More 1.4.0 Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@483 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-03-06 23:41:31 +00:00
parent 09fc5e317a
commit 07f66da156
16 changed files with 8519 additions and 7791 deletions

File diff suppressed because it is too large Load Diff

View File

@ -39,6 +39,7 @@
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1> <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
</td> </td>
</tr> </tr>
@ -50,8 +51,9 @@
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b> <p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5. port</b> 7777 to my my personal PC with IP address
I've looked everywhere and can't find <b>how to do it</b>.</a></p> 192.168.1.5. I've looked everywhere and can't find <b>how
to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions <p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
@ -65,14 +67,14 @@
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests <p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
in my local network. <b>External clients can browse</b> in my local network. <b>External clients can browse</b>
http://www.mydomain.com but <b>internal clients can't</b>.</a></p> http://www.mydomain.com but <b>internal clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918 <p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918 subnet and I use <b>static NAT</b> to assign non-RFC1918
addresses to hosts in Z. Hosts in Z cannot communicate addresses to hosts in Z. Hosts in Z cannot communicate
with each other using their external (non-RFC1918 addresses) with each other using their external (non-RFC1918 addresses)
so they <b>can't access each other using their DNS names.</b></a></p> so they <b>can't access each other using their DNS names.</b></a></p>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting</b> <p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting</b>
@ -108,23 +110,23 @@ so they <b>can't access each other using their DNS names.</b></a></p>
</p> </p>
<p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow <p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow
of these <b>DROP messages from port 53</b> <b>to some high numbered port</b>. of these <b>DROP messages from port 53</b> <b>to some high numbered
They get dropped, but what the heck are they?</a><br> port</b>. They get dropped, but what the heck are they?</a><br>
</p> </p>
<p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b> <p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b>
in Shorewall log messages <b>so long</b>? I thought MAC addresses were only in Shorewall log messages <b>so long</b>? I thought MAC addresses were
6 bytes in length.</a><b><br> only 6 bytes in length.</a><b><br>
</b></p> </b></p>
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using <p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
'shorewall stop', I can't connect to anything</b>. Why doesn't that command 'shorewall stop', I can't connect to anything</b>. Why doesn't that command
work?</a></p> work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall <p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
on RedHat</b> I get messages about insmod failing -- on RedHat</b> I get messages about insmod failing --
what's wrong?</a></p> what's wrong?</a></p>
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect <p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
@ -136,7 +138,7 @@ what's wrong?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it <p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
support?</a></p> support?</a></p>
<p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p> <p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
@ -147,15 +149,15 @@ what's wrong?</a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me to and it has an internel web server that allows me to
configure/monitor it but as expected if I enable <b> rfc1918 configure/monitor it but as expected if I enable <b> rfc1918
blocking</b> for my eth0 interface, it also blocks the <b>cable blocking</b> for my eth0 interface, it also blocks the <b>cable
modems web server</b></a>.</p> modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public <p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 IP addresses, my ISP's DHCP server has an RFC 1918
address. If I enable RFC 1918 filtering on my external address. If I enable RFC 1918 filtering on my external interface,
interface, <b>my DHCP client cannot renew its lease</b>.</a></p> <b>my DHCP client cannot renew its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see <p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
@ -166,16 +168,16 @@ interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
all over my console</b> making it unusable!<br> all over my console</b> making it unusable!<br>
</a></p> </a></p>
<b>17</b>. <a <b>17</b>. <a
href="#faq17">How do I find out <b>why this traffic is</b> getting href="#faq17">How do I find out <b>why this traffic is</b>
<b>logged?</b></a><br> getting <b>logged?</b></a><br>
<br> <br>
<b>18.</b> <a href="#faq18">Is there any <b>18.</b> <a href="#faq18">Is there
way to use <b>aliased ip addresses</b> with Shorewall, and any way to use <b>aliased ip addresses</b> with Shorewall,
maintain separate rulesets for different IPs?</a><br> and maintain separate rulesets for different IPs?</a><br>
<br> <br>
<b>19. </b><a href="#faq19">I have added <b>entries <b>19. </b><a href="#faq19">I have added
to /etc/shorewall/tcrules</b> but they <b>don't </b>seem to <b>do <b>entries to /etc/shorewall/tcrules</b> but they <b>don't </b>seem
anything</b>. Why?</a><br> to <b>do anything</b>. Why?</a><br>
<br> <br>
<b>20. </b><a href="#faq20">I have just set <b>20. </b><a href="#faq20">I have just set
up a server. <b>Do I have to change Shorewall to allow access up a server. <b>Do I have to change Shorewall to allow access
@ -184,19 +186,19 @@ to my server from the internet?<br>
</b></a><b>21. </b><a href="#faq21">I see these <b>strange </b></a><b>21. </b><a href="#faq21">I see these <b>strange
log entries </b>occasionally; what are they?<br> log entries </b>occasionally; what are they?<br>
</a><br> </a><br>
<b>22. </b><a href="#faq22">I have some <b>iptables commands <b>22. </b><a href="#faq22">I have some <b>iptables
</b>that I want to <b>run when Shorewall starts.</b> Which file do commands </b>that I want to <b>run when Shorewall starts.</b> Which
I put them in?</a><br> file do I put them in?</a><br>
<br> <br>
<b>23. </b><a href="#faq23">Why do you use such <b>ugly <b>23. </b><a href="#faq23">Why do you use such <b>ugly
fonts</b> on your <b>web site</b>?</a><br> fonts</b> on your <b>web site</b>?</a><br>
<br> <br>
<b>24. </b><a href="#faq24">How can I <b>allow conections</b> <b>24. </b><a href="#faq24">How can I <b>allow conections</b>
to let's say the ssh port only<b> from specific IP Addresses</b> on to let's say the ssh port only<b> from specific IP Addresses</b>
the internet?</a><br> on the internet?</a><br>
<br> <br>
<b>25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b> <b>25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b>
I am <b>running</b>?</a><br> I am <b>running</b>?</a><br>
<br> <br>
<hr> <hr>
@ -214,6 +216,7 @@ port-forwarding rule to a local system is as follows:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1"> id="AutoNumber1">
<tbody> <tbody>
@ -229,8 +232,8 @@ port-forwarding rule to a local system is as follows:</p>
<tr> <tr>
<td>DNAT</td> <td>DNAT</td>
<td>net</td> <td>net</td>
<td>loc:<i>&lt;local IP <td>loc:<i>&lt;local
address&gt;</i>[:<i>&lt;local port</i>&gt;]</td> IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td> <td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td> <td><i>&lt;port #&gt;</i></td>
<td> <br> <td> <br>
@ -254,6 +257,7 @@ address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1"> id="AutoNumber1">
<tbody> <tbody>
@ -288,12 +292,14 @@ address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<div align="left"> <font face="Courier"> </font>If <div align="left"> <font face="Courier"> </font>If
you want to forward requests directed to a particular address ( you want to forward requests directed to a particular address
<i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</div> ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal
system:</div>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1"> id="AutoNumber1">
<tbody> <tbody>
@ -309,8 +315,8 @@ address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<tr> <tr>
<td>DNAT</td> <td>DNAT</td>
<td>net</td> <td>net</td>
<td>loc:<i>&lt;local IP <td>loc:<i>&lt;local
address&gt;</i>[:<i>&lt;local port</i>&gt;]</td> IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td> <td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td> <td><i>&lt;port #&gt;</i></td>
<td>-</td> <td>-</td>
@ -336,13 +342,13 @@ address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<ul> <ul>
<li>You are trying to test from <li>You are trying to test
inside your firewall (no, that won't work -- see <a from inside your firewall (no, that won't work -- see
href="#faq2">FAQ #2</a>).</li> <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem <li>You have a more basic
with your local system such as an incorrect default gateway problem with your local system such as an incorrect default
configured (it should be set to the IP address of your gateway configured (it should be set to the IP address of
firewall's internal interface).</li> your firewall's internal interface).</li>
</ul> </ul>
@ -351,37 +357,39 @@ firewall's internal interface).</li>
<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port <h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
forwarding</h4> forwarding</h4>
<b>Answer: </b>To further diagnose this <b>Answer: </b>To further diagnose this
problem:<br> problem:<br>
<ul> <ul>
<li>As root, type "iptables -t nat -Z". <li>As root, type "iptables -t nat
This clears the NetFilter counters in the nat table.</li> -Z". This clears the NetFilter counters in the nat table.</li>
<li>Try to connect to the redirected port <li>Try to connect to the redirected
from an external host.</li> port from an external host.</li>
<li>As root type "shorewall show nat"</li> <li>As root type "shorewall show nat"</li>
<li>Locate the appropriate DNAT rule. <li>Locate the appropriate DNAT rule.
It will be in a chain called <i>&lt;source zone&gt;</i>_dnat It will be in a chain called <i>&lt;source zone&gt;</i>_dnat
('net_dnat' in the above examples).</li> ('net_dnat' in the above examples).</li>
<li>Is the packet count in the first column <li>Is the packet count in the first
non-zero? If so, the connection request is reaching the firewall column non-zero? If so, the connection request is reaching
and is being redirected to the server. In this case, the problem the firewall and is being redirected to the server. In this
is usually a missing or incorrect default gateway setting on case, the problem is usually a missing or incorrect default
the server (the server's default gateway should be the IP address gateway setting on the server (the server's default gateway should
of the firewall's interface to the server).</li> be the IP address of the firewall's interface to the server).</li>
<li>If the packet count is zero:</li> <li>If the packet count is zero:</li>
<ul> <ul>
<li>the connection request is not reaching <li>the connection request is not
your server (possibly it is being blocked by your ISP); or</li> reaching your server (possibly it is being blocked by your
<li>you are trying to connect to a secondary ISP); or</li>
IP address on your firewall and your rule is only redirecting <li>you are trying to connect to
the primary IP address (You need to specify the secondary IP address a secondary IP address on your firewall and your rule is
in the "ORIG. DEST." column in your DNAT rule); or</li> only redirecting the primary IP address (You need to specify
<li>your DNAT rule doesn't match the the secondary IP address in the "ORIG. DEST." column in your
connection request in some other way. In that case, you may DNAT rule); or</li>
have to use a packet sniffer such as tcpdump or ethereal to further <li>your DNAT rule doesn't match
diagnose the problem.<br> the connection request in some other way. In that case, you
may have to use a packet sniffer such as tcpdump or ethereal
to further diagnose the problem.<br>
</li> </li>
@ -412,8 +420,8 @@ diagnose the problem.<br>
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a> href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
(or using a separate DNS server for local clients) such that www.mydomain.com (or using a separate DNS server for local clients) such that www.mydomain.com
