" src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0"> border="0">
</a></td> </a></td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center"
bgcolor="#3366ff">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
<div align="center">
<img
src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
</div>
</td> </td>
<td valign="middle"> <td valign="middle" width="33%">
<h1 align="center"><a href="http://www.shorewall.net" <h1 align="center"><a href="http://www.shorewall.net"
target="_top"><img border="0" src="images/shorewall.jpg" width="119" target="_top"><img border="0" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4"> height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<div align="center"> </div>
<center> <center>
<div align="center"> </div>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
@ -56,13 +76,20 @@
<td width="90%"> <td width="90%">
<div align="center">
<br>
</div>
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a <p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function that can be used on a dedicated firewall system, a multi-function
@ -71,29 +98,35 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it
under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in the This program is distributed
hope that it will be useful, but WITHOUT in the hope that it will be useful,
ANY WARRANTY; without even the implied but WITHOUT ANY WARRANTY; without
warranty of MERCHANTABILITY or FITNESS even the implied warranty of MERCHANTABILITY
FOR A PARTICULAR PURPOSE. See the GNU General or FITNESS FOR A PARTICULAR PURPOSE.
Public License for more details.<br> See the GNU General Public License for more
details.<br>
<br> <br>
You should have received a copy of You should have received a
the GNU General Public License copy of the GNU General Public License
along with this program; if not, write to along with this program; if not,
the Free Software Foundation, Inc., write to the Free Software Foundation,
675 Mass Ave, Cambridge, MA 02139, USA</p> Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
@ -107,246 +140,346 @@ the GNU General Public License
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly
to your setup. If you want to use the documentation that you find here,
it is best if you uninstall what you have and install a setup that
matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for details.<br>
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br>
<ul>
<li>The 1.3 site is <a
href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
</li>
</ul>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
match your environment and follow the step by step instructions.<br> that most closely match your environment and follow the
step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site
will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider uninstalling
what you have and installing a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<h2>News</h2> <h2>News</h2>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<ol>
</ol>
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p> </b></p>
<blockquote> </blockquote>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column
of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
in the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing
a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
<br>
</li>
<li>The message "Adding rules for DHCP" is now suppressed if there
are no DHCP rules to add.<br>
</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed
entries in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
have been removed from /etc/shorewall/shorewall.conf. These capabilities
are now automatically detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This
option may be specified in /etc/shorewall/interfaces and overrides the
setting NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes
is enabled for address ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other
than the first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the
outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension
has been added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in netfilter's
connection tracking table. Shorewall automatically detects the availability
of this extension and reports its availability in the output of the start,
restart and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not
create chains in the mangle table but will rather do all 'norfc1918'
filtering in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is
extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<br>
</li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br>
<br>
Examples:<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall.
<br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of
network and host addresses. The command can be useful if you need to construct
an efficient set of rules that accept connections from a range of network
addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash
or dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
      192.168.1.4/30<br>
      192.168.1.8/29<br>
      192.168.1.16/28<br>
      192.168.1.32/27<br>
      192.168.1.64/26<br>
      192.168.1.128/25<br>
      192.168.2.0/23<br>
      192.168.4.0/22<br>
      192.168.8.0/22<br>
      192.168.12.0/29<br>
      192.168.12.8/31<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The "shorewall check" command now includes the chain name when
printing the applicable policy for each pair of zones.<br>
 <br>
    Example:<br>
 <br>
        Policy for dmz to net is REJECT using chain all2all<br>
 <br>
This means that the policy for connections from the dmz to the internet is
REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
policy.<br>
<br>
</li>
<li>Support for the 2.6 Kernel series has been added.<br>
</li>
</ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>.
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br> <p>Problems Corrected:<br>
</p> </p>
<ol> <ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly <li>The command "shorewall debug try &lt;directory&gt;"
traces the attempt.</li> now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file; previously, <li>The INCLUDE directive now works properly in the
INCLUDE in that file was ignored.</li> zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second column <li>/etc/shorewall/routestopped records with an empty
are no longer ignored.<br> second column are no longer ignored.<br>
</li> </li>
</ol> </ol>
<p>New Features:<br> <p>New Features:<br>
</p> </p>
<ol> <ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
now contain a list of addresses. If the list begins with "!' then the rule rule may now contain a list of addresses. If the list begins with
will take effect only if the original destination address in the connection "!' then the rule will take effect only if the original destination
request does not match any of the addresses listed.</li> address in the connection request does not match any of the addresses
listed.</li>
</ol> </ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p> </b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel <p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems and iptables 1.2.8 (using the "official" RPM from netfilter.org).
have been encountered with this set of software. The Shorewall version is No problems have been encountered with this set of software. The Shorewall
1.4.4b plus the accumulated changes for 1.4.5.<br> version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p> </p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p> <p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p> version 1.4.4.</p>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b></p>
<p>Groan -- This version corrects a problem whereby the --log-level <p><b></b></p>
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to
4 characters. I've produced version 1.4.4a that restores the previous
5-character limit by conditionally omitting the log rule number when
the LOGFORMAT doesn't contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b>
</b></p>
I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to
make it a full release rather than just a bug-fix release. <br>
<br>
<b> Problems corrected:</b><br>
<blockquote>None.<br>
</blockquote>
<b> New Features:<br>
</b>
<ol>
<li>A REDIRECT- rule target has been added. This target
behaves for REDIRECT in the same way as DNAT- does for DNAT in that the
Netfilter nat table REDIRECT rule is added but not the companion filter
table ACCEPT rule.<br>
<br>
</li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and
has been changed to a 'printf' formatting template which accepts three
arguments (the chain name, logging rule number and the disposition).
To use LOGFORMAT with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br>
<br>
LOGFORMAT="fp=%s:%d a=%s "<br>
<br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the
LOGFORMAT string (up to but not including the first '%') to find log
messages in the 'show log', 'status' and 'hits' commands. This part should
not be omitted (the LOGFORMAT should not begin with "%") and the leading
part should be sufficiently unique for /sbin/shorewall to identify Shorewall
messages.<br>
<br>
</li>
<li>When logging is specified on a DNAT[-] or REDIRECT[-]
rule, the logging now takes place in the nat table rather than in the
filter table. This way, only those connections that actually undergo DNAT
or redirection will be logged.<br>
</li>
</ol>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><br>
</p>
This version primarily corrects the documentation included in
the .tgz and in the .rpm. In addition: <br>
<ol> <ol>
<li>(This change is in 1.4.3 but is not documented) If
you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will
return reject replies as follows:<br>
a) tcp - RST<br>
b) udp - ICMP port unreachable<br>
c) icmp - ICMP host unreachable<br>
d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's
traditional convention:<br>
a) tcp - RST<br>
b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def
chain. Remember that this chain is traversed just before a DROP or REJECT
policy is enforced.<br>
</li>
</ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p>
<b>Problems Corrected:<br>
</b>
<ol>
<li>There were several cases where Shorewall would fail
to remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback
interface have been moved to before the rule that drops status=INVALID
packets. This insures that all loopback traffic is allowed even if
Netfilter connection tracking is confused.</li>
</ol>
<b>New Features:<br>
</b>
<ol>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a>
now supported in the /etc/shorewall/tunnels file.</li>
<li>You may now change the leading portion of the --log-prefix
used by Shorewall using the LOGMARKER variable in shorewall.conf. By
default, "Shorewall:" is used.<br>
</li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks
Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b> </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p>
<blockquote>This morning, I gave <a href="GSLUG.htm" target="_top">a
Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint and
is best viewed using Internet Explorer (although Konqueror also seems
to work reasonably well as does Opera 7.1.0). Neither Opera 6 nor
Netscape work well to view the presentation.<br>
</blockquote>
<blockquote>
<ol>
</ol> </ol>
</blockquote>
@ -355,30 +488,37 @@ Ed!
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak </a>Jacques Nilo and Eric
have a LEAF (router/firewall/gateway on Wolzak have a LEAF (router/firewall/gateway
a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that
Shorewall-1.3.14 and Kernel-2.4.20. You features Shorewall-1.4.2 and Kernel-2.4.20.
can find their work at: <a You can find their work at:
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<b>Congratulations to Jacques and Eric on the recent release <b>Congratulations to Jacques and Eric
of Bering 1.2!!! </b><br> on the recent release of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#3366ff"
align="center"> valign="top" align="center">
<form method="post" <form method="post"
@ -391,17 +531,22 @@ Ed!
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font
face="Arial" size="-1"> <input type="text" name="words" <font face="Arial" size="-1"> <input type="text"
size="15"></font><font size="-1"> </font> <font face="Arial" name="words" size="15"></font><font size="-1"> </font> <font
size="-1"> <input type="hidden" name="format" value="long"> <input face="Arial" size="-1"> <input type="hidden" name="format"
type="hidden" name="method" value="and"> <input type="hidden" value="long"> <input type="hidden" name="method" value="and"> <input
name="config" value="htdig"> <input type="submit" value="Search"></font> type="hidden" name="config" value="htdig"> <input type="submit"
</p> value="Search"></font> </p>
<font
face="Arial"> <input type="hidden" name="exclude" <font face="Arial"> <input type="hidden"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> name="exclude" value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form>
@ -414,6 +559,7 @@ Ed!
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -421,16 +567,19 @@ Ed!
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#3366ff">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;" <td width="100%"
valign="middle"> style="margin-top: 1px;" valign="middle">
@ -443,22 +592,27 @@ Ed!
<p align="center"><font size="4" color="#ffffff"><br> <p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if you try it and find <font size="+2"> Shorewall is free but if
it useful, please consider making a donation you try it and find it useful, please consider making a donation
to <a to
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's <a href="http://www.starlight.org"><font
Foundation.</font></a> Thanks!</font></font></p> color="#ffffff">Starlight Children's Foundation.</font></a>
Thanks!</font></font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
</body> </body>

39
STABLE/documentation/shoreline.htm
View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>About the Shorewall Author</title> <title>About the Shorewall Author</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
@ -16,7 +17,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -29,7 +30,7 @@
</table> </table>
<p align="center"> <img border="3" src="images/Tom.jpg" <p align="center"> <img border="3" src="images/Tom.jpg"
alt="Tom - June 2003" width="640" height="480"> alt="Aging Geek - June 2003" width="320" height="240">
</p> </p>
<p align="center">Tom -- June 2003<br> <p align="center">Tom -- June 2003<br>
@ -45,8 +46,8 @@
href="http://www.washington.edu">University of Washington</a> 1969</li> href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, <li><a href="http://www.tandem.com">Tandem
Incorporated</a> (now part of the <a Computers, Incorporated</a> (now part of the <a
href="http://www.hp.com">The New HP</a>) 1980 - present</li> href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
@ -57,8 +58,8 @@
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known ipchains and developed the scripts which are now collectively
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. known as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
Expanding on what I learned from Seattle Firewall, I then Expanding on what I learned from Seattle Firewall, I then
designed and wrote Shorewall. </p> designed and wrote Shorewall. </p>
@ -75,23 +76,23 @@ I live with my wife Tarry.
Windows system. Serves as a PPTP server for Road Warrior access. Dual Windows system. Serves as a PPTP server for Road Warrior access. Dual
boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li> boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD,
LNE100TX(Tulip) NIC - My personal Linux System which runs Samba. LNE100TX(Tulip) NIC - My personal Linux System which runs
This system also has <a href="http://www.vmware.com/">VMware</a> Samba. This system also has <a href="http://www.vmware.com/">VMware</a>
installed and can run both <a href="http://www.debian.org">Debian installed and can run both <a href="http://www.debian.org">Debian
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
machines.</li> machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD,
NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), EEPRO100 NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
FTP (Pure_ftpd), DNS server (Bind 9).</li> FTP (Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI
- 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall HD - 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.4.4c, a DHCP server and Samba configured as a WINS server..</li> 1.4.6Beta1, a DHCP server and Samba configured as a WINS server..</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 <li>Duron 750, Win ME, 192MB RAM, 20GB HD,
NIC - My wife's personal system.</li> RTL8139 NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB
HD, built-in EEPRO100, EEPRO100 in expansion base - My work system.</li> HD, built-in EEPRO100, EEPRO100 in expansion base - My work system.</li>
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and <li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC
LinkSys WET11 - Our Laptop.<br> and LinkSys WET11 - Our Laptop.<br>
</li> </li>
</ul> </ul>
@ -125,11 +126,13 @@ FTP (Pure_ftpd), DNS server (Bind 9).</li>
height="75" border="0"> height="75" border="0">
</a><a href="http://www.opera.com"> </a> </font></p> </a><a href="http://www.opera.com"> </a> </font></p>
<p><font size="2">Last updated 6/15/2003 - </font><font size="2"> <a <p><font size="2">Last updated 7/14/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a <font face="Trebuchet MS"><a
href="copyright.htm"><font size="2">Copyright</font> © <font href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

76
STABLE/documentation/shorewall_extension_scripts.htm
View File

@ -14,31 +14,40 @@
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1> <h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> Extension scripts are user-provided scripts that are invoked at various <p> Extension scripts are user-provided scripts that are invoked at various
points during firewall start, restart, stop and clear. The scripts are points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source" placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism. The following scripts can be supplied:</p> mechanism.<br>
</p>
<p><font color="#ff0000"><b>Caution: <br>
</b></font></p>
<ol>
<li><font color="#ff0000"><b>Be sure that you actually need to use an
extension script to do what you want. Shorewall has a wide range of features
that cover most requirements.</b></font></li>
<li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON
THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK
SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE
DOING WITH RESPECT TO iptables/Netfilter</b></font></li>
</ol>
<p>The following scripts can be supplied:</p>
<ul> <ul>
<li>init -- invoked early in "shorewall start" and "shorewall <li>init -- invoked early in "shorewall start" and "shorewall
@ -47,16 +56,13 @@ restart"</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li> <li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li> <li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li> <li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before <li>refresh -- invoked while the firewall is being refreshed but
the common and/or blacklst chains have been rebuilt.</li> before the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' <li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li> chain has been created but before any rules have been added to it.</li>
</ul> </ul>
<p><u><b>If your version of Shorewall doesn't have the file that you want <p><u><b>If your version of Shorewall doesn't have the file that you want
to use from the above list, you can simply create the file yourself.</b></u></p> to use from the above list, you can simply create the file yourself.</b></u></p>
@ -65,40 +71,24 @@ to use from the above list, you can simply create the file yourself.</b></u></p>
file has been processed but before the /etc/shorewall/policy file has file has been processed but before the /etc/shorewall/policy file has
been processed.</p> been processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file <p>The /etc/shorewall/common file receives special treatment. If this file
is present, the rules that it defines will totally replace the default is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in the rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p> for making your own customized file.</p>
<p> Rather than running iptables directly, you should run it using the <p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly, function run_iptables. Similarly, rather than running "ip" directly, you
you should use run_ip. These functions accept the same arguments as the should use run_ip. These functions accept the same arguments as the underlying
underlying command but cause the firewall to be stopped if an error occurs command but cause the firewall to be stopped if an error occurs during
during processing of the command.</p> processing of the command.</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to use
the following technique</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to
use the following technique</p>
<p> /etc/shorewall/common:</p> <p> /etc/shorewall/common:</p>
<blockquote> <blockquote>
<pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre> <pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
</blockquote> </blockquote>
@ -107,20 +97,22 @@ add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def you to add new rules while still getting the benefit of the latest common.def
file.</p> file.</p>
<p>Remember that /etc/shorewall/common defines rules that are only applied <p>Remember that /etc/shorewall/common defines rules that are only applied
if the applicable policy is DROP or REJECT. These rules are NOT applied if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE.</p> if the policy is ACCEPT or CONTINUE<br>
</p>
<p> </p>
<p align="left"><font size="2">Last updated 6/30/2003 - <a
<p align="left"><font size="2">Last updated 2/18/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p> Thomas M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br>
<br>
<br>
</body> </body>
</html> </html>

11
STABLE/documentation/shorewall_features.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -63,14 +63,14 @@ use all types in the same firewall):
</ul> </ul>
</li> </li>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual <li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
IP addresses and subnetworks is supported.</li> individual IP addresses and subnetworks is supported.</li>
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>: <li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
<ul> <ul>
<li>Commands to start, stop and clear the firewall</li> <li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring with an audible alarm <li>Supports status monitoring with an audible
when an "interesting" packet is detected.</li> alarm when an "interesting" packet is detected.</li>
<li>Wide variety of informational commands.</li> <li>Wide variety of informational commands.</li>
</ul> </ul>
@ -114,5 +114,6 @@ Address <b>Verification</b><br>
</p> </p>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

150
STABLE/documentation/shorewall_firewall_structure.htm
View File

@ -16,11 +16,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Firewall Structure</font></h1> <h1 align="center"><font color="#ffffff">Firewall Structure (Under
Construction)</font></h1>
</td> </td>
</tr> </tr>
@ -29,9 +30,9 @@
<p> Shorewall views the network in which it is running as a set of <p> Shorewall views the network in which it is running as a set of
<i> zones. </i>Shorewall itself defines exactly one zone called "fw" which <i> zones. </i>Shorewall itself defines exactly one zone called "fw" which
refers to the firewall system itself . The /etc/shorewall/zones file is refers to the firewall system itself . The /etc/shorewall/zones file
used to define additional zones and the example file provided with Shorewall is used to define additional zones and the example file provided with
defines the zones:</p> Shorewall defines the zones:</p>
<ol> <ol>
<li> net -- the (untrusted) internet.</li> <li> net -- the (untrusted) internet.</li>
@ -39,8 +40,8 @@
and from the local network.  These systems cannot be trusted completely and from the local network.  These systems cannot be trusted completely
since their servers may have been compromised through a security exploit.</li> since their servers may have been compromised through a security exploit.</li>
<li> loc - systems in your local network(s). These systems <li> loc - systems in your local network(s). These systems
must be protected from the internet and from the DMZ and in some cases, must be protected from the internet and from the DMZ and in some
from each other.</li> cases, from each other.</li>
</ol> </ol>
@ -59,8 +60,8 @@ that the firewall zone is named "fw".</p>
of this document, we will consider Netfilter to have three tables:</p> of this document, we will consider Netfilter to have three tables:</p>
<ol> <ol>
<li>Filter table -- this is the main table for packet filtering and can <li>Filter table -- this is the main table for packet filtering and
be displayed with the command "shorewall show".</li> can be displayed with the command "shorewall show".</li>
<li>Nat table -- used for all forms of Network Address Translation (NAT); <li>Nat table -- used for all forms of Network Address Translation (NAT);
SNAT, DNAT and MASQUERADE.</li> SNAT, DNAT and MASQUERADE.</li>
<li>Mangle table -- used to modify fields in the packet header.<br> <li>Mangle table -- used to modify fields in the packet header.<br>
@ -166,21 +167,22 @@ in the Mangle table, Shorewall does not create any rules in that chain.<br>
<p><br> <p><br>
<br> <br>
In the text that follows, the paragraph numbers correspond to the box number In the text that follows, the paragraph numbers correspond to the box
in the diagram above.<br> number in the diagram above.<br>
</p> </p>
<ol> <ol>
<li>Packets entering the firewall first pass through the <i>mangle </i>table's <li>Packets entering the firewall first pass through the <i>mangle </i>table's
PREROUTING chain (you can see the mangle table by typing "shorewall show PREROUTING chain (you can see the mangle table by typing "shorewall show
mangle"). If the packet entered through an interface that has the <b>norfc1918</b> mangle"). If the packet entered through an interface that has the <b>norfc1918</b>
option, then the packet is sent down the <b>man1918</b> chain which will option and if iptables/netfilter doesn't support the connection tracking
drop the packet if its destination IP address is reserved (as specified match extension, then the packet is sent down the <b>man1918</b> chain which
will drop the packet if its destination IP address is reserved (as specified
in the /etc/shorewall/rfc1918 file). Next the packet passes through the<b> in the /etc/shorewall/rfc1918 file). Next the packet passes through the<b>
pretos</b> chain to set its TOS field as specified in the /etc/shorewall/tos pretos</b> chain to set its TOS field as specified in the /etc/shorewall/tos
file. Finally, if traffic control/shaping is being used, the packet is sent file. Finally, if traffic control/shaping is being used, the packet is
through the<b> tcpre</b> chain to be marked for later use in policy routing sent through the<b> tcpre</b> chain to be marked for later use in policy
or traffic control.<br> routing or traffic control.<br>
<br> <br>
Next, if the packet isn't part of an established connection, it passes Next, if the packet isn't part of an established connection, it passes
through the<i> nat</i> table's PREROUTING chain (you can see the nat table through the<i> nat</i> table's PREROUTING chain (you can see the nat table
@ -197,73 +199,67 @@ address doesn't match any of the rules in the <b><i>interface_</i>in</b>
chain then the packet enters a chain called <b><i>sourcezone</i>_dnat</b> chain then the packet enters a chain called <b><i>sourcezone</i>_dnat</b>
where <i>sourcezone</i> is the source zone of the packet. There it is compared where <i>sourcezone</i> is the source zone of the packet. There it is compared
for a match against each of the DNAT records in the rules file that specify for a match against each of the DNAT records in the rules file that specify
<i> sourcezone </i>as the source zone. If a match is found, the destination <i> sourcezone </i>as the source zone. If a match is found, the
IP address (and possibly the destination port) is modified based on the destination IP address (and possibly the destination port) is modified based
rule matched. If NAT_BEFORE_RULES is off, then the order of traversal of on the rule matched. If NAT_BEFORE_RULES is off, then the order of traversal
the <b><i> interface_</i>in</b> and <b><i>sourcezone</i>_dnat</b> is reversed.<br> of the <b><i> interface_</i>in</b> and <b><i>sourcezone</i>_dnat</b> is
reversed.<br>
<br> <br>
</li> </li>
<li>Depending on whether the packet is destined for the firewall itself <li>Depending on whether the packet is destined for the firewall itself
or for another system, it follows either the left or the right path. Traffic or for another system, it follows either the left or the right path. Traffic
going to the firewall goes through chains called INPUT in the mangle table. going to the firewall goes through chain called INPUT in the mangle table.
Shorewall doesn't add any rules to that chain. Traffic next passes the the Shorewall doesn't add any rules to that chain.<br>
INPUT chain in the filter table where it is broken out based on the interface <br>
on which the packet arrived; packets from interface <i>interface</i> are routed </li>
to chain <b><i>interface</i>_in</b>. For example, packets arriving through <li>Traffic that is to be forwarded to another host goes through the chains
eth0 are passed to the chain <b>eth0_in.</b></li> called FORWARD in the mangle table. If MARK_IN_FORWARD=Yes in shorewall.conf,
all rules in /etc/shorewall/tcrules that do not specify Prerouting (:P) are
<ol> processed in a chain called <br>
<li>The first rule in <b><i>interface</i>_in</b> jumps to the chain <br>
named <b>dynamic</b> which matches the source IP in the packet against all
of the addresses that have been blacklisted using <a
href="blacklisting_support.htm#Dynamic">dynamic blacklisting</a>.</li>
<li>If the the interface has the <b>norfc1918</b> option then the packet
is sent down the <b>rfc1918 </b>which checks the source address against those
listed in /etc/shorewall/rfc1918 and treats the packet according to the first
match in that file (if any).</li>
<li>If the interface has the  <b>dhcp </b>option, UDP packets to ports
67 and 68 are accepted.</li>
<li><br>
</li> </li>
</ol> <ol>
<li>Traffic is next sent to an<i> input </i>chain in the mail Netfilter
table (called 'filter'). If the traffic is destined for the firewall itself,
the name of the input chain is formed by appending "_in" to the interface
name. So traffic on eth0 destined for the firewall will enter a chain called
<i>eth0_in</i>. The input chain for traffic that will be routed to
another system is formed by appending "_fwd" to the interface name. So traffic
from eth1 that is going to be forwarded enters a chain called<i> eth1_fwd</i>.
Interfaces described with the wild-card character ("+") in /etc/shorewall/interfaces,
share input chains. if <i>ppp+ </i>appears in /etc/shorewall/interfaces
then all PPP interfaces (ppp0, ppp1, ...) will share the input chains <i>ppp_in</i>
and <i>ppp_fwd</i>. In other words, "+" is deleted from the name before
forming the input chain names.</li>
</ol> </ol>
<li>Traffic is next sent to an<i> interface </i>chain in the main Netfilter
<p> While the use of input chains may seem wasteful in simple environments, table (called 'filter'). If the traffic is destined for the firewall
itself, the name of the interface chain is formed by appending "_in" to
the interface name. So traffic on eth0 destined for the firewall will
enter a chain called <i>eth0_in</i>. The interface chain for traffic
that will be routed to another system is formed by appending "_fwd" to
the interface name. So traffic from eth1 that is going to be forwarded
enters a chain called<i> eth1_fwd</i>. Interfaces described with the wild-card
character ("+") in /etc/shorewall/interfaces, share input chains. if <i>ppp+
</i>appears in /etc/shorewall/interfaces then all PPP interfaces (ppp0,
ppp1, ...) will share the interface chains <i>ppp_in</i> and <i>ppp_fwd</i>.
In other words, "+" is deleted from the name before forming the input chain
names.<br>
<br>
While the use of interfacechains may seem wasteful in simple environments,
in complex setups it substantially reduces the number of rules that each in complex setups it substantially reduces the number of rules that each
packet must traverse.  </p> packet must traverse.  </li>
</ol>
<p> Traffic directed from a zone to the firewall itself is sent through <p> Traffic directed from a zone to the firewall itself is sent through
a chain named &lt;<i>zone name&gt;</i>2fw. For example, traffic inbound from a chain named &lt;<i>zone name&gt;</i>2fw. For example, traffic inbound from
the internet and addressed to the firewall is sent through a chain named the internet and addressed to the firewall is sent through a chain named
net2fw. Similarly, traffic originating in the firewall and being sent to net2fw. Similarly, traffic originating in the firewall and being sent
a host in a given zone is sent through a chain named fw2<i>&lt;zone name&gt;. to a host in a given zone is sent through a chain named fw2<i>&lt;zone
</i>For example, traffic originating in the firewall and destined name&gt;. </i>For example, traffic originating in the firewall and
for a host in the local network is sent through a chain named <i>fw2loc.</i> destined for a host in the local network is sent through a chain named
<font face="Century Gothic, Arial, Helvetica">  </font></p> <i>fw2loc.</i> <font face="Century Gothic, Arial, Helvetica">  </font></p>
<p> Traffic being forwarded between two zones (or from one interface to <p> Traffic being forwarded between two zones (or from one interface to
a zone to another interface to that zone) is sent through a chain named <i> a zone to another interface to that zone) is sent through a chain named <i>
&lt;source zone&gt;</i>2<i> &lt;destination zone&gt;</i>. So for example, &lt;source zone&gt;</i>2<i> &lt;destination zone&gt;</i>. So for example,
traffic originating in a local system and destined for a remote web server traffic originating in a local system and destined for a remote web server
is sent through chain <i>loc2net. </i>This chain is referred to as is sent through chain <i>loc2net. </i>This chain is referred to
the <i>canonical</i> chain from &lt;source zone&gt; to &lt;destination as the <i>canonical</i> chain from &lt;source zone&gt; to &lt;destination
zone&gt;. Any destination NAT will have occurred <u>before</u> the packet zone&gt;. Any destination NAT will have occurred <u>before</u> the packet
traverses one of these chains so rules in /etc/shorewall/rules should be traverses one of these chains so rules in /etc/shorewall/rules should
expressed in terms of the destination system's real IP address as opposed be expressed in terms of the destination system's real IP address as opposed
to its apparent external address. Similarly, source NAT will occur <u>after</u> to its apparent external address. Similarly, source NAT will occur <u>after</u>
the packet has traversed the appropriate forwarding chain so the rules the packet has traversed the appropriate forwarding chain so the rules
again will be expressed using the source system's real IP address.</p> again will be expressed using the source system's real IP address.</p>
@ -274,16 +270,16 @@ the <i>canonical</i> chain from &lt;source zone&gt; to &lt;destination
"fw" or "all". Policies specifying the pseudo-zone "all" matches all defined "fw" or "all". Policies specifying the pseudo-zone "all" matches all defined
zones and "fw". These chains are referred to as <i>Policy Chains.</i> Notice zones and "fw". These chains are referred to as <i>Policy Chains.</i> Notice
that for an ordered pair of zones (za,zb), the canonical chain (za2zb) that for an ordered pair of zones (za,zb), the canonical chain (za2zb)
may also be the policy chain for the pair or the policy chain may be a may also be the policy chain for the pair or the policy chain may be
different chain (za2all, for example). Packets from one zone to another a different chain (za2all, for example). Packets from one zone to another
will traverse chains as follows:</p> will traverse chains as follows:</p>
<ol> <ol>
<li> If the canonical chain exists, packets first traverse that <li> If the canonical chain exists, packets first traverse
chain.</li> that chain.</li>
<li> If the canonical chain and policy chain are different and <li> If the canonical chain and policy chain are different
the packet does not match a rule in the canonical chain, it then is sent and the packet does not match a rule in the canonical chain, it then
to the policy chain.</li> is sent to the policy chain.</li>
<li> If the canonical chain does not exist, packets are sent <li> If the canonical chain does not exist, packets are sent
immediately to the policy chain.</li> immediately to the policy chain.</li>
@ -304,9 +300,9 @@ from za to zb.</p>
<li> Identify the server's zone.</li> <li> Identify the server's zone.</li>
<li> If the POLICY from the client's zone to the server's zone <li> If the POLICY from the client's zone to the server's zone
is what you want for this client/server pair, you need do nothing further.</li> is what you want for this client/server pair, you need do nothing further.</li>
<li> If the POLICY is not what you want, then you must add a <li> If the POLICY is not what you want, then you must add
rule. That rule is expressed in terms of the client's zone and the a rule. That rule is expressed in terms of the client's zone and
server's zone.</li> the server's zone.</li>
</ol> </ol>
@ -315,8 +311,8 @@ server's zone.</li>
B <font color="#ff6633"><b><u> DOES NOT mean that these connections B <font color="#ff6633"><b><u> DOES NOT mean that these connections
are allowed between zone A and zone B</u></b></font>. It rather means are allowed between zone A and zone B</u></b></font>. It rather means
that you can have a proxy running on the firewall that accepts a connection that you can have a proxy running on the firewall that accepts a connection
from zone A and then establishes its own separate connection from the firewall from zone A and then establishes its own separate connection from the
to zone B.</p> firewall to zone B.</p>
<p> If you adopt the default policy of ACCEPT from the local zone to the <p> If you adopt the default policy of ACCEPT from the local zone to the
internet zone and you are having problems connecting from a local client internet zone and you are having problems connecting from a local client
@ -330,5 +326,7 @@ from zone A and then establishes its own separate connection from the firewall
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

