More 1.4.0 Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@483 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-03-06 23:41:31 +00:00
parent 09fc5e317a
commit 07f66da156
16 changed files with 8519 additions and 7791 deletions

File diff suppressed because it is too large Load Diff

View File

@ -39,6 +39,7 @@
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
</td>
</tr>
@ -50,8 +51,9 @@
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5.
I've looked everywhere and can't find <b>how to do it</b>.</a></p>
port</b> 7777 to my my personal PC with IP address
192.168.1.5. I've looked everywhere and can't find <b>how
to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
@ -65,14 +67,14 @@
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests
to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5
in my local network. <b>External clients can browse</b>
http://www.mydomain.com but <b>internal clients can't</b>.</a></p>
http://www.mydomain.com but <b>internal clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone "Z" with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918
addresses to hosts in Z. Hosts in Z cannot communicate
with each other using their external (non-RFC1918 addresses)
so they <b>can't access each other using their DNS names.</b></a></p>
with each other using their external (non-RFC1918 addresses)
so they <b>can't access each other using their DNS names.</b></a></p>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting</b>
@ -108,23 +110,23 @@ so they <b>can't access each other using their DNS names.</b></a></p>
</p>
<p align="left"><b>6c. </b><a href="#faq6c">All day long I get a steady flow
of these <b>DROP messages from port 53</b> <b>to some high numbered port</b>.
They get dropped, but what the heck are they?</a><br>
of these <b>DROP messages from port 53</b> <b>to some high numbered
port</b>. They get dropped, but what the heck are they?</a><br>
</p>
<p align="left"><b>6d.</b> <a href="#faq6d">Why is the <b>MAC address</b>
in Shorewall log messages <b>so long</b>? I thought MAC addresses were only
6 bytes in length.</a><b><br>
in Shorewall log messages <b>so long</b>? I thought MAC addresses were
only 6 bytes in length.</a><b><br>
</b></p>
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall
on RedHat</b> I get messages about insmod failing --
what's wrong?</a></p>
what's wrong?</a></p>
<p align="left"><b>9. </b><a href="FAQ.htm#faq9">Why can't Shorewall <b>detect
@ -136,7 +138,7 @@ what's wrong?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
support?</a></p>
support?</a></p>
<p align="left"><b>12. </b><a href="#faq12">Is there a <b>GUI?</b></a></p>
@ -147,15 +149,15 @@ what's wrong?</a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem
and it has an internel web server that allows me to
configure/monitor it but as expected if I enable <b> rfc1918
blocking</b> for my eth0 interface, it also blocks the <b>cable
modems web server</b></a>.</p>
configure/monitor it but as expected if I enable <b> rfc1918
blocking</b> for my eth0 interface, it also blocks the <b>cable
modems web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918
address. If I enable RFC 1918 filtering on my external
interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
address. If I enable RFC 1918 filtering on my external interface,
<b>my DHCP client cannot renew its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see
@ -166,16 +168,16 @@ interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
all over my console</b> making it unusable!<br>
</a></p>
<b>17</b>. <a
href="#faq17">How do I find out <b>why this traffic is</b> getting
<b>logged?</b></a><br>
href="#faq17">How do I find out <b>why this traffic is</b>
getting <b>logged?</b></a><br>
<br>
<b>18.</b> <a href="#faq18">Is there any
way to use <b>aliased ip addresses</b> with Shorewall, and
maintain separate rulesets for different IPs?</a><br>
<b>18.</b> <a href="#faq18">Is there
any way to use <b>aliased ip addresses</b> with Shorewall,
and maintain separate rulesets for different IPs?</a><br>
<br>
<b>19. </b><a href="#faq19">I have added <b>entries
to /etc/shorewall/tcrules</b> but they <b>don't </b>seem to <b>do
anything</b>. Why?</a><br>
<b>19. </b><a href="#faq19">I have added
<b>entries to /etc/shorewall/tcrules</b> but they <b>don't </b>seem
to <b>do anything</b>. Why?</a><br>
<br>
<b>20. </b><a href="#faq20">I have just set
up a server. <b>Do I have to change Shorewall to allow access
@ -184,19 +186,19 @@ to my server from the internet?<br>
</b></a><b>21. </b><a href="#faq21">I see these <b>strange
log entries </b>occasionally; what are they?<br>
</a><br>
<b>22. </b><a href="#faq22">I have some <b>iptables commands
</b>that I want to <b>run when Shorewall starts.</b> Which file do
I put them in?</a><br>
<b>22. </b><a href="#faq22">I have some <b>iptables
commands </b>that I want to <b>run when Shorewall starts.</b> Which
file do I put them in?</a><br>
<br>
<b>23. </b><a href="#faq23">Why do you use such <b>ugly
fonts</b> on your <b>web site</b>?</a><br>
fonts</b> on your <b>web site</b>?</a><br>
<br>