resolves to 130.141.100.69 externally and 192.168.1.5 internally. resolves to 130.141.100.69 externally and 192.168.1.5 internally.
That's what I do here at shorewall.net for my local systems that That's what I do here at shorewall.net for my local systems
use static NAT.</li> that use static NAT.</li>
</ul> </ul>
@ -422,9 +430,9 @@ diagnose the problem.<br>
<p align="left">If you insist on an IP solution to the accessibility problem <p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your rather than a DNS solution, then assuming that your
external interface is eth0 and your internal interface external interface is eth0 and your internal interface
is eth1 and that eth1 has IP address 192.168.1.254 with subnet is eth1 and that eth1 has IP address 192.168.1.254 with subnet
192.168.1.0/24, in /etc/shorewall/rules, add:</p> 192.168.1.0/24, in /etc/shorewall/rules, add:</p>
<div align="left"> <div align="left">
@ -434,6 +442,7 @@ is eth1 and that eth1 has IP address 192.168.1.254 with subnet
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1"> id="AutoNumber1">
<tbody> <tbody>
@ -470,7 +479,7 @@ is eth1 and that eth1 has IP address 192.168.1.254 with subnet
<p align="left">That rule only works of course if you have a static external <p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are IP address. If you have a dynamic IP address and are
running Shorewall 1.3.4 or later then include this in running Shorewall 1.3.4 or later then include this in
/etc/shorewall/params:</p> /etc/shorewall/init:</p>
</div> </div>
@ -487,6 +496,7 @@ is eth1 and that eth1 has IP address 192.168.1.254 with subnet
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1"> id="AutoNumber1">
<tbody> <tbody>
@ -522,7 +532,7 @@ is eth1 and that eth1 has IP address 192.168.1.254 with subnet
<div align="left"> <div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE <p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time client to automatically restart Shorewall each time
that you get a new IP address.</p> that you get a new IP address.</p>
</div> </div>
@ -540,13 +550,13 @@ that you get a new IP address.</p>
<p align="left">Another good way to approach this problem is to switch from <p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have static NAT to Proxy ARP. That way, the hosts in Z
non-RFC1918 addresses and can be accessed externally and have non-RFC1918 addresses and can be accessed externally
internally using the same address. </p> and internally using the same address. </p>
<p align="left">If you don't like those solutions and prefer routing all <p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
Z-&gt;Z traffic through your firewall then:</p> traffic through your firewall then:</p>
<p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br> <p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br>
@ -565,6 +575,7 @@ Z-&gt;Z traffic through your firewall then:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber2"> id="AutoNumber2">
<tbody> <tbody>
@ -596,6 +607,7 @@ Z-&gt;Z traffic through your firewall then:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
<tbody> <tbody>
@ -628,6 +640,7 @@ Z-&gt;Z traffic through your firewall then:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3" width="369"> id="AutoNumber3" width="369">
<tbody> <tbody>
@ -680,14 +693,14 @@ Z-&gt;Z traffic through your firewall then:</p>
also rejects TCP ports 135, 137 and 139 as well as UDP ports also rejects TCP ports 135, 137 and 139 as well as UDP ports
137-139. These are ports that are used by Windows (Windows <u>can</u> 137-139. These are ports that are used by Windows (Windows <u>can</u>
be configured to use the DCE cell locator on port 135). Rejecting be configured to use the DCE cell locator on port 135). Rejecting
these connection requests rather than dropping them cuts down these connection requests rather than dropping them cuts down
slightly on the amount of Windows chatter on LAN segments connected slightly on the amount of Windows chatter on LAN segments connected
to the Firewall. </p> to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably <p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web server your ISP preventing you from running a web server
in violation of your Service Agreement.</p> in violation of your Service Agreement.</p>
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my <h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
@ -731,12 +744,12 @@ in violation of your Service Agreement.</p>
and how do I change the destination?</h4> and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of <p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) (see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
facility (see "man openlog") and you get to choose the log level (again, (see "man openlog") and you get to choose the log level (again, see "man
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a> syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to restart When you have changed /etc/syslog.conf, be sure to restart
syslogd (on a RedHat system, "service syslog restart"). </p> syslogd (on a RedHat system, "service syslog restart"). </p>
@ -744,7 +757,7 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
<p align="left">By default, older versions of Shorewall ratelimited log messages <p align="left">By default, older versions of Shorewall ratelimited log messages
through <a href="Documentation.htm#Conf">settings</a> through <a href="Documentation.htm#Conf">settings</a>
in /etc/shorewall/shorewall.conf -- If you want to log in /etc/shorewall/shorewall.conf -- If you want to log
all messages, set: </p> all messages, set: </p>
<div align="left"> <div align="left">
@ -775,8 +788,8 @@ all messages, set: </p>
</p> </p>
</blockquote> </blockquote>
I personnaly use Logwatch. It emails me a report I personnaly use Logwatch. It emails me a report
each day from my various systems with each report summarizing the each day from my various systems with each report summarizing the
logged activity on the corresponding system. logged activity on the corresponding system.
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619 <h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
are <b>flooding the logs</b> with their connect requests. Can i exclude are <b>flooding the logs</b> with their connect requests. Can i exclude
@ -799,8 +812,8 @@ logged activity on the corresponding system.
</ol> </ol>
You can distinguish the difference by setting the <b>logunclean</b> You can distinguish the difference by setting the <b>logunclean</b>
option (<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>) option (<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>)
on your external interface (eth0 in the above example). If they get logged on your external interface (eth0 in the above example). If they get
twice, they are corrupted. I solve this problem by using an /etc/shorewall/common logged twice, they are corrupted. I solve this problem by using an /etc/shorewall/common
file like this:<br> file like this:<br>
<blockquote> <blockquote>
@ -812,9 +825,9 @@ logged activity on the corresponding system.
<h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in <h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in
Shorewall log messages so long? I thought MAC addresses were only 6 bytes Shorewall log messages so long? I thought MAC addresses were only 6 bytes
in length. What is labeled as the MAC address in a Shorewall log message in length.</h4>
is actually the Ethernet frame header. In contains:<br> What is labeled as the MAC address in a Shorewall log message is actually
</h4> the Ethernet frame header. IT contains:<br>
<ul> <ul>
<li>the destination MAC address (6 bytes)</li> <li>the destination MAC address (6 bytes)</li>
@ -835,7 +848,7 @@ logged activity on the corresponding system.
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall <h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
stop', I can't connect to anything. Why doesn't that stop', I can't connect to anything. Why doesn't that
command work?</h4> command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into <p align="left">The 'stop' command is intended to place your firewall into
@ -893,9 +906,9 @@ command work?</h4>
<div align="left"> <div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The <p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
Net zone is defined as all hosts that are connected through eth0 and the zone is defined as all hosts that are connected through eth0 and the local
local zone is defined as all hosts connected through eth1</p> zone is defined as all hosts connected through eth1</p>
</div> </div>
@ -935,9 +948,9 @@ must more commonly used.</p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem <h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows me to and it has an internal web server that allows me to
configure/monitor it but as expected if I enable rfc1918 configure/monitor it but as expected if I enable rfc1918
blocking for my eth0 interface (the internet one), it also blocking for my eth0 interface (the internet one), it also
blocks the cable modems web server.</h4> blocks the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking <p align="left">Is there any way it can add a rule before the rfc1918 blocking
@ -946,9 +959,8 @@ blocks the cable modems web server.</h4>
addresses?</p> addresses?</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall <p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
earlier than 1.3.1, create /etc/shorewall/start and in it, place the than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
following:</p>
<div align="left"> <div align="left">
@ -966,6 +978,7 @@ following:</p>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
<tbody> <tbody>
@ -1036,10 +1049,10 @@ your firewall, then you would add two entries to /etc/shorewall/rfc
<div align="left"> <div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public <h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
RFC 1918 filtering on my external interface, my DHCP client cannot renew 1918 filtering on my external interface, my DHCP client cannot renew its
its lease.</h4> lease.</h4>
</div> </div>
@ -1096,25 +1109,25 @@ to the internet.</p>
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command <p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start. to your startup scripts or place it in /etc/shorewall/start.
Under RedHat, the max log level that is sent to the Under RedHat, the max log level that is sent to the
console is specified in /etc/sysconfig/init in the LOGLEVEL console is specified in /etc/sysconfig/init in the LOGLEVEL
variable.<br> variable.<br>
</p> </p>
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting <h4><a name="faq17"></a>17. How do I find out why this traffic is getting
logged?</h4> logged?</h4>
<b>Answer: </b>Logging occurs out of <b>Answer: </b>Logging occurs out
a number of chains (as indicated in the log message) in of a number of chains (as indicated in the log message)
Shorewall:<br> in Shorewall:<br>
<ol> <ol>
<li><b>man1918 - </b>The destination <li><b>man1918 - </b>The destination
address is listed in /etc/shorewall/rfc1918 with a <b>logdrop address is listed in /etc/shorewall/rfc1918 with a <b>logdrop
</b>target -- see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li> </b>target -- see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> - The source address <li><b>rfc1918</b> - The source
is listed in /etc/shorewall/rfc1918 with a <b>logdrop </b>target address is listed in /etc/shorewall/rfc1918 with a <b>logdrop
-- see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li> </b>target -- see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b> <li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b>
or <b>all2all </b>- You have a<a or <b>all2all </b>- You have a<a
href="Documentation.htm#Policy"> policy</a> that specifies a log level href="Documentation.htm#Policy"> policy</a> that specifies a log level
@ -1123,40 +1136,40 @@ intend to ACCEPT this traffic then you need a <a
href="Documentation.htm#Rules">rule</a> to that effect.<br> href="Documentation.htm#Rules">rule</a> to that effect.<br>
</li> </li>
<li><b>&lt;zone1&gt;2&lt;zone2&gt; <li><b>&lt;zone1&gt;2&lt;zone2&gt;
</b>- Either you have a<a href="Documentation.htm#Policy"> </b>- Either you have a<a
policy</a> for <b>&lt;zone1&gt; </b>to <b>&lt;zone2&gt;</b> href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
that specifies a log level and this packet is being logged </b>to <b>&lt;zone2&gt;</b> that specifies a log level and