32
STABLE/documentation/shorewall_logging.html
View File

@ -12,12 +12,10 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1> <h1 align="center"><font color="#ffffff">Logging</font></h1>
</td> </td>
</tr> </tr>
@ -88,10 +86,10 @@ file, you must restart syslogd before the changes can take effect.<br>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG Beginning with Shorewall version 1.3.12, if your kernel has ULOG
target support (and most vendor-supplied kernels do), you may also specify target support (and most vendor-supplied kernels do), you may also specify
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will a log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which will direct netfilter to log the related messages via the ULOG target which
send them to a process called 'ulogd'. The ulogd program is available from will send them to a process called 'ulogd'. The ulogd program is available
http://www.gnumonks.org/projects/ulogd and can be configured to log all from http://www.gnumonks.org/projects/ulogd and can be configured to log
Shorewall message to their own log file.<br> all Shorewall message to their own log file.<br>
<br> <br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from <b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from
syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely
@ -115,9 +113,9 @@ Download the ulod tar file and:<br>
</li> </li>
</ol> </ol>
If you are like me and don't have a development environment on your firewall, If you are like me and don't have a development environment on your
you can do the first six steps on another system then either NFS mount firewall, you can do the first six steps on another system then either
your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i> NFS mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br> directory and move it to your firewall system.<br>
<br> <br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br> Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
@ -129,9 +127,9 @@ your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
</ol> </ol>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd" to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system --level 3 ulogd on" starts ulogd during boot up. Your init system may need
may need something else done to activate the script.<br> something else done to activate the script.<br>
<br> <br>
You will need to change all instances of log levels (usually 'info') in You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the policy, your configuration files to 'ULOG' - this includes entries in the policy,
@ -140,17 +138,15 @@ rules and shorewall.conf files. Here's what I have:<br>
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre> <pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch" and where to look for the log when processing its "show log", "logwatch" and "monitor"
"monitor" commands.<br> commands.<br>
<p><font size="2"> Updated 1/11/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 1/11/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>

30
STABLE/documentation/shorewall_mirrors.htm
View File

@ -16,10 +16,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td> </td>
</tr> </tr>
@ -37,19 +38,23 @@
and is located in California, USA. It is mirrored at:</p> and is located in California, USA. It is mirrored at:</p>
<ul> <ul>
<li><a target="_top" href="http://slovakia.shorewall.net"> http://slovakia.shorewall.net</a> <li><a target="_top" href="http://slovakia.shorewall.net">
(Slovak Republic).</li> http://slovakia.shorewall.net</a> (Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall" <li> <a href="http://www.infohiiway.com/shorewall"
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li> target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net"> http://germany.shorewall.net</a> <li><a target="_top" href="http://germany.shorewall.net">
(Hamburg, Germany)</li> http://germany.shorewall.net</a> (Hamburg, Germany)</li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a> href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li> (Paris, France)</li>
<li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl <li><a href="http://shorewall.syachile.cl" target="_top">http://shorewall.syachile.cl
</a>(Santiago Chile)</li> </a>(Santiago Chile)</li>
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a> <li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)<br> (Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)</li>
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">http://shorewall.securityopensource.org.br</a> (Brazil)<br>
</li> </li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a> <li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br> (Washington State, USA)<br>
@ -72,17 +77,17 @@
<li> <a target="_blank" <li> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a> href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
(Paris, France)</li> (Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a> <li><a href="ftp://shorewall.greshko.com/pub/shorewall"
(Taipei, Taiwan)</li> target="_top">ftp://shorewall.greshko.com</a> (Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net <li><a href="ftp://ftp.shorewall.net/pub/shorewall"
</a>(Washington State, USA)<br> target="_blank">ftp://ftp.shorewall.net </a>(Washington State, USA)<br>
</li> </li>
</ul> </ul>
Search results and the mailing list archives are always fetched from Search results and the mailing list archives are always fetched from
the site in Washington State.<br> the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 6/5/2003 - <a <p align="left"><font size="2">Last Updated 7/15/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -95,5 +100,8 @@ the site in Washington State.<br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
</body> </body>
</html> </html>

51
STABLE/documentation/shorewall_prerequisites.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -30,34 +30,45 @@
Shorewall Requires:<br> Shorewall Requires:<br>
<ul> <ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20. <li>A kernel that supports netfilter. I've tested with 2.4.2 -
With current releases of Shorewall, Traffic Shaping/Control requires at least 2.4.20. With current releases of Shorewall, Traffic Shaping/Control requires
2.4.18.  <a href="kernel.htm"> Check here for kernel configuration at least 2.4.18.  <a href="kernel.htm"> Check here for kernel configuration
information.</a> If you are looking for a firewall for use with information.</a> If you are looking for a firewall for use with
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle Firewall 2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle
site</a> .</li> Firewall site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a <li>iptables 1.2 or later but beware version 1.2.3 -- see the
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The <a href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING:
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should </b></font>The buggy iptables version 1.2.3 is included in RedHat
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4 7.2 and you should upgrade to iptables 1.2.4 prior to installing Shorewall.
is available <a Version 1.2.4 is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a> href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. </li> and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included with <li>Iproute ("ip" utility). The iproute package is included
most distributions but may not be installed by default. The official with most distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing" download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>. target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li> </li>
<li>A Bourne shell or derivative such as bash or ash. This shell must <li>A Bourne shell or derivative such as bash or ash. This shell
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i> must have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i> }, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li> } and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>The firewall monitoring display is greatly improved if you have <li>Your shell must produce a sensible result when a number n (128 &lt;=
awk (gawk) installed.</li> n &lt;= 255) is left shifted by 24 bits. You can check this at a shell prompt
by:</li>
<ul>
<li>echo $((128 &lt;&lt; 24))<br>
</li>
<li>The result must be either 2147483648 or -2147483648.<br>
</li>
</ul>
<li>The firewall monitoring display is greatly improved if you
have awk (gawk) installed.</li>
</ul> </ul>
<p align="left"><font size="2">Last updated 3/19/2003 - <a <p align="left"><font size="2">Last updated 7/8/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -67,5 +78,9 @@ download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

147
STABLE/documentation/shorewall_quickstart_guide.htm
View File

@ -12,28 +12,29 @@
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br> (HOWTO's)<br>
Version 4.0</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that we <p align="center">With thanks to Richard who reminded me once again that
must all first walk before we can run.<br> we must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br> The French Translations are courtesy of Patrice Vetsel<br>
</p> </p>
@ -42,8 +43,9 @@ must all first walk before we can run.<br>
<p>These guides provide step-by-step instructions for configuring Shorewall <p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p> in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>If you have a <font color="#ff0000"><big><big><b>single public IP address</b></big></big></font>:</p>
<blockquote>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> <li><a href="standalone.htm">Standalone</a>
Linux System (<a href="standalone_fr.html">Version Française</a>)</li> Linux System (<a href="standalone_fr.html">Version Française</a>)</li>
@ -55,26 +57,33 @@ must all first walk before we can run.<br>
network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li> network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running <p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> quickly in the three most common Shorewall configurations.
If you want to learn more about Shorewall than is explained in the above
simple guides,  the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
(See Index Below) is for you.</p>
</blockquote>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> (See <p>If you have <font color="#ff0000"><big><big><b>more than one public IP
Index Below) outlines the steps necessary to set up a firewall address</b></big></big></font>:<br>
where <b>there are multiple public IP addresses involved or </p>
if you want to learn more about Shorewall than is explained in <blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
the single-address guides above.</b></p> (See Index Below) outlines the steps necessary to set up
a firewall where there are <small><small><big><big>multiple
public IP addresses</big></big></small></small> involved or if you
want to learn more about Shorewall than is explained in the
single-address guides above.</blockquote>
<ul> <ul>
</ul> </ul>
<h2><a name="Documentation"></a>Documentation Index</h2> <h2><b><a name="Documentation"></a></b>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> the <a href="shorewall_quickstart_guide.htm">QuickStart
described above</b>. Please review the appropriate guide before Guides</a> described above</b>. Please review the appropriate
trying to use this documentation directly.</p> guide before trying to use this documentation directly.</p>
<ul> <ul>
<li><a <li><a
@ -92,13 +101,15 @@ the single-address guides above.</b></p>
<li><a <li><a
href="configuration_file_basics.htm">Common configuration file href="configuration_file_basics.htm">Common configuration file
features</a> features</a>
<ul> <ul>
<li><a <li><a
href="configuration_file_basics.htm#Comments">Comments in configuration href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li> files</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li> href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a><br> <li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE
Directive</a><br>
</li> </li>
<li><a <li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li> href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
@ -113,15 +124,17 @@ the single-address guides above.</b></p>
href="configuration_file_basics.htm#Compliment">Complementing an IP address href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li> or Subnet</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
(making a test configuration)</a></li> a test configuration)</a></li>
<li><a <li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li> href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration <li><a href="Documentation.htm">Configuration
File Reference Manual</a> File Reference Manual</a>
<ul> <ul>
<li> <a <li> <a
href="Documentation.htm#Variables">params</a></li> href="Documentation.htm#Variables">params</a></li>
@ -135,7 +148,8 @@ the single-address guides above.</b></p>
href="Documentation.htm#Policy">policy</a></font></li> href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li> href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li> <li><a
href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li> href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
@ -150,8 +164,8 @@ the single-address guides above.</b></p>
href="Documentation.htm#Conf">shorewall.conf</a></font></li> href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a <li><a
href="Documentation.htm#modules">modules</a></li> href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> <li><a
</li> href="Documentation.htm#TOS">tos</a> </li>
<li><a <li><a
href="Documentation.htm#Blacklist">blacklist</a></li> href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a <li><a
@ -160,10 +174,14 @@ the single-address guides above.</b></p>
href="Documentation.htm#Routestopped">routestopped</a></li> href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li>
<li><a href="CorpNetwork.htm">Corporate
Network Example</a> (Contributed by a Graeme Boyle)<br>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling by host <li><a href="ECN.html">ECN Disabling
or subnet</a><br> by host or subnet</a></li>
<li><a href="errata.htm">Errata</a><br>
</li> </li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
@ -171,16 +189,32 @@ the single-address guides above.</b></p>
use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped, use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li> etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="FAQ.htm">FAQs</a><br>
</li>
<li><a href="shorewall_features.htm">Features</a><br>
</li>
<li><a <li><a
href="shorewall_firewall_structure.htm">Firewall Structure</a></li> href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><a href="support.htm">Getting help or answers to questions</a></li>
<li>Greater Seattle Linux Users Group Presentation</li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a></li>
</ul>
<li><a href="Install.htm">Installation/Upgrade</a><br>
</li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="kernel.htm">Kernel Configuration</a></font></li> href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br> <li><a href="shorewall_logging.html">Logging</a><br>
</li> </li>
<li><a href="MAC_Validation.html">MAC Verification</a><br> <li><a href="MAC_Validation.html">MAC
Verification</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
</li> </li>
<li><a href="myfiles.htm">My Shorewall <li><a href="myfiles.htm">My
Configuration (How I personally use Shorewall)</a><br> Shorewall Configuration (How I personally use Shorewall)</a><br>
</li> </li>
<li><a href="ping.html">'Ping' Management</a><br> <li><a href="ping.html">'Ping' Management</a><br>
</li> </li>
@ -193,12 +227,15 @@ the single-address guides above.</b></p>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="shorewall_prerequisites.htm">Requirements</a><br>
</li>
<li><a href="samba.htm">Samba</a></li> <li><a href="samba.htm">Samba</a></li>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br> <li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li> </li>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> <li><a href="shorewall_setup_guide.htm#Introduction">1.0
Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li> Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network <li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
@ -207,51 +244,63 @@ the single-address guides above.</b></p>
Subnets and Routing</a> Subnets and Routing</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP <li><a href="shorewall_setup_guide.htm#Addresses">4.1
Addresses</a></li> IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li> Resolution Protocol (ARP)</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li> 1918</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a> up your Network</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li> <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a> <li><a href="shorewall_setup_guide.htm#NonRouted">5.2
Non-routed</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li> <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li> SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li> Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static <li><a href="shorewall_setup_guide.htm#NAT">5.2.4
NAT</a></li> Static NAT</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li> <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
and Ends</a></li> Odds and Ends</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li> <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 <li><a
Starting and Stopping the Firewall</a></li> href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</ul> </ul>
<li><font color="#000099"><a <li><font color="#000099"><a
@ -266,11 +315,15 @@ Addresses</a></li>
</ul> </ul>
<li><font color="#000099"><a <li><font color="#000099"><a
href="NAT.htm">Static NAT</a></font></li> href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent <li><a href="Shorewall_Squid_Usage.html">Squid as a
Proxy with Shorewall</a><br> Transparent Proxy with Shorewall</a></li>
</li>
<li><a href="traffic_shaping.htm">Traffic <li><a href="traffic_shaping.htm">Traffic
Shaping/QOS</a></li> Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it
doesn't work)</a><br>
</li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li>
<li>VPN <li>VPN
<ul> <ul>
@ -281,8 +334,8 @@ Shaping/QOS</a></li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="6to4.htm">6t04</a><br> <li><a href="6to4.htm">6t04</a><br>
</li> </li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from <li><a href="VPN.htm">IPSEC/PPTP</a>
a system behind your firewall to a remote network.</li> from a system behind your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
@ -294,15 +347,11 @@ Shaping/QOS</a></li>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 5/18/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 7/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br> Eastep</font></a><br>
</p> </p>
<br> <br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

652
STABLE/documentation/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

642
STABLE/documentation/sourceforge_index.htm
View File

@ -3,47 +3,46 @@
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#3366ff">
<tbody> <tbody>
<tr> <tr>
<td width="33%" height="90" valign="middle" <td width="33%" height="90"
align="left"><a href="http://www.cityofshoreline.com"><img valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4" src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0"> border="0">
</a></td> </a></td>
<td valign="middle" width="34%" align="center"> <td valign="middle"
bgcolor="#3366ff" width="34%" align="center">
<img
src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
</td> </td>
<td valign="middle"> <td valign="top" width="33"><br>
<h1 align="center"><a href="http://www.shorewall.net"
target="_top"><br>
</a></h1>
<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
@ -57,43 +56,53 @@
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> a <a
(iptables) based firewall that can be used href="http://www.netfilter.org">Netfilter</a> (iptables)
on a dedicated firewall system, a multi-function based firewall that can be used on a dedicated
gateway/router/server or on a standalone GNU/Linux system.</p> firewall system, a multi-function gateway/router/server
or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it
under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in the This program is distributed
hope that it will be useful, but WITHOUT in the hope that it will be useful,
ANY WARRANTY; without even the implied but WITHOUT ANY WARRANTY; without
warranty of MERCHANTABILITY or FITNESS even the implied warranty of MERCHANTABILITY
FOR A PARTICULAR PURPOSE. See the GNU General or FITNESS FOR A PARTICULAR PURPOSE.
Public License for more details.<br> See the GNU General Public License for more details.<br>
<br> <br>
You should have received a copy of You should have received a
the GNU General Public License copy of the GNU General Public License
along with this program; if not, write to along with this program; if not,
the Free Software Foundation, Inc., write to the Free Software Foundation,
675 Mass Ave, Cambridge, MA 02139, USA</p> Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
@ -104,274 +113,401 @@ FOR A PARTICULAR PURPOSE. See the GNU General
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly
to your setup. If you want to use the documentation that you find here,
it is best if you uninstall what you have and install a setup that matches
the documentation on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
</li>
</ul>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely the <a
match your environment and follow the step by step instructions.<br> href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
Guide</a> that most closely match your environment and
follow the step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site
will not apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you
have and installing a setup that matches the documentation on
this site. See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.
<h2></h2>
<h2><b>News</b></h2> <h2><b>News</b></h2>
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b> </p>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column of
a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the
nat table (one for each element in the list). Shorewall now correctly creates
a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing a
"-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
<br>
</li>
<li>The message "Adding rules for DHCP" is now suppressed if there
are no DHCP rules to add.</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed entries
in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
have been removed from /etc/shorewall/shorewall.conf. These capabilities
are now automatically detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This option
may be specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
address ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other than
the first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the
outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has
been added. This extension is available in recent kernel/iptables releases
and allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not
create chains in the mangle table but will rather do all 'norfc1918'
filtering in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is
extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<br>
</li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br>
<br>
Examples:<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall.
<br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of network
and host addresses. The command can be useful if you need to construct
an efficient set of rules that accept connections from a range of network
addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash or
dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
      192.168.1.4/30<br>
      192.168.1.8/29<br>
      192.168.1.16/28<br>
      192.168.1.32/27<br>
      192.168.1.64/26<br>
      192.168.1.128/25<br>
      192.168.2.0/23<br>
      192.168.4.0/22<br>
      192.168.8.0/22<br>
      192.168.12.0/29<br>
      192.168.12.8/31<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li value="11">The "shorewall check" command now includes the chain
name when printing the applicable policy for each pair of zones.<br>
 <br>
    Example:<br>
 <br>
        Policy for dmz to net is REJECT using chain all2all<br>
 <br>
This means that the policy for connections from the dmz to the internet
is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
policy.<br>
<br>
</li>
<li>Support for the 2.6 Kernel series has been added.<br>
</li>
</ol>
<b> </b> <b> </b>
<ol>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b><b><img </ol>
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p> </b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br> <p>Problems Corrected:<br>
</p> </p>
<ol> <ol>
<li>The command "shorewall debug try &lt;directory&gt;" now correctly <li>The command "shorewall debug try &lt;directory&gt;"
traces the attempt.</li> now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones file; previously, <li>The INCLUDE directive now works properly in the
INCLUDE in that file was ignored.</li> zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second column <li>/etc/shorewall/routestopped records with an empty
are no longer ignored.<br> second column are no longer ignored.<br>
</li> </li>
</ol> </ol>
<p>New Features:<br> <p>New Features:<br>
</p> </p>
<ol> <ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may <li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
now contain a list of addresses. If the list begins with "!' then the rule rule may now contain a list of addresses. If the list begins with "!'
will take effect only if the original destination address in the connection then the rule will take effect only if the original destination address
request does not match any of the addresses listed.</li> in the connection request does not match any of the addresses listed.</li>
</ol> </ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21 kernel and
iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version is
1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21
kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org).
No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p> version 1.4.4.</p>
<p><b>5/29/2003 - Shorewall-1.4.4b</b><b> </b></p>
<p>Groan -- This version corrects a problem whereby the --log-level <p><b></b></p>
was not being set when logging via syslog. The most commonly reported symptom
was that Shorewall messages were being written to the console even though
console logging was correctly configured per <a href="FAQ.htm#faq16">FAQ
16</a>.<br>
</p>
<p><b>5/27/2003 - Shorewall-1.4.4a</b><b> </b></p>
The Fireparse --log-prefix fiasco continues. Tuomo Soini has pointed
out that the code in 1.4.4 restricts the length of short zone names to
4 characters. I've produced version 1.4.4a that restores the previous 5-character
limit by conditionally omitting the log rule number when the LOGFORMAT
doesn't contain '%d'.
<p><b>5/23/2003 - Shorewall-1.4.4</b><b> </b><b>
</b></p>
I apologize for the rapid-fire releases but since there is a potential
configuration change required to go from 1.4.3a to 1.4.4, I decided to
make it a full release rather than just a bug-fix release. <br>
<br>
<b>    Problems corrected:</b><br>
<blockquote>None.<br>
</blockquote>
<b>    New Features:<br>
</b>
<ol>
<li>A REDIRECT- rule target has been added. This target behaves
for REDIRECT in the same way as DNAT- does for DNAT in that the Netfilter
nat table REDIRECT rule is added but not the companion filter table ACCEPT
rule.<br>
<br>
</li>
<li>The LOGMARKER variable has been renamed LOGFORMAT and
has been changed to a 'printf' formatting template which accepts three
arguments (the chain name, logging rule number and the disposition). To
use LOGFORMAT with fireparse (<a href="http://www.fireparse.com">http://www.fireparse.com</a>),
set it as:<br>
 <br>
       LOGFORMAT="fp=%s:%d a=%s "<br>
 <br>
<b>CAUTION: </b>/sbin/shorewall uses the leading part of the
LOGFORMAT string (up to but not including the first '%') to find log messages
in the 'show log', 'status' and 'hits' commands. This part should not
be omitted (the LOGFORMAT should not begin with "%") and the leading part
should be sufficiently unique for /sbin/shorewall to identify Shorewall
messages.<br>
<br>
</li>
<li>When logging is specified on a DNAT[-] or REDIRECT[-]
rule, the logging now takes place in the nat table rather than in the filter
table. This way, only those connections that actually undergo DNAT or redirection
will be logged.</li>
</ol>
<p><b>5/20/2003 - Shorewall-1.4.3a</b><b> </b><b>
</b><br>
</p>
This version primarily corrects the documentation included in the
.tgz and in the .rpm. In addition: <br>
<ol> <ol>
<li>(This change is in 1.4.3 but is not documented) If
you are running iptables 1.2.7a and kernel 2.4.20, then Shorewall will
return reject replies as follows:<br>
   a) tcp - RST<br>
   b) udp - ICMP port unreachable<br>
   c) icmp - ICMP host unreachable<br>
   d) Otherwise - ICMP host prohibited<br>
If you are running earlier software, Shorewall will follow it's
traditional convention:<br>
   a) tcp - RST<br>
   b) Otherwise - ICMP port unreachable</li>
<li>UDP port 135 is now silently dropped in the common.def
chain. Remember that this chain is traversed just before a DROP or REJECT
policy is enforced.<br>
</li>
</ol> </ol>
<p><b>5/18/2003 - Shorewall 1.4.3</b><br>
</p>
    <b>Problems Corrected:<br>
</b>
<ol>
<li>There were several cases where Shorewall would fail
to remove a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback
interface have been moved to before the rule that drops status=INVALID
packets. This insures that all loopback traffic is allowed even if Netfilter
connection tracking is confused.</li>
</ol>
    <b>New Features:<br>
</b>
<ol>
<li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4
(6to4) tunnels </a>are now supported in the /etc/shorewall/tunnels
file.</li>
<li value="2">You may now change the leading portion
of the --log-prefix used by Shorewall using the LOGMARKER variable in
shorewall.conf. By default, "Shorewall:" is used.<br>
</li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks
Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p>
<p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br>
</p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p>
<blockquote> This morning, I gave <a href="GSLUG.htm"
target="_top">a Shorewall presentation to GSLUG</a>. The presentation
is in HTML format but was generated from Microsoft PowerPoint
and is best viewed using Internet Explorer (although Konqueror also
seems to work reasonably well as does Opera 7.1.0). Neither Opera
6 nor Netscape work well to view the presentation.</blockquote>
<p><b></b></p> <p><b></b></p>
<p><b></b></p>
<blockquote> <blockquote>
<ol> <ol>
</ol> </ol>
</blockquote> </blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b> <b> </b>
<p><b><a href="News.htm">More News</a></b></p> <p><b><a href="News.htm">More News</a></b></p>
<b> </b> <b> </b>
<h2><b> </b></h2> <h2><b> </b></h2>
<b> </b> <b> </b>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak </a>Jacques Nilo and Eric
have a LEAF (router/firewall/gateway Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that
Shorewall-1.3.14 and Kernel-2.4.20. You features Shorewall-1.4.2 and Kernel-2.4.20.
can find their work at: <a You can find their work at:
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques
and Eric on the recent release of Bering
1.2!!! </b><br>
<b>Congratulations to Jacques and
Eric on the recent release of Bering 1.2!!!
</b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img <h1 align="center"><b><a href="http://www.sf.net"><img
@ -383,49 +519,64 @@ on a floppy, CD or compact flash) distribution
<h4><b> </b></h4> <h4><b> </b></h4>
<b> </b> <b> </b>
<h2><b>This site is hosted by the generous folks at <a <h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2> href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b> <b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td width="88" bgcolor="#4b017c" valign="top"
align="center"> <h2><b><a name="Donations"></a>Donations</b></h2>
<b>
</b></td>
<td width="88" bgcolor="#3366ff"
valign="top" align="center">
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br> <p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong> <font color="#ffffff"><b>Note:
<font color="#ffffff">Search is unavailable Daily 0200-0330 </b></font></strong> <font
GMT.</font><br> color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
 </p>  </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1">
type="text" name="words" size="15"></font><font size="-1"> </font><font <input type="text" name="words" size="15"></font><font
face="Arial" size="-1"> <input type="hidden" name="format" size="-1"> </font><font face="Arial" size="-1"> <input
value="long"> <input type="hidden" name="method" value="and"> type="hidden" name="format" value="long"> <input
<input type="hidden" name="config" value="htdig"> <input type="hidden" name="method" value="and"> <input type="hidden"
type="submit" value="Search"></font> </p> name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><font color="#ffffff"><b> <a <p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
@ -438,6 +589,7 @@ on a floppy, CD or compact flash) distribution
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -445,9 +597,10 @@ on a floppy, CD or compact flash) distribution
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#3366ff">
<tbody> <tbody>
@ -458,6 +611,7 @@ on a floppy, CD or compact flash) distribution
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
@ -467,22 +621,26 @@ on a floppy, CD or compact flash) distribution
<p align="center"><font size="4" color="#ffffff"><br> <p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if you try it and find <font size="+2">Shorewall is free but if you
it useful, please consider making a donation try it and find it useful, please consider making a donation
to <a to
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></font></p> Children's Foundation.</font></a> Thanks!</font></font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 6/17/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
</body> </body>