<b>24. </b><a href="#faq24">How can I <b>allow conections</b>
to let's say the ssh port only<b> from specific IP Addresses</b> on
the internet?</a><br>
to let's say the ssh port only<b> from specific IP Addresses</b>
on the internet?</a><br>
<br>
<b>25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b>
I am <b>running</b>?</a><br>
I am <b>running</b>?</a><br>
<br>
<hr>
@ -214,6 +216,7 @@ port-forwarding rule to a local system is as follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -229,8 +232,8 @@ port-forwarding rule to a local system is as follows:</p>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;local IP
address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td>loc:<i>&lt;local
IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td> <br>
@ -254,6 +257,7 @@ address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -288,12 +292,14 @@ address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<div align="left"> <font face="Courier"> </font>If
you want to forward requests directed to a particular address (
<i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</div>
you want to forward requests directed to a particular address
( <i>&lt;external IP&gt;</i> ) on your firewall to an internal
system:</div>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -309,8 +315,8 @@ address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;local IP
address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td>loc:<i>&lt;local
IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td>-</td>
@ -336,13 +342,13 @@ address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<ul>
<li>You are trying to test from
inside your firewall (no, that won't work -- see <a
href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem
with your local system such as an incorrect default gateway
configured (it should be set to the IP address of your
firewall's internal interface).</li>
<li>You are trying to test
from inside your firewall (no, that won't work -- see
<a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic
problem with your local system such as an incorrect default
gateway configured (it should be set to the IP address of
your firewall's internal interface).</li>
</ul>
@ -351,37 +357,39 @@ firewall's internal interface).</li>
<h4 align="left"><a name="faq1b"></a>1b. I'm still having problems with port
forwarding</h4>
<b>Answer: </b>To further diagnose this
problem:<br>
problem:<br>
<ul>
<li>As root, type "iptables -t nat -Z".
This clears the NetFilter counters in the nat table.</li>
<li>Try to connect to the redirected port
from an external host.</li>
<li>As root, type "iptables -t nat
-Z". This clears the NetFilter counters in the nat table.</li>
<li>Try to connect to the redirected
port from an external host.</li>
<li>As root type "shorewall show nat"</li>
<li>Locate the appropriate DNAT rule.
It will be in a chain called <i>&lt;source zone&gt;</i>_dnat
('net_dnat' in the above examples).</li>
<li>Is the packet count in the first column
non-zero? If so, the connection request is reaching the firewall
and is being redirected to the server. In this case, the problem
is usually a missing or incorrect default gateway setting on
the server (the server's default gateway should be the IP address
of the firewall's interface to the server).</li>
It will be in a chain called <i>&lt;source zone&gt;</i>_dnat
('net_dnat' in the above examples).</li>
<li>Is the packet count in the first
column non-zero? If so, the connection request is reaching
the firewall and is being redirected to the server. In this
case, the problem is usually a missing or incorrect default
gateway setting on the server (the server's default gateway should
be the IP address of the firewall's interface to the server).</li>
<li>If the packet count is zero:</li>
<ul>
<li>the connection request is not reaching
your server (possibly it is being blocked by your ISP); or</li>
<li>you are trying to connect to a secondary
IP address on your firewall and your rule is only redirecting
the primary IP address (You need to specify the secondary IP address
in the "ORIG. DEST." column in your DNAT rule); or</li>
<li>your DNAT rule doesn't match the
connection request in some other way. In that case, you may
have to use a packet sniffer such as tcpdump or ethereal to further
diagnose the problem.<br>
<li>the connection request is not
reaching your server (possibly it is being blocked by your
ISP); or</li>
<li>you are trying to connect to
a secondary IP address on your firewall and your rule is
only redirecting the primary IP address (You need to specify
the secondary IP address in the "ORIG. DEST." column in your
DNAT rule); or</li>
<li>your DNAT rule doesn't match
the connection request in some other way. In that case, you
may have to use a packet sniffer such as tcpdump or ethereal
to further diagnose the problem.<br>
</li>
@ -412,8 +420,8 @@ diagnose the problem.<br>
href="shorewall_setup_guide.htm#DNS">Bind Version 9 "views"</a>
(or using a separate DNS server for local clients) such that www.mydomain.com
resolves to 130.141.100.69 externally and 192.168.1.5 internally.