under that policy or this packet matches a <a this packet is being logged under that policy or this packet
href="Documentation.htm#Rules">rule</a> that includes a log level.</li> matches a <a href="Documentation.htm#Rules">rule</a> that includes
<li><b>&lt;interface&gt;_mac</b> - The packet a log level.</li>
is being logged under the <b>maclist</b> <a <li><b>&lt;interface&gt;_mac</b> - The
packet is being logged under the <b>maclist</b> <a
href="Documentation.htm#Interfaces">interface option</a>.<br> href="Documentation.htm#Interfaces">interface option</a>.<br>
</li> </li>
<li><b>logpkt</b> - The packet is <li><b>logpkt</b> - The packet
being logged under the <b>logunclean</b> <a is being logged under the <b>logunclean</b> <a
href="Documentation.htm#Interfaces">interface option</a>.</li> href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The packet is <li><b>badpkt </b>- The packet
being logged under the <b>dropunclean</b> <a is being logged under the <b>dropunclean</b> <a
href="Documentation.htm#Interfaces">interface option</a> as specified href="Documentation.htm#Interfaces">interface option</a> as specified
in the <b>LOGUNCLEAN </b>setting in <a in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The packet <li><b>blacklst</b> - The packet
is being logged because the source IP is blacklisted in is being logged because the source IP is blacklisted in
the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li> </a>file.</li>
<li><b>newnotsyn </b>- The packet <li><b>newnotsyn </b>- The packet
is being logged because it is a TCP packet that is not part is being logged because it is a TCP packet that is not
of any current connection yet it is not a syn packet. Options part of any current connection yet it is not a syn packet.
affecting the logging of such packets include <b>NEWNOTSYN Options affecting the logging of such packets include <b>NEWNOTSYN
</b>and <b>LOGNEWNOTSYN </b>in <a </b>and <b>LOGNEWNOTSYN </b>in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li> href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b> <li><b>INPUT</b> or <b>FORWARD</b>
- The packet has a source IP address that isn't in any of - The packet has a source IP address that isn't in any
your defined zones ("shorewall check" and look at the printed of your defined zones ("shorewall check" and look at the
zone definitions) or the chain is FORWARD and the destination IP printed zone definitions) or the chain is FORWARD and the destination
isn't in any of your defined zones.</li> IP isn't in any of your defined zones.</li>
<li><b>logflags </b>- The packet is being logged <li><b>logflags </b>- The packet is being
because it failed the checks implemented by the <b>tcpflags logged because it failed the checks implemented by the <b>tcpflags
</b><a href="Documentation.htm#Interfaces">interface option</a>.<br> </b><a href="Documentation.htm#Interfaces">interface option</a>.<br>
</li> </li>
@ -1166,49 +1179,23 @@ zone definitions) or the chain is FORWARD and the destination IP
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b> <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different with Shorewall, and maintain separate rulesets for different
IPs?</h4> IPs?</h4>
<b>Answer: </b>Yes. You simply use the <b>Answer: </b>Yes. See <a
IP address in your rules (or if you use NAT, use the local href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>.
IP address in your rules). <b>Note:</b> The ":n" notation (e.g.,
eth0:0) is deprecated and will disappear eventually. Neither
iproute (ip and tc) nor iptables supports that notation so neither
does Shorewall. <br>
<br>
<b>Example 1:</b><br>
<br>
/etc/shorewall/rules
<pre wrap=""><span class="moz-txt-citetags"></span> # Accept AUTH but only on address 192.0.2.125<br><span
class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span> ACCEPT net fw:192.0.2.125 tcp auth<br><span
class="moz-txt-citetags"></span></pre>
<span class="moz-txt-citetags"></span><b>Example
2 (NAT):</b><br>
<br>
<span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
<pre wrap=""><span class="moz-txt-citetags"></span><span
class="moz-txt-citetags"></span> 192.0.2.126 eth0 10.1.1.126</pre>
/etc/shorewall/rules
<pre wrap=""><span class="moz-txt-citetags"></span> # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)<br><span
class="moz-txt-citetags"></span><br> <span class="moz-txt-citetags"></span>ACCEPT net loc:10.1.1.126 tcp www<span
class="moz-txt-citetags"></span><br></pre>
<b>Example 3 (DNAT):<br>
</b>
<pre> # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br> DNAT net loc:10.1.1.127 tcp smtp - 192.0.2.127<br></pre>
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules <h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
but they don't seem to do anything. Why?</h4> but they don't seem to do anything. Why?</h4>
You probably haven't set TC_ENABLED=Yes in You probably haven't set TC_ENABLED=Yes
/etc/shorewall/shorewall.conf so the contents of the tcrules in /etc/shorewall/shorewall.conf so the contents of the tcrules
file are simply being ignored.<br> file are simply being ignored.<br>
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have <h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from the internet?</b><br> to change Shorewall to allow access to my server from the
internet?</b><br>
</h4> </h4>
Yes. Consult the <a Yes. Consult the <a
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that you href="shorewall_quickstart_guide.htm">QuickStart guide</a> that
used during your initial setup for information about how to set up you used during your initial setup for information about how to set
rules for your server.<br> up rules for your server.<br>
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally; <h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br> what are they?<br>
@ -1221,50 +1208,51 @@ rules for your server.<br>
192.0.2.3 is external on my firewall... 172.16.0.0/24 192.0.2.3 is external on my firewall... 172.16.0.0/24
is my internal LAN<br> is my internal LAN<br>
<br> <br>
<b>Answer: </b>While most people associate the <b>Answer: </b>While most people associate
Internet Control Message Protocol (ICMP) with 'ping', ICMP is the Internet Control Message Protocol (ICMP) with 'ping', ICMP
a key piece of the internet. ICMP is used to report problems back is a key piece of the internet. ICMP is used to report problems
to the sender of a packet; this is what is happening here. Unfortunately, back to the sender of a packet; this is what is happening here.
where NAT is involved (including SNAT, DNAT and Masquerade), there Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade),
are a lot of broken implementations. That is what you are seeing with there are a lot of broken implementations. That is what you are seeing
these messages.<br> with these messages.<br>
<br> <br>
Here is my interpretation of what is happening Here is my interpretation of what is happening
-- to confirm this analysis, one would have to have packet sniffers -- to confirm this analysis, one would have to have packet sniffers
placed a both ends of the connection.<br> placed a both ends of the connection.<br>
<br> <br>
Host 172.16.1.10 behind NAT gateway 206.124.146.179 Host 172.16.1.10 behind NAT gateway 206.124.146.179
sent a UDP DNS query to 192.0.2.3 and your DNS server tried to sent a UDP DNS query to 192.0.2.3 and your DNS server tried
send a response (the response information is in the brackets -- note to send a response (the response information is in the brackets --
source port 53 which marks this as a DNS reply). When the response was note source port 53 which marks this as a DNS reply). When the response
returned to to 206.124.146.179, it rewrote the destination IP TO 172.16.1.10 was returned to to 206.124.146.179, it rewrote the destination IP
and forwarded the packet to 172.16.1.10 who no longer had a connection TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer
on UDP port 2857. This causes a port unreachable (type 3, code 3) had a connection on UDP port 2857. This causes a port unreachable
to be generated back to 192.0.2.3. As this packet is sent back through (type 3, code 3) to be generated back to 192.0.2.3. As this packet is
206.124.146.179, that box correctly changes the source address in sent back through 206.124.146.179, that box correctly changes the
the packet to 206.124.146.179 but doesn't reset the DST IP in the original source address in the packet to 206.124.146.179 but doesn't reset
DNS response similarly. When the ICMP reaches your firewall (192.0.2.3), the DST IP in the original DNS response similarly. When the ICMP
your firewall has no record of having sent a DNS reply to 172.16.1.10 reaches your firewall (192.0.2.3), your firewall has no record of having
so this ICMP doesn't appear to be related to anything that was sent. sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be
The final result is that the packet gets logged and dropped in the related to anything that was sent. The final result is that the packet
all2all chain. I have also seen cases where the source IP in the ICMP gets logged and dropped in the all2all chain. I have also seen cases
itself isn't set back to the external IP of the remote NAT gateway; that where the source IP in the ICMP itself isn't set back to the external
causes your firewall to log and drop the packet out of the rfc1918 chain IP of the remote NAT gateway; that causes your firewall to log and drop
because the source IP is reserved by RFC 1918.<br> the packet out of the rfc1918 chain because the source IP is reserved
by RFC 1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that <h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do I put them I want to <b>run when Shorewall starts.</b> Which file do I put
in?</h4> them in?</h4>
You can place these commands in one of the <a You can place these commands in one of the
href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be <a href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
sure that you look at the contents of the chain(s) that you will be modifying Be sure that you look at the contents of the chain(s) that you will be modifying
with your commands to be sure that the commands will do what they with your commands to be sure that the commands will do what they
are intended. Many iptables commands published in HOWTOs and other are intended. Many iptables commands published in HOWTOs and other
instructional material use the -A command which adds the rules to the instructional material use the -A command which adds the rules to
end of the chain. Most chains that Shorewall constructs end with an the end of the chain. Most chains that Shorewall constructs end with
unconditional DROP, ACCEPT or REJECT rule and any rules that you add an unconditional DROP, ACCEPT or REJECT rule and any rules that you
after that will be ignored. Check "man iptables" and look at the -I (--insert) add after that will be ignored. Check "man iptables" and look at the
command.<br> -I (--insert) command.<br>
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your <h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
web site?</h4> web site?</h4>
@ -1275,8 +1263,8 @@ command.<br>
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say <h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
the ssh port only<b> from specific IP Addresses</b> on the internet?</h4> the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
In the SOURCE column of the rule, follow "net" by a colon and In the SOURCE column of the rule, follow "net" by a colon
a list of the host/subnet addresses as a comma-separated list.<br> and a list of the host/subnet addresses as a comma-separated list.<br>
<pre> net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre> <pre> net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre>
Example:<br> Example:<br>
@ -1287,21 +1275,23 @@ command.<br>
<div align="left"> </div> <div align="left"> </div>
<h4><b><a name="faq25"></a>25. </b>How to I tell <b>which version of Shorewall</b> <h4><b><a name="faq25"></a>25. </b>How to I tell <b>which version of Shorewall</b>
I am <b>running</b>?<br> I am <b>running</b>?<br>
</h4> </h4>
At the shell prompt, type:<br> At the shell prompt, type:<br>
<br> <br>
<font color="#009900"><b>    /sbin/shorewall version</b></font><br> <font color="#009900"><b>    /sbin/shorewall version</b></font><br>
<br> <br>
<font size="2">Last updated 2/22/2003 - <a href="support.htm">Tom Eastep</a></font> <font size="2">Last updated 3/6/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <p><a href="copyright.htm"><font size="2">Copyright</font>
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
</body> </body>
</html> </html>