54
STABLE/documentation/standalone.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -45,16 +45,16 @@
<p>Shorewall requires that you have the iproute/iproute2 package installed <p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program if this package is installed by the presence of an <b>ip</b> program on
on your firewall system. As root, you can use the 'which' command to your firewall system. As root, you can use the 'which' command to check
check for this program:</p> for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself <p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are changes.  Points at which configuration changes are recommended are flagged
flagged with <img border="0" src="images/BD21298_.gif" width="13" with <img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
.</p> .</p>
@ -68,8 +68,9 @@ disk, you must run dos2unix against the copy before using it with Shorewall.</p
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li> Version of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a
Version of dos2unix</a></li> href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul> </ul>
@ -118,11 +119,11 @@ one zone is defined:</p>
in terms of zones.</p> in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from one zone <li>You express your default policy for connections from one
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li> </a>file.</li>
<li>You define exceptions to those default policies in the <a <li>You define exceptions to those default policies in the
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
@ -133,8 +134,8 @@ one zone is defined:</p>
the request is first checked against the rules in /etc/shorewall/common the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample <p>The /etc/shorewall/policy file included with the one-interface sample has
has the following policies:</p> the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -180,8 +181,8 @@ has the following policies:</p>
<li>allow all connection requests from the firewall to the internet</li> <li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to <li>drop (ignore) all connection requests from the internet to
your firewall</li> your firewall</li>
<li>reject all other connection requests (Shorewall requires this <li>reject all other connection requests (Shorewall requires
catchall policy).</li> this catchall policy).</li>
</ol> </ol>
@ -235,8 +236,8 @@ option list. </p>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i> <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though, destination address is reserved by RFC 1918. In some cases though, ISPs
ISPs are assigning these addresses then using <i>Network Address Translation are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p> </i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
@ -285,8 +286,8 @@ ISPs are assigning these addresses then using <i>Network Address Translat
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server <p align="left">Example - You want to run a Web Server and a POP3 Server on
on your firewall system:</p> your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
@ -334,8 +335,8 @@ uses, see <a href="ports.htm">here</a>.</p>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you the internet because it uses clear text (even for login!). If you want
want shell access to your firewall from the internet, use SSH:</p> shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
@ -396,8 +397,8 @@ want shell access to your firewall from the internet, use SSH:</p>
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped, and stopped using "shorewall stop". When the firewall is stopped, routing
routing is enabled on those hosts that have an entry in <a is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter If you want to totally remove any trace of Shorewall from your Netfilter
@ -407,8 +408,8 @@ routing is enabled on those hosts that have an entry in <a
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to added an entry for the IP address that you are connected from to <a
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a and test it using the <a
@ -429,5 +430,6 @@ routing is enabled on those hosts that have an entry in <a
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

106
STABLE/documentation/standalone_fr.html
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -32,22 +32,22 @@
<p align="left"><small><i><u>Notes du traducteur</u> :<br> <p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française traduction exacte du texte, mais plutôt à en faire une version française intelligible
intelligible par tous (et par moi). Les termes techniques sont la plupart par tous (et par moi). Les termes techniques sont la plupart du temps conservés
du temps conservés sous leur forme originale et mis entre parenthèses car sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
vous pouvez les retrouver dans le reste des documentations ainsi que dans dans le reste des documentations ainsi que dans les fichiers de configuration.
les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer N?hésitez pas à me contacter afin d?améliorer ce document <a
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
(merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour
Tom EASTEP pour son formidable outil et sa disponibilité)</i><i>.</i></small></p> son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall (écluse) <p align="left">Mettre en place un système Linux en tant que firewall (écluse)
pour un petit réseau est une chose assez simple, si vous comprenez les bases pour un petit réseau est une chose assez simple, si vous comprenez les bases
et suivez la documentation.</p> et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se <p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
focalise sur ce qui est nécessaire pour configurer Shorewall, dans son utilisation se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
la plus courante :</p> utilisation la plus courante :</p>
<ul> <ul>
<li>Un système Linux</li> <li>Un système Linux</li>
@ -57,33 +57,33 @@ rtc...</li>
</ul> </ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
pouvez voir si le paquet est installé en vérifiant la présence du programme Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which' ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p> pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour <p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant vous familiariser avec ce qu'il va se passer, et de revenir au début en
le changements dans votre configuration. Les points, où les changements dans effectuant le changements dans votre configuration. Les points, où les changements
la configuration sont recommandées, sont signalés par une <img dans la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13"> border="0" src="images/BD21298_.gif" width="13" height="13">
.</p> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette devez les sauver comme des fichiers Unix si votre éditeur supporte cette
option sinon vous devez les faire passer par dos2unix avant d'essayer de option sinon vous devez les faire passer par dos2unix avant d'essayer de les
les utiliser. De la même manière, si vous copiez un fichier de configuration utiliser. De la même manière, si vous copiez un fichier de configuration depuis
depuis votre disque dur Windows vers une disquette, vous devez lancer dos2unix votre disque dur Windows vers une disquette, vous devez lancer dos2unix sur
sur la copie avant de l'utiliser avec Shorewall.</p> la copie avant de l'utiliser avec Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
of dos2unix</a></li> Version of dos2unix</a></li>
</ul> </ul>
@ -101,12 +101,12 @@ un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shor
installés lors de l'installation de Shorewall)</b>.</p> installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux <p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
physiquement présents sur votre système -- chacun des fichiers contient des physiquement présents sur votre système -- chacun des fichiers contient
instructions de configuration détaillées et des entrées par défaut.</p> des instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de <p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique interface, <i>zones.</i> Dans les fichiers de configuration fournis pour une unique
une seule zone est définie :</p> interface, une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
@ -126,8 +126,8 @@ une seule zone est d
<p>Les zones de Shorewall sont définies dans <a <p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p> href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone - <p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p> - par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées <p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p> en utilisant les termes de zones.</p>
@ -143,10 +143,11 @@ dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules. demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première politique Si aucune des règles dans ce fichier ne correspondent, alors la première
dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues politique est REJECT ou DROP la requête est alors comparée par rapport aux
dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p> règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface <p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p> a les politiques suivantes :</p>
@ -210,8 +211,8 @@ que vous d
<h2 align="left">Interface Externe</h2> <h2 align="left">Interface Externe</h2>
<p align="left">Le firewall possède une seule interface réseau. Lorsque la <p align="left">Le firewall possède une seule interface réseau. Lorsque la
connexion Internet passe par un modem câble ou par un routeur ADSL (pas un connexion Internet passe par un modem câble ou par un routeur ADSL (pas
simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur un simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i> par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
(PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP) (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
@ -247,8 +248,8 @@ de la liste d'option. </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée (<i>Private</i>IP) <p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
pour l'utilisation dans des réseaux privés :</p> (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -309,8 +310,8 @@ vers votre firewall, le format g
</div> </div>
<div align="left"> <div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un serveur <p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
POP3 sur votre système de firewall :</p> serveur POP3 sur votre système de firewall :</p>
</div> </div>
<div align="left"> <div align="left">
@ -362,9 +363,9 @@ particuli
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le <p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
telnet depuis ou vers l'Internet car il utilise du texte en clair (même pour telnet depuis ou vers l'Internet car il utilise du texte en clair (même
le login et le mot de passe !). Si vous voulez avoir un accès au shell de pour le login et le mot de passe !). Si vous voulez avoir un accès au shell
votre firewall depuis Internet, utilisez SSH :</p> de votre firewall depuis Internet, utilisez SSH :</p>
</div> </div>
<div align="left"> <div align="left">
@ -424,26 +425,26 @@ la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br> en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br> des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p> </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Le firewall est activé en utilisant la commande "shorewall <p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
routage est autorisé sur les hôtes qui possèdent une entrée dans <a le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall qui tourne peut être relancé en utilisant la commande "shorewall firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration restart". Si vous voulez enlever toutes traces de Shorewall sur votre
de Netfilter, utilisez "shorewall clear".</p> configuration de Netfilter, utilisez "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall depuis <p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart"; De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i> href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
@ -465,5 +466,6 @@ M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

171
STABLE/documentation/starting_and_stopping_shorewall.htm
View File

@ -14,32 +14,20 @@
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1> the Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> If you have a permanent internet connection such as DSL or Cable, <p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. I recommend that you start the firewall automatically at boot.
Once you have installed "firewall" in your init.d directory, simply Once you have installed "firewall" in your init.d directory, simply
@ -49,13 +37,6 @@ to configure your firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p> your favorite graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br> <p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p> </p>
@ -66,21 +47,16 @@ configured your firewall, you can enable startup by removing the file
edit /etc/default/shorewall and set 'startup=1'.<br> edit /etc/default/shorewall and set 'startup=1'.<br>
</li> </li>
<li>If you use dialup, you may want to start the firewall <li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
"shorewall restart" in that script.</li> restart" in that script.</li>
</ol> </ol>
<p> <p> </p>
</p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall" <p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p> shell program: </p>
<ul> <ul>
<li>shorewall start - starts the firewall</li> <li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li> <li>shorewall stop - stops the firewall</li>
@ -90,21 +66,18 @@ edit /etc/default/shorewall and set 'startup=1'.<br>
in the firewall</li> in the firewall</li>
<li>shorewall clear - remove all rules and chains <li>shorewall clear - remove all rules and chains
installed by Shoreline Firewall</li> installed by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast <li>shorewall refresh - refresh the rules involving the
addresses of firewall interfaces, <a broadcast addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li> href="ECN.html">ECN control rules</a>.</li>
</ul> </ul>
If you include the keyword <i>debug</i> as the first argument, then If you include the keyword <i>debug</i> as the first argument,
a shell trace of the command is produced as in:<br> then a shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre> <pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the trace <p>The above command would trace the 'start' command and place the trace
information in the file /tmp/trace<br> information in the file /tmp/trace<br>
</p> </p>
@ -115,65 +88,79 @@ information in the file /tmp/trace<br>
<p>The "shorewall" program may also be used to monitor the firewall.</p> <p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul> <ul>
<li>shorewall status - produce a verbose report about the <li>shorewall status - produce a verbose report about the
firewall (iptables -L -n -v)</li> firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report <li>shorewall show <i>chain</i> - produce a verbose report
about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li> about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the <li>shorewall show nat - produce a verbose report about
nat table (iptables -t nat -L -n -v)</li> the nat table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the <li>shorewall show tos - produce a verbose report about
mangle table (iptables -t mangle -L -n -v)</li> the mangle table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li> <li>shorewall show log - display the last 20 packet log
entries.</li>
<li>shorewall show connections - displays the IP connections <li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li> currently being tracked by the firewall.</li>
<li>shorewall <li>shorewall
show show tc - displays
tc - displays
information about the traffic control/shaping configuration.</li> information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the <li>shorewall monitor [ delay ] - Continuously display
firewall status, last 20 log entries and nat. When the log the firewall status, last 20 log entries and nat. When the
entry display changes, an audible alarm is sounded.</li> log entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall <li>shorewall hits - Produces several reports about the
packet log messages in the current /var/log/messages file.</li> Shorewall packet log messages in the current /var/log/messages
file.</li>
<li>shorewall version - Displays the installed version <li>shorewall version - Displays the installed version
number.</li> number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the <li>shorewall check - Performs a <u>cursory</u> validation of
zones, interfaces, hosts, rules and policy files.<br> the zones, interfaces, hosts, rules and policy files.<br>
<br> <br>
<font size="4" color="#ff6666"><b>The "check" command is totally unsuppored <font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
and does not parse and validate the generated iptables commands. Even and does not parse and validate the generated iptables commands.
though the "check" command completes successfully, the configuration Even though the "check" command completes successfully, the configuration
may fail to start. Problem reports that complain about errors that the 'check' may fail to start. Problem reports that complain about errors that the 'check'
command does not detect will not be accepted.<br> command does not detect will not be accepted.<br>
<br> <br>
See the recommended way to make configuration changes described below.</b></font><br> See the recommended way to make configuration changes described
below.</b></font><br>
<br> <br>
</li> </li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if an ] - Restart shorewall using the specified configuration and if
error occurs or if the<i> timeout </i> option is given and the new an error occurs or if the<i> timeout </i> option is given and the new
configuration has been up for that many seconds then shorewall is configuration has been up for that many seconds then shorewall is
restarted using the standard configuration.</li> restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and <li>shorewall deny, shorewall reject, shorewall accept
shorewall save implement <a href="blacklisting_support.htm">dynamic and shorewall save implement <a
blacklisting</a>.</li> href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors <li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm when the <a href="#Conf">LOGFILE </a>and produces an audible alarm
new Shorewall messages are logged.</li> when new Shorewall messages are logged.</li>
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of commands
the contents of a zone.<br> for dealing with IP addresses and IP address ranges:<br>
<ul>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ] - displays
the network address, broadcast address, network in CIDR notation and netmask
corresponding to the input[s].</li>
<li>shorewall iprange <i>address1-address2</i> - Decomposes the specified
range of IP addresses into the equivalent list of network/host addresses.
<br>
</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
<ul> <ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified Adds the specified interface (and host if included) to the specified
zone.</li> zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone
Deletes the specified interface (and host if included) from the specified </i>- Deletes the specified interface (and host if included) from
zone.</li> the specified zone.</li>
</ul> </ul>
@ -187,80 +174,51 @@ from zone vpn1<br>
</blockquote> </blockquote>
</blockquote> </blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and <p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and
<b>shorewall try </b>commands allow you to specify which <a <b>shorewall try </b>commands allow you to specify which <a
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a> href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p> to use:</p>
<blockquote> <blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br> <p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p> shorewall try <i>configuration-directory</i></p>
</blockquote> </blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall <p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the is going to use a file in /etc/shorewall it will first look in the
<i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>, <i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will be that file will be used; otherwise, the file in /etc/shorewall will
used.</p> be used.</p>
<p> When changing the configuration of a production firewall, I recommend <p> When changing the configuration of a production firewall, I recommend
the following:</p> the following:</p>
<ul> <ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li> <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li> <li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change
<li>&lt;copy any files that you need to change from from /etc/shorewall to . and change them here&gt;</li>
/etc/shorewall to . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li> <li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li> <li>&lt;correct any errors found by check and check again&gt;</li>
<li><font
color="#009900"><b>/sbin/shorewall try .</b></font></li>
<li><font color="#009900"><b>/sbin/shorewall
try .</b></font></li>
</ul> </ul>
<p> If the configuration starts but doesn't work, just "shorewall restart" <p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to restore the old configuration. If the new configuration fails
to start, the "try" command will automatically start the old one for to start, the "try" command will automatically start the old one for
you.</p> you.</p>
<p> When the new configuration works then just </p> <p> When the new configuration works then just </p>
<ul> <ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li> <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li> <li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li> <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul> </ul>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br> <p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
</p> </p>
@ -272,9 +230,10 @@ you.</p>
<p>  <br> <p>  <br>
</p> </p>
You will note that the commands that result in state transitions You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the actual use the word "firewall" rather than "shorewall". That is because the
transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall actual transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
on Debian); /sbin/shorewall runs 'firewall" according to the following table:<br> on Debian); /sbin/shorewall runs 'firewall" according to the following
table:<br>
<br> <br>
<table cellpadding="2" cellspacing="2" border="1"> <table cellpadding="2" cellspacing="2" border="1">
@ -328,14 +287,14 @@ use the word "firewall" rather than "shorewall". That is because the actual
</table> </table>
<br> <br>
<p><font size="2"> Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 7/6/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

181
STABLE/documentation/support.htm
View File

@ -12,15 +12,17 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td
width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
@ -29,12 +31,12 @@
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There
are a number of sources of Shorewall information. Please try these There are a number of sources of Shorewall information. Please
before you post. try these before you post.
<ul> <ul>
<li>Shorewall versions earlier <li>Shorewall versions
that 1.3.0 are no longer supported.<br> earlier that 1.3.0 are no longer supported.<br>
</li> </li>
<li>More than half of the questions posted on the support <li>More than half of the questions posted on the support
list have answers directly accessible from the <a list have answers directly accessible from the <a
@ -42,18 +44,20 @@
Index</a><br> Index</a><br>
</li> </li>
<li> <li>
The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a>
solutions to more than 20 common problems. </li> has solutions to more than 20 common problems.
<li> The </li>
<a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> <li>
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to Information contains a number of tips to
help you solve common problems. </li> help you solve common problems. </li>
<li> The <li>
<a href="http://www.shorewall.net/errata.htm"> Errata</a> has links The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
to download updated components. </li> has links to download updated components. </li>
<li> The <li>
Site and Mailing List Archives search facility can locate The Site and Mailing List Archives search facility can
documents and posts about similar problems: </li> locate documents and posts about similar problems:
</li>
</ul> </ul>
@ -63,6 +67,7 @@ help you solve common problems. </li>
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match: action="http://lists.shorewall.net/cgi-bin/htsearch"> <font size="-1"> Match:
<select name="method"> <select name="method">
<option value="and">All </option> <option value="and">All </option>
<option value="or">Any </option> <option value="or">Any </option>
@ -93,8 +98,8 @@ help you solve common problems. </li>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option> <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select> </select>
</font><br> </font><br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30"
value=""> <input type="submit" value="Search"><br> name="words" value=""> <input type="submit" value="Search"><br>
</form> </form>
</blockquote> </blockquote>
@ -102,34 +107,34 @@ help you solve common problems. </li>
</h2> </h2>
<ul> <ul>
<li>Please remember we only know <li>Please remember we only
what is posted in your message. Do not leave out any information know what is posted in your message. Do not leave out any
that appears to be correct, or was mentioned in a previous information that appears to be correct, or was mentioned
post. There have been countless posts by people who were sure in a previous post. There have been countless posts by people
that some part of their configuration was correct when it actually who were sure that some part of their configuration was correct
contained a small error. We tend to be skeptics where detail when it actually contained a small error. We tend to be skeptics
is lacking.<br> where detail is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're <li>Please keep in mind that
asking for <strong>free</strong> technical support. you're asking for <strong>free</strong> technical
Any help we offer is an act of generosity, not an obligation. support. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that practices in writing and formatting your e-mail. Provide details
we need if you expect good answers. <em>Exact quoting </em> of that we need if you expect good answers. <em>Exact quoting </em>
error messages, log entries, command output, and other output is better of error messages, log entries, command output, and other output is
than a paraphrase or summary.<br> better than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> <li>
Please don't describe your environment and then ask Please don't describe your environment and then
us to send you custom configuration files. We're ask us to send you custom configuration files.
here to answer your questions but we can't do We're here to answer your questions but we can't
your job for you.<br> do your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> <li>When reporting a problem,
include this information:</li> <strong>ALWAYS</strong> include this information:</li>
</ul> </ul>
@ -139,21 +144,15 @@ your job for you.<br>
<li>the exact version of Shorewall <li>the exact version of Shorewall
you are running.<br> you are running.<br>
<br> <br>
<b><font color="#009900">shorewall <b><font
version</font><br> color="#009900">shorewall version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you
are running<br>
<br>
<font color="#009900"><b>uname
-a<br>
<br>
</b></font></li>
</ul> </ul>
@ -174,17 +173,11 @@ of<br>
<br> <br>
<font color="#009900"><b>ip <font color="#009900"><b>ip
route show<br> route show<br>
<br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized,
the exact output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
</li>
</ul> </ul>
@ -194,17 +187,20 @@ route show<br>
<ul> <ul>
<ul> <ul>
<li><font color="#ff0000"><u><i><big><b>If you are having <li><big><font color="#ff0000"><u><i><big><b>THIS IS
connection problems of any kind then:</b></big></i></u></font><br> IMPORTANT!</b></big></i></u></font><big><big><big> </big>If your problem is
that some type of connection to/from or through your firewall isn't working
then please perform the following four steps:</big></big></big><br>
<br> <br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br> 1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
<br> <br>
2. Try the connection that is failing.<br> 2. Try making the connection that is failing.<br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall status 3.<b><font color="#009900"> /sbin/shorewall
&gt; /tmp/status.txt</font></b><br> status &gt; /tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment
(you may compress it if you like).<br>
<br> <br>
</li> </li>
<li>the exact wording of any <code <li>the exact wording of any <code
@ -222,19 +218,19 @@ route show<br>
</ul> </ul>
<li>As a general matter, please <strong>do not edit the diagnostic <li>As a general matter, please <strong>do not edit the
information</strong> in an attempt to conceal your IP address, diagnostic information</strong> in an attempt to conceal
netmask, nameserver addresses, domain name, etc. These aren't your IP address, netmask, nameserver addresses, domain name,
secrets, and concealing them often misleads us (and 80% of the time, etc. These aren't secrets, and concealing them often misleads us
a hacker could derive them anyway from information contained (and 80% of the time, a hacker could derive them anyway from
in the SMTP headers of your post).<br> information contained in the SMTP headers of your post).<br>
<br> <br>
<strong></strong></li> <strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font <li>Do you see any "Shorewall" messages
color="#009900">/sbin/shorewall show log</font></b>") when ("<b><font color="#009900">/sbin/shorewall show log</font></b>")
you exercise the function that is giving you problems? If when you exercise the function that is giving you problems?
so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces If so, include the message(s) in your post along with a copy of
file.<br> your /etc/shorewall/interfaces file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration <li>Please include any of the Shorewall configuration
@ -245,15 +241,17 @@ so, include the message(s) in your post along with a copy of your /etc/sh
one also knows the policies).<br> one also knows the policies).<br>
<br> <br>
</li> </li>
<li>If an error occurs when you try to "<font <li>If an error occurs when you try
color="#009900"><b>shorewall start</b></font>", include a trace to "<font color="#009900"><b>shorewall start</b></font>", include
(See the <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a> a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br> section for instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb so don't <li><b>The list server limits posts to 120kb
post GIFs of your network layout, etc. so don't post GIFs of your network
to the Mailing List -- your post will be rejected.</b></li> layout, etc. to the Mailing List -- your post will be
rejected.</b></li>
</ul> </ul>
@ -270,8 +268,8 @@ rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br> my policy to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML I think that blocking all
is a Draconian way to control spam and that the ultimate HTML is a Draconian way to control spam and that the ultimate
losers here are not the spammers but the list subscribers losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need subscriber wrote to me privately "These e-mail admin's need
@ -282,12 +280,13 @@ subscribers to receive list posts as must as possible, I have now
outgoing posts.<br> outgoing posts.<br>
<br> <br>
<big><font color="#cc0000"><b>If you run your own outgoing mail server <big><font color="#cc0000"><b>If you run your own outgoing mail server
and it doesn't have a valid DNS PTR record, your email won't reach the lists and it doesn't have a valid DNS PTR record, your email won't reach the
unless/until the postmaster notices that your posts are being rejected. To lists unless/until the postmaster notices that your posts are being rejected.
avoid this problem, you should configure your MTA to forward posts to shorewall.net To avoid this problem, you should configure your MTA to forward posts to
through an MTA that <u>does</u> have a valid PTR record (such as the one shorewall.net through an MTA that <u>does</u> have a valid PTR record (such
at your ISP). </b></font></big><br> as the one at your ISP). </b></font></big><br>
</blockquote> </blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
@ -301,14 +300,9 @@ MandrakeSoft Multi Network Firewall (MNF) and you have
not purchased an MNF license from MandrakeSoft then you can not purchased an MNF license from MandrakeSoft then you can
post non MNF-specific Shorewall questions to the </b><a post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>. <b>Do not expect to get free MNF support on the list.</b><br> list</a>. <b>Do not expect to get free MNF support on the list</b>
<p>If you have a question, you may post it on the <a <p>Otherwise, please post your question or problem to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Forum</a>:
<font color="#ff6666"><b>DO NOT USE THE FORUM FOR REPORTING PROBLEMS OR
ASKING FOR HELP WITH PROBLEMS.<br>
</b></font><br>
Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a> .</p> list</a> .</p>
@ -322,10 +316,11 @@ ASKING FOR HELP WITH PROBLEMS.<br>
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br> href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 6/14/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 7/9/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
</body> </body>
</html> </html>