That's what I do here at shorewall.net for my local systems that
use static NAT.</li>
That's what I do here at shorewall.net for my local systems
that use static NAT.</li>
</ul>
@ -422,9 +430,9 @@ diagnose the problem.<br>
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your
external interface is eth0 and your internal interface
is eth1 and that eth1 has IP address 192.168.1.254 with subnet
192.168.1.0/24, in /etc/shorewall/rules, add:</p>
external interface is eth0 and your internal interface
is eth1 and that eth1 has IP address 192.168.1.254 with subnet
192.168.1.0/24, in /etc/shorewall/rules, add:</p>
<div align="left">
@ -434,6 +442,7 @@ is eth1 and that eth1 has IP address 192.168.1.254 with subnet
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -470,7 +479,7 @@ is eth1 and that eth1 has IP address 192.168.1.254 with subnet
<p align="left">That rule only works of course if you have a static external
IP address. If you have a dynamic IP address and are
running Shorewall 1.3.4 or later then include this in
/etc/shorewall/params:</p>
/etc/shorewall/init:</p>
</div>
@ -487,6 +496,7 @@ is eth1 and that eth1 has IP address 192.168.1.254 with subnet
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber1">
<tbody>
@ -522,7 +532,7 @@ is eth1 and that eth1 has IP address 192.168.1.254 with subnet
<div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time
that you get a new IP address.</p>
that you get a new IP address.</p>
</div>
@ -540,13 +550,13 @@ that you get a new IP address.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have
non-RFC1918 addresses and can be accessed externally and
internally using the same address. </p>
static NAT to Proxy ARP. That way, the hosts in Z
have non-RFC1918 addresses and can be accessed externally
and internally using the same address. </p>
<p align="left">If you don't like those solutions and prefer routing all
Z-&gt;Z traffic through your firewall then:</p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
<p align="left">a) Set the Z-&gt;Z policy to ACCEPT.<br>
@ -565,6 +575,7 @@ Z-&gt;Z traffic through your firewall then:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber2">
<tbody>
@ -596,6 +607,7 @@ Z-&gt;Z traffic through your firewall then:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
@ -628,6 +640,7 @@ Z-&gt;Z traffic through your firewall then:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3" width="369">
<tbody>
@ -680,14 +693,14 @@ Z-&gt;Z traffic through your firewall then:</p>
also rejects TCP ports 135, 137 and 139 as well as UDP ports
137-139. These are ports that are used by Windows (Windows <u>can</u>
be configured to use the DCE cell locator on port 135). Rejecting
these connection requests rather than dropping them cuts down
these connection requests rather than dropping them cuts down
slightly on the amount of Windows chatter on LAN segments connected
to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably
your ISP preventing you from running a web server
in violation of your Service Agreement.</p>
in violation of your Service Agreement.</p>
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
@ -731,12 +744,12 @@ in violation of your Service Agreement.</p>
and how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of
syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern)
facility (see "man openlog") and you get to choose the log level (again,
see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog
(see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility
(see "man openlog") and you get to choose the log level (again, see "man
syslog") in your <a href="Documentation.htm#Policy">policies</a> and <a
href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf").
When you have changed /etc/syslog.conf, be sure to restart
syslogd (on a RedHat system, "service syslog restart"). </p>
@ -744,7 +757,7 @@ see "man syslog") in your <a href="Documentation.htm#Policy">policies</a>
<p align="left">By default, older versions of Shorewall ratelimited log messages
through <a href="Documentation.htm#Conf">settings</a>
in /etc/shorewall/shorewall.conf -- If you want to log
all messages, set: </p>
all messages, set: </p>
<div align="left">
@ -775,8 +788,8 @@ all messages, set: </p>
</p>
</blockquote>
I personnaly use Logwatch. It emails me a report
each day from my various systems with each report summarizing the
logged activity on the corresponding system.
each day from my various systems with each report summarizing the
logged activity on the corresponding system.
<h4 align="left"><b><a name="faq6b"></a>6b. DROP messages</b> on port 10619
are <b>flooding the logs</b> with their connect requests. Can i exclude
@ -799,8 +812,8 @@ logged activity on the corresponding system.