42
Shorewall-docs/Forum.html Normal file
View File

@ -0,0 +1,42 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Forum</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Support Forum</font></h1>
</td>
</tr>
</tbody>
</table>
<h3><font color="#ff6633"></font></h3>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="support.htm">Shorewall Support Guide</a>.</h1>
<p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a><br>
</p>
<p><font size="2">Updated 3/6/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a></p>
<br>
</body>
</html>

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,549 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall and Aliased Interfaces</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
<h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which
is used to configure network devices. ifconfig introduced the concept of
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig
treats them more or less like real interfaces.<br>
<br>
Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional
addresses on an interface as addresses. The ip utility does provide for interaction
with ifconfig in that it allows addresses to be <i>labeled.</i> <br>
<br>
Example:<br>
<br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0"<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not allow
them to be used in the /etc/shorewall/interfaces file.<br>
<br>
<h2>So how do I handle more than one address on an interface?</h2>
Depends on what you are trying to do with the interfaces. In the sub-sections
that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself only
apply to a particular IP address, simply qualify the $FW zone with the IP
address.<br>
<br>
Example (allow SSH from net to eth0:0 above):<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">fw:206.124.146.178<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at 192.168.1.3.
That is accomplised by a single rule in the /etc/shorewall/rules file:<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>SNAT</h3>
If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0:0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>STATIC NAT</h3>
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
you would have the following in /etc/shorewall/nat:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>EXTERNAL<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>INTERNAL<br>
</b></td>
<td valign="top"><b>ALL INTERFACES<br>
</b></td>
<td valign="top"><b>LOCAL<br>
</b></td>
</tr>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>EXTERNAL<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>INTERNAL<br>
</b></td>
<td valign="top"><b>ALL INTERFACES<br>
</b></td>
<td valign="top"><b>LOCAL<br>
</b></td>
</tr>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0:0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks
configured on a LAN segment. This technique does not provide for any security
between the subnetworks if the users of the systems have administrative privileges
because in that case, the users can simply manipulate their system's routing
table to bypass your firewall/router. Nevertheless, there are cases where
you simply want to consider the LAN segment itself as a zone and allow your
firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
is 192.168.20.254. You want to simply route all requests between the two
subnetworks.<br>
<br>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">-<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that
you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/5/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</p>
<br>
<br>
</body>
</html>

View File

@ -16,7 +16,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base
target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
@ -31,6 +32,7 @@
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
@ -39,6 +41,7 @@
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
@ -51,8 +54,8 @@
<li> <a href="Install.htm">Installation/Upgrade/</a><br> <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br> <a href="Install.htm">Configuration</a><br>
</li> </li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart <li> <a
Guides (HOWTOs)</a><br> href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li> <b><a <li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
@ -64,12 +67,17 @@
</li> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade <li> <a
Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="support.htm">Support</a></li>
<li><a href="Forum.html">Support Forum</a> <img
src="images/new10.gif" alt="(New)" width="28" height="12">
<br>
</li>
<li> <a <li> <a
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li> href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a
href="shorewall_mirrors.htm">Mirrors</a>
@ -94,6 +102,7 @@
</ul> </ul>
</li> </li>
@ -109,10 +118,10 @@
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from <li> <a href="quotes.htm">Quotes
Users</a></li> from Users</a></li>
<li> <a href="shoreline.htm">About the <li> <a href="shoreline.htm">About
Author</a></li> the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
@ -129,8 +138,8 @@ Author</a></li>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable Daily <b>Note: </b></strong>Search is unavailable
0200-0330 GMT.<br> Daily 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
@ -144,6 +153,7 @@ Author</a></li>
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -152,16 +162,10 @@ Author</a></li>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1" <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0"> src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br> </a><br>
<br>
</p> </p>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -16,8 +16,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base
target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
@ -32,11 +32,13 @@
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" bgcolor="#ffffff"> <td width="100%"
bgcolor="#ffffff">
@ -57,20 +59,25 @@
</li> </li>
<li> <b><a <li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference <li> <a
Manual</a></li> href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful <li><a
Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade <li> <a
Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="support.htm">Support</a></li>
<li><a href="Forum.html">Support Forum</a> <img
src="images/new10.gif" alt="(New)" width="28" height="12">
<br>
</li>
<li> <a <li> <a
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li> href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a
href="shorewall_mirrors.htm">Mirrors</a>
@ -95,6 +102,7 @@
</ul> </ul>
</li> </li>
@ -110,10 +118,10 @@
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from <li> <a href="quotes.htm">Quotes
Users</a></li> from Users</a></li>
<li> <a href="shoreline.htm">About the <li> <a href="shoreline.htm">About
Author</a></li> the Author</a></li>
<li> <a <li> <a
href="sourceforge_index.htm#Donations">Donations</a></li> href="sourceforge_index.htm#Donations">Donations</a></li>
@ -130,8 +138,8 @@ Users</a></li>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable Daily <b>Note: </b></strong>Search is unavailable
0200-0330 GMT.<br> Daily 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
@ -145,20 +153,11 @@ Users</a></li>
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a></p> size="2">2001-2003 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> </a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>

View File

@ -42,10 +42,8 @@
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz <p>Once you've printed the appropriate QuickStart Guide, download <u>
packages below.</p> one</u> of the modules:</p>
<p> Once you've done that, download <u> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
@ -53,13 +51,13 @@ packages below.</p>
with a 2.4 kernel, you can use the RPM version (note: the with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that RPM should also work with other distributions that
store init scripts in /etc/init.d and that include chkconfig store init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you <li>If you are running LRP, download the .lrp file (you
might also want to download the .tgz so you will have a copy of might also want to download the .tgz so you will have a copy of
the documentation).</li> the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
@ -72,16 +70,21 @@ Unstable Branch</a>.</li>
</ul> </ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files <p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p> and there is an documentation .deb that also contains the documentation. The
.rpm will install the documentation in your default document directory which
can be obtained using the following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote>
<p>Please verify the version that you have downloaded -- during the <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may release of a new version of Shorewall, the links below may
point to a newer or an older version than is shown below.</p> point to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name <li>TARBALL - "tar -ztf LATEST.tgz" (the directory
will contain the version)</li> name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" -zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li> </li>
@ -90,17 +93,18 @@ point to a newer or an older version than is shown below.</p>
<p>Once you have verified the version, check the <font <p>Once you have verified the version, check the <font
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
if there are updates that apply to the version that you have if there are updates that apply to the version that you have
downloaded.</p> downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration IS REQUIRED BEFORE THE FIREWALL WILL START as described in the QuickStart
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p> Guides. Once you have completed configuration of your firewall, you
can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.14</b>): <b>Remember that updates <p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p> State site.</b></p>
<blockquote> <blockquote>
<table border="2" cellspacing="3" cellpadding="3" <table border="2" cellspacing="3" cellpadding="3"
@ -307,7 +311,7 @@ State site.</b></p>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>SourceForge<br> <td>SourceForge (Incomplete)<br>
</td> </td>
<td>sf.net</td> <td>sf.net</td>
<td><a <td><a
@ -373,20 +377,17 @@ State site.</b></p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the each at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there Shorewall component. There's no guarantee that what you find there
will work at all.<br> will work at all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 2/7/2003 - <a <p align="left"><font size="2">Last Updated 3/5/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>