176
STABLE/documentation/three-interface.htm
View File

@ -16,10 +16,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber5" bgcolor="#400169" height="90"> id="AutoNumber5" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1> <h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
</td> </td>
</tr> </tr>
@ -55,28 +56,28 @@ Relay, dial-up, ...</li>
<p>Shorewall requires that you have the iproute/iproute2 package installed <p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> program tell if this package is installed by the presence of an <b>ip</b>
on your firewall system. As root, you can use the 'which' command program on your firewall system. As root, you can use the 'which' command
to check for this program:</p> to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself <p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended are changes. Points at which configuration changes are recommended
flagged with <img border="0" src="images/BD21298_.gif" width="13" are flagged with <img border="0" src="images/BD21298_.gif"
height="13"> width="13" height="13">
. Configuration notes that are unique to LEAF/Bering are marked with <img . Configuration notes that are unique to LEAF/Bering are marked with <img
src="images/leaflogo.gif" alt="(LEAF Logo)" width="49" height="36"> src="images/leaflogo.gif" alt="(LEAF Logo)" width="49" height="36">
</p> </p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system,     If you edit your configuration files on a Windows
you must save them as Unix files if your editor supports that option system, you must save them as Unix files if your editor supports
or you must run them through dos2unix before trying to use them. Similarly, that option or you must run them through dos2unix before trying to
if you copy a configuration file from your Windows hard drive to a use them. Similarly, if you copy a configuration file from your Windows
floppy disk, you must run dos2unix against the copy before using it with hard drive to a floppy disk, you must run dos2unix against the copy before
Shorewall.</p> using it with Shorewall.</p>
<ul> <ul>
<li><a <li><a
@ -92,9 +93,9 @@ Shorewall.</p>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the
/etc/shorewall -- for simple setups, you will only need to deal with directory /etc/shorewall -- for simple setups, you will only need to
a few of these as described in this guide. After you have <a deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/Samples/">three-interface href="http://www.shorewall.net/pub/shorewall/Samples/">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
@ -141,11 +142,11 @@ instructions and default entries.</p>
in terms of zones.</p> in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from <li>You express your default policy for connections
one zone to another zone in the<a from one zone to another zone in the<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li> href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in <li>You define exceptions to those default policies
the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
@ -228,10 +229,11 @@ instructions and default entries.</p>
<ol> <ol>
<li>allow all connection requests from your local network <li>allow all connection requests from your local network
to the internet</li> to the internet</li>
<li>drop (ignore) all connection requests from the internet <li>drop (ignore) all connection requests from the
to your firewall or local network</li> internet to your firewall or local network</li>
<li>optionally accept all connection requests from the <li>optionally accept all connection requests from
firewall to the internet (if you uncomment the additional policy)</li> the firewall to the internet (if you uncomment the additional
policy)</li>
<li>reject all other connection requests.</li> <li>reject all other connection requests.</li>
</ol> </ol>
@ -247,9 +249,9 @@ and make any changes that you wish.</p>
</p> </p>
<p align="left">The firewall has three network interfaces. Where Internet <p align="left">The firewall has three network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External
will be the ethernet adapter that is connected to that "Modem" (e.g., Interface</i> will be the ethernet adapter that is connected to that
<b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint "Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External <u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
@ -270,25 +272,25 @@ the computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter <p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your (eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you have DMZ computers will be connected to the same switch (note: If you
only a single DMZ system, you can connect the firewall directly to the have only a single DMZ system, you can connect the firewall directly
computer using a <i>cross-over </i> cable).</p> to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
</b></u>Do not connect more than one interface to the same </b></u>Do not connect more than one interface to the
hub or switch (even for testing). It won't work the way that you expect same hub or switch (even for testing). It won't work the way that
it to and you will end up confused and believing that Shorewall doesn't you expect it to and you will end up confused and believing that Shorewall
work at all.</p> doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    The Shorewall three-interface sample configuration assumes     The Shorewall three-interface sample configuration
that the external interface is <b>eth0, </b>the local interface is assumes that the external interface is <b>eth0, </b>the local interface
<b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration is <b>eth1 </b>and the DMZ interface is <b> eth2</b>. If your configuration
is different, you will have to modify the sample /etc/shorewall/interfaces is different, you will have to modify the sample /etc/shorewall/interfaces
file accordingly. While you are there, you may wish to review the list file accordingly. While you are there, you may wish to review the
of options that are specified for the interfaces. Some hints:</p> list of options that are specified for the interfaces. Some hints:</p>
<ul> <ul>
<li> <li>
@ -316,8 +318,9 @@ IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address to use that address permanently.<i> </i>Regardless of how the address
is assigned, it will be shared by all of your systems when you access is assigned, it will be shared by all of your systems when you access
the Internet. You will have to assign your own addresses for your internal the Internet. You will have to assign your own addresses for your internal
network (the local and DMZ Interfaces on your firewall plus your other computers). network (the local and DMZ Interfaces on your firewall plus your other
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p> computers). RFC 1918 reserves several <i>Private </i>IP address ranges
for this purpose:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -336,14 +339,14 @@ IP address of your external interface and if it is one of the above
<p align="left">You will want to assign your local addresses from one <i> <p align="left">You will want to assign your local addresses from one <i>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists of subnet. For our purposes, we can consider a subnet to consists of
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have a a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have
<i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR)</a> notation with consists of the subnet address followed </i>(CIDR)</a> notation with consists of the subnet address followed
by "/24". The "24" refers to the number of consecutive "1" bits from by "/24". The "24" refers to the number of consecutive "1" bits
the left of the subnet mask. </p> from the left of the subnet mask. </p>
</div> </div>
<div align="left"> <div align="left">
@ -393,11 +396,12 @@ IP address of your external interface and if it is one of the above
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    Your local computers (Local Computers 1 &amp; 2)     Your local computers (Local Computers 1 &amp;
should be configured with their<i> default gateway</i> set to the 2) should be configured with their<i> default gateway</i> set
IP address of the firewall's internal interface and your DMZ computers to the IP address of the firewall's internal interface and your
( DMZ Computers 1 &amp; 2) should be configured with their default DMZ computers ( DMZ Computers 1 &amp; 2) should be configured with
gateway set to the IP address of the firewall's DMZ interface.   </p> their default gateway set to the IP address of the firewall's DMZ
interface.   </p>
</div> </div>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
@ -430,9 +434,9 @@ then you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When one forward packets which have an RFC-1918 destination address. When
of your local systems (let's assume local computer 1) sends a connection one of your local systems (let's assume local computer 1) sends a
request to an internet host, the firewall must perform <i>Network connection request to an internet host, the firewall must perform <i>Network
Address Translation </i>(NAT). The firewall rewrites the source address Address Translation </i>(NAT). The firewall rewrites the source address
in the packet to be the address of the firewall's external interface; in the packet to be the address of the firewall's external interface;
in other words, the firewall makes it look as if the firewall itself in other words, the firewall makes it look as if the firewall itself
@ -489,7 +493,7 @@ change them appropriately:<br>
</p> </p>
<ul> <ul>
<li>NAT_ENABLED=Yes</li> <li>NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)</li>
<li>IP_FORWARDING=On<br> <li>IP_FORWARDING=On<br>
</li> </li>
@ -501,10 +505,10 @@ change them appropriately:<br>
DMZ computers. Because these computers have RFC-1918 addresses, it DMZ computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their connection them. It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to the requests to your firewall who rewrites the destination address to
address of your server and forwards the packet to that server. When your the address of your server and forwards the packet to that server.
server responds, the firewall automatically performs SNAT to rewrite When your server responds, the firewall automatically performs SNAT
the source address in the response.</p> to rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i> <p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure Destination Network Address Translation</i> (DNAT). You configure
@ -588,10 +592,10 @@ the same as <i>&lt;port&gt;</i>.</p>
<ul> <ul>
<li>When you are connecting to your server from your <li>When you are connecting to your server from your
local systems, you must use the server's internal IP address (10.10.11.2).</li> local systems, you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to port <li>Many ISPs block incoming connection requests to
80. If you have problems connecting to your web server, try the port 80. If you have problems connecting to your web server, try
following rule and try connecting to port 5000 (e.g., connect to the following rule and try connecting to port 5000 (e.g., connect
<a href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z to <a href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z
is your external IP).</li> is your external IP).</li>
</ul> </ul>
@ -699,8 +703,8 @@ can replace the loc-&gt;dmz rule above with:</p>
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p> address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
    At this point, add the DNAT and ACCEPT rules for your     At this point, add the DNAT and ACCEPT rules for
servers. </p> your servers. </p>
<h2 align="left">Domain Name Server (DNS)</h2> <h2 align="left">Domain Name Server (DNS)</h2>
@ -710,8 +714,8 @@ address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
will be written). Alternatively, your ISP may have given you the IP will be written). Alternatively, your ISP may have given you the IP
address of a pair of DNS <i> name servers</i> for you to manually configure address of a pair of DNS <i> name servers</i> for you to manually configure
as your primary and secondary name servers. It is <u>your</u> responsibility as your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one to configure the resolver in your internal systems. You can take
of two approaches:</p> one of two approaches:</p>
<ul> <ul>
<li> <li>
@ -726,23 +730,24 @@ as your primary and secondary name servers. It is <u>your</u> responsibili
<li> <li>
<p align="left"><img border="0" src="images/BD21298_2.gif" <p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13"> width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your     You can configure a<i> Caching Name Server </i>on
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching your firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching
name server (which also requires the 'bind' RPM) and for Bering users, name server (which also requires the 'bind' RPM) and for Bering
there is dnscache.lrp. If you take this approach, you configure your users, there is dnscache.lrp. If you take this approach, you configure
internal systems to use the caching name server as their primary (and your internal systems to use the caching name server as their primary
only) name server. You use the internal IP address of the firewall (10.10.10.254 (and only) name server. You use the internal IP address of the firewall
in the example above) for the name server address if you choose to (10.10.10.254 in the example above) for the name server address if
run the name server on your firewall. To allow your local systems to you choose to run the name server on your firewall. To allow your local
talk to your caching name server, you must open port 53 (both UDP systems to talk to your caching name server, you must open port 53
and TCP) from the local network to the server; you do that by adding (both UDP and TCP) from the local network to the server; you do that
the rules in /etc/shorewall/rules. </p> by adding the rules in /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<p align="left">If you run the name server on the firewall: <p align="left">If you run the name server on the firewall:
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
@ -1045,8 +1050,8 @@ allowing all connections from the firewall to the internet.</p>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you the internet because it uses clear text (even for login!). If
want shell access to your firewall from the internet, use SSH:</p> you want shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
@ -1171,10 +1176,10 @@ you have completed configuration of your firewall, you can enable Shorewall
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
    The three-interface sample assumes that you want to     The three-interface sample assumes that you want to
enable routing to/from <b>eth1 (</b>your local network) and<b> eth2 enable routing to/from <b>eth1 (</b>your local network) and<b>
</b>(DMZ) when Shorewall is stopped. If these two interfaces don't eth2 </b>(DMZ) when Shorewall is stopped. If these two interfaces
connect to your local network and DMZ or if you want to enable a don't connect to your local network and DMZ or if you want to enable
different set of hosts, modify /etc/shorewall/routestopped accordingly.</p> a different set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1182,17 +1187,18 @@ different set of hosts, modify /etc/shorewall/routestopped accordingly.
the internet, do not issue a "shorewall stop" command unless you the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to
an <i><a href="configuration_file_basics.htm#Configs">alternate create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 5/19/2003 - <a <p align="left"><font size="2">Last updated 6/27/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a><br> Thomas M. Eastep</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>

279
STABLE/documentation/three-interface_fr.html
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber5" bgcolor="#400169" height="90"> id="AutoNumber5" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -42,21 +42,21 @@ ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p> Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p>
<p align="left"><br> <p align="left"><br>
Mettre en place un système linux en tant que firewall pour un petit réseau Mettre en place un système linux en tant que firewall pour un petit
contenant une DMZ est une chose assez simple à réaliser si vous comprenez réseau contenant une DMZ est une chose assez simple à réaliser si vous
les bases et suivez cette documentation.</p> comprenez les bases et suivez cette documentation.</p>
<p>Ce guide ne prétend pas vous mettre au courant de toutes les possibilités <p>Ce guide ne prétend pas vous mettre au courant de toutes les possibilités
de Shorewall. Il se focalise sur les besoins pour configurer Shorewall dans de Shorewall. Il se focalise sur les besoins pour configurer Shorewall
une de ses utilisations les plus populaire :</p> dans une de ses utilisations les plus populaire :</p>
<ul> <ul>
<li>Un système Linux utilisé en tant que firewall/routeur pour un petit <li>Un système Linux utilisé en tant que firewall/routeur pour un
réseau local.</li> petit réseau local.</li>
<li>Une seule adresse IP publique.</li> <li>Une seule adresse IP publique.</li>
<li>Une DMZ connectée sur une interface Ethernet séparée.</li> <li>Une DMZ connectée sur une interface Ethernet séparée.</li>
<li>Une connexion passant par l'ADSL, un Modem Câble, ISDN, Frame Relay, <li>Une connexion passant par l'ADSL, un Modem Câble, ISDN, Frame
RTC, ...</li> Relay, RTC, ...</li>
</ul> </ul>
@ -66,17 +66,17 @@ Tom EASTEP pour son formidable outil et sa disponibilit
height="635"> height="635">
</p> </p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
pouvez voir si le paquet est installé en vérifiant la présence du programme Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which' ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p> pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour <p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant vous familiariser avec ce qu'il va se passer, et de revenir au début en
le changements dans votre configuration. Les points où, les changements dans effectuant le changements dans votre configuration. Les points où, les changements
la configuration sont recommandées, sont signalés par une <img dans la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13"> border="0" src="images/BD21298_.gif" width="13" height="13">
</p> </p>
@ -144,8 +144,8 @@ Shorewall)</b>.</p>
<p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p> <p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone - <p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p> - par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées <p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p> en utilisant les termes de zones.</p>
@ -154,18 +154,18 @@ par d
<li>Vous exprimez les politiques par défaut pour les connexions d'une <li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li> </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut <li>Vous définissez les exceptions à ces règles de politiques par
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul> </ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les <p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules. demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique dans /etc/shorewall/policy qui y correspond est appliquée. Si
politique est REJECT ou DROP la requête est alors comparée par rapport aux cette politique est REJECT ou DROP la requête est alors comparée par rapport
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit aux règles contenues dans /etc/shorewall/common (l'archive d'exemple vous
ce fichier).</p> fournit ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface <p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
sample a les politiques suivantes :</p> sample a les politiques suivantes :</p>
@ -268,10 +268,10 @@ l'Internet</li>
(non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur (non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous
connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de Protocol (PPTP), dans ce cas l'interface extérieure sera une interface
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC), de type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC),
votre interface extérieure sera aussi ppp0. Si votre connexion passe par Numéris votre interface extérieure sera aussi ppp0. Si votre connexion passe par
(ISDN), votre interface extérieure sera ippp0<b>.</b></p> Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
@ -279,31 +279,31 @@ votre interface ext
CLAMPMSS=yes dans <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p> CLAMPMSS=yes dans <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Votre <i>Interface locale</i> sera un adaptateur Ethernet <p align="left">Votre <i>Interface locale</i> sera un adaptateur Ethernet
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs (eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos
locaux seront connectés à ce même switch (note : si vous n'avez qu'un seul ordinateurs locaux seront connectés à ce même switch (note : si vous n'avez
ordinateur en local, vous pouvez le connecter directement au firewall par qu'un seul ordinateur en local, vous pouvez le connecter directement au
un <i>câble croisé</i>).</p> firewall par un <i>câble croisé</i>).</p>
<p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur Ethernet <p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur Ethernet
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs (eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
appartenant à la DMZ seront connectés à ce même switch (note : si vous n'avez appartenant à la DMZ seront connectés à ce même switch (note : si vous
qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement au n'avez qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement
firewall par un <i>câble croisé</i>).</p> au firewall par un <i>câble croisé</i>).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
</b></u> Ne connectez pas l'interface interne et externe sur le même hub </b></u> Ne connectez pas l'interface interne et externe sur le même
ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez pas que hub ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez
ce soit shorewall qui ne marche pas.</p> pas que ce soit shorewall qui ne marche pas.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
L'exemple de configuration de Shorewall pour trois interfaces suppose L'exemple de configuration de Shorewall pour trois interfaces suppose
que l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b> que l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1
et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère, </b> et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence. diffère, vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces
Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont en conséquence. Tant que vous y êtes, vous pourriez parcourir la liste des
spécifiées pour les interfaces. Quelques trucs :</p> options qui sont spécifiées pour les interfaces. Quelques trucs :</p>
<ul> <ul>
<li> <li>
@ -311,9 +311,9 @@ et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diff
remplacer le "detect" dans la seconde colonne par un "-". </p> remplacer le "detect" dans la seconde colonne par un "-". </p>
</li> </li>
<li> <li>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien si <p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien
vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la liste si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la
d'option. </p> liste d'option. </p>
</li> </li>
</ul> </ul>
@ -324,15 +324,16 @@ d'option. </p>
sujet du Protocole d'adresse Internet (IP). Normalement, votre fournisseur sujet du Protocole d'adresse Internet (IP). Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single Public IP address). Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
Cette adresse peut être assignée par le Dynamic Host Configuration Protocol Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
(DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez (DHCP) ou lors de l'établissement de votre connexion lorsque vous vous
(modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre connectez (modem standard) ou établissez votre connexion PPP. Dans de rares
provider peu vous assigner une adresse statique (staticIP address); cela cas , votre provider peu vous assigner une adresse statique (staticIP address);
signifie que vous configurez votre interface externe sur votre firewall afin cela signifie que vous configurez votre interface externe sur votre firewall
d'utiliser cette adresse de manière permanente. Une fois votre adresse externe afin d'utiliser cette adresse de manière permanente. Une fois votre adresse
assignée, elle va être partagée par tout vos systèmes lors de l'accès à Internet. externe assignée, elle va être partagée par tout vos systèmes lors de l'accès
Vous devrez assigner vos propres adresses à votre réseau local (votre interface à Internet. Vous devrez assigner vos propres adresses à votre réseau local
interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918 (votre interface interne sur le firewall ainsi que les autres ordinateurs).
réserve plusieurs plages d'IP (Private IP address ranges) à cette fin :</p> La RFC 1918 réserve plusieurs plages d'IP (Private IP address ranges) à
cette fin :</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -341,9 +342,9 @@ r
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface Avant de lancer Shorewall, vous devriez regarder l'adresse de votre
externe et si elle est comprise dans une des plages précédentes, vous devriez interface externe et si elle est comprise dans une des plages précédentes,
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p> vous devriez enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
@ -351,14 +352,15 @@ r
(<i>sub-network </i>ou <i>subnet)</i> et les adresse pour la DMZ à un autre (<i>sub-network </i>ou <i>subnet)</i> et les adresse pour la DMZ à un autre
sous-réseau. Pour ce faire, nous pouvons considérer qu'un sous-réseau consiste sous-réseau. Pour ce faire, nous pouvons considérer qu'un sous-réseau consiste
en une plage d'adresse x.y.z.0 à x.y.z.255. Chacun des sous-réseaux possèdera en une plage d'adresse x.y.z.0 à x.y.z.255. Chacun des sous-réseaux possèdera
une masque (<i>Subnet Mask)</i> de 255.255.255.0. L'adresse x.y.z.0 est une masque (<i>Subnet Mask)</i> de 255.255.255.0. L'adresse x.y.z.0
réservée comme l'adresse du sous-réseau (<i>Subnet Address)</i> et x.y.z.255 est réservée comme l'adresse du sous-réseau (<i>Subnet Address)</i>
est réservée en tant qu'adresse de broadcast du sous-réseau (<i>Subnet Broadcast</i> et x.y.z.255 est réservée en tant qu'adresse de broadcast du sous-réseau
<i>Address)</i>. Sous Shorewall, un sous-réseau est décrit/désigné en utilisant (<i>Subnet Broadcast</i> <i>Address)</i>. Sous Shorewall, un sous-réseau
la notation <a href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain est décrit/désigné en utilisant la notation <a
Routing</i>(CIDR)</a> qui consiste en l'adresse du sous-réseau suivie par href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing</i>(CIDR)</a>
"/24". Le "24" se réfère au nombre de bits "1" consécutifs dans la partie qui consiste en l'adresse du sous-réseau suivie par "/24". Le "24" se réfère
gauche du masque de sous-réseau. </p> au nombre de bits "1" consécutifs dans la partie gauche du masque de sous-réseau.
</p>
</div> </div>
<div align="left"> <div align="left">
@ -393,17 +395,17 @@ r
</div> </div>
<div align="left"> <div align="left">
<p align="left">Il est de convention d'assigner à l'interface interne la première <p align="left">Il est de convention d'assigner à l'interface interne la
adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple précédent) première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple
ou la dernière utilisable (10.10.10.254).</p> précédent) ou la dernière utilisable (10.10.10.254).</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">L'un des buts d'un sous-réseau est de permettre à tous les <p align="left">L'un des buts d'un sous-réseau est de permettre à tous les
ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs ils ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs
peuvent communiquer directement. Pour communiquer avec des systèmes en dehors ils peuvent communiquer directement. Pour communiquer avec des systèmes
du sous-réseau, les ordinateurs envoient des paquets à travers le gateway en dehors du sous-réseau, les ordinateurs envoient des paquets à travers
(routeur).</p> le gateway (routeur).</p>
</div> </div>
<div align="left"> <div align="left">
@ -417,8 +419,8 @@ pointant sur l'adresse IP de l'interface DMZ du firewall. </p>
</div> </div>
<p align="left">Cette courte description ne fait que survoler les concepts <p align="left">Cette courte description ne fait que survoler les concepts
de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur l'adressage de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur
IP et le routage, je vous recommande chaudement <i>"IP Fundamentals: l'adressage IP et le routage, je vous recommande chaudement <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
@ -430,8 +432,8 @@ What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
</p> </p>
<p align="left">La passerelle par défaut (default gateway) pour les ordinateurs <p align="left">La passerelle par défaut (default gateway) pour les ordinateurs
de la DMZ sera 10.10.11.254 et le passerelle par défaut pour les ordinateurs de la DMZ sera 10.10.11.254 et le passerelle par défaut pour les
en local sera 10.10.10.254.</p> ordinateurs en local sera 10.10.10.254.</p>
<h2 align="left">IP Masquerading (SNAT)</h2> <h2 align="left">IP Masquerading (SNAT)</h2>
@ -451,9 +453,10 @@ rout
l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
1. </p> 1. </p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de l'IP <p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de
Masquerading mais vous verrez aussi le terme de Source Network Address Translation l'IP Masquerading mais vous verrez aussi le terme de Source Network Address
(SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter :</p> Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter
:</p>
<ul> <ul>
<li> <li>
@ -481,9 +484,9 @@ Masquerading mais vous verrez aussi le terme de Source Network Address Translati
height="13"> height="13">
Si votre IP externe est statique, vous pouvez la mettre dans la troisième Si votre IP externe est statique, vous pouvez la mettre dans la troisième
colonne dans /etc/shorewall/masq si vous le désirez, de toutes façons votre colonne dans /etc/shorewall/masq si vous le désirez, de toutes façons votre
firewall fonctionnera bien si vous laissez cette colonne vide. Le fait de firewall fonctionnera bien si vous laissez cette colonne vide. Le fait
mettre votre IP statique dans la troisième colonne permet un traitement des de mettre votre IP statique dans la troisième colonne permet un traitement
paquets sortant un peu plus efficace.<br> des paquets sortant un peu plus efficace.<br>
</p> </p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
@ -506,10 +509,10 @@ Masquerading mais vous verrez aussi le terme de Source Network Address Translati
serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse
RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
de connexion au firewall qui ré écrit l'adresse de destination de votre serveur, de connexion au firewall qui ré écrit l'adresse de destination de votre
et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall serveur, et fait passer le paquet à celui-ci. Lorsque votre serveur répond,
applique automatiquement un SNAT pour ré écrire l'adresse source dans la le firewall applique automatiquement un SNAT pour ré écrire l'adresse source
réponse.</p> dans la réponse.</p>
<p align="left">Ce procédé est appelé Port Forwarding ou Destination Network <p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
Address Translation(DNAT). Vous configurez le port forwarding en utilisant Address Translation(DNAT). Vous configurez le port forwarding en utilisant
@ -594,12 +597,12 @@ port&gt;</i>]</td>
<p>Deux points importants à garder en mémoire :</p> <p>Deux points importants à garder en mémoire :</p>
<ul> <ul>
<li>Lorsque vous vous connectez à votre serveur à partir de votre réseau <li>Lorsque vous vous connectez à votre serveur à partir de votre
local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li> réseau local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li>
<li>Quelques fournisseurs Internet (Provider/ISP) bloquent les requêtes <li>Quelques fournisseurs Internet (Provider/ISP) bloquent les requêtes
de connexion entrantes sur le port 80. Si vous avez des problèmes pour vous de connexion entrantes sur le port 80. Si vous avez des problèmes pour
connecter à votre serveur web, essayez la règle suivante et connectez vous vous connecter à votre serveur web, essayez la règle suivante et connectez
sur le port 5000 (c.a.d., connectez vous à <a vous sur le port 5000 (c.a.d., connectez vous à <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> où w.x.y.z est votre href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> où w.x.y.z est votre
IP externe).</li> IP externe).</li>
@ -634,10 +637,10 @@ IP externe).</li>
</table> </table>
</blockquote> </blockquote>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur depuis <p>Si vous voulez avoir la possibilité de vous connecter à votre serveur
le réseau local en utilisant votre adresse externe, et si vous avez une adresse depuis le réseau local en utilisant votre adresse externe, et si vous avez
IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz précédente une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz
par :</p> précédente par :</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -667,9 +670,9 @@ par :</p>
</blockquote> </blockquote>
<p>Si vous avez une IP dynamique, alors vous devez vous assurer que votre <p>Si vous avez une IP dynamique, alors vous devez vous assurer que votre
interface externe est en route avant de lancer Shorewall et vous devez suivre interface externe est en route avant de lancer Shorewall et vous devez
les étapes suivantes (en supposant que votre interface externe est <b>eth0</b>) suivre les étapes suivantes (en supposant que votre interface externe est
:</p> <b>eth0</b>) :</p>
<ol> <ol>
<li>Insérez ce qui suit dans /etc/shorewall/params :<br> <li>Insérez ce qui suit dans /etc/shorewall/params :<br>
@ -708,8 +711,8 @@ par :</p>
</table> </table>
</blockquote> </blockquote>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre adresse <p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre
IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p> adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13"> <p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p> A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
@ -718,38 +721,38 @@ IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p align="left">Normalement, quand vous vous connectez à votre fournisseur <p align="left">Normalement, quand vous vous connectez à votre fournisseur
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le (ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le
firewall (Domain Name Service) est configuré automatiquement (c.a.d., le fichier firewall (Domain Name Service) est configuré automatiquement (c.a.d., le
/etc/resolv.conf a été écrit). Il arrive que votre provider vous donne une fichier /etc/resolv.conf a été écrit). Il arrive que votre provider vous
paire d'adresse IP pour les DNS (name servers) afin que vous configuriez manuellement donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuriez
votre serveur de nom primaire et secondaire. La manière dont le DNS est configuré manuellement votre serveur de nom primaire et secondaire. La manière dont
sur votre firewall est de votre responsabilité. Vous pouvez procéder d'une le DNS est configuré sur votre firewall est de votre responsabilité. Vous
de ses deux façons :</p> pouvez procéder d'une de ses deux façons :</p>
<ul> <ul>
<li> <li>
<p align="left">Vous pouvez configurer votre système interne pour utiliser <p align="left">Vous pouvez configurer votre système interne pour utiliser
les noms de serveurs de votre provider. Si votre fournisseur vous donne les les noms de serveurs de votre provider. Si votre fournisseur vous donne
adresses de leurs serveurs ou si ces adresses sont disponibles sur leur site les adresses de leurs serveurs ou si ces adresses sont disponibles sur leur
web, vous pouvez configurer votre système interne afin de les utiliser. Si site web, vous pouvez configurer votre système interne afin de les utiliser.
cette information n'est pas disponible, regardez dans /etc/resolv.conf sur Si cette information n'est pas disponible, regardez dans /etc/resolv.conf
votre firewall -- les noms des serveurs sont donnés dans l'enregistrement sur votre firewall -- les noms des serveurs sont donnés dans l'enregistrement
"nameserver" dans ce fichier. </p> "nameserver" dans ce fichier. </p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_2.gif" <p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13"> width="13" height="13">
Vous pouvez installer/configurer un cache dns (Caching Name Server) sur Vous pouvez installer/configurer un cache dns (Caching Name Server)
votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre en cache sur votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre
un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs en cache un serveur de nom (le RPM requis aussi le RPM 'bind') et pour
de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez les utilisateurs de Bering, il y a dnscache.lrp. Si vous adoptez cette
votre système interne pour utiliser le firewall lui même comme étant le seul approche, vous configurez votre système interne pour utiliser le firewall
serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne du firewall lui même comme étant le seul serveur de nom primaire. Vous pouvez utiliser
(10.10.10.254 dans l'exemple) pour l'adresse de serveur de nom si vous décidez l'adresse IP interne du firewall (10.10.10.254 dans l'exemple) pour l'adresse
de faire tourner le serveur de nom sur votre firewall. Pour permettre à de serveur de nom si vous décidez de faire tourner le serveur de nom sur
vos systèmes locaux de discuter avec votre serveur cache de nom, vous devez votre firewall. Pour permettre à vos systèmes locaux de discuter avec votre
ouvrir le port 53 (UDP ET  TCP) sur le firewall vers le réseau local; vous serveur cache de nom, vous devez ouvrir le port 53 (UDP ET  TCP) sur le
ferez ceci en ajoutant les règles suivantes dans /etc/shorewall/rules. firewall vers le réseau local; vous ferez ceci en ajoutant les règles suivantes
</p> dans /etc/shorewall/rules. </p>
</li> </li>
</ul> </ul>
@ -1126,8 +1129,8 @@ firewall depuis Internet, utilisez SSH :</p>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13" <p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13"> height="13">
Et maintenant, éditez /etc/shorewall/rules pour rajouter les autres connexions Et maintenant, éditez /etc/shorewall/rules pour rajouter les autres
désirées.</p> connexions désirées.</p>
</div> </div>
<div align="left"> <div align="left">
@ -1138,11 +1141,11 @@ firewall depuis Internet, utilisez SSH :</p>
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13" <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow"> height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation</a> configure votre La <a href="Install.htm">procédure d'installation</a> configure votre
système pour lancer Shorewall au boot du système, mais au début avec la version système pour lancer Shorewall au boot du système, mais au début avec la
1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall version 1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de
avec que la configuration soit finie. Une fois que vous en avez fini avec lancer Shorewall avec que la configuration soit finie. Une fois que vous
la configuration du firewall, vous pouvez permettre le lancement de Shorewall en avez fini avec la configuration du firewall, vous pouvez permettre le
en supprimant le fichier /etc/shorewall/startup_disabled.<br> lancement de Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent éditer <p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent éditer
@ -1152,8 +1155,8 @@ syst
<div align="left"> <div align="left">
<p align="left">Le firewall est activé en utilisant la commande "shorewall <p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
routage est autorisé sur les hôtes qui possèdent une entrée dans <a le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall qui tourne peut être relancé en utilisant la commande "shorewall firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
@ -1167,15 +1170,14 @@ syst
routage depuis/vers <b>eth1 </b>(votre réseau local) et<b> eth2</b>(DMZ) routage depuis/vers <b>eth1 </b>(votre réseau local) et<b> eth2</b>(DMZ)
lorsque Shorewall est arrêté. Si ces deux interfaces ne sont pas lorsque Shorewall est arrêté. Si ces deux interfaces ne sont pas
connectées à votre réseau local et votre DMZ, ou si vous voulez permettre connectées à votre réseau local et votre DMZ, ou si vous voulez permettre
un ensemble d'hôtes différents, modifiez /etc/shorewall/routestopped en un ensemble d'hôtes différents, modifiez /etc/shorewall/routestopped en conséquence.</p>
conséquence.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis Internet, <p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis
n'essayez pas une commande "shorewall stop" tant que vous n'avez pas ajouté Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
une entrée pour votre adresse IP (celle à partir de laquelle vous êtes connectée) pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart"; De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration </a></i><i><a href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
@ -1190,5 +1192,6 @@ dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a><br> Thomas M. Eastep</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>