</ol>
You can distinguish the difference by setting the <b>logunclean</b>
option (<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>)
on your external interface (eth0 in the above example). If they get logged
twice, they are corrupted. I solve this problem by using an /etc/shorewall/common
on your external interface (eth0 in the above example). If they get
logged twice, they are corrupted. I solve this problem by using an /etc/shorewall/common
file like this:<br>
<blockquote>
@ -812,9 +825,9 @@ logged activity on the corresponding system.
<h4 align="left"><a name="faq6d"></a><b>6d.</b> Why is the MAC address in
Shorewall log messages so long? I thought MAC addresses were only 6 bytes
in length. What is labeled as the MAC address in a Shorewall log message
is actually the Ethernet frame header. In contains:<br>
</h4>
in length.</h4>
What is labeled as the MAC address in a Shorewall log message is actually
the Ethernet frame header. IT contains:<br>
<ul>
<li>the destination MAC address (6 bytes)</li>
@ -835,7 +848,7 @@ logged activity on the corresponding system.
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
stop', I can't connect to anything. Why doesn't that
command work?</h4>
command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into
@ -893,9 +906,9 @@ command work?</h4>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The
Net zone is defined as all hosts that are connected through eth0 and the
local zone is defined as all hosts connected through eth1</p>
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1</p>
</div>
@ -935,9 +948,9 @@ must more commonly used.</p>
<h4 align="left"> <a name="faq14"></a>14. I'm connected via a cable modem
and it has an internal web server that allows me to
configure/monitor it but as expected if I enable rfc1918
blocking for my eth0 interface (the internet one), it also
blocks the cable modems web server.</h4>
configure/monitor it but as expected if I enable rfc1918
blocking for my eth0 interface (the internet one), it also
blocks the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the rfc1918 blocking
@ -946,9 +959,8 @@ blocks the cable modems web server.</h4>
addresses?</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall
earlier than 1.3.1, create /etc/shorewall/start and in it, place the
following:</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier
than 1.3.1, create /etc/shorewall/start and in it, place the following:</p>
<div align="left">
@ -966,6 +978,7 @@ following:</p>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
@ -1036,10 +1049,10 @@ your firewall, then you would add two entries to /etc/shorewall/rfc
<div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public
IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable
RFC 1918 filtering on my external interface, my DHCP client cannot renew
its lease.</h4>
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC
1918 filtering on my external interface, my DHCP client cannot renew its
lease.</h4>
</div>
@ -1096,25 +1109,25 @@ to the internet.</p>
<p align="left"><b>Answer: </b>"man dmesg" -- add a suitable 'dmesg' command
to your startup scripts or place it in /etc/shorewall/start.
Under RedHat, the max log level that is sent to the
console is specified in /etc/sysconfig/init in the LOGLEVEL
variable.<br>
console is specified in /etc/sysconfig/init in the LOGLEVEL
variable.<br>
</p>
<h4><a name="faq17"></a>17. How do I find out why this traffic is getting
logged?</h4>
<b>Answer: </b>Logging occurs out of
a number of chains (as indicated in the log message) in
Shorewall:<br>
<b>Answer: </b>Logging occurs out
of a number of chains (as indicated in the log message)
in Shorewall:<br>
<ol>
<li><b>man1918 - </b>The destination
address is listed in /etc/shorewall/rfc1918 with a <b>logdrop
</b>target -- see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> - The source address
is listed in /etc/shorewall/rfc1918 with a <b>logdrop </b>target
-- see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>rfc1918</b> - The source
address is listed in /etc/shorewall/rfc1918 with a <b>logdrop
</b>target -- see <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918.</a></li>
<li><b>all2&lt;zone&gt;</b>, <b>&lt;zone&gt;2all</b>
or <b>all2all </b>- You have a<a
href="Documentation.htm#Policy"> policy</a> that specifies a log level
@ -1123,40 +1136,40 @@ intend to ACCEPT this traffic then you need a <a
href="Documentation.htm#Rules">rule</a> to that effect.<br>
</li>
<li><b>&lt;zone1&gt;2&lt;zone2&gt;
</b>- Either you have a<a href="Documentation.htm#Policy">