File diff suppressed because one or more lines are too long

View File

@ -32,8 +32,8 @@
<tr> <tr>
<td width="100%" height="90"> <td width="100%"
height="90">
@ -122,9 +122,9 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is a
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
firewall that can be used on a dedicated firewall system, a multi-function that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
@ -150,7 +150,7 @@ firewall that can be used on a dedicated firewall system, a multi-functio
in the hope that it will be useful, but in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br> for more details.<br>
<br> <br>
@ -158,7 +158,7 @@ PARTICULAR PURPOSE. See the GNU General Public License
You should have received You should have received
a copy of the GNU General Public License a copy of the GNU General Public License
along with this program; if not, write to along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass the Free Software Foundation, Inc., 675 Mass
Ave, Cambridge, MA 02139, USA</p> Ave, Cambridge, MA 02139, USA</p>
@ -196,8 +196,8 @@ the Free Software Foundation, Inc., 675 Mass
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of <p><b>Congratulations to Jacques and Eric on the recent release of Bering
Bering 1.1!!!</b><br> 1.1!!!</b><br>
</p> </p>
@ -209,8 +209,8 @@ Bering 1.1!!!</b><br>
<h2>This is a mirror of the main Shorewall web site at SourceForge <h2>This is a mirror of the main Shorewall web site at SourceForge (<a
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2> href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -258,7 +258,7 @@ Bering 1.1!!!</b><br>
Shorewall 1.4 represents the next step in the evolution of Shorewall. Shorewall 1.4 represents the next step in the evolution of Shorewall.
The main thrust of the initial release is simply to remove the cruft that The main thrust of the initial release is simply to remove the cruft that
has accumulated in Shorewall over time.<br> has accumulated in Shorewall over time.<br>
 <br>  <br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br> ('ip' utility).</b><br>
<br> <br>
@ -283,8 +283,8 @@ no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOST
an error at startup if specified.<br> an error at startup if specified.<br>
<br> <br>
</li> </li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
no longer accepted.<br> is no longer accepted.<br>
<br> <br>
</li> </li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer <li>The ALLOWRELATED variable in shorewall.conf is no longer
@ -302,7 +302,7 @@ no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOST
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to <li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and does or from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li> not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone <li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved to or from the destination zone including rules that use the 'all' reserved
@ -327,7 +327,7 @@ or from the destination zone. An explicit policy names both zones and does
<br> <br>
</li> </li>
<li>The firewall script and version file are now installed <li>The firewall script and version file are now installed
in /usr/share/shorewall.<br> in /usr/share/shorewall.<br>
<br> <br>
</li> </li>
<li>Late arriving DNS replies are now silently dropped in <li>Late arriving DNS replies are now silently dropped in
@ -335,12 +335,30 @@ the common chain by default.<br>
<br> <br>
</li> </li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want 1.4 no longer unconditionally accepts outbound ICMP packets. So if you
to 'ping' from the firewall, you will need the appropriate rule or policy.<br> want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br> <br>
</li> </li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i> <li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br> now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
</li> </li>
</ol> </ol>
@ -440,11 +458,11 @@ the common chain by default.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free but
but if you try it and find it useful, please consider making a donation if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
@ -462,9 +480,10 @@ Children's Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/28/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
</body> </body>
</html> </html>

View File

@ -17,6 +17,7 @@
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -31,7 +32,7 @@
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br> (HOWTO's)<br>
Version 3.1</font></h1> Version 4.0</font></h1>
</td> </td>
</tr> </tr>
@ -52,11 +53,11 @@ must all first walk before we can run.<br>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux System <li><a href="standalone.htm">Standalone</a> Linux
(<a href="standalone_fr.html">Version Française</a>)</li> System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a> Linux <li><a href="two-interface.htm">Two-interface</a>
System acting as a firewall/router for a small local network (<a Linux System acting as a firewall/router for a small local network
href="two-interface_fr.html">Version Française</a>)</li> (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a> <li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li> and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
@ -68,42 +69,43 @@ must all first walk before we can run.<br>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about Shorewall public IP addresses involved or if you want to learn more about
than is explained in the single-address guides above.</b></p> Shorewall than is explained in the single-address guides above.</b></p>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li> href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 <li><a href="shorewall_setup_guide.htm#Concepts">2.0
Shorewall Concepts</a></li> Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 <li><a
Network Interfaces</a></li> href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 <li><a
Addressing, Subnets and Routing</a> href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul> <ul>
<li><a <li><a
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li> href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 <li><a
Routing</a></li> href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address <li><a href="shorewall_setup_guide.htm#ARP">4.4
Resolution Protocol</a></li> Address Resolution Protocol</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 <li><a
RFC 1918</a></li> href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 <li><a href="shorewall_setup_guide.htm#Options">5.0
Setting up your Network</a> Setting up your Network</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 <li><a href="shorewall_setup_guide.htm#Routed">5.1
@ -134,7 +136,7 @@ Setting up your Network</a>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 <li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li> Rules</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li> href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
@ -156,6 +158,10 @@ Rules</a></li>
to use this documentation directly.</p> to use this documentation directly.</p>
<ul> <ul>
<li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
@ -167,7 +173,7 @@ Rules</a></li>
</ul> </ul>
</li> </li>
<li><a href="configuration_file_basics.htm">Common <li><a href="configuration_file_basics.htm">Common
configuration file features</a> configuration file features</a>
<ul> <ul>
<li><a <li><a
@ -190,14 +196,14 @@ configuration file features</a>
<li><a <li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations href="configuration_file_basics.htm#Configs">Shorewall Configurations
(making a test configuration)</a></li> (making a test configuration)</a></li>
<li><a href="configuration_file_basics.htm#MAC">Using <li><a
MAC Addresses in Shorewall</a></li> href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration File <li><a href="Documentation.htm">Configuration File
Reference Manual</a> Reference Manual</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li> <a href="Documentation.htm#Variables">params</a></li>
@ -246,7 +252,7 @@ Reference Manual</a>
<li><a href="MAC_Validation.html">MAC Verification</a><br> <li><a href="MAC_Validation.html">MAC Verification</a><br>
</li> </li>
<li><a href="myfiles.htm">My Shorewall Configuration <li><a href="myfiles.htm">My Shorewall Configuration
(How I personally use Shorewall)</a><br> (How I personally use Shorewall)</a><br>
</li> </li>
<li><a href="ping.html">'Ping' Management</a><br> <li><a href="ping.html">'Ping' Management</a><br>
</li> </li>
@ -272,7 +278,7 @@ Reference Manual</a>
</ul> </ul>
<li><font color="#000099"><a href="NAT.htm">Static <li><font color="#000099"><a href="NAT.htm">Static
NAT</a></font></li> NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
with Shorewall</a><br> with Shorewall</a><br>
</li> </li>
@ -299,16 +305,10 @@ NAT</a></font></li>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 2/26/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br> Eastep</font></a><br>
</p> </p>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -121,8 +121,8 @@
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is <p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system, based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone GNU/Linux a multi-function gateway/router/server or on a standalone
system.</p> GNU/Linux system.</p>
@ -137,26 +137,26 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms it under the
of <a href="http://www.gnu.org/licenses/gpl.html">Version terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software 2 of the GNU General Public License</a> as published by the Free
Foundation.<br> Software Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, but in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A warranty of MERCHANTABILITY or FITNESS FOR
PARTICULAR PURPOSE. See the GNU General Public License A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br> for more details.<br>
<br> <br>
You should have received You should have received
a copy of the GNU General Public License a copy of the GNU General Public License
along with this program; if not, write to along with this program; if not, write
the Free Software Foundation, Inc., 675 to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p> Mass Ave, Cambridge, MA 02139, USA</p>
@ -222,10 +222,10 @@ Eric on the recent release of Bering 1.1!!!</b><br>
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img <p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
Shorewall 1.4 represents the Shorewall 1.4 represents
next step in the evolution of Shorewall. The main thrust of the initial the next step in the evolution of Shorewall. The main thrust of the initial
release is simply to remove the cruft that has accumulated in Shorewall over release is simply to remove the cruft that has accumulated in Shorewall
time. <br> over time. <br>
<br> <br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package <b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br> ('ip' utility).</b><br>
@ -252,7 +252,7 @@ no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOS
<br> <br>
</li> </li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted.<br> no longer accepted.<br>
<br> <br>
</li> </li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer <li>The ALLOWRELATED variable in shorewall.conf is no longer
@ -271,12 +271,12 @@ no longer accepted.<br>
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to <li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and does or from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li> not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone <li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li> DESTINATION columns.</li>
</ul> </ul>
@ -297,20 +297,34 @@ DESTINATION columns.</li>
in /usr/share/shorewall.<br> in /usr/share/shorewall.<br>
<br> <br>
</li> </li>
<li>Late arriving DNS replies are now silently dropped in the <li>Late arriving DNS replies are now silently dropped in
common chain by default.<br> the common chain by default.<br>
<br> <br>
</li> </li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you 1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
want to 'ping' from the firewall, you will need the appropriate rule or to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
policy.<br> <br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br> <br>
</li> </li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i> <li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br> now support the 'maclist' option.<br>
<br> <br>
</li> </li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.</li>
</ol> </ol>
@ -344,6 +358,7 @@ policy.<br>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
@ -384,6 +399,7 @@ policy.<br>
<h2>This site is hosted by the generous folks at <a <h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2> href="http://www.sf.net">SourceForge.net</a> </h2>
@ -457,11 +473,11 @@ policy.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free
if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
@ -479,9 +495,10 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/28/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
</body> </body>
</html> </html>