80
STABLE/documentation/traffic_shaping.htm
View File

@ -16,12 +16,10 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1> <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td> </td>
</tr> </tr>
@ -45,9 +43,9 @@ to be running Linux Kernel 2.4.18 or later.</p>
the setting of this variable determines whether Shorewall clears the traffic the setting of this variable determines whether Shorewall clears the traffic
shaping configuration during Shorewall [re]start and Shorewall stop. <br> shaping configuration during Shorewall [re]start and Shorewall stop. <br>
</li> </li>
<li><b>/etc/shorewall/tcrules</b> - A file where you can <li><b>/etc/shorewall/tcrules</b> - A file where you
specify firewall marking of packets. The firewall mark value may can specify firewall marking of packets. The firewall mark value
be used to classify packets for traffic shaping/control.<br> may be used to classify packets for traffic shaping/control.<br>
</li> </li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file <li><b>/etc/shorewall/tcstart </b>- A user-supplied file
that is sourced by Shorewall during "shorewall start" and which that is sourced by Shorewall during "shorewall start" and which
@ -55,28 +53,28 @@ to be running Linux Kernel 2.4.18 or later.</p>
I have provided a <a I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections table-driven CBQ shaping but if you read the traffic shaping sections
of the HOWTO mentioned above, you can probably code your own of the HOWTO mentioned above, you can probably code your own faster
faster than you can learn how to use my sample. I personally use than you can learn how to use my sample. I personally use
<a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). <a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
HTB support may eventually become an integral part of Shorewall HTB support may eventually become an integral part of Shorewall
since HTB is a lot simpler and better-documented than CBQ. As of since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
2.4.20, HTB is a standard part of the kernel but iproute2 must be patched HTB is a standard part of the kernel but iproute2 must be patched in
in order to use it.<br> order to use it.<br>
<br> <br>
In tcstart, when you want to run the 'tc' utility, use In tcstart, when you want to run the 'tc' utility,
the run_tc function supplied by shorewall if you want tc errors use the run_tc function supplied by shorewall if you want tc errors
to stop the firewall.<br> to stop the firewall.<br>
<br> <br>
You can generally use off-the-shelf traffic shaping scripts by You can generally use off-the-shelf traffic shaping scripts by
simply copying them to /etc/shorewall/tcstart. I use <a simply copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version) href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
modified it according to the Wonder Shaper README). <b>WARNING: </b>If and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address) you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied script won't work. Traffic shaping occurs after SNAT has already been
so when traffic shaping happens, all outbound traffic will have as a source applied so when traffic shaping happens, all outbound traffic will have
address the IP addresss of your firewall's external interface.<br> as a source address the IP addresss of your firewall's external interface.<br>
</li> </li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file <li><b>/etc/shorewall/tcclear</b> - A user-supplied file
that is sourced by Shorewall when it is clearing traffic shaping. that is sourced by Shorewall when it is clearing traffic shaping.
@ -85,8 +83,8 @@ simply copying them to /etc/shorewall/tcstart. I use <a
</ul> </ul>
Shorewall allows you to start traffic shaping when Shorewall itself Shorewall allows you to start traffic shaping when Shorewall itself
starts or it allows you to bring up traffic shaping when you bring up starts or it allows you to bring up traffic shaping when you bring up your
your interfaces.<br> interfaces.<br>
<br> <br>
To start traffic shaping when Shorewall starts:<br> To start traffic shaping when Shorewall starts:<br>
@ -94,8 +92,8 @@ your interfaces.<br>
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li> <li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic <li>Supply an /etc/shorewall/tcstart script to configure your traffic
shaping rules.</li> shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic <li>Optionally supply an /etc/shorewall/tcclear script to stop
shaping. That is usually unnecessary.</li> traffic shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can <li>If your tcstart script uses the 'fwmark' classifier, you can
mark packets using entries in /etc/shorewall/tcrules.</li> mark packets using entries in /etc/shorewall/tcrules.</li>
@ -131,10 +129,10 @@ not be covered here. You then should:<br>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before <p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are packets based on their destination address when SNAT or Masquerading
being used. Beginning with Shorewall 1.3.12, you can cause packet marking are being used. Beginning with Shorewall 1.3.12, you can cause packet
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br> option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p> </p>
<p align="left">Columns in the file are as follows:</p> <p align="left">Columns in the file are as follows:</p>
@ -142,18 +140,19 @@ not be covered here. You then should:<br>
<ul> <ul>
<li>MARK - Specifies the mark value is to be assigned <li>MARK - Specifies the mark value is to be assigned
in case of a match. This is an integer in the range 1-255. Beginning in case of a match. This is an integer in the range 1-255. Beginning
with Shorewall version 1.3.14, this value may be optionally followed by ":" with Shorewall version 1.3.14, this value may be optionally followed by
and either 'F' or 'P' to designate that the marking will occur in the FORWARD ":" and either 'F' or 'P' to designate that the marking will occur in the
or PREROUTING chains respectively. If this additional specification is omitted, FORWARD or PREROUTING chains respectively. If this additional specification
the chain used to mark packets will be determined by the setting of the is omitted, the chain used to mark packets will be determined by the setting
MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br> of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br> <br>
Example - 5<br> Example - 5<br>
</li> </li>
<li>SOURCE - The source of the packet. If the packet originates <li>SOURCE - The source of the packet. If the packet
on the firewall, place "fw" in this column. Otherwise, this is originates on the firewall, place "fw" in this column. Otherwise,
a comma-separated list of interface names, IP addresses, MAC addresses this is a comma-separated list of interface names, IP addresses, MAC
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br> addresses in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or
Subnets.<br>
<br> <br>
Examples<br> Examples<br>
    eth0<br>     eth0<br>
@ -166,9 +165,9 @@ list of IP addresses and/or subnets.<br>
from /etc/protocol, a number or "all"<br> from /etc/protocol, a number or "all"<br>
</li> </li>
<li>PORT(S) - Destination Ports. A comma-separated list <li>PORT(S) - Destination Ports. A comma-separated list
of Port names (from /etc/services), port numbers or port ranges of Port names (from /etc/services), port numbers or port ranges (e.g.,
(e.g., 21:22); if the protocol is "icmp", this column is interpreted 21:22); if the protocol is "icmp", this column is interpreted as
as the destination icmp type(s).<br> the destination icmp type(s).<br>
</li> </li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. <li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
If omitted, any source port is acceptable. Specified as a comma-separate If omitted, any source port is acceptable. Specified as a comma-separate
@ -178,8 +177,8 @@ as the destination icmp type(s).<br>
<p align="left">Example 1 - All packets arriving on eth1 should be marked <p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with with 1. All packets arriving on eth2 and eth3 should be marked with
2. All packets originating on the firewall itself should be marked 2. All packets originating on the firewall itself should be marked with
with 3.</p> 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
@ -337,5 +336,6 @@ local systems or from my laptop or firewall).</li>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

60
STABLE/documentation/troubleshoot.htm
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -60,14 +60,14 @@
<blockquote> <blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre> <pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote> </blockquote>
A search through the trace for "No chain/target/match by that name" turned A search through the trace for "No chain/target/match by that name"
up the following:  turned up the following: 
<blockquote> <blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre> <pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote> </blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had forgotten tcp-reset". In this case, the user had compiled his own kernel and had
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>) forgotten to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3> <h3>Your network environment</h3>
@ -78,8 +78,8 @@ an ill-conceived network setup. Here are several popular snafus: </p>
<li>Port Forwarding where client and server are <li>Port Forwarding where client and server are
in the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li> in the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the <li>Changing the IP address of a local system to be in the
external subnet, thinking that Shorewall will suddenly believe that external subnet, thinking that Shorewall will suddenly believe
the system is in the 'net' zone.</li> that the system is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. <li>Multiple interfaces connected to the same HUB or Switch.
Given the way that the Linux kernel respond to ARP "who-has" requests, Given the way that the Linux kernel respond to ARP "who-has" requests,
this type of setup does NOT work the way that you expect it to.</li> this type of setup does NOT work the way that you expect it to.</li>
@ -89,10 +89,10 @@ the system is in the 'net' zone.</li>
<h3 align="left">If you are having connection problems:</h3> <h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are <p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES
TO MAKE IT WORK. Such additional rules will NEVER make it work, they TRYING TO MAKE IT WORK. Such additional rules will NEVER make it work,
add clutter to your rule set and they represent a big security hole in they add clutter to your rule set and they represent a big security hole
the event that you forget to remove them later.</p> in the event that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to <p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of ACCEPT in an effort to make something work. That robs you of one of
@ -102,8 +102,8 @@ the event that you forget to remove them later.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't <p align="left">Check your log ("/sbin/shorewall show log"). If you don't
see Shorewall messages, then your problem is probably NOT a Shorewall see Shorewall messages, then your problem is probably NOT a Shorewall
problem. If you DO see packet messages, it may be an indication that you problem. If you DO see packet messages, it may be an indication that
are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p> you are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear <p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p> two variables in /etc/shorewall/shorewall.conf:</p>
@ -123,9 +123,9 @@ the event that you forget to remove them later.</p>
<p align="left">Let's look at the important parts of this message:</p> <p align="left">Let's look at the important parts of this message:</p>
<ul> <ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all <li>all2all:REJECT - This packet was REJECTed out of the
chain -- the packet was rejected under the "all"-&gt;"all" REJECT all2all chain -- the packet was rejected under the "all"-&gt;"all"
policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li> REJECT policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li> <li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li> <li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li> <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
@ -161,8 +161,8 @@ or FORWARD chains? This means that:
(using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> (using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
file are you?); or</li> file are you?); or</li>
<li>the source and destination hosts are both connected <li>the source and destination hosts are both connected
to the same interface and you don't have a policy or rule for to the same interface and you don't have a policy or rule for the
the source zone to or from the destination zone.</li> source zone to or from the destination zone.</li>
</ol> </ol>
</li> </li>
@ -184,12 +184,12 @@ and the zone containing 10.1.1.2, the ping requests will be dropped.
<li>If you specify "routefilter" for an interface, that <li>If you specify "routefilter" for an interface, that
interface must be up prior to starting the firewall.</li> interface must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems <li>Is your routing correct? For example, internal systems
usually need to be configured with their default gateway set to the usually need to be configured with their default gateway set to
IP address of their nearest firewall interface. One often overlooked the IP address of their nearest firewall interface. One often overlooked
aspect of routing is that in order for two hosts to communicate, the aspect of routing is that in order for two hosts to communicate,
routing between them must be set up <u>in both directions.</u> So when the routing between them must be set up <u>in both directions.</u>
setting up routing between <b>A</b> and<b> B</b>, be sure to verify So when setting up routing between <b>A</b> and<b> B</b>, be sure
that the route from <b>B</b> back to <b>A</b> is defined.</li> to verify that the route from <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have <li>Some versions of LRP (EigerStein2Beta for example) have
a shell with broken variable expansion. <a a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
@ -199,12 +199,13 @@ a shell with broken variable expansion. <a
<li>Shorewall requires the "ip" program. That program <li>Shorewall requires the "ip" program. That program
is generally included in the "iproute" package which should be included is generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a by default). You may also download the latest source tarball from
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a> <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li> .</li>
<li>Problems with NAT? Be sure that you let Shorewall <li>Problems with NAT? Be sure that you let
add all external addresses to be use with NAT unless you have set <a Shorewall add all external addresses to be use with NAT unless you
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li> have set <a href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No
in /etc/shorewall/shorewall.conf.</li>
</ul> </ul>
@ -220,5 +221,6 @@ add all external addresses to be use with NAT unless you have set <a
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
</body> </body>
</html> </html>