policy</a> for <b>&lt;zone1&gt; </b>to <b>&lt;zone2&gt;</b>
that specifies a log level and this packet is being logged
under that policy or this packet matches a <a
href="Documentation.htm#Rules">rule</a> that includes a log level.</li>
<li><b>&lt;interface&gt;_mac</b> - The packet
is being logged under the <b>maclist</b> <a
</b>- Either you have a<a
href="Documentation.htm#Policy"> policy</a> for <b>&lt;zone1&gt;
</b>to <b>&lt;zone2&gt;</b> that specifies a log level and
this packet is being logged under that policy or this packet
matches a <a href="Documentation.htm#Rules">rule</a> that includes
a log level.</li>
<li><b>&lt;interface&gt;_mac</b> - The
packet is being logged under the <b>maclist</b> <a
href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
<li><b>logpkt</b> - The packet is
being logged under the <b>logunclean</b> <a
<li><b>logpkt</b> - The packet
is being logged under the <b>logunclean</b> <a
href="Documentation.htm#Interfaces">interface option</a>.</li>
<li><b>badpkt </b>- The packet is
being logged under the <b>dropunclean</b> <a
<li><b>badpkt </b>- The packet
is being logged under the <b>dropunclean</b> <a
href="Documentation.htm#Interfaces">interface option</a> as specified
in the <b>LOGUNCLEAN </b>setting in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
in the <b>LOGUNCLEAN </b>setting in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li><b>blacklst</b> - The packet
is being logged because the source IP is blacklisted in
is being logged because the source IP is blacklisted in
the<a href="Documentation.htm#Blacklist"> /etc/shorewall/blacklist
</a>file.</li>
<li><b>newnotsyn </b>- The packet
is being logged because it is a TCP packet that is not part
of any current connection yet it is not a syn packet. Options
affecting the logging of such packets include <b>NEWNOTSYN
is being logged because it is a TCP packet that is not
part of any current connection yet it is not a syn packet.
Options affecting the logging of such packets include <b>NEWNOTSYN
</b>and <b>LOGNEWNOTSYN </b>in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li><b>INPUT</b> or <b>FORWARD</b>
- The packet has a source IP address that isn't in any of
your defined zones ("shorewall check" and look at the printed
zone definitions) or the chain is FORWARD and the destination IP
isn't in any of your defined zones.</li>
<li><b>logflags </b>- The packet is being logged
because it failed the checks implemented by the <b>tcpflags
- The packet has a source IP address that isn't in any
of your defined zones ("shorewall check" and look at the
printed zone definitions) or the chain is FORWARD and the destination
IP isn't in any of your defined zones.</li>
<li><b>logflags </b>- The packet is being
logged because it failed the checks implemented by the <b>tcpflags
</b><a href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
@ -1166,49 +1179,23 @@ zone definitions) or the chain is FORWARD and the destination IP
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip addresses</b>
with Shorewall, and maintain separate rulesets for different
IPs?</h4>
<b>Answer: </b>Yes. You simply use the
IP address in your rules (or if you use NAT, use the local
IP address in your rules). <b>Note:</b> The ":n" notation (e.g.,
eth0:0) is deprecated and will disappear eventually. Neither
iproute (ip and tc) nor iptables supports that notation so neither
does Shorewall. <br>
<br>
<b>Example 1:</b><br>
<br>
/etc/shorewall/rules
<pre wrap=""><span class="moz-txt-citetags"></span> # Accept AUTH but only on address 192.0.2.125<br><span
class="moz-txt-citetags"></span><br><span class="moz-txt-citetags"></span> ACCEPT net fw:192.0.2.125 tcp auth<br><span
class="moz-txt-citetags"></span></pre>
<span class="moz-txt-citetags"></span><b>Example
2 (NAT):</b><br>
<br>
<span class="moz-txt-citetags"></span>/etc/shorewall/nat<br>
<pre wrap=""><span class="moz-txt-citetags"></span><span
class="moz-txt-citetags"></span> 192.0.2.126 eth0 10.1.1.126</pre>
/etc/shorewall/rules
<pre wrap=""><span class="moz-txt-citetags"></span> # Accept HTTP on 192.0.2.126 (a.k.a. 10.1.1.126)<br><span
class="moz-txt-citetags"></span><br> <span class="moz-txt-citetags"></span>ACCEPT net loc:10.1.1.126 tcp www<span
class="moz-txt-citetags"></span><br></pre>
<b>Example 3 (DNAT):<br>
</b>
<pre> # Forward SMTP on external address 192.0.2.127 to local system 10.1.1.127<br><br> DNAT net loc:10.1.1.127 tcp smtp - 192.0.2.127<br></pre>
<b>Answer: </b>Yes. See <a
href="Shorewall_and_Aliased_Interfaces.html">Shorewall and Aliased Interfaces</a>.