View File

@ -41,13 +41,13 @@
<p> If you have a permanent internet connection such as DSL or Cable, <p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once I recommend that you start the firewall automatically at boot.
you have installed "firewall" in your init.d directory, simply type Once you have installed "firewall" in your init.d directory, simply
"chkconfig --add firewall". This will start the firewall in run type "chkconfig --add firewall". This will start the firewall
levels 2-5 and stop it in run levels 1 and 6. If you want to configure in run levels 2-5 and stop it in run levels 1 and 6. If you want
your firewall differently from this default, you can use the "--level" to configure your firewall differently from this default, you can
option in chkconfig (see "man chkconfig") or using your favorite use the "--level" option in chkconfig (see "man chkconfig") or using
graphical run-level editor.</p> your favorite graphical run-level editor.</p>
@ -67,7 +67,7 @@ edit /etc/default/shorewall and set 'startup=1'.<br>
</li> </li>
<li>If you use dialup, you may want to start the firewall <li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing in your /etc/ppp/ip-up.local script. I recommend just placing
"shorewall restart" in that script.</li> "shorewall restart" in that script.</li>
</ol> </ol>
@ -105,8 +105,8 @@ edit /etc/default/shorewall and set 'startup=1'.<br>
<p>The above command would trace the 'start' command and place the trace information <p>The above command would trace the 'start' command and place the trace
in the file /tmp/trace<br> information in the file /tmp/trace<br>
</p> </p>
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the <p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
@ -120,7 +120,7 @@ in the file /tmp/trace<br>
<li>shorewall status - produce a verbose report about the <li>shorewall status - produce a verbose report about the
firewall (iptables -L -n -v)</li> firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report <li>shorewall show <i>chain</i> - produce a verbose report
about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li> about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the <li>shorewall show nat - produce a verbose report about the
nat table (iptables -t nat -L -n -v)</li> nat table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the <li>shorewall show tos - produce a verbose report about the
@ -131,10 +131,10 @@ about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall <li>shorewall
show show
tc - displays tc - displays
information about the traffic control/shaping configuration.</li> information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the <li>shorewall monitor [ delay ] - Continuously display the
firewall status, last 20 log entries and nat. When the log entry firewall status, last 20 log entries and nat. When the log
display changes, an audible alarm is sounded.</li> entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall <li>shorewall hits - Produces several reports about the Shorewall
packet log messages in the current /var/log/messages file.</li> packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version <li>shorewall version - Displays the installed version
@ -143,24 +143,25 @@ display changes, an audible alarm is sounded.</li>
zones, interfaces, hosts, rules and policy files.<br> zones, interfaces, hosts, rules and policy files.<br>
<br> <br>
<font size="4" color="#ff6666"><b>The "check" command is totally unsuppored <font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
and does not parse and validate the generated iptables commands. and does not parse and validate the generated iptables commands. Even
Even though the "check" command completes successfully, the configuration though the "check" command completes successfully, the configuration
may fail to start. Problem reports that complain about errors that the 'check' may fail to start. Problem reports that complain about errors that the 'check'
command does not detect will not be accepted.<br> command does not detect will not be accepted.<br>
<br> <br>
See the recommended way to make configuration changes described below.</b></font><br> See the recommended way to make configuration changes described below.</b></font><br>
<br>
</li> </li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if ] - Restart shorewall using the specified configuration and if an
an error occurs or if the<i> timeout </i> option is given and the error occurs or if the<i> timeout </i> option is given and the new
new configuration has been up for that many seconds then shorewall configuration has been up for that many seconds then shorewall is
is restarted using the standard configuration.</li> restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and <li>shorewall deny, shorewall reject, shorewall accept and
shorewall save implement <a href="blacklisting_support.htm">dynamic shorewall save implement <a href="blacklisting_support.htm">dynamic
blacklisting</a>.</li> blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors <li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm when the <a href="#Conf">LOGFILE </a>and produces an audible alarm when
new Shorewall messages are logged.</li> new Shorewall messages are logged.</li>
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter Finally, the "shorewall" program may be used to dynamically alter
@ -168,7 +169,8 @@ new Shorewall messages are logged.</li>
<ul> <ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified zone.</li> Adds the specified interface (and host if included) to the specified
zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the specified Deletes the specified interface (and host if included) from the specified
zone.</li> zone.</li>
@ -228,14 +230,15 @@ used.</p>
<li><font color="#009900"><b>/sbin/shorewall <li><font color="#009900"><b>/sbin/shorewall
try .</b></font></li> try .</b></font></li>
</ul> </ul>
<p> If the configuration starts but doesn't work, just "shorewall restart" <p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to to restore the old configuration. If the new configuration fails
start, the "try" command will automatically start the old one for you.</p> to start, the "try" command will automatically start the old one for
you.</p>
@ -271,8 +274,7 @@ try .</b></font></li>
You will note that the commands that result in state transitions You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the actual use the word "firewall" rather than "shorewall". That is because the actual
transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
on Debian); /sbin/shorewall runs 'firewall" according to the following on Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
table:<br>
<br> <br>
<table cellpadding="2" cellspacing="2" border="1"> <table cellpadding="2" cellspacing="2" border="1">
@ -333,6 +335,7 @@ table:<br>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
</body> </body>
</html> </html>