250
STABLE/documentation/two-interface.htm
View File

@ -18,10 +18,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber5" style="border-collapse: collapse;" width="100%" id="AutoNumber5"
bgcolor="#400169" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1> <h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
</td> </td>
</tr> </tr>
@ -30,19 +31,19 @@
</table> </table>
<p align="left">Setting up a Linux system as a firewall for a small network <p align="left">Setting up a Linux system as a firewall for a small network
is a fairly straight-forward task if you understand the basics and is a fairly straight-forward task if you understand the basics
follow the documentation.</p> and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of <p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall Shorewall. It rather focuses on what is required to configure Shorewall
in its most common configuration:</p> in its most common configuration:</p>
<ul> <ul>
<li>Linux system used as a firewall/router for a small <li>Linux system used as a firewall/router for a
local network.</li> small local network.</li>
<li>Single public IP address.</li> <li>Single public IP address.</li>
<li>Internet connection through cable modem, DSL, ISDN, <li>Internet connection through cable modem, DSL,
Frame Relay, dial-up ...</li> ISDN, Frame Relay, dial-up ...</li>
</ul> </ul>
@ -59,8 +60,8 @@
</b></p> </b></p>
<p><b>Note however, that the Shorewall configuration produced by Mandrake <p><b>Note however, that the Shorewall configuration produced by Mandrake
Internet Connection Sharing is strange and is apt to confuse you if you use Internet Connection Sharing is strange and is apt to confuse you if you
the rest of this documentation (it has two local zones; "loc" and "masq" use the rest of this documentation (it has two local zones; "loc" and "masq"
where "loc" is empty; this conflicts with this documentation which assumes where "loc" is empty; this conflicts with this documentation which assumes
a single local zone "loc"). We therefore recommend that once you have set a single local zone "loc"). We therefore recommend that once you have set
up this sharing that you uninstall the Mandrake Shorewall RPM and install up this sharing that you uninstall the Mandrake Shorewall RPM and install
@ -71,18 +72,18 @@
<p>Shorewall requires that you have the iproute/iproute2 package installed <p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can (on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b> tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which' command program on your firewall system. As root, you can use the 'which'
to check for this program:</p> command to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself <p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your
changes. Points at which configuration changes are recommended configuration changes. Points at which configuration changes are
are flagged with <img border="0" src="images/BD21298_.gif" recommended are flagged with <img border="0"
width="13" height="13"> src="images/BD21298_.gif" width="13" height="13">
. Configuration notes that are unique to LEAF/Bering are . Configuration notes that are unique to LEAF/Bering
marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)" are marked with <img src="images/leaflogo.gif" alt="(LEAF Logo)"
width="49" height="36"> width="49" height="36">
</p> </p>
@ -91,8 +92,8 @@ are flagged with <img border="0" src="images/BD21298_.gif"
system, you must save them as Unix files if your editor supports system, you must save them as Unix files if your editor supports
that option or you must run them through dos2unix before trying to that option or you must run them through dos2unix before trying to
use them. Similarly, if you copy a configuration file from your Windows use them. Similarly, if you copy a configuration file from your Windows
hard drive to a floppy disk, you must run dos2unix against the copy before hard drive to a floppy disk, you must run dos2unix against the copy
using it with Shorewall.</p> before using it with Shorewall.</p>
<ul> <ul>
<li><a <li><a
@ -108,9 +109,9 @@ using it with Shorewall.</p>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the     The configuration files for Shorewall are contained in
directory /etc/shorewall -- for simple setups, you will only need to the directory /etc/shorewall -- for simple setups, you will only need
deal with a few of these as described in this guide. After you have to deal with a few of these as described in this guide. After you have
<a href="Install.htm">installed Shorewall</a>, <b>download the <a <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>, href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
@ -164,8 +165,8 @@ in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.
<p>For each connection request entering the firewall, the request is first <p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or that matches the request is applied. If that policy is REJECT
DROP  the request is first checked against the rules in /etc/shorewall/common or DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p> (the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has <p>The /etc/shorewall/policy file included with the two-interface sample has
@ -238,12 +239,13 @@ the following policies:</p>
<p>The above policy will:</p> <p>The above policy will:</p>
<ol> <ol>
<li>allow all connection requests from your local network <li>allow all connection requests from your local
to the internet</li> network to the internet</li>
<li>drop (ignore) all connection requests from the <li>drop (ignore) all connection requests from the
internet to your firewall or local network</li> internet to your firewall or local network</li>
<li>optionally accept all connection requests from <li>optionally accept all connection requests from
the firewall to the internet (if you uncomment the additional policy)</li> the firewall to the internet (if you uncomment the additional
policy)</li>
<li>reject all other connection requests.</li> <li>reject all other connection requests.</li>
</ol> </ol>
@ -270,15 +272,15 @@ connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    If your external interface is <b>ppp0</b> or<b> ippp0</b>      If your external interface is <b>ppp0</b> or<b>
then you will want to set CLAMPMSS=yes in <a ippp0</b>  then you will want to set CLAMPMSS=yes in <a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p> href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter <p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your other (eth1 or eth0) and will be connected to a hub or switch. Your other
computers will be connected to the same hub/switch (note: If you computers will be connected to the same hub/switch (note: If you
have only a single internal system, you can connect the firewall directly have only a single internal system, you can connect the firewall
to the computer using a <i>cross-over </i> cable).</p> directly to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif" <p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60"> width="60" height="60">
@ -289,12 +291,13 @@ have only a single internal system, you can connect the firewall directl
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> width="13" height="13">
    The Shorewall two-interface sample configuration assumes     The Shorewall two-interface sample configuration
that the external interface is <b>eth0</b> and the internal interface assumes that the external interface is <b>eth0</b> and the internal
is <b>eth1</b>. If your configuration is different, you will have interface is <b>eth1</b>. If your configuration is different, you
to modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> will have to modify the sample <a
file accordingly. While you are there, you may wish to review the href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
list of options that are specified for the interfaces. Some hints:</p> accordingly. While you are there, you may wish to review the list
of options that are specified for the interfaces. Some hints:</p>
<ul> <ul>
<li> <li>
@ -313,17 +316,18 @@ to modify the sample <a href="Documentation.htm#Interfaces">/etc/shorewall/
<h2 align="left">IP Addresses</h2> <h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet <p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
a single <i> Public</i> IP address. This address may be assigned via you a single <i> Public</i> IP address. This address may be assigned
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
establishing your connection when you dial in (standard modem) or establish of establishing your connection when you dial in (standard modem) or
your PPP connection. In rare cases, your ISP may assign you a<i> static</i> establish your PPP connection. In rare cases, your ISP may assign you
IP address; that means that you configure your firewall's external interface a<i> static</i> IP address; that means that you configure your firewall's
to use that address permanently.<i> </i>However your external address external interface to use that address permanently.<i> </i>However your
is assigned, it will be shared by all of your systems when you access external address is assigned, it will be shared by all of your systems
the Internet. You will have to assign your own addresses in your internal when you access the Internet. You will have to assign your own addresses
network (the Internal Interface on your firewall plus your other computers). in your internal network (the Internal Interface on your firewall plus
RFC 1918 reserves several <i>Private </i>IP address ranges for this purpose:</p> your other computers). RFC 1918 reserves several <i>Private </i>IP address
ranges for this purpose:</p>
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -332,10 +336,10 @@ the Internet. You will have to assign your own addresses in your internal
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    Before starting Shorewall, you should look at the     Before starting Shorewall, you should look at
IP address of your external interface and if it is one of the above the IP address of your external interface and if it is one of
ranges, you should remove the 'norfc1918' option from the external the above ranges, you should remove the 'norfc1918' option from
interface's entry in /etc/shorewall/interfaces.</p> the external interface's entry in /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
@ -343,8 +347,8 @@ the Internet. You will have to assign your own addresses in your internal
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255 is x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall, is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
</i>(CIDR) notation</a> with consists of the subnet address followed </i>(CIDR) notation</a> with consists of the subnet address followed
@ -399,17 +403,17 @@ a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13" <p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13"> height="13">
    Your local computers (computer 1 and computer 2     Your local computers (computer 1 and computer
in the above diagram) should be configured with their<i> default 2 in the above diagram) should be configured with their<i> default
gateway</i> to be the IP address of the firewall's internal interface.<i>      gateway</i> to be the IP address of the firewall's internal interface.<i>     
</i> </p> </i> </p>
</div> </div>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals: more about IP addressing and routing, I highly recommend <i>"IP
What Everyone Needs to Know about Addressing &amp; Routing",</i> Fundamentals: What Everyone Needs to Know about Addressing &amp;
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p> Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured <p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p> your network as shown here:</p>
@ -432,9 +436,9 @@ in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC
<h2 align="left">IP Masquerading (SNAT)</h2> <h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred <p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers don't to as <i>non-routable</i> because the Internet backbone routers
forward packets which have an RFC-1918 destination address. When don't forward packets which have an RFC-1918 destination address.
one of your local systems (let's assume computer 1) sends a connection When one of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network request to an internet host, the firewall must perform <i>Network
Address Translation </i>(NAT). The firewall rewrites the source address Address Translation </i>(NAT). The firewall rewrites the source address
in the packet to be the address of the firewall's external interface; in the packet to be the address of the firewall's external interface;
@ -442,10 +446,10 @@ in other words, the firewall makes it look as if the firewall itself
is initiating the connection.  This is necessary so that the destination is initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't that packets whose destination address is reserved by RFC 1918 can't
be routed across the internet so the remote host can't address its response be routed across the internet so the remote host can't address its
to computer 1). When the firewall receives a return packet, it rewrites response to computer 1). When the firewall receives a return packet,
the destination address back to 10.10.10.1 and forwards the packet on it rewrites the destination address back to 10.10.10.1 and forwards
to computer 1. </p> the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to as<i> <p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address IP Masquerading</i> but you will also see the term <i>Source Network Address
@ -467,24 +471,25 @@ is initiating the connection.
</ul> </ul>
<p align="left">In Shorewall, both Masquerading and SNAT are configured with <p align="left">In Shorewall, both Masquerading and SNAT are configured with
entries in the /etc/shorewall/masq file. You will normally use Masquerading entries in the /etc/shorewall/masq file. You will normally use
if your external IP is dynamic and SNAT if the IP is static.</p> Masquerading if your external IP is dynamic and SNAT if the IP is
static.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    If your external firewall interface is <b>eth0</b>,     If your external firewall interface is <b>eth0</b>,
you do not need to modify the file provided with the sample. Otherwise, you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change the first column to the name edit /etc/shorewall/masq and change the first column to the name
of your external interface and the second column to the name of your of your external interface and the second column to the name of
internal interface.</p> your internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13"> height="13">
    If your external IP is static, you can enter it in     If your external IP is static, you can enter it
the third column in the /etc/shorewall/masq entry if you like although in the third column in the /etc/shorewall/masq entry if you like
your firewall will work fine if you leave that column empty. Entering although your firewall will work fine if you leave that column empty.
your static IP in column 3 makes processing outgoing packets a little Entering your static IP in column 3 makes processing outgoing packets
more efficient.<br> a little more efficient.<br>
<br> <br>
<img border="0" src="images/BD21298_.gif" width="13" <img border="0" src="images/BD21298_.gif" width="13"
height="13" alt=""> height="13" alt="">
@ -494,7 +499,7 @@ is initiating the connection.
</p> </p>
<ul> <ul>
<li>NAT_ENABLED=Yes</li> <li>NAT_ENABLED=Yes (Shorewall versions earlier than 1.4.6)</li>
<li>IP_FORWARDING=On<br> <li>IP_FORWARDING=On<br>
</li> </li>
@ -505,11 +510,11 @@ is initiating the connection.
<p align="left">One of your goals may be to run one or more servers on your <p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses, local computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly it is not possible for clients on the internet to connect directly
to them. It is rather necessary for those clients to address their connection to them. It is rather necessary for those clients to address their
requests to the firewall who rewrites the destination address to the connection requests to the firewall who rewrites the destination address
address of your server and forwards the packet to that server. When to the address of your server and forwards the packet to that server.
your server responds, the firewall automatically performs SNAT to rewrite When your server responds, the firewall automatically performs SNAT
the source address in the response.</p> to rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i> <p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure Destination Network Address Translation</i> (DNAT). You configure
@ -580,13 +585,13 @@ to them. It is rather necessary for those clients to address their connect
<ul> <ul>
<li>You must test the above rule from a client outside <li>You must test the above rule from a client outside
of your local network (i.e., don't test from a browser running on of your local network (i.e., don't test from a browser running
computers 1 or 2 or on the firewall). If you want to be able to on computers 1 or 2 or on the firewall). If you want to be able
access your web server using the IP address of your external interface, to access your web server using the IP address of your external interface,
see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li> see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to <li>Many ISPs block incoming connection requests
port 80. If you have problems connecting to your web server, try to port 80. If you have problems connecting to your web server,
the following rule and try connecting to port 5000.</li> try the following rule and try connecting to port 5000.</li>
</ul> </ul>
@ -624,24 +629,24 @@ any DNAT rules that you require.</p>
<h2 align="left">Domain Name Server (DNS)</h2> <h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting <p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver an IP address your firewall's <i>Domain Name Service </i>(DNS)
will be automatically configured (e.g., the /etc/resolv.conf file resolver will be automatically configured (e.g., the /etc/resolv.conf
will be written). Alternatively, your ISP may have given you the IP file will be written). Alternatively, your ISP may have given you the
address of a pair of DNS <i> name servers</i> for you to manually configure IP address of a pair of DNS <i> name servers</i> for you to manually
as your primary and secondary name servers. Regardless of how DNS configure as your primary and secondary name servers. Regardless of
gets configured on your firewall, it is <u>your</u> responsibility to how DNS gets configured on your firewall, it is <u>your</u> responsibility
configure the resolver in your internal systems. You can take one of to configure the resolver in your internal systems. You can take one
two approaches:</p> of two approaches:</p>
<ul> <ul>
<li> <li>
<p align="left">You can configure your internal systems to use your ISP's <p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can configure or if those addresses are available on their web site, you can
your internal systems to use those addresses. If that information configure your internal systems to use those addresses. If that
isn't available, look in /etc/resolv.conf on your firewall system information isn't available, look in /etc/resolv.conf on your firewall
-- the name servers are given in "nameserver" records in that file. system -- the name servers are given in "nameserver" records in that
</p> file. </p>
</li> </li>
<li> <li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" <p align="left"><img border="0" src="images/BD21298_.gif" width="13"
@ -649,13 +654,14 @@ two approaches:</p>
    You can configure a<i> Caching Name Server </i>on     You can configure a<i> Caching Name Server </i>on
your firewall.<i> </i>Red Hat has an RPM for a caching name your firewall.<i> </i>Red Hat has an RPM for a caching name
server (the RPM also requires the 'bind' RPM) and for Bering users, server (the RPM also requires the 'bind' RPM) and for Bering users,
there is dnscache.lrp. If you take this approach, you configure your there is dnscache.lrp. If you take this approach, you configure
internal systems to use the firewall itself as their primary (and only) your internal systems to use the firewall itself as their primary
name server. You use the internal IP address of the firewall (10.10.10.254 (and only) name server. You use the internal IP address of the firewall
in the example above) for the name server address. To allow your (10.10.10.254 in the example above) for the name server address.
local systems to talk to your caching name server, you must open port To allow your local systems to talk to your caching name server,
53 (both UDP and TCP) from the local network to the firewall; you you must open port 53 (both UDP and TCP) from the local network to the
do that by adding the following rules in /etc/shorewall/rules. </p> firewall; you do that by adding the following rules in /etc/shorewall/rules.
</p>
</li> </li>
</ul> </ul>
@ -744,8 +750,8 @@ do that by adding the following rules in /etc/shorewall/rules. </p>
<div align="left"> <div align="left">
<p align="left">Those rules allow DNS access from your firewall and may be <p align="left">Those rules allow DNS access from your firewall and may be
removed if you uncommented the line in /etc/shorewall/policy allowing removed if you uncommented the line in /etc/shorewall/policy
all connections from the firewall to the internet.</p> allowing all connections from the firewall to the internet.</p>
</div> </div>
<div align="left"> <div align="left">
@ -971,12 +977,12 @@ or delete other connections as required.</p>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" <p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow"> width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a>     The <a href="Install.htm">installation procedure
configures your system to start Shorewall at system boot  but beginning </a> configures your system to start Shorewall at system boot 
with Shorewall version 1.3.9 startup is disabled so that your system but beginning with Shorewall version 1.3.9 startup is disabled so
won't try to start Shorewall before configuration is complete. Once that your system won't try to start Shorewall before configuration
you have completed configuration of your firewall, you can enable Shorewall is complete. Once you have completed configuration of your firewall,
startup by removing the file /etc/shorewall/startup_disabled.<br> you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p> </p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -991,8 +997,8 @@ you have completed configuration of your firewall, you can enable Shorewall
routing is enabled on those hosts that have an entry in <a routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall from command. If you want to totally remove any trace of Shorewall
your Netfilter configuration, use "shorewall clear".</p> from your Netfilter configuration, use "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
@ -1007,20 +1013,22 @@ if you wish to enable access to/from other hosts, change /etc/shorewall/
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you the internet, do not issue a "shorewall stop" command unless
have added an entry for the IP address that you are connected from you have added an entry for the IP address that you are connected
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p> href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 2/21/2003 - <a <p align="left"><font size="2">Last updated 6/27/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a><br> Thomas M. Eastep</font></a><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>