<h4><b><a name="faq19"></a>19. </b>I have added entries to /etc/shorewall/tcrules
but they don't seem to do anything. Why?</h4>
You probably haven't set TC_ENABLED=Yes in
/etc/shorewall/shorewall.conf so the contents of the tcrules
file are simply being ignored.<br>
You probably haven't set TC_ENABLED=Yes
in /etc/shorewall/shorewall.conf so the contents of the tcrules
file are simply being ignored.<br>
<h4><a name="faq20"></a><b>20. </b>I have just set up a server. <b>Do I have
to change Shorewall to allow access to my server from the internet?</b><br>
to change Shorewall to allow access to my server from the
internet?</b><br>
</h4>
Yes. Consult the <a
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that you
used during your initial setup for information about how to set up
rules for your server.<br>
href="shorewall_quickstart_guide.htm">QuickStart guide</a> that
you used during your initial setup for information about how to set
up rules for your server.<br>
<h4><a name="faq21"></a><b>21. </b>I see these <b>strange log entries </b>occasionally;
what are they?<br>
@ -1221,50 +1208,51 @@ rules for your server.<br>
192.0.2.3 is external on my firewall... 172.16.0.0/24
is my internal LAN<br>
<br>
<b>Answer: </b>While most people associate the
Internet Control Message Protocol (ICMP) with 'ping', ICMP is
a key piece of the internet. ICMP is used to report problems back
to the sender of a packet; this is what is happening here. Unfortunately,
where NAT is involved (including SNAT, DNAT and Masquerade), there
are a lot of broken implementations. That is what you are seeing with
these messages.<br>
<b>Answer: </b>While most people associate
the Internet Control Message Protocol (ICMP) with 'ping', ICMP
is a key piece of the internet. ICMP is used to report problems
back to the sender of a packet; this is what is happening here.
Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade),
there are a lot of broken implementations. That is what you are seeing
with these messages.<br>
<br>
Here is my interpretation of what is happening
-- to confirm this analysis, one would have to have packet sniffers
-- to confirm this analysis, one would have to have packet sniffers
placed a both ends of the connection.<br>
<br>
Host 172.16.1.10 behind NAT gateway 206.124.146.179
sent a UDP DNS query to 192.0.2.3 and your DNS server tried to
send a response (the response information is in the brackets -- note
source port 53 which marks this as a DNS reply). When the response was
returned to to 206.124.146.179, it rewrote the destination IP TO 172.16.1.10
and forwarded the packet to 172.16.1.10 who no longer had a connection
on UDP port 2857. This causes a port unreachable (type 3, code 3)
to be generated back to 192.0.2.3. As this packet is sent back through
206.124.146.179, that box correctly changes the source address in
the packet to 206.124.146.179 but doesn't reset the DST IP in the original
DNS response similarly. When the ICMP reaches your firewall (192.0.2.3),
your firewall has no record of having sent a DNS reply to 172.16.1.10
so this ICMP doesn't appear to be related to anything that was sent.
The final result is that the packet gets logged and dropped in the
all2all chain. I have also seen cases where the source IP in the ICMP
itself isn't set back to the external IP of the remote NAT gateway; that
causes your firewall to log and drop the packet out of the rfc1918 chain
because the source IP is reserved by RFC 1918.<br>
sent a UDP DNS query to 192.0.2.3 and your DNS server tried
to send a response (the response information is in the brackets --
note source port 53 which marks this as a DNS reply). When the response
was returned to to 206.124.146.179, it rewrote the destination IP
TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer
had a connection on UDP port 2857. This causes a port unreachable
(type 3, code 3) to be generated back to 192.0.2.3. As this packet is
sent back through 206.124.146.179, that box correctly changes the
source address in the packet to 206.124.146.179 but doesn't reset
the DST IP in the original DNS response similarly. When the ICMP
reaches your firewall (192.0.2.3), your firewall has no record of having
sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be
related to anything that was sent. The final result is that the packet
gets logged and dropped in the all2all chain. I have also seen cases
where the source IP in the ICMP itself isn't set back to the external
IP of the remote NAT gateway; that causes your firewall to log and drop
the packet out of the rfc1918 chain because the source IP is reserved
by RFC 1918.<br>
<h4><a name="faq22"></a><b>22. </b>I have some <b>iptables commands </b>that
I want to <b>run when Shorewall starts.</b> Which file do I put them
in?</h4>
You can place these commands in one of the <a
href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>. Be
sure that you look at the contents of the chain(s) that you will be modifying
I want to <b>run when Shorewall starts.</b> Which file do I put
them in?</h4>
You can place these commands in one of the
<a href="shorewall_extension_scripts.htm">Shorewall Extension Scripts</a>.