View File

@ -3,18 +3,22 @@
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title> <title>Shorewall Support Guide</title>
@ -34,47 +38,49 @@
<h1 align="center"><font color="#ffffff">Shorewall Support<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions <p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
emailed directly to me, I try to spend some time each day answering questions emailed directly to me, I try to spend some time each day answering questions
on the Shorewall Users Mailing List.</font></big><span on the Shorewall Users Mailing List and on the Support Forum.</font></big><span
style="font-weight: 400;"></span></big></b></p> style="font-weight: 400;"></span></big></b></p>
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2> <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
<h1>Before Reporting a Problem</h1> <h1>Before Reporting a Problem</h1>
<i>"Well at least you tried to read the documentation, which is a lot more <i>"Well at least you tried to read the documentation, which is a lot
than some people on this list appear to do.</i>"<br> more than some people on this list appear to do.</i>"<br>
<br> <br>
<div align="center">- Wietse Venema - On the Postfix mailing list<br> <div align="center">- Wietse Venema - On the Postfix mailing list<br>
</div> </div>
<br> <br>
There are a number of sources for There are a number of sources
problem solution information. Please try these before you post. for problem solution information. Please try these before you
post.
<h3> </h3> <h3> </h3>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li>More than half of the questions posted on the support <li>More than half of the questions posted on the
list have answers directly accessible from the <a support list have answers directly accessible from the <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<br> <br>
</li> </li>
<li> The <a href="FAQ.htm">FAQ</a> <li> The <a
has solutions to more than 20 common problems. </li> href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
</li>
</ul> </ul>
@ -99,9 +105,9 @@
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> The Mailing List <li> The Mailing
Archives search facility can locate posts about similar List Archives search facility can locate posts about similar
problems: </li> problems: </li>
</ul> </ul>
@ -121,12 +127,14 @@ problems: </li>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -139,21 +147,22 @@ problems: </li>
name="config" value="htdig"> <input type="hidden" name="restrict" name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" Search: <input type="text"
name="words" value=""> <input type="submit" value="Search"> </p> size="30" name="words" value=""> <input type="submit" value="Search">
</p>
</form> </form>
<h2>Problem Reporting Guidelines </h2> <h2>Problem Reporting Guidelines </h2>
<i>"Let me see if I can translate your message into a real-world <i>"Let me see if I can translate your message into a
example. It would be like saying that you have three rooms at home, real-world example. It would be like saying that you have three
and when you walk into one of the rooms, you detect this strange smell. rooms at home, and when you walk into one of the rooms, you detect
Can anyone tell you what that strange smell is?<br> this strange smell. Can anyone tell you what that strange smell is?<br>
<br> <br>
Now, all of us could do some wonderful guessing as to the Now, all of us could do some wonderful guessing as to
smell and even what's causing it. You would be absolutely amazed the smell and even what's causing it. You would be absolutely amazed
at the range and variety of smells we could come up with. Even more at the range and variety of smells we could come up with. Even more
amazing is that all of the explanations for the smells would be completely amazing is that all of the explanations for the smells would be completely
plausible."<br> plausible."<br>
</i><br> </i><br>
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br> <div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
@ -166,25 +175,25 @@ plausible."<br>
<ul> <ul>
<li>Please remember we only know what is posted in your message. <li>Please remember we only know what is posted in your message.
Do not leave out any information that appears to be correct, or was Do not leave out any information that appears to be correct, or was
mentioned in a previous post. There have been countless posts by people mentioned in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct when it who were sure that some part of their configuration was correct when
actually contained a small error. We tend to be skeptics where detail it actually contained a small error. We tend to be skeptics where detail
is lacking.<br> is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're asking for <strong>free</strong> <li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not an technical support. Any help we offer is an act of generosity, not
obligation. Try to make it easy for us to help you. Follow good, courteous an obligation. Try to make it easy for us to help you. Follow good,
practices in writing and formatting your e-mail. Provide details that courteous practices in writing and formatting your e-mail. Provide
we need if you expect good answers. <em>Exact quoting </em> of error messages, details that we need if you expect good answers. <em>Exact quoting </em>
log entries, command output, and other output is better than a paraphrase of error messages, log entries, command output, and other output is better
or summary.<br> than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> Please don't describe <li> Please don't describe
your environment and then ask us to send you custom your environment and then ask us to send you custom
configuration files. We're here to answer your questions but we configuration files. We're here to answer your questions but
can't do your job for you.<br> we can't do your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> include <li>When reporting a problem, <strong>ALWAYS</strong> include
@ -241,7 +250,7 @@ configuration files. We're here to answer your questions but we
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart Guides, <li>If you installed Shorewall using one of the QuickStart Guides,
please indicate which one. <br> please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake <li><b>If you are running Shorewall under Mandrake using the Mandrake
@ -257,22 +266,22 @@ please indicate which one. <br>
<li><b>NEVER </b>include the output of "<b><font <li><b>NEVER </b>include the output of "<b><font
color="#009900">iptables -L</font></b>". Instead,<font color="#009900">iptables -L</font></b>". Instead,<font
color="#ff0000"><u><i><big> <b>if you are having connection problems of color="#ff0000"><u><i><big> <b>if you are having connection problems of
any kind then:</b></big></i></u></font><br> any kind then:</b></big></i></u></font><br>
<br> <br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br> 1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
<br> <br>
2. Try the connection that is failing.<br> 2. Try the connection that is failing.<br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br> 3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment.<br>
<br> <br>
</li> </li>
<li>As a general matter, please <strong>do not edit the diagnostic <li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, netmask, information</strong> in an attempt to conceal your IP address, netmask,
nameserver addresses, domain name, etc. These aren't secrets, and concealing nameserver addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them them often misleads us (and 80% of the time, a hacker could derive
anyway from information contained in the SMTP headers of your post).<strong></strong></li> them anyway from information contained in the SMTP headers of your post).<strong></strong></li>
</ul> </ul>
@ -289,18 +298,19 @@ any kind then:</b></big></i></u></font><br>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> Do you see any <li> Do you see
"Shorewall" messages ("<b><font color="#009900">/sbin/shorewall show any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
log</font></b>") when you exercise the function that is giving show log</font></b>") when you exercise the function that
you problems? If so, include the message(s) in your post along with a is giving you problems? If so, include the message(s) in your post
copy of your /etc/shorewall/interfaces file.<br> along with a copy of your /etc/shorewall/interfaces file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration files <li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have modified (especially the /etc/shorewall/hosts file if you have
that file) that you think are relevant. If you include /etc/shorewall/rules, modified that file) that you think are relevant. If you
please include /etc/shorewall/policy as well (rules are meaningless unless include /etc/shorewall/rules, please include /etc/shorewall/policy
one also knows the policies). </li> as well (rules are meaningless unless one also knows the policies).
</li>
</ul> </ul>
@ -346,29 +356,36 @@ allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need one list subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to rid the to get a <i>(expletive deleted)</i> life instead of trying to rid the planet
planet of HTML based e-mail". Nevertheless, to allow subscribers to receive of HTML based e-mail". Nevertheless, to allow subscribers to receive list
list posts as must as possible, I have now configured the list server posts as must as possible, I have now configured the list server at shorewall.net
at shorewall.net to strip all HTML from outgoing posts.<br> to strip all HTML from outgoing posts.<br>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
mailing list</a>.</span></h4> mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network <b>If you run Shorewall under MandrakeSoft Multi Network
Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft
then you can post non MNF-specific Shorewall questions to the </b><a then you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a> <b>Do not expect to get free MNF support on the list.</b><br> list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a></p> list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>.</p>
</blockquote> </blockquote>
@ -379,7 +396,7 @@ then you can post non MNF-specific Shorewall questions to the </b><a
.</p> .</p>
<p align="left"><font size="2">Last Updated 2/22/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 3/4/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -387,10 +404,5 @@ then you can post non MNF-specific Shorewall questions to the </b><a
</p> </p>
<br> <br>
<br> <br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -21,6 +21,7 @@
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1> <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td> </td>
</tr> </tr>
@ -29,32 +30,32 @@
</table> </table>
<p align="left">Shorewall has limited support for traffic shaping/control. <p align="left">Shorewall has limited support for traffic shaping/control.
In order to use traffic shaping under Shorewall, it is essential that In order to use traffic shaping under Shorewall, it is essential that
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a>, version 0.3.0 or later.</p> and Shaping HOWTO</a>, version 0.3.0 or later.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p> <p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul> <ul>
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf. <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Traffic Shaping also requires that you enable packet mangling.</li> Traffic Shaping also requires that you enable packet mangling.</li>
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
setting of this variable determines whether Shorewall clears the traffic the setting of this variable determines whether Shorewall clears the traffic
shaping configuration during Shorewall [re]start and Shorewall stop. <br> shaping configuration during Shorewall [re]start and Shorewall stop. <br>
</li> </li>
<li><b>/etc/shorewall/tcrules</b> - A file where you can <li><b>/etc/shorewall/tcrules</b> - A file where you can
specify firewall marking of packets. The firewall mark value may specify firewall marking of packets. The firewall mark value may
be used to classify packets for traffic shaping/control.<br> be used to classify packets for traffic shaping/control.<br>
</li> </li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file <li><b>/etc/shorewall/tcstart </b>- A user-supplied file
that is sourced by Shorewall during "shorewall start" and which that is sourced by Shorewall during "shorewall start" and which
you can use to define your traffic shaping disciplines and classes. you can use to define your traffic shaping disciplines and classes.
I have provided a <a I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections table-driven CBQ shaping but if you read the traffic shaping sections
of the HOWTO mentioned above, you can probably code your own faster of the HOWTO mentioned above, you can probably code your own faster
than you can learn how to use my sample. I personally use <a than you can learn how to use my sample. I personally use <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
HTB support may eventually become an integral part of Shorewall HTB support may eventually become an integral part of Shorewall
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20, since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
@ -62,28 +63,29 @@ since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
order to use it.<br> order to use it.<br>
<br> <br>
In tcstart, when you want to run the 'tc' utility, use In tcstart, when you want to run the 'tc' utility, use
the run_tc function supplied by shorewall if you want tc errors the run_tc function supplied by shorewall if you want tc errors
to stop the firewall.<br> to stop the firewall.<br>
<br> <br>
You can generally use off-the-shelf traffic shaping scripts by simply You can generally use off-the-shelf traffic shaping scripts by
copying them to /etc/shorewall/tcstart. I use <a simply copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version) href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
modified it according to the Wonder Shaper README). <b>WARNING: </b>If and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address) you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied script won't work. Traffic shaping occurs after SNAT has already been
so when traffic shaping happens, all outbound traffic will have as a source applied so when traffic shaping happens, all outbound traffic will have
address the IP addresss of your firewall's external interface.<br> as a source address the IP addresss of your firewall's external interface.<br>
</li> </li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file <li><b>/etc/shorewall/tcclear</b> - A user-supplied file