247
STABLE/documentation/two-interface_fr.html
View File

@ -20,11 +20,8 @@
</head> </head>
<body lang="fr-FR"> <body lang="fr-FR">
<p style="margin-bottom: 0cm;"><a name="AutoNumber5"></a><br>
</p>
<table width="100%" border="0" cellpadding="0" cellspacing="0" <table width="100%" border="0" cellpadding="0" cellspacing="0"
bgcolor="#400169"> bgcolor="#3366ff">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
@ -41,9 +38,9 @@
<small><i><u>Notes du traducteur</u> :<br> <small><i><u>Notes du traducteur</u> :<br>
Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou
mon travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne mon travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne
me suis pas attach&eacute; &agrave; une traduction exacte du texte, mais me suis pas attach&eacute; &agrave; une traduction exacte du texte, mais plut&ocirc;t
plut&ocirc;t &agrave; en faire une version fran&ccedil;aise intelligible &agrave; en faire une version fran&ccedil;aise intelligible par tous (et
par tous (et par moi). Les termes techniques sont la plupart du temps conserv&eacute;s par moi). Les termes techniques sont la plupart du temps conserv&eacute;s
sous leur forme originale et mis entre parenth&egrave;ses car vous pouvez sous leur forme originale et mis entre parenth&egrave;ses car vous pouvez
les retrouver dans le reste des documentations ainsi que dans les fichiers les retrouver dans le reste des documentations ainsi que dans les fichiers
de configuration. N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer de configuration. N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer
@ -57,8 +54,8 @@ qu'&agrave; Tom EASTEP pour son formidable outil et sa disponibilit&eacute;)</i>
pour un petit r&eacute;seau est une chose assez simple, si vous comprenez pour un petit r&eacute;seau est une chose assez simple, si vous comprenez
les bases et suivez la documentation.</p> les bases et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se <p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans se focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans
son utilisation la plus courante :</p> son utilisation la plus courante :</p>
<ul> <ul>
@ -86,13 +83,13 @@ ISDN, "Frame Relay", RTC ... </p>
vous pouvez facilement r&eacute;aliser la configuration ci-dessus en utilisant vous pouvez facilement r&eacute;aliser la configuration ci-dessus en utilisant
l'applet Mandrake "Internet Connection Sharing". Depuis le "Mandrake Control l'applet Mandrake "Internet Connection Sharing". Depuis le "Mandrake Control
Center", s&eacute;lectionnez "Network &amp; Internet" et "Connection Sharing". Center", s&eacute;lectionnez "Network &amp; Internet" et "Connection Sharing".
Vous ne devriez pas avoir besoin de vous r&eacute;f&eacute;rer &agrave; ce Vous ne devriez pas avoir besoin de vous r&eacute;f&eacute;rer &agrave;
guide.</b></p> ce guide.</b></p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'install&eacute;.<i> <p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'install&eacute;.<i>
</i>Vous pouvez voir si le paquet est install&eacute; en v&eacute;rifiant </i>Vous pouvez voir si le paquet est install&eacute; en v&eacute;rifiant
la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall. Sous la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall.
root, utilisez la commande 'which' pour rechercher le programme :</p> Sous root, utilisez la commande 'which' pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre> <pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
@ -106,10 +103,10 @@ par une <img src="images/BD21298_.gif" name="Image2" align="bottom"
<p><img src="images/j0213519.gif" name="Image3" align="bottom" <p><img src="images/j0213519.gif" name="Image3" align="bottom"
width="60" height="60" border="0"> width="60" height="60" border="0">
&nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration sur &nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration
un syst&egrave;me Windows, vous devez les sauver comme des fichiers Unix si sur un syst&egrave;me Windows, vous devez les sauver comme des fichiers
votre &eacute;diteur offre cette option sinon vous devez les faire passer Unix si votre &eacute;diteur offre cette option sinon vous devez les faire
par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re, passer par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re,
si vous copiez un fichier de configuration depuis votre disque dur Windows si vous copiez un fichier de configuration depuis votre disque dur Windows
vers une disquette, vous devez lancer dos2unix sur la copie avant de l'utiliser vers une disquette, vous devez lancer dos2unix sur la copie avant de l'utiliser
avec Shorewall.</p> avec Shorewall.</p>
@ -134,8 +131,8 @@ of dos2unix</a> </p>
&nbsp;&nbsp;&nbsp; Les fichiers de configuration pour Shorewall sont dans &nbsp;&nbsp;&nbsp; Les fichiers de configuration pour Shorewall sont dans
le r&eacute;pertoire /etc/shorewall -- pour de simples configurations, vous le r&eacute;pertoire /etc/shorewall -- pour de simples configurations, vous
n'aurez seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit n'aurez seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit
dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute; dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute; Shorewall</a>,
Shorewall</a>, t&eacute;l&eacute; chargez<b> le <a t&eacute;l&eacute; chargez<b> le <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>, href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers vers /etc/shorewall un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers vers /etc/shorewall
(ces fichiers remplaceront les fichiers de m&ecirc;me nom).</b></p> (ces fichiers remplaceront les fichiers de m&ecirc;me nom).</b></p>
@ -204,11 +201,11 @@ d&eacute;faut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/r
<p>Pour chaque connexion demandant &agrave; entrer dans le firewall, la requ&ecirc;te <p>Pour chaque connexion demandant &agrave; entrer dans le firewall, la requ&ecirc;te
est en premier lieu compar&eacute;e par rapport au fichier /etc/shorewall/rules. est en premier lieu compar&eacute;e par rapport au fichier /etc/shorewall/rules.
Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande de Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande
connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy de connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy
qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou DROP&nbsp; qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou
la requ&ecirc;te est dans un premier temps compar&eacute;e par rapport aux DROP&nbsp; la requ&ecirc;te est dans un premier temps compar&eacute;e par
r&egrave;gles contenues dans /etc/shorewall/common.</p> rapport aux r&egrave;gles contenues dans /etc/shorewall/common.</p>
<p>Le fichier /etc/shorewall/policy inclue dans l'archive d'exemple (two-interface) <p>Le fichier /etc/shorewall/policy inclue dans l'archive d'exemple (two-interface)
a les politiques suivantes:</p> a les politiques suivantes:</p>
@ -291,9 +288,9 @@ a les politiques suivantes:</p>
</dd> </dd>
</dl> </dl>
<blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante est <blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante
inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall puisse est inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall
avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez puisse avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez
la ligne.</blockquote> la ligne.</blockquote>
<a name="AutoNumber31"></a> <a name="AutoNumber31"></a>
<dl> <dl>
@ -354,8 +351,8 @@ local. </p>
</li> </li>
<li> <li>
<p style="margin-bottom: 0cm;">Facultativement&nbsp;accepter toutes les <p style="margin-bottom: 0cm;">Facultativement&nbsp;accepter toutes les
demandes de connexion de votre firewall vers l'Internet (si vous avez d&eacute; demandes de connexion de votre firewall vers l'Internet (si vous avez
comment&eacute; la politique additionnelle) </p> d&eacute; comment&eacute; la politique additionnelle) </p>
</li> </li>
<li> <li>
<p>reject (rejeter) toutes les autres demandes de connexion. </p> <p>reject (rejeter) toutes les autres demandes de connexion. </p>
@ -376,10 +373,11 @@ et faite les changements que vous d&eacute;sirez.</p>
<p align="left">Le firewall a deux interfaces de r&eacute;seau. Lorsque la <p align="left">Le firewall a deux interfaces de r&eacute;seau. Lorsque la
connexion Internet passe par le c&acirc;ble ou par un ROUTEUR (pas un simple connexion Internet passe par le c&acirc;ble ou par un ROUTEUR (pas un simple
modem) ADSL (non USB), l'interface vers l'ext&eacute;rieur (<i>External Interface)</i> modem) ADSL (non USB), l'interface vers l'ext&eacute;rieur (<i>External
sera l'adaptateur sur lequel est connect&eacute; le routeur (e.g., <b>eth0</b>)&nbsp; Interface)</i> sera l'adaptateur sur lequel est connect&eacute; le routeur
<u>&agrave; moins que</u> vous ne vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint<u>P</u>rotocol (e.g., <b>eth0</b>)&nbsp; <u>&agrave; moins que</u> vous ne vous connectiez
over<u>E</u>thernet</i> (PPPoE) ou par <i><u>P</u>oint-to-<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP), par <i><u>P</u>oint-to-<u>P</u>oint<u>P</u>rotocol over<u>E</u>thernet</i>
(PPPoE) ou par <i><u>P</u>oint-to-<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP),
dans ce cas l'interface ext&eacute;rieure sera une interface de type ppp dans ce cas l'interface ext&eacute;rieure sera une interface de type ppp
(e.g., <b>ppp0</b>). Si vous vous connectez par un simple modem (RTC), votre (e.g., <b>ppp0</b>). Si vous vous connectez par un simple modem (RTC), votre
interface ext&eacute;rieure sera aussi <b>ppp0</b>. Si votre connexion passe interface ext&eacute;rieure sera aussi <b>ppp0</b>. Si votre connexion passe
@ -393,8 +391,8 @@ ou <b>ippp0</b>&nbsp; alors vous mettrez CLAMPMSS=yes dans <a
<p align="left">Votre <i>Internal Interface</i> (interface vers votre r&eacute;seau <p align="left">Votre <i>Internal Interface</i> (interface vers votre r&eacute;seau
local -&gt; LAN) sera un adaptateur Ethernet (eth1 ou eth0) et sera connect&eacute;e local -&gt; LAN) sera un adaptateur Ethernet (eth1 ou eth0) et sera connect&eacute;e
&agrave; un hub ou switch (ou un PC avec un c&acirc;ble crois&eacute;). Vos &agrave; un hub ou switch (ou un PC avec un c&acirc;ble crois&eacute;).
autres ordinateurs seront connect&eacute;s &agrave; ce m&ecirc;me hub/switch</p> Vos autres ordinateurs seront connect&eacute;s &agrave; ce m&ecirc;me hub/switch</p>
<p align="left"><b><u><img src="images/j0213519.gif" name="Image8" <p align="left"><b><u><img src="images/j0213519.gif" name="Image8"
align="bottom" width="60" height="60" border="0"> align="bottom" width="60" height="60" border="0">
@ -405,11 +403,12 @@ pas que ce soit shorewall qui ne marche pas.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image9" <p align="left"><img src="images/BD21298_.gif" name="Image9"
align="left" width="13" height="13" border="0"> align="left" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Le fichier de configuration d'exemple pour deux interfaces &nbsp;&nbsp;&nbsp; Le fichier de configuration d'exemple pour deux interfaces
suppose que votre interface externe est <b>eth0</b>et que l'interne est <b>eth1</b>. suppose que votre interface externe est <b>eth0</b>et que l'interne est
Si votre configuration est diff&eacute;rente, vous devrez modifier le fichier <b>eth1</b>. Si votre configuration est diff&eacute;rente, vous devrez modifier
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> en cons&eacute;quence. le fichier <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
Tant que vous y &ecirc;tes, vous pourriez parcourir la liste des options qui en cons&eacute;quence. Tant que vous y &ecirc;tes, vous pourriez parcourir
sont sp&eacute;cifi&eacute;es pour les interfaces. Quelques trucs:</p> la liste des options qui sont sp&eacute;cifi&eacute;es pour les interfaces.
Quelques trucs:</p>
<ul> <ul>
<li> <li>
@ -431,17 +430,17 @@ ou <b>ippp0</b> ou si vous avez une adresse IP statique, vous pouvez enlever
sujet de Internet Protocol (IP) <i>addresses</i>. Normalement, votre fournisseur sujet de Internet Protocol (IP) <i>addresses</i>. Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single <i>Public</i>IP Internet (ISP) vous assignera une seule adresse IP (single <i>Public</i>IP
address). Cette adresse peut &ecirc;tre assign&eacute;e par le Dynamic<i> address). Cette adresse peut &ecirc;tre assign&eacute;e par le Dynamic<i>
Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement de
de votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez
votre connexion PPP. Dans de rares cas , votre provider peut vous assigner votre connexion PPP. Dans de rares cas , votre provider peut vous assigner
une adresse statique<i> (static</i>IP address); cela signifie que vous devez une adresse statique<i> (static</i>IP address); cela signifie que vous devez
configurer l'interface externe de votre firewall afin d'utiliser cette adresse configurer l'interface externe de votre firewall afin d'utiliser cette adresse
de mani&egrave;re permanente. Votre adresse externe assign&eacute;e, elle de mani&egrave;re permanente. Votre adresse externe assign&eacute;e, elle
va &ecirc;tre partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s va &ecirc;tre partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s
&agrave; Internet. Vous devrez assigner vos propres adresses dans votre &agrave; Internet. Vous devrez assigner vos propres adresses dans votre r&eacute;seau
r&eacute;seau local (votre interface interne sur le firewall &nbsp;ainsi local (votre interface interne sur le firewall &nbsp;ainsi que les autres
que les autres ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages d'IP (<i>Private</i>IP
d'IP (<i>Private</i>IP address ranges) &agrave; cette fin :</p> address ranges) &agrave; cette fin :</p>
<pre style="text-align: left;"> 10.0.0.0 - 10.255.255.255an<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre style="text-align: left;"> 10.0.0.0 - 10.255.255.255an<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -455,11 +454,11 @@ externe dans le fichier /etc/shorewall/interfaces.</p>
<p align="left">Vous devrez assigner vos adresses depuis le m&ecirc;me sous-r&eacute;seau <p align="left">Vous devrez assigner vos adresses depuis le m&ecirc;me sous-r&eacute;seau
(<i>sub-network/subnet)</i>. Pour ce faire, nous pouvons consid&eacute;rer (<i>sub-network/subnet)</i>. Pour ce faire, nous pouvons consid&eacute;rer
un sous-r&eacute;seau dans une plage d'adresses x.y.z.0 - x.y.z.255. Chaque un sous-r&eacute;seau dans une plage d'adresses x.y.z.0 - x.y.z.255. Chaque
sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0. L'adresse sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0.
x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau (<i>Subnet L'adresse x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau
Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse de (<i>Subnet Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse
broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un sous-r&eacute;seau de broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un
est d&eacute;crit en utilisant <a sous-r&eacute;seau est d&eacute;crit en utilisant <a
href="shorewall_setup_guide.htm#Subnets"><i>la notation Classless InterDomain href="shorewall_setup_guide.htm#Subnets"><i>la notation Classless InterDomain
Routing </i>(CIDR)</a> qui consiste en l'adresse du sous-r&eacute;seau suivie Routing </i>(CIDR)</a> qui consiste en l'adresse du sous-r&eacute;seau suivie
par "/24". Le "24" se r&eacute;f&egrave;re au nombre cons&eacute;cutif de par "/24". Le "24" se r&eacute;f&egrave;re au nombre cons&eacute;cutif de
@ -510,8 +509,8 @@ bits marquant "1" dans la partie gauche du masque de sous-r&eacute;seau.</p>
</dl> </dl>
<p align="left">Il est de mise d'assigner l'interface interne (LAN) &agrave; <p align="left">Il est de mise d'assigner l'interface interne (LAN) &agrave;
la premi&egrave;re adresse utilisable du sous-r&eacute;seau (10.10.10.1 dans la premi&egrave;re adresse utilisable du sous-r&eacute;seau (10.10.10.1
l'exemple pr&eacute;c&eacute;dent) ou la derni&egrave;re adresse utilisable dans l'exemple pr&eacute;c&eacute;dent) ou la derni&egrave;re adresse utilisable
(10.10.10.254).</p> (10.10.10.254).</p>
<p align="left">L'un des buts d'un sous-r&eacute;seau est de permettre &agrave; <p align="left">L'un des buts d'un sous-r&eacute;seau est de permettre &agrave;
@ -524,14 +523,14 @@ des paquets &agrave; travers le gateway (routeur).</p>
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur &nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur
2 dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle 2 dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle
par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de l'interface
l'interface interne du firewall.</p> interne du firewall.</p>
<p align="left">The foregoing short discussion barely scratches the surface <p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more about regarding subnetting and routing. If you are interested in learning more
IP addressing and routing, I highly recommend <i>"IP Fundamentals: What Everyone about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
Needs to Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall, What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A.
1999, ISBN 0-13-975483-0.</p> Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">Le reste de ce guide assumera que vous avez configur&eacute; <p align="left">Le reste de ce guide assumera que vous avez configur&eacute;
votre r&eacute;seau comme montr&eacute; ci-dessous :</p> votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
@ -547,8 +546,8 @@ votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
<p align="left">Les adresses r&eacute;serv&eacute;es par la RFC 1918 sont <p align="left">Les adresses r&eacute;serv&eacute;es par la RFC 1918 sont
parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car les routeurs parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car les routeurs
Internet (backbone) ne font pas circuler les paquets qui ont une adresse de Internet (backbone) ne font pas circuler les paquets qui ont une adresse
destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes de destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes
en local (supposons l'ordinateur1) demande une connexion &agrave; un serveur en local (supposons l'ordinateur1) demande une connexion &agrave; un serveur
par Internet, le firewall doit appliquer un NAT<i> (Network Address Translation)</i>. par Internet, le firewall doit appliquer un NAT<i> (Network Address Translation)</i>.
Le firewall r&eacute; &eacute;crit l'adresse source dans le paquet, et l'a Le firewall r&eacute; &eacute;crit l'adresse source dans le paquet, et l'a
@ -557,22 +556,22 @@ le firewall fait croire que c'est lui m&ecirc;me qui initie la connexion.
Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit capable Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit capable
de renvoyer les paquets au firewall (souvenez vous que les paquets qui ont de renvoyer les paquets au firewall (souvenez vous que les paquets qui ont
pour adresse de destination, une adresse r&eacute;serv&eacute;e par la RFC pour adresse de destination, une adresse r&eacute;serv&eacute;e par la RFC
1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet, donc 1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet,
l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave; l'ordinateur donc l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave;
1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse, il remet l'ordinateur 1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse,
l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet vers il remet l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet
l'ordinateur 1. </p> vers l'ordinateur 1. </p>
<p align="left">Sur les syst&egrave;mes Linux, ce proc&eacute;d&eacute; est <p align="left">Sur les syst&egrave;mes Linux, ce proc&eacute;d&eacute; est
souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi le souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi
terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;. le terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;.
Shorewall suit la convention utilis&eacute;e avec Netfilter:</p> Shorewall suit la convention utilis&eacute;e avec Netfilter:</p>
<ul> <ul>
<li> <li>
<p align="left"><i>Masquerade</i> d&eacute;signe le cas ou vous laissez <p align="left"><i>Masquerade</i> d&eacute;signe le cas ou vous laissez
votre firewall d&eacute;tecter automatiquement l'adresse de l'interface externe. votre firewall d&eacute;tecter automatiquement l'adresse de l'interface
</p> externe. </p>
</li> </li>
<li> <li>
<p align="left"><i>SNAT</i> d&eacute;signe le cas o&ugrave; vous sp&eacute;cifiez <p align="left"><i>SNAT</i> d&eacute;signe le cas o&ugrave; vous sp&eacute;cifiez
@ -592,15 +591,15 @@ SNAT si elle est statique.</p>
&nbsp;&nbsp;&nbsp; Si votre interface externe du firewall est <b>eth0</b>, &nbsp;&nbsp;&nbsp; Si votre interface externe du firewall est <b>eth0</b>,
vous n'avez pas besoin de modifier le fichier fourni avec l'exemple. Dans vous n'avez pas besoin de modifier le fichier fourni avec l'exemple. Dans
le cas contraire, &eacute;ditez /etc/shorewall/masq et changez la premi&egrave;re le cas contraire, &eacute;ditez /etc/shorewall/masq et changez la premi&egrave;re
colonne par le nom de votre interface externe, et la seconde colonne par le colonne par le nom de votre interface externe, et la seconde colonne par
nom de votre interface interne.</p> le nom de votre interface interne.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image14" <p align="left"><img src="images/BD21298_.gif" name="Image14"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si votre IP externe est statique, vous pouvez la mettre &nbsp;&nbsp;&nbsp; Si votre IP externe est statique, vous pouvez la mettre
dans la troisi&egrave;me colonne dans /etc/shorewall/masq si vous le d&eacute;sirez, dans la troisi&egrave;me colonne dans /etc/shorewall/masq si vous le d&eacute;sirez,
de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez cette de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez
colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me cette colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me
colonne permet un traitement des paquets sortant un peu plus efficace.<br> colonne permet un traitement des paquets sortant un peu plus efficace.<br>
<br> <br>
<img src="images/BD21298_.gif" name="Image15" align="bottom" <img src="images/BD21298_.gif" name="Image15" align="bottom"
@ -628,12 +627,12 @@ de se connecter directement &agrave; eux. Il est n&eacute;cessaire &agrave;
ces clients d'adresser leurs demandes de connexion au firewall qui r&eacute; ces clients d'adresser leurs demandes de connexion au firewall qui r&eacute;
&eacute;crit l'adresse de destination de votre serveur, et fait passer le &eacute;crit l'adresse de destination de votre serveur, et fait passer le
paquet &agrave; celui-ci. Lorsque votre serveur r&eacute;pond, le firewall paquet &agrave; celui-ci. Lorsque votre serveur r&eacute;pond, le firewall
applique automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse source applique automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse
dans la r&eacute;ponse.</p> source dans la r&eacute;ponse.</p>
<p align="left">Ce proc&eacute;d&eacute; est appel&eacute;<i> Port Forwarding</i> <p align="left">Ce proc&eacute;d&eacute; est appel&eacute;<i> Port Forwarding</i>
ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez le ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez
port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p> le port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p>
<p>La forme g&eacute;n&eacute;rale d'une simple r&egrave;gle de port forwarding <p>La forme g&eacute;n&eacute;rale d'une simple r&egrave;gle de port forwarding
dans /etc/shorewall/rules est:</p> dans /etc/shorewall/rules est:</p>
@ -760,8 +759,8 @@ voulez faire passer les requ&ecirc;tes TCP sur le port 80 &agrave; ce syst&egrav
<li> <li>
<p style="margin-bottom: 0cm;">Vous devez tester la r&egrave;gle pr&eacute;c&eacute;dente <p style="margin-bottom: 0cm;">Vous devez tester la r&egrave;gle pr&eacute;c&eacute;dente
depuis un client &agrave; l'ext&eacute;rieur de votre r&eacute;seau local depuis un client &agrave; l'ext&eacute;rieur de votre r&eacute;seau local
(c.a.d., ne pas tester depuis un navigateur tournant sur l'ordinateur 1 ou (c.a.d., ne pas tester depuis un navigateur tournant sur l'ordinateur 1
2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute; d'acc&eacute;der ou 2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute; d'acc&eacute;der
&agrave; votre serveur web en utilisant l'adresse IP externe de votre firewall, &agrave; votre serveur web en utilisant l'adresse IP externe de votre firewall,
regardez <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>. </p> regardez <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>. </p>
</li> </li>
@ -838,39 +837,40 @@ les r&egrave;gles DNAT dont vous avez besoin.</p>
<h2 align="left">Domain Name Server (DNS)</h2> <h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normalement, quand vous vous connectez &agrave; votre fournisseur <p align="left">Normalement, quand vous vous connectez &agrave; votre fournisseur
(ISP), une partie consiste &agrave; obtenir votre adresse IP, votre DNS pour (ISP), une partie consiste &agrave; obtenir votre adresse IP, votre DNS
le firewall (<i>Domain Name Service) </i>est configur&eacute; automatiquement pour le firewall (<i>Domain Name Service) </i>est configur&eacute; automatiquement
(c.a.d.,le fichier /etc/resolv.conf a &eacute;t&eacute; &eacute;crit). Il (c.a.d.,le fichier /etc/resolv.conf a &eacute;t&eacute; &eacute;crit). Il
arrive que votre provider vous donne une paire d'adresse IP pour les DNS<i> arrive que votre provider vous donne une paire d'adresse IP pour les DNS<i>
(name servers)</i> afin que vous configuriez manuellement votre serveur de (name servers)</i> afin que vous configuriez manuellement votre serveur
nom primaire et secondaire. La mani&egrave;re dont le DNS est configur&eacute; de nom primaire et secondaire. La mani&egrave;re dont le DNS est configur&eacute;
sur votre firewall est de <u>votre</u> responsabilit&eacute;. Vous pouvez sur votre firewall est de <u>votre</u> responsabilit&eacute;. Vous pouvez
proc&eacute;der d'une de ses deux fa&ccedil;ons :</p> proc&eacute;der d'une de ses deux fa&ccedil;ons :</p>
<ul> <ul>
<li> <li>
<p align="left">Vous pouvez configurer votre syst&egrave;me interne pour <p align="left">Vous pouvez configurer votre syst&egrave;me interne
utiliser les noms de serveurs de votre provider. Si votre fournisseur vous pour utiliser les noms de serveurs de votre provider. Si votre fournisseur
donne les adresses de leurs serveurs ou si ces adresses sont disponibles vous donne les adresses de leurs serveurs ou si ces adresses sont disponibles
sur leur site web, vous pouvez configurer votre syst&egrave;me interne afin sur leur site web, vous pouvez configurer votre syst&egrave;me interne
de les utiliser. Si cette information n' est pas disponible, regardez dans afin de les utiliser. Si cette information n' est pas disponible, regardez
/etc/resolv.conf sur votre firewall -- les noms des serveurs sont donn&eacute;s dans /etc/resolv.conf sur votre firewall -- les noms des serveurs sont
dans l'enregistrement "nameserver" dans ce fichier. </p> donn&eacute;s dans l'enregistrement "nameserver" dans ce fichier. </p>
</li> </li>
<li> <li>
<p align="left"><img src="images/BD21298_.gif" name="Image17" <p align="left"><img src="images/BD21298_.gif" name="Image17"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Vous pouvez configurer un cache dns<i> (Caching Name &nbsp;&nbsp;&nbsp; Vous pouvez configurer un cache dns<i> (Caching Name
Server) </i>sur votre firewall.<i> </i>Red Hat a un RPM pour mettre en cache Server) </i>sur votre firewall.<i> </i>Red Hat a un RPM pour mettre en
un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs cache un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les
de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez utilisateurs de Bering, il y a dnscache.lrp. Si vous adoptez cette approche,
votre syst&egrave;me interne pour utiliser le firewall lui m&ecirc;me comme vous configurez votre syst&egrave;me interne pour utiliser le firewall
&eacute;tant le seul serveur de nom primaire. Vous pouvez utiliser l'adresse lui m&ecirc;me comme &eacute;tant le seul serveur de nom primaire. Vous
IP interne du firewall (10.10.10.254 dans l'exemple) pour l'adresse de serveur pouvez utiliser l'adresse IP interne du firewall (10.10.10.254 dans l'exemple)
de nom. Pour permettre &agrave; vos syst&egrave;mes locaux de discuter avec pour l'adresse de serveur de nom. Pour permettre &agrave; vos syst&egrave;mes
votre serveur cache de nom, vous devez ouvrir le port 53 (UDP ET&nbsp; TCP) locaux de discuter avec votre serveur cache de nom, vous devez ouvrir le
sur le firewall vers le r&eacute;seau local; vous ferez ceci en ajoutant port 53 (UDP ET&nbsp; TCP) sur le firewall vers le r&eacute;seau local;
les r&egrave;gles suivantes dans /etc/shorewall/rules. </p> vous ferez ceci en ajoutant les r&egrave;gles suivantes dans /etc/shorewall/rules.
</p>
</li> </li>
</ul> </ul>
@ -1038,10 +1038,10 @@ contiennent les r&egrave;gles suivantes :</p>
</dd> </dd>
</dl> </dl>
<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave; partir <p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave;
de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez d&eacute; partir de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez
comment&eacute; la ligne dans /etc/shorewall/policy autorisant toutes les d&eacute; comment&eacute; la ligne dans /etc/shorewall/policy autorisant
connexions depuis le firewall vers Internet.</p> toutes les connexions depuis le firewall vers Internet.</p>
<p align="left">Les exemples contiennent aussi :</p> <p align="left">Les exemples contiennent aussi :</p>
<a name="AutoNumber45"></a> <a name="AutoNumber45"></a>
@ -1102,11 +1102,12 @@ connexions depuis le firewall vers Internet.</p>
</dl> </dl>
<p align="left">Cette r&egrave;gle vous autorise &agrave; faire tourner un <p align="left">Cette r&egrave;gle vous autorise &agrave; faire tourner un
serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre r&eacute;seau serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre
local.</p> r&eacute;seau local.</p>
<p align="left">Si vous voulez permettre d'autres connexions entre votre firewall <p align="left">Si vous voulez permettre d'autres connexions entre votre
et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est :</p> firewall et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est
:</p>
<a name="AutoNumber46"></a> <a name="AutoNumber46"></a>
<dl> <dl>
<dd> <dd>
@ -1247,15 +1248,15 @@ firewall :</p>
</dd> </dd>
</dl> </dl>
<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter aux <p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter
r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez aux r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez
configurer un cache dns<i> (Caching Name Server) </i>sur votre firewall"</p> configurer un cache dns<i> (Caching Name Server) </i>sur votre firewall"</p>
<p align="left">Si vous ne savez pas quel port et quel protocole une application <p align="left">Si vous ne savez pas quel port et quel protocole une application
particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p> particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p>
<p align="left"><b>Important: </b>Je ne vous recommande pas de permettre le <p align="left"><b>Important: </b>Je ne vous recommande pas de permettre
telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me le telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me
pour le login et le mot de passe!). Si vous voulez un acc&egrave;s au shell pour le login et le mot de passe!). Si vous voulez un acc&egrave;s au shell
sur votre firewall depuis Internet, utilisez SSH :</p> sur votre firewall depuis Internet, utilisez SSH :</p>
<a name="AutoNumber48"></a> <a name="AutoNumber48"></a>
@ -1327,12 +1328,12 @@ pour ajouter ou supprimer les connexions voulues.</p>
&nbsp;&nbsp;&nbsp; La&nbsp; <a href="Install.htm">proc&eacute;dure d'installation</a> &nbsp;&nbsp;&nbsp; La&nbsp; <a href="Install.htm">proc&eacute;dure d'installation</a>
configure votre syst&egrave;me pour lancer Shorewall au boot du syst&egrave;me, configure votre syst&egrave;me pour lancer Shorewall au boot du syst&egrave;me,
mais pour les d&eacute;butants sous Shorewall version 1.3.9, le lancement mais pour les d&eacute;butants sous Shorewall version 1.3.9, le lancement
est d&eacute;sactiv&eacute; tant que la configuration n' est pas finie. Une est d&eacute;sactiv&eacute; tant que la configuration n' est pas finie.
fois la configuration de votre firewall achev&eacute;e, vous pouvez permettre Une fois la configuration de votre firewall achev&eacute;e, vous pouvez
le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p> permettre le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p> des paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p>
<p align="left">Le firewall est lanc&eacute; en utilisant la commande "shorewall <p align="left">Le firewall est lanc&eacute; en utilisant la commande "shorewall
start" et stopp&eacute; avec "shorewall stop". Lorsque le firewall est stopp&eacute;, start" et stopp&eacute; avec "shorewall stop". Lorsque le firewall est stopp&eacute;,
@ -1345,10 +1346,11 @@ dans votre configuration de Netfilter, utilisez "shorewall clear".</p>
<p align="left"><img src="images/BD21298_.gif" name="Image20" <p align="left"><img src="images/BD21298_.gif" name="Image20"
align="bottom" width="13" height="13" border="0"> align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Les exemples (two-interface) supposent que vous voulez &nbsp;&nbsp;&nbsp; Les exemples (two-interface) supposent que vous voulez
permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local) lorsque permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local)
Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est pas connect&eacute; lorsque Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est
&agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s depuis ou pas connect&eacute; &agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s
vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped en cons&eacute;quence.</p> depuis ou vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped
en cons&eacute;quence.</p>
<p align="left"><b>ATTENTION: </b>Si vous &ecirc;tes connect&eacute; &agrave; <p align="left"><b>ATTENTION: </b>Si vous &ecirc;tes connect&eacute; &agrave;
votre firewall depuis Internet, n'essayez pas la commande "shorewall stop" votre firewall depuis Internet, n'essayez pas la commande "shorewall stop"
@ -1374,5 +1376,6 @@ M. Eastep</font></a></p>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

210
STABLE/documentation/upgrade_issues.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -55,17 +55,37 @@ are currently running.<br>
<h3> </h3> <h3> </h3>
<h3>Version &gt;= 1.4.6</h3>
<ul>
<li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed
from shorewall.conf. These capabilities are now automatically detected by
Shorewall.</li>
<li>An undocumented <i>feature</i> previously allowed entries in the host
file as follows:<br>
<br>
<i>zone</i>    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
<br>
<i>zone</i>   eth1:192.168.1.0/24,192.168.2.0/24<br>
</li>
</ul>
<h3>Version &gt;= 1.4.4</h3> <h3>Version &gt;= 1.4.4</h3>
If you are upgrading from 1.4.3 and have set the LOGMARKER variable in If you are upgrading from 1.4.3 and have set the LOGMARKER variable
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then
you must set the new LOGFORMAT variable appropriately and remove your setting you must set the new LOGFORMAT variable appropriately and remove your setting
of LOGMARKER<br> of LOGMARKER<br>
<br> <br>
<h3>Version 1.4.4<br> <h3>Version 1.4.4<br>
</h3> </h3>
If you have zone names that are 5 characters long, you may experience problems If you have zone names that are 5 characters long, you may experience
starting Shorewall because the --log-prefix in a logging rule is too long. problems starting Shorewall because the --log-prefix in a logging rule
Upgrade to Version 1.4.4a to fix this problem..<br> is too long. Upgrade to Version 1.4.4a to fix this problem..<br>
<h3>Version &gt;= 1.4.2</h3> <h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular There are some cases where you may want to handle traffic from a particular
@ -74,8 +94,8 @@ Upgrade to Version 1.4.4a to fix this problem..<br>
<ol> <ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li> <li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a transparent <li><a href="Shorewall_Squid_Usage.html">When running Squid as a
proxy in your local zone.</a></li> transparent proxy in your local zone.</a></li>
</ol> </ol>
If you have either of these cases, you will want to review the current If you have either of these cases, you will want to review the current
@ -84,29 +104,30 @@ Upgrade to Version 1.4.4a to fix this problem..<br>
<h3>Version &gt;= 1.4.1</h3> <h3>Version &gt;= 1.4.1</h3>
<ul> <ul>
<li>Beginning with Version 1.4.1, traffic between groups in the <li>Beginning with Version 1.4.1, traffic between groups in
same zone is accepted by default. Previously, traffic from a zone to itself the same zone is accepted by default. Previously, traffic from a zone
was treated just like any other traffic; any matching rules were applied to itself was treated just like any other traffic; any matching rules
followed by enforcement of the appropriate policy. With 1.4.1 and later were applied followed by enforcement of the appropriate policy. With 1.4.1
versions, unless you have explicit rules for traffic from Z to Z or you and later versions, unless you have explicit rules for traffic from Z
have an explicit Z to Z policy (where "Z" is some zone) then traffic between to Z or you have an explicit Z to Z policy (where "Z" is some zone) then
the groups in zone Z will be accepted. If you do have one or more explicit traffic between the groups in zone Z will be accepted. If you do have one
rules for Z to Z or if you have an explicit Z to Z policy then the behavior or more explicit rules for Z to Z or if you have an explicit Z to Z policy
is as it was in prior versions.</li> then the behavior is as it was in prior versions.</li>
</ul> </ul>
<blockquote> <blockquote>
<ol> <ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic <li>If you have a Z Z ACCEPT policy for a zone to allow traffic
between two interfaces to the same zone, that policy can be removed and between two interfaces to the same zone, that policy can be removed
traffic between the interfaces will traverse fewer rules than previously.</li> and traffic between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z <li>If you have a Z Z DROP or Z Z REJECT policy or you have
rules then your configuration should not require any change.</li> Z-&gt;Z rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that <li>If you are currently relying on a implicit policy (one
has "all" in either the SOURCE or DESTINATION column) to prevent traffic that has "all" in either the SOURCE or DESTINATION column) to prevent
between two interfaces to a zone Z and you have no rules for Z-&gt;Z then traffic between two interfaces to a zone Z and you have no rules for
you should add an explicit DROP or REJECT policy for Z to Z.<br> Z-&gt;Z then you should add an explicit DROP or REJECT policy for Z to
Z.<br>
</li> </li>
</ol> </ol>
@ -124,27 +145,27 @@ between them. </li>
<blockquote> <blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre> <pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote> </blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to Here, zone z1 is nested in zone z2 and the firewall is not going
be involved in any traffic between these two zones. Beginning with Shorewall to be involved in any traffic between these two zones. Beginning with
1.4.1, you can prevent Shorewall from setting up any infrastructure to handle Shorewall 1.4.1, you can prevent Shorewall from setting up any infrastructure
traffic between z1 and z2 by using the new NONE policy:<br> to handle traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre> <pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote> </blockquote>
Note that NONE policies are generally used in pairs unless there is Note that NONE policies are generally used in pairs unless there
asymetric routing where only the traffic on one direction flows through is asymetric routing where only the traffic on one direction flows through
the firewall and you are using a NONE polciy in the other direction. </blockquote> the firewall and you are using a NONE polciy in the other direction. </blockquote>
<h3>Version 1.4.1<br> <h3>Version 1.4.1<br>
</h3> </h3>
<ul> <ul>
<li>In Version 1.4.1, Shorewall will never create rules to deal <li>In Version 1.4.1, Shorewall will never create rules to
with traffic from a given group back to itself. The <i>multi</i> interface deal with traffic from a given group back to itself. The <i>multi</i>
option is no longer available so if you want to route traffic between two interface option is no longer available so if you want to route traffic
subnetworks on the same interface then I recommend that you upgrade to Version between two subnetworks on the same interface then I recommend that you
1.4.2 and use the 'routeback' interface or host option. </li> upgrade to Version 1.4.2 and use the 'routeback' interface or host option. </li>
</ul> </ul>
@ -153,31 +174,32 @@ between them. </li>
iproute package ('ip' utility).</b><br> iproute package ('ip' utility).</b><br>
<br> <br>
<b>Note: </b>Unfortunately, some distributions call this package <b>Note: </b>Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br> iproute2 which will cause the upgrade of Shorewall to fail with the
diagnostic:<br>
<br> <br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1      error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
<br> <br>
This may be worked around by using the --nodeps option of rpm (rpm This may be worked around by using the --nodeps option of rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br> (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
If you are upgrading from a version &lt; 1.4.0, then:<br> If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul> <ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options <li>The <b>noping </b>and <b>forwardping</b> interface
are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf. options are no longer supported nor is the <b>FORWARDPING </b>option
ICMP echo-request (ping) packets are treated just like any other connection in shorewall.conf. ICMP echo-request (ping) packets are treated just
request and are subject to rules and policies.</li> like any other connection request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li> (they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when there contents are determined by BOTH the interfaces and hosts files when
are entries for the zone in both files.</li> there are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and <li>The <b>routestopped</b> option in the interfaces
hosts file has been eliminated; use entries in the routestopped file and hosts file has been eliminated; use entries in the routestopped
instead.</li> file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
is no longer accepted; you must convert to using the new syntax.</li> is no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf <li value="6">The ALLOWRELATED variable in shorewall.conf
@ -216,18 +238,18 @@ file.</li>
<blockquote> <blockquote>
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to <li>There is an <u>explicit</u> policy for the source zone
or from the destination zone. An explicit policy names both zones and to or from the destination zone. An explicit policy names both zones
does not use the 'all' reserved word.</li> and does not use the 'all' reserved word.</li>
</ul> </ul>
<ul> <ul>
<li>There are one or more rules for traffic for the source zone <li>There are one or more rules for traffic for the source
to or from the destination zone including rules that use the 'all' reserved zone to or from the destination zone including rules that use the 'all'
word. Exception: if the source zone and destination zone are the same reserved word. Exception: if the source zone and destination zone are
then the rule must be explicit - it must name the zone in both the SOURCE the same then the rule must be explicit - it must name the zone in both
and DESTINATION columns.</li> the SOURCE and DESTINATION columns.</li>
</ul> </ul>
</blockquote> </blockquote>
@ -246,13 +268,14 @@ subnet on the interface (as shown by "ip addr show <i>interface</i>")
and would masquerade traffic from that subnet. Any other subnets that and would masquerade traffic from that subnet. Any other subnets that
routed through eth1 needed their own entry in /etc/shorewall/masq to routed through eth1 needed their own entry in /etc/shorewall/masq to
be masqueraded or to have SNAT applied.</li> be masqueraded or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the <li>Beginning with Shorewall 1.3.14, Shorewall uses
firewall's routing table to determine ALL subnets routed through the firewall's routing table to determine ALL subnets routed through
the named interface. Traffic originating in ANY of those subnets the named interface. Traffic originating in ANY of those subnets is
is masqueraded or has SNAT applied.</li> masqueraded or has SNAT applied.</li>
</ul> </ul>
You will need to make a change to your configuration if:<br> You will need to make a change to your configuration
if:<br>
<ol> <ol>
<li>You have one or more entries in /etc/shorewall/masq <li>You have one or more entries in /etc/shorewall/masq
@ -262,8 +285,8 @@ is masqueraded or has SNAT applied.</li>
</ol> </ol>
Two examples:<br> Two examples:<br>
<br> <br>
 <b>Example 1</b> -- Suppose that your current config is  <b>Example 1</b> -- Suppose that your current config
as follows:<br> is as follows:<br>
   <br>    <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
@ -271,8 +294,8 @@ as follows:<br>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer <blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br> required.<br>
</blockquote> </blockquote>
<b>Example 2</b>-- What if your current configuration is <b>Example 2</b>-- What if your current configuration
like this?<br> is like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
@ -293,8 +316,9 @@ the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br> handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now If you have installed the 1.3.10 Beta 1 RPM and are
upgrading to version 1.3.10, you will need to use the '--force' option:<br> now upgrading to version 1.3.10, you will need to use the '--force'
option:<br>
<br> <br>
<blockquote> <blockquote>
@ -332,15 +356,16 @@ upgrading to version 1.3.10, you will need to use the '--force' option:<b
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p> <p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have <li>Be sure you
a backup -- you will need to transcribe have a backup -- you will need
any Shorewall configuration changes to transcribe any Shorewall configuration
that you have made to the new configuration.</li> changes that you have made to the new
<li>Replace the shorwall.lrp configuration.</li>
package provided on the Bering <li>Replace the
floppy with the later one. If you did shorwall.lrp package provided on
not obtain the later version from Jacques's site, see additional the Bering floppy with the later one. If you did
instructions below.</li> not obtain the later version from Jacques's site,
see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list <li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall file and remove the /var/lib/shorewall
entry if present. Then do not entry if present. Then do not
@ -362,28 +387,30 @@ forget to backup root.lrp !</li>
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6 your firewall setup slightly under Shorewall versions
and 1.3.7</p> 1.3.6 and 1.3.7</p>
<ol> <ol>
<li> <li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br> the following rule<br>
<br> <br>
<font face="Courier">run_iptables -A newnotsyn <font face="Courier">run_iptables -A
-j RETURN # So that the connection tracking table can newnotsyn -j RETURN # So that the connection tracking
be rebuilt<br> table can be rebuilt<br>
                                    # from                                    
non-SYN packets after takeover.<br> # from non-SYN packets after takeover.<br>
 </font> </p>  </font> </p>
</li> </li>
<li> <li>
<p align="left">Create /etc/shorewall/common (if you don't already <p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br> have that file) and include the following:<br>
<br> <br>
<font face="Courier">run_iptables -A common <font face="Courier">run_iptables -A
-p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
Acks to rebuild connection<br> #Accept Acks to rebuild connection<br>
                                                                                                                                       