Be sure that you look at the contents of the chain(s) that you will be modifying
with your commands to be sure that the commands will do what they
are intended. Many iptables commands published in HOWTOs and other
instructional material use the -A command which adds the rules to the
end of the chain. Most chains that Shorewall constructs end with an
unconditional DROP, ACCEPT or REJECT rule and any rules that you add
after that will be ignored. Check "man iptables" and look at the -I (--insert)
command.<br>
instructional material use the -A command which adds the rules to
the end of the chain. Most chains that Shorewall constructs end with
an unconditional DROP, ACCEPT or REJECT rule and any rules that you
add after that will be ignored. Check "man iptables" and look at the
-I (--insert) command.<br>
<h4><a name="faq23"></a><b>23. </b>Why do you use such ugly fonts on your
web site?</h4>
@ -1275,8 +1263,8 @@ command.<br>
<h4><a name="faq24"></a>24. How can I <b>allow conections</b> to let's say
the ssh port only<b> from specific IP Addresses</b> on the internet?</h4>
In the SOURCE column of the rule, follow "net" by a colon and
a list of the host/subnet addresses as a comma-separated list.<br>
In the SOURCE column of the rule, follow "net" by a colon
and a list of the host/subnet addresses as a comma-separated list.<br>
<pre> net:&lt;ip1&gt;,&lt;ip2&gt;,...<br></pre>
Example:<br>
@ -1287,21 +1275,23 @@ command.<br>
<div align="left"> </div>
<h4><b><a name="faq25"></a>25. </b>How to I tell <b>which version of Shorewall</b>
I am <b>running</b>?<br>
I am <b>running</b>?<br>
</h4>
At the shell prompt, type:<br>
<br>
<font color="#009900"><b>    /sbin/shorewall version</b></font><br>
<br>
<font size="2">Last updated 2/22/2003 - <a href="support.htm">Tom Eastep</a></font>
<font size="2">Last updated 3/6/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

42
Shorewall-docs/Forum.html Normal file
View File

@ -0,0 +1,42 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Forum</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Support Forum</font></h1>
</td>
</tr>
</tbody>
</table>
<h3><font color="#ff6633"></font></h3>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="support.htm">Shorewall Support Guide</a>.</h1>
<p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a><br>
</p>
<p><font size="2">Updated 3/6/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a></p>
<br>
</body>
</html>

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,549 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall and Aliased Interfaces</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
<h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which
is used to configure network devices. ifconfig introduced the concept of
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig
treats them more or less like real interfaces.<br>
<br>
Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional
addresses on an interface as addresses. The ip utility does provide for interaction
with ifconfig in that it allows addresses to be <i>labeled.</i> <br>
<br>
Example:<br>
<br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0"<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not allow
them to be used in the /etc/shorewall/interfaces file.<br>
<br>
<h2>So how do I handle more than one address on an interface?</h2>
Depends on what you are trying to do with the interfaces. In the sub-sections
that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself only
apply to a particular IP address, simply qualify the $FW zone with the IP
address.<br>
<br>
Example (allow SSH from net to eth0:0 above):<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">fw:206.124.146.178<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at 192.168.1.3.