that is sourced by Shorewall when it is clearing traffic shaping. that is sourced by Shorewall when it is clearing traffic shaping.
This file is normally not required as Shorewall's method of clearing This file is normally not required as Shorewall's method of clearing
qdisc and filter definitions is pretty general.</li> qdisc and filter definitions is pretty general.</li>
</ul> </ul>
Shorewall allows you to start traffic shaping when Shorewall itself starts Shorewall allows you to start traffic shaping when Shorewall itself
or it allows you to bring up traffic shaping when you bring up your interfaces.<br> starts or it allows you to bring up traffic shaping when you bring up your
interfaces.<br>
<br> <br>
To start traffic shaping when Shorewall starts:<br> To start traffic shaping when Shorewall starts:<br>
@ -93,21 +95,21 @@ qdisc and filter definitions is pretty general.</li>
shaping rules.</li> shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic <li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.</li> shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can mark <li>If your tcstart script uses the 'fwmark' classifier, you can
packets using entries in /etc/shorewall/tcrules.</li> mark packets using entries in /etc/shorewall/tcrules.</li>
</ol> </ol>
To start traffic shaping when you bring up your network interfaces, you To start traffic shaping when you bring up your network interfaces,
will have to arrange for your traffic shaping configuration script to be you will have to arrange for your traffic shaping configuration script to
run at that time. How you do that is distribution dependent and will not be be run at that time. How you do that is distribution dependent and will not
covered here. You then should:<br> be covered here. You then should:<br>
<ol> <ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li> <li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear <li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
scripts.</li> scripts.</li>
<li value="4">If your tcstart script uses the 'fwmark' classifier, <li value="4">If your tcstart script uses the 'fwmark' classifier,
you can mark packets using entries in /etc/shorewall/tcrules.</li> you can mark packets using entries in /etc/shorewall/tcrules.</li>
</ol> </ol>
@ -128,17 +130,17 @@ you can mark packets using entries in /etc/shorewall/tcrules.</li>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before <p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are packets based on their destination address when SNAT or Masquerading
being used. Beginning with Shorewall 1.3.12, you can cause packet marking are being used. Beginning with Shorewall 1.3.12, you can cause packet
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br> option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p> </p>
<p align="left">Columns in the file are as follows:</p> <p align="left">Columns in the file are as follows:</p>
<ul> <ul>
<li>MARK - Specifies the mark value is to be assigned in <li>MARK - Specifies the mark value is to be assigned in
case of a match. This is an integer in the range 1-255. Beginning case of a match. This is an integer in the range 1-255. Beginning
with Shorewall version 1.3.14, this value may be optionally followed by with Shorewall version 1.3.14, this value may be optionally followed by
":" and either 'F' or 'P' to designate that the marking will occur in the ":" and either 'F' or 'P' to designate that the marking will occur in the
FORWARD or PREROUTING chains respectively. If this additional specification FORWARD or PREROUTING chains respectively. If this additional specification
@ -150,22 +152,22 @@ of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewa
<li>SOURCE - The source of the packet. If the packet originates <li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is a on the firewall, place "fw" in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses comma-separated list of interface names, IP addresses, MAC addresses
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br> in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br> <br>
Examples<br> Examples<br>
    eth0<br>     eth0<br>
    192.168.2.4,192.168.1.0/24<br>     192.168.2.4,192.168.1.0/24<br>
</li> </li>
<li>DEST -- Destination of the packet. Comma-separated list <li>DEST -- Destination of the packet. Comma-separated
of IP addresses and/or subnets.<br> list of IP addresses and/or subnets.<br>
</li> </li>
<li>PROTO - Protocol - Must be the name of a protocol from <li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or "all"<br> /etc/protocol, a number or "all"<br>
</li> </li>
<li>PORT(S) - Destination Ports. A comma-separated list of <li>PORT(S) - Destination Ports. A comma-separated list
Port names (from /etc/services), port numbers or port ranges (e.g., of Port names (from /etc/services), port numbers or port ranges (e.g.,
21:22); if the protocol is "icmp", this column is interpreted as 21:22); if the protocol is "icmp", this column is interpreted
the destination icmp type(s).<br> as the destination icmp type(s).<br>
</li> </li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. <li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
If omitted, any source port is acceptable. Specified as a comma-separate If omitted, any source port is acceptable. Specified as a comma-separate
@ -175,8 +177,8 @@ in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<p align="left">Example 1 - All packets arriving on eth1 should be marked <p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with with 1. All packets arriving on eth2 and eth3 should be marked with
2. All packets originating on the firewall itself should be marked with 2. All packets originating on the firewall itself should be marked with
3.</p> 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
@ -287,7 +289,7 @@ in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<p>While I am currently using the HTB version of <a <p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
in the Wondershaper README), I have also run with the following set of in the Wondershaper README), I have also run with the following set of
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br> hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</p> </p>
@ -308,7 +310,8 @@ hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</blockquote> </blockquote>
<p>My tcrules file that went with this tcstart file is shown in Example 1 <p>My tcrules file that went with this tcstart file is shown in Example 1
above.<br> above. You can look at <a href="myfiles.htm">my configuration</a> to
see why I wanted shaping of this type.<br>
</p> </p>
<ol> <ol>
@ -317,17 +320,20 @@ hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
can use all available bandwidth if there is no traffic from the local can use all available bandwidth if there is no traffic from the local
systems or from my laptop or firewall).</li> systems or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li> <li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.<br> <li>My firewall could use up to 20kbits/second.</li>
</li>
</ol> </ol>
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
to see how this fit in. <br>
<p><font size="2">Last Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -35,23 +35,23 @@
<h3> </h3> <h3> </h3>
<h3>Version &gt;= 1.4.0</h3> <h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 <u>REQUIRES</u></b> <b>the iproute package <b>IMPORTANT: Shorewall &gt;=1.4.0 <u>REQUIRES</u></b> <b>the iproute package
('ip' utility).</b><br> ('ip' utility).</b><br>
<br> <br>
If you are upgrading from a version &lt; 1.4.0, then:<br> If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul> <ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options are no <li>The <b>noping </b>and <b>forwardping</b> interface options are
longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf. no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li> request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in /etc/shorewall/interfaces <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in
now generate a Shorewall error at startup (they always have produced warnings /etc/shorewall/interfaces now generate a Shorewall error at startup (they
in iptables).</li> always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. Shorewall <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents are Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
determined by BOTH the interfaces and hosts files when there are entries for are determined by BOTH the interfaces and hosts files when there are entries
the zone in both files.</li> for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts file <li>The <b>routestopped</b> option in the interfaces and hosts file
has been eliminated; use entries in the routestopped file instead.</li> has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
@ -63,8 +63,8 @@ there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li> logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have been <li value="6">The 'firewall', 'functions' and 'version' file have been
moved to /usr/share/shorewall.</li> moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include it from <li value="6">The icmp.def file has been removed. If you include it
/etc/shorewall/icmpdef, you will need to modify that file.</li> from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall <li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that will generate rules for sending packets back out the same interface that
they arrived on in two cases:</li> they arrived on in two cases:</li>
@ -75,19 +75,22 @@ they arrived on in two cases:</li>
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to or from <li>There is an <u>explicit</u> policy for the source zone to or from
the destination zone. An explicit policy names both zones and does not use the destination zone. An explicit policy names both zones and does not use
the 'all' reserved word.</li> the 'all' reserved word.</li>
</ul> </ul>
<ul> <ul>
<li>There are one or more rules for traffic for the source zone to or <li>There are one or more rules for traffic for the source zone to
from the destination zone including rules that use the 'all' reserved word. or from the destination zone including rules that use the 'all' reserved
Exception: if the source zone and destination zone are the same then the word. Exception: if the source zone and destination zone are the same then
rule must be explicit - it must name the zone in both the SOURCE and DESTINATION the rule must be explicit - it must name the zone in both the SOURCE and
columns.</li> DESTINATION columns.</li>
</ul> </ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li>
</ul> </ul>
@ -109,8 +112,9 @@ rule must be explicit - it must name the zone in both the SOURCE and DESTINATION
their own entry in /etc/shorewall/masq to be masqueraded or to have SNAT their own entry in /etc/shorewall/masq to be masqueraded or to have SNAT
applied.</li> applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named interface. routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT applied.</li> Traffic originating in ANY of those subnets is masqueraded or has SNAT
applied.</li>
</ul> </ul>
You will need to make a change to your configuration if:<br> You will need to make a change to your configuration if:<br>
@ -150,8 +154,8 @@ Traffic originating in ANY of those subnets is masqueraded or has SNAT applied
See the <a href="ping.html">'Ping' handling documentation</a> for details.<br> See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
version 1.3.10, you will need to use the '--force' option:<br> to version 1.3.10, you will need to use the '--force' option:<br>
<br> <br>
<blockquote> <blockquote>
@ -159,8 +163,8 @@ Traffic originating in ANY of those subnets is masqueraded or has SNAT applied
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.9</h3> <h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. If The 'functions' file has moved to /usr/lib/shorewall/functions.
you have an application that uses functions from that file, your application If you have an application that uses functions from that file, your application
will need to be changed to reflect this change of location.<br> will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3> <h3>Version &gt;= 1.3.8</h3>
@ -193,13 +197,13 @@ Traffic originating in ANY of those subnets is masqueraded or has SNAT applied
<ol> <ol>
<li>Be sure you have a backup <li>Be sure you have a backup
-- you will need to transcribe any Shorewall -- you will need to transcribe any Shorewall
configuration changes that you have made configuration changes that you have
to the new configuration.</li> made to the new configuration.</li>
<li>Replace the shorwall.lrp package <li>Replace the shorwall.lrp
provided on the Bering floppy with the package provided on the Bering floppy
later one. If you did not obtain the later with the later one. If you did not obtain
version from Jacques's site, see additional the later version from Jacques's site,
instructions below.</li> see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list <li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall file and remove the /var/lib/shorewall
entry if present. Then do not forget entry if present. Then do not forget
@ -209,8 +213,8 @@ to backup root.lrp !</li>
<p>The .lrp that I release isn't set up for a two-interface firewall like <p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to for setting up a two-interface firewall</a> plus you also need to add
add the following two Bering-specific rules to /etc/shorewall/rules:</p> the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote> <blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre> <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
@ -240,8 +244,9 @@ packets after takeover.<br>
<p align="left">Create /etc/shorewall/common (if you don't already <p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br> have that file) and include the following:<br>
<br> <br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags <font face="Courier">run_iptables -A common -p tcp
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br> --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild
connection<br>
                                                                                                                                       
#tracking table. <br> #tracking table. <br>
. /etc/shorewall/common.def</font> </p> . /etc/shorewall/common.def</font> </p>
@ -289,8 +294,8 @@ packets after takeover.<br>
If you have applications that access these files, those applications If you have applications that access these files, those applications
should be modified accordingly.</p> should be modified accordingly.</p>
<p><font size="2"> Last updated 2/14/2003 - <p><font size="2"> Last updated 3/6/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
@ -301,5 +306,6 @@ packets after takeover.<br>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>