#tracking table. <br> #tracking table. <br>
. /etc/shorewall/common.def</font> </p> . /etc/shorewall/common.def</font> </p>
@ -428,14 +455,17 @@ Acks to rebuild connection<br>
<p align="left">The functions and versions files together with the 'firewall' <p align="left">The functions and versions files together with the 'firewall'
symbolic link have moved from /etc/shorewall to /var/lib/shorewall. symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications If you have applications that access these files, those
should be modified accordingly.</p> applications should be modified accordingly.</p>
<p><font size="2"> Last updated 5/27/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2"> Last updated 6/29/2003 - <a href="support.htm">Tom
</p> Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>

3
STABLE/documentation/useful_links.html
View File

@ -12,7 +12,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4" style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -61,5 +61,6 @@
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

55
STABLE/documentation/whitelisting_under_shorewall.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -27,9 +27,9 @@
</tbody> </tbody>
</table> </table>
<p align="left">For a brief time, the 1.2 version of Shorewall supported an <p align="left">For a brief time, the 1.2 version of Shorewall supported
/etc/shorewall/whitelist file. This file was intended to contain a list of an /etc/shorewall/whitelist file. This file was intended to contain a list
IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist of IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist
file was implemented as a stop-gap measure until the facilities necessary file was implemented as a stop-gap measure until the facilities necessary
for implementing white lists using zones was in place. As of Version 1.3 for implementing white lists using zones was in place. As of Version 1.3
RC1, those facilities were available.</p> RC1, those facilities were available.</p>
@ -39,12 +39,13 @@ to a set
following environment:</p> following environment:</p>
<ul> <ul>
<li>A firewall with three interfaces -- one to the internet, one to <li>A firewall with three interfaces -- one to the internet, one
a local network and one to a DMZ.</li> to a local network and one to a DMZ.</li>
<li>The local network uses SNAT to the internet and is comprised of <li>The local network uses SNAT to the internet and is comprised
the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918 of the class B network 10.10.0.0/16 (Note: While this example uses an RFC
local network, the technique described here in no way depends on that or 1918 local network, the technique described here in no way depends on
on SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).</li> that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static
NAT, etc.).</li>
<li>The network operations staff have workstations with IP addresses <li>The network operations staff have workstations with IP addresses
in the class C network 10.10.10.0/24</li> in the class C network 10.10.10.0/24</li>
<li>We want the network operations staff to have full access to all <li>We want the network operations staff to have full access to all
@ -127,7 +128,6 @@ since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -139,7 +139,6 @@ we don't specify a zone for it here.</p>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> <blockquote> <font face="Century Gothic, Arial, Helvetica">
</font> </font>
<table border="2"> <table border="2">
<tbody> <tbody>
<tr> <tr>
@ -159,23 +158,21 @@ we don't specify a zone for it here.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is <p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is stopped,
stopped, only the hosts in the <b>ops</b> zone will be allowed to access the only the hosts in the <b>ops</b> zone will be allowed to access the firewall
firewall and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than 10.10.0.0/16
than 10.10.0.0/16 so that the limited broadcast address (255.255.255.255) so that the limited broadcast address (255.255.255.255) falls into that
falls into that zone. If I used 10.10.0.0/16 then I would have to have a zone. If I used 10.10.0.0/16 then I would have to have a separate entry for
separate entry for that special address.</p> that special address.</p>
<h2>Policy File</h2> <h2>Policy File</h2>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> <blockquote> <font face="Century Gothic, Arial, Helvetica">
</font> </font>
<table border="2"> <table border="2">
<tbody> <tbody>
<tr> <tr>
@ -189,18 +186,14 @@ separate entry for that special address.</p>
<td><font color="#0000ff">ops</font></td> <td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">all</font></td> <td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ACCEPT</font></td> <td><font color="#0000ff">ACCEPT</font></td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td><font color="#0000ff">all</font></td> <td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ops</font></td> <td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">CONTINUE</font></td> <td><font color="#0000ff">CONTINUE</font></td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
@ -208,7 +201,6 @@ separate entry for that special address.</p>
<td>net</td> <td>net</td>
<td>ACCEPT</td> <td>ACCEPT</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
@ -226,7 +218,6 @@ separate entry for that special address.</p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -271,8 +262,6 @@ file.<font color="#ff0000"><b></b></font></p>
<td> </td> <td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
@ -280,6 +269,7 @@ file.<font color="#ff0000"><b></b></font></p>
<p>This is the rule that transparently redirects web traffic to the transparent <p>This is the rule that transparently redirects web traffic to the transparent
proxy running on the firewall. The SOURCE column explicitly excludes the proxy running on the firewall. The SOURCE column explicitly excludes the
<b>ops</b> zone from the rule.</p> <b>ops</b> zone from the rule.</p>
<h2>Routestopped File</h2> <h2>Routestopped File</h2>
<blockquote> <blockquote>
@ -302,24 +292,17 @@ file.<font color="#ff0000"><b></b></font></p>
<td>10.10.10.0/24</td> <td>10.10.10.0/24</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p> © <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
<br>
<br> <br>
<br> <br>
</body> </body>

2
STABLE/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.5 VERSION=1.4.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

10
STABLE/firewall
View File

@ -1866,7 +1866,7 @@ add_nat_rule() {
log_rule $loglevel $chain $logtarget -t nat log_rule $loglevel $chain $logtarget -t nat
fi fi
addnatrule $chain -j $target1 addnatrule $chain $proto -j $target1
else else
for adr in `separate_list $addr`; do for adr in `separate_list $addr`; do
run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \ run_iptables2 -t nat -A OUTPUT $proto $sports -d $adr \
@ -1899,7 +1899,7 @@ add_nat_rule() {
log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr` log_rule $loglevel $chain $logtarget -t nat -d `fix_bang $adr`
fi fi
addnatrule $chain -d $adr -j $target1 addnatrule $chain $proto -d $adr -j $target1
done done
else else
for adr in `separate_list $addr`; do for adr in `separate_list $addr`; do
@ -2218,11 +2218,11 @@ process_rule() # $1 = target
fatal_error "Empty source zone or qualifier: rule \"$rule\"" fatal_error "Empty source zone or qualifier: rule \"$rule\""
fi fi
if [ "$clientzone" = "${clientzone%\!*}" ]; then if [ "$clientzone" = "${clientzone%!*}" ]; then
excludezones= excludezones=
else else
excludezones="${clientzone#*\!}" excludezones="${clientzone#*!}"
clientzone="${clientzone%\!*}" clientzone="${clientzone%!*}"
[ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\ [ "$logtarget" = DNAT ] || [ "$logtarget" = REDIRECT ] ||\
fatal_error "Exclude list only allowed with DNAT or REDIRECT" fatal_error "Exclude list only allowed with DNAT or REDIRECT"

161
STABLE/functions
View File

@ -219,3 +219,164 @@ strip_file() # $1 = Base Name of the file, $2 = Full Name of File (optional)
> $TMP_DIR/$1 > $TMP_DIR/$1
fi fi
} }
#
# Note: The following set of IP address manipulation functions have anomalous
# behavior when the shell only supports 32-bit signed arithmatic and
# the IP address is 128.0.0.0 or 128.0.0.1.
#
#
# So that emacs doesn't get lost, we use $LEFTSHIFT rather than <<
#
LEFTSHIFT='<<'
#
# Convert an IP address in dot quad format to an integer
#
decodeaddr() {
local x
local temp=0
local ifs=$IFS
IFS=.
for x in $1; do
temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
done
echo $temp
IFS=$ifs
}
#
# convert an integer to dot quad format
#
encodeaddr() {
addr=$1
local x
local y=$(($addr & 255))
for x in 1 2 3 ; do
addr=$(($addr >> 8))
y=$(($addr & 255)).$y
done
echo $y
}
#
# Enumerate the members of an IP range -- When using a shell supporting only
# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
#
ip_range() {
local first last l x y z vlsm
case $1 in
[0-9]*.*.*.*-*.*.*.*)
;;
*)
echo $1
return
;;
esac
first=`decodeaddr ${1%-*}`
last=`decodeaddr ${1#*-}`
if [ $first -gt $last ]; then
fatal_error "Invalid IP address range: $1"
fi
l=$(( $last + 1 ))
while [ $first -le $last ]; do
vlsm=
x=31
y=2
z=1
while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do
vlsm=/$x
x=$(( $x - 1 ))
z=$y
y=$(( $y * 2 ))
done
echo `encodeaddr $first`$vlsm
first=$(($first + $z))
done
}
#
# Netmask from CIDR
#
ip_netmask() {
local vlsm=${1#*/}
[ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
}
#
# Network address from CIDR
#
ip_network() {
local decodedaddr=`decodeaddr ${1%/*}`
local netmask=`ip_netmask $1`
echo `encodeaddr $(($decodedaddr & $netmask))`
}
#
# The following hack is supplied to compensate for the fact that many of
# the popular light-weight Bourne shell derivatives don't support XOR ("^").
#
# Note: 2147483647 = 0x7fffffff
ip_broadcast() {
local x=$(( ${1#*/} - 1 ))
[ $x -eq -1 ] && echo -1 || echo $(( 2147483647 >> $x ))
}
#
# Calculate broadcast address from CIDR
#
broadcastaddress() {
local decodedaddr=`decodeaddr ${1%/*}`
local netmask=`ip_netmask $1`
local broadcast=`ip_broadcast $1`
echo `encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast ))`
}
#
# Test for subnet membership
#
in_subnet() # $1 = IP address, $2 = CIDR network
{
local netmask=`ip_netmask $2`
test $(( `decodeaddr $1` & $netmask)) -eq $(( `decodeaddr ${2%/*}` & $netmask ))
}
#
# Netmask to VLSM
#
ip_vlsm() {
local mask=`decodeaddr $1`
local vlsm=0
local x=$(( 128 $LEFTSHIFT 24 ))
while [ $(( $x & $mask )) -ne 0 ]; do
[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Don't Ask...
vlsm=$(($vlsm + 1))
done
if [ $(( $mask & 2147483647)) -ne 0 ]; then
echo "Invalid net mask: $1" >&2
else
echo $vlsm
fi
}

3
STABLE/hosts
View File

@ -20,7 +20,7 @@
# ZONE - The name of a zone defined in /etc/shorewall/zones # ZONE - The name of a zone defined in /etc/shorewall/zones
# #
# HOST(S) - The name of an interface followed by a colon (":") and # HOST(S) - The name of an interface followed by a colon (":") and
# either: # a comma-separated list whose elements are either:
# #
# a) The IP address of a host # a) The IP address of a host
# b) A subnetwork in the form # b) A subnetwork in the form
@ -33,6 +33,7 @@
# #
# eth1:192.168.1.3 # eth1:192.168.1.3
# eth2:192.168.2.0/24 # eth2:192.168.2.0/24
# eth3:192.168.2.0/24,192.168.3.1
# #
# OPTIONS - A comma-separated list of options. Currently-defined # OPTIONS - A comma-separated list of options. Currently-defined
# options are: # options are:

2
STABLE/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.5 VERSION=1.4.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

14
STABLE/interfaces
View File

@ -20,6 +20,10 @@
# an alias (e.g., eth0:0) here; see # an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18 # http://www.shorewall.net/FAQ.htm#faq18
# #
# You may specify wildcards here. For example, if you
# want to make an entry that applies to all PPP
# interfaces, use 'ppp+'.
#
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE. # DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
# #
# BROADCAST The broadcast address for the subnetwork to which the # BROADCAST The broadcast address for the subnetwork to which the
@ -89,6 +93,16 @@
# sub-networking as described at: # sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet # http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
# #
# newnotsyn - TCP packets that don't have the SYN
# flag set and which are not part of an
# established connection will be accepted
# from this interface, even if
# NEWNOTSYN=No has been specified in
# /etc/shorewall/shorewall.conf.
#
# This option has no effect if
# NEWNOTSYN=Yes.
#
# The order in which you list the options is not # The order in which you list the options is not
# significant but the list should have no embedded white # significant but the list should have no embedded white
# space. # space.

13
STABLE/masq
View File

@ -42,12 +42,15 @@
# will automatically add this address to the # will automatically add this address to the
# INTERFACE named in the first column. # INTERFACE named in the first column.
# #
# WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if # You may also specify a range of up to 256
# the address given in this column is the primary # IP addresses if you want the SNAT address to
# IP address for the interface in the INTERFACE # be assigned from that range in a round-robin
# column. # range by connection. The range is specified by
# <first ip in range>-<last ip in range>.
# #
# This column may not contain a DNS Name. # Example: 206.124.146.177-206.124.146.180
#
# This column may not contain DNS Names.
# #
# Example 1: # Example 1:
# #

181
STABLE/releasenotes.txt
View File

@ -2,19 +2,180 @@ This is a minor release of Shorewall.
Problems Corrected: Problems Corrected:
1) The command "shorewall debug try <directory>" now correctly traces 1) A problem seen on RH7.3 systems where Shorewall encountered start
the attempt. errors when started using the "service" mechanism has been worked
around.
2) The INCLUDE directive now works properly in the zones file; 2) Where a list of IP addresses appears in the DEST column of a DNAT[-]
previously, INCLUDE in that file was ignored. rule, Shorewall incorrectly created multiple DNAT rules in the nat
table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.
3) /etc/shorewall/routestopped records with an empty second column are no 3) Corrected a problem in Beta 1 where DNS names containing a "-" were
longer ignored. mis-handled when they appeared in the DEST column of a rule.
4) The handling of z1!z2 in the SOURCE column of DNAT and REDIRECT
rules has been corrected.
5) The message "Adding rules for DHCP" is now suppressed if there are
no DHCP rules to add.
Migration Issues:
1) In earlier versions, an undocumented feature allowed entries in
the host file as follows:
z eth1:192.168.1.0/24,eth2:192.168.2.0/24
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:
z eth1:192.168.1.0/24,192.168.2.0/24
2) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are
now automatically detected by Shorewall (see below).
New Features: New Features:
1) The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now 1) A 'newnotsyn' interface option has been added. This option may be
contain a list of addresses. If the list begins with "!' then the specified in /etc/shorewall/interfaces and overrides the setting
rule will take effect only if the original destination address in NEWNOTSYN=No for packets arriving on the associated interface.
the connection request does not match any of the addresses listed.
2) The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now
documented. ADD_SNAT_ALIASES=Yes is enabled for address ranges.
3) Shorewall can now add IP addresses to subnets other than the first
one on an interface.
4) DNAT[-] rules may now be used to load balance (round-robin) over a
set of servers. Any number of servers may be specified in a range of
addresses given as <first address>-<last address> and multiple
ranges or individual servers may be specified in a comma-separated
list.
Example:
DNAT net loc:192.168.10.2-192.168.10.5,192.168.10.44 tcp 80
5) The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration options
have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The
output of the start, restart and check commands have been enhanced
to report the outcome:
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Verifying Configuration...
6) Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in
netfilter's connection tracking table.
Shorewall automatically detects the availability of this extension
and reports its availability in the output of the start, restart and
check commands.
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Verifying Configuration...
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:
a) To handle 'norfc1918' filtering, Shorewall will not create chains
in the mangle table but will rather do all 'norfc1918' filtering in
the filter table (rfc1918 chain).
b) Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table
is extended to check that the original destination address was the
same as specified (or defaulted to) in the DNAT rule.
7) The shell used to interpret the firewall script
(/usr/share/shorewall/firewall) may now be specified using the
SHOREWALL_SHELL parameter in shorewall.conf.
8) An 'ipcalc' command has been added to /sbin/shorewall.
ipcalc [ <address> <netmask> | <address>/<vlsm> ]
Examples:
[root@wookie root]# shorewall ipcalc 192.168.1.0/24
CIDR=192.168.1.0/24
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
[root@wookie root]#
[root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0
CIDR=192.168.1.0/24
NETMASK=255.255.255.0
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
[root@wookie root]#
Warning:
If your shell only supports 32-bit signed arithmatic (ash or
dash), then the ipcalc command produces incorrect information for
IP addresses 128.0.0.0-1 and for /1 networks. Bash should produce
correct information for all valid IP addresses.
9) An 'iprange' command has been added to /sbin/shorewall.
iprange <address>-<address>
This command decomposes a range of IP addressses into a list of
network and host addresses. The command can be useful if you need to
construct an efficient set of rules that accept connections from a
range of network addresses.
Note: If your shell only supports 32-bit signed arithmetic (ash or
dash) then the range may not span 128.0.0.0.
Example:
[root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9
192.168.1.4/30
192.168.1.8/29
192.168.1.16/28
192.168.1.32/27
192.168.1.64/26
192.168.1.128/25
192.168.2.0/23
192.168.4.0/22
192.168.8.0/22
192.168.12.0/29
192.168.12.8/31
[root@gateway root]#
10) A list of host/net addresses is now allowed in an entry in
/etc/shorewall/hosts.
Example:
foo eth1:192.168.1.0/24,192.168.2.0/24
11) The "shorewall check" command now includes the chain name when
printing the applicable policy for each pair of zones.
Example:
Policy for dmz to net is REJECT using chain all2all
This means that the policy for connections from the dmz to the
internet is REJECT and the applicable entry in the
/etc/shorewall/policy was the all->all policy.
12) Support for the 2.6 Kernel series has been added.

18
STABLE/rules
View File

@ -107,6 +107,12 @@
# 3. You may not specify both an interface and # 3. You may not specify both an interface and
# an address. # an address.
# #
# Unlike in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to addresses in the
# range in a round-robin fashion.
#
# The port that the server is listening on may be # The port that the server is listening on may be
# included and separated from the server's IP address by # included and separated from the server's IP address by
# ":". If omitted, the firewall will not modifiy the # ":". If omitted, the firewall will not modifiy the
@ -137,7 +143,7 @@
# In that case, it is suggested that this field contain # In that case, it is suggested that this field contain
# "-" # "-"
# #
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then # If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in # only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below: # this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed. # 1. There are 15 or less ports listed.
@ -154,7 +160,7 @@
# specify an ADDRESS in the next column, then place "-" # specify an ADDRESS in the next column, then place "-"
# in this column. # in this column.
# #
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then # If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in # only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above: # this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed. # 1. There are 15 or less ports listed.
@ -214,6 +220,14 @@
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST # # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 # DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
#
# Example: You want to accept SSH connections to your firewall only
# from internet IP addresses 130.252.100.69 and 130.252.100.70
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT net:130.252.100.69,130.252.100.70 \
# tcp 22
############################################################################## ##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST # PORT PORT(S) DEST

72
STABLE/shorewall
View File

@ -82,6 +82,22 @@
# be automatically reinstated the # be automatically reinstated the
# next time that Shorewall starts. # next time that Shorewall starts.
# #
# shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
#
# Displays information about the network
# defined by the argument[s]
#
# shorewall iprange <address>-<address> Decomposes a range of IP addresses into
# a list of network/host addresses.
#
# Fatal Error
#
fatal_error() # $@ = Message
{
echo " $@" >&2
exit 2
}
# Display a chain if it exists # Display a chain if it exists
# #
@ -138,6 +154,13 @@ get_config() {
[ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:" [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -e "$SHOREWALL_SHELL" ]; then
echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
exit 2
fi
fi
} }
# #
@ -521,6 +544,8 @@ usage() # $1 = exit status
echo " reject <address> ..." echo " reject <address> ..."
echo " allow <address> ..." echo " allow <address> ..."
echo " save" echo " save"
echo " ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
echo " iprange <address>-<address>"
exit $1 exit $1
} }
@ -653,11 +678,13 @@ esac
case "$1" in case "$1" in
start|stop|restart|reset|clear|refresh|check) start|stop|restart|reset|clear|refresh|check)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
exec $FIREWALL $debugging $nolock $1 get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
;; ;;
add|delete) add|delete)
[ $# -ne 3 ] && usage 1 [ $# -ne 3 ] && usage 1
exec $FIREWALL $debugging $nolock $1 $2 $3 get_config
exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1 $2 $3
;; ;;
show|list) show|list)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
@ -860,7 +887,48 @@ case "$1" in
fi fi
mutex_off mutex_off
;; ;;
ipcalc)
if [ $# -eq 2 ]; then
address=${2%/*}
vlsm=${2#*/}
elif [ $# -eq 3 ]; then
address=$2
vlsm=`ip_vlsm $3`
else
usage 1
fi
[ -z "$vlsm" ] && exit 2
[ "x$address" = "x$vlsm" ] && usage 2
[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
address=$address/$vlsm
echo " CIDR=$address"
temp=`ip_netmask $address`; echo " NETMASK=`encodeaddr $temp`"
temp=`ip_network $address`; echo " NETWORK=$temp"
temp=`broadcastaddress $address`; echo " BROADCAST=$temp"
;;
iprange)
case $2 in
*.*.*.*-*.*.*.*)
ip_range $2
;;
*) *)
usage 1 usage 1
;; ;;
esac esac
;;
call)
#
# Undocumented way to call functions in /usr/share/shorewall/functions directly
#
shift;
$@
;;
*)
usage 1
;;
esac

53
STABLE/shorewall.conf
View File

@ -144,7 +144,7 @@ BLACKLIST_LOGLEVEL=
# Example: LOGNEWNOTSYN=debug # Example: LOGNEWNOTSYN=debug
LOGNEWNOTSYN= LOGNEWNOTSYN=info
# #
# MAC List Log Level # MAC List Log Level
@ -191,6 +191,14 @@ RFC1918_LOG_LEVEL=info
# #
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
#
# SHELL
#
# The firewall script is normally interpreted by /bin/sh. If you wish to change
# the shell used to interpret that script, specify the shell here.
SHOREWALL_SHELL=/bin/sh
# SUBSYSTEM LOCK FILE # SUBSYSTEM LOCK FILE
# #
# Set this to the name of the lock file expected by your init scripts. For # Set this to the name of the lock file expected by your init scripts. For
@ -230,24 +238,6 @@ MODULESDIR=
# #
FW=fw FW=fw
#
# ENABLE NAT SUPPORT
#
# You probally want yes here. Only gateways not doing NAT in any form, like
# SNAT,DNAT masquerading, port forwading etc. should say "no" here.
#
NAT_ENABLED=Yes
#
# ENABLE MANGLE SUPPORT
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
# your firewall. You must enable mangling if you want Traffic Shaping
# (see TC_ENABLED below).
#
MANGLE_ENABLED=Yes
# #
# ENABLE IP FORWARDING # ENABLE IP FORWARDING
# #
@ -378,26 +368,6 @@ ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes NAT_BEFORE_RULES=Yes
# MULTIPORT support
#
# If your kernel includes the multiport match option
# (CONFIG_IP_NF_MATCH_MULTIPORT), you may enable it's use here. When this
# option is enabled by setting it's value to "Yes" or "yes":
#
# 1) If you list more that 15 ports in a comma-seperated list in
# /etc/shorewall/rules, Shorewall will not use the multiport option
# but will generate a separate rule for each element of each port
# list.
# 2) If you include a port range (<low port>:<high port>) in the
# rule, Shorewall will not use the multiport option but will generate
# a separate rule for each element of each port list.
#
# See the /etc/shorewall/rules file for additional information on this option.
#
# if this variable is not set or is set to the empty value, "No" is assumed.
MULTIPORT=No
# DNAT IP ADDRESS DETECTION # DNAT IP ADDRESS DETECTION
# #
# Normally when Shorewall encounters the following rule: # Normally when Shorewall encounters the following rule:
@ -447,7 +417,7 @@ MUTEX_TIMEOUT=60
# #
# NEWNOTSYN # NEWNOTSYN
# #
# If this variable is set to "No" or "no", then When a TCP packet that does # If this variable is set to "No" or "no", then when a TCP packet that does
# not have the SYN flag set and the ACK and RST flags clear then unless the # not have the SYN flag set and the ACK and RST flags clear then unless the
# packet is part of an established connection, it will be dropped by the # packet is part of an established connection, it will be dropped by the
# firewall # firewall
@ -458,6 +428,9 @@ MUTEX_TIMEOUT=60
# Users with a High-availability setup with two firewall's and one acting # Users with a High-availability setup with two firewall's and one acting
# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may # as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
# also need to select NEWNOTSYN=Yes. # also need to select NEWNOTSYN=Yes.
#
# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis
# using the 'newnotsyn' option in /etc/shorewall/interfaces.
NEWNOTSYN=No NEWNOTSYN=No

10
STABLE/shorewall.spec
View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.4.5 %define version 1.4.6
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -105,6 +105,14 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-1
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0RC1
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0Beta2
* Fri Jul 04 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0Beta1
* Tue Jun 17 2003 Tom Eastep <tom@shorewall.net> * Tue Jun 17 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.5-1 - Changed version to 1.4.5-1
* Thu May 29 2003 Tom Eastep <tom@shorewall.net> * Thu May 29 2003 Tom Eastep <tom@shorewall.net>

2
STABLE/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.5 VERSION=1.4.6
usage() # $1 = exit status usage() # $1 = exit status
{ {