That is accomplised by a single rule in the /etc/shorewall/rules file:<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>SNAT</h3>
If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0:0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>STATIC NAT</h3>
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
you would have the following in /etc/shorewall/nat:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>EXTERNAL<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>INTERNAL<br>
</b></td>
<td valign="top"><b>ALL INTERFACES<br>
</b></td>
<td valign="top"><b>LOCAL<br>
</b></td>
</tr>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>EXTERNAL<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>INTERNAL<br>
</b></td>
<td valign="top"><b>ALL INTERFACES<br>
</b></td>
<td valign="top"><b>LOCAL<br>
</b></td>
</tr>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0:0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks
configured on a LAN segment. This technique does not provide for any security
between the subnetworks if the users of the systems have administrative privileges
because in that case, the users can simply manipulate their system's routing
table to bypass your firewall/router. Nevertheless, there are cases where
you simply want to consider the LAN segment itself as a zone and allow your
firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
is 192.168.20.254. You want to simply route all requests between the two
subnetworks.<br>
<br>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">-<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that
you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/5/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</p>
<br>
<br>
</body>
</html>

View File

@ -16,7 +16,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<base
target="main">
<meta name="Microsoft Theme" content="none">
</head>
@ -31,6 +32,7 @@
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
@ -39,6 +41,7 @@
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
@ -51,8 +54,8 @@
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
@ -64,12 +67,17 @@
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade
Issues</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li><a href="Forum.html">Support Forum</a> <img
src="images/new10.gif" alt="(New)" width="28" height="12">
<br>
</li>
<li> <a
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<li> <a
href="shorewall_mirrors.htm">Mirrors</a>
@ -94,6 +102,7 @@
</ul>
</li>
@ -109,10 +118,10 @@
<li> <a href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from
Users</a></li>
<li> <a href="shoreline.htm">About the
Author</a></li>
<li> <a href="quotes.htm">Quotes
from Users</a></li>
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
@ -129,8 +138,8 @@ Author</a></li>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable Daily
0200-0330 GMT.<br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
@ -144,6 +153,7 @@ Author</a></li>
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -152,16 +162,10 @@ Author</a></li>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br>
<br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -16,8 +16,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<base
target="main">
<meta name="Microsoft Theme" content="none">
</head>
@ -32,11 +32,13 @@
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%" bgcolor="#ffffff">
<td width="100%"
bgcolor="#ffffff">
@ -57,20 +59,25 @@
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference
Manual</a></li>
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful
Links</a><br>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade
Issues</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li><a href="Forum.html">Support Forum</a> <img
src="images/new10.gif" alt="(New)" width="28" height="12">
<br>
</li>
<li> <a
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<li> <a
href="shorewall_mirrors.htm">Mirrors</a>
@ -95,6 +102,7 @@
</ul>
</li>
@ -110,10 +118,10 @@
<li> <a href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from
Users</a></li>
<li> <a href="shoreline.htm">About the
Author</a></li>
<li> <a href="quotes.htm">Quotes
from Users</a></li>
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a
href="sourceforge_index.htm#Donations">Donations</a></li>
@ -130,8 +138,8 @@ Users</a></li>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable Daily
0200-0330 GMT.<br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
@ -145,20 +153,11 @@ Users</a></li>
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> </a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>

View File

@ -42,10 +42,8 @@
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz
packages below.</p>
<p> Once you've done that, download <u> one</u> of the modules:</p>
<p>Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
@ -53,13 +51,13 @@ packages below.</p>
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that
store init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a
or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you
might also want to download the .tgz so you will have a copy of
the documentation).</li>
might also want to download the .tgz so you will have a copy of
the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
@ -72,16 +70,21 @@ Unstable Branch</a>.</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p>
and there is an documentation .deb that also contains the documentation. The
.rpm will install the documentation in your default document directory which
can be obtained using the following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote>
<p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may
point to a newer or an older version than is shown below.</p>
point to a newer or an older version than is shown below.</p>
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
will contain the version)</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory
name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li>
@ -90,17 +93,18 @@ point to a newer or an older version than is shown below.</p>
<p>Once you have verified the version, check the <font
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
if there are updates that apply to the version that you have
downloaded.</p>
if there are updates that apply to the version that you have
downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START as described in the QuickStart
Guides. Once you have completed configuration of your firewall, you
can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.14</b>): <b>Remember that updates
<p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
State site.</b></p>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3"
@ -307,7 +311,7 @@ State site.</b></p>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge<br>
<td>SourceForge (Incomplete)<br>
</td>
<td>sf.net</td>
<td><a
@ -373,20 +377,17 @@ State site.</b></p>
<blockquote>
<p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the each
at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there
will work at all.<br>
will work at all.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 2/7/2003 - <a
<p align="left"><font size="2">Last Updated 3/5/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</p>
</body>
</html>

File diff suppressed because one or more lines are too long

View File

@ -32,8 +32,8 @@
<tr>
<td width="100%" height="90">
<td width="100%"
height="90">
@ -122,9 +122,9 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -150,7 +150,7 @@ firewall that can be used on a dedicated firewall system, a multi-functio
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License
PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
<br>
@ -158,7 +158,7 @@ PARTICULAR PURPOSE. See the GNU General Public License
You should have received
a copy of the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass
the Free Software Foundation, Inc., 675 Mass
Ave, Cambridge, MA 02139, USA</p>
@ -196,8 +196,8 @@ the Free Software Foundation, Inc., 675 Mass
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!!</b><br>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.1!!!</b><br>
</p>
@ -209,8 +209,8 @@ Bering 1.1!!!</b><br>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -258,7 +258,7 @@ Bering 1.1!!!</b><br>
Shorewall 1.4 represents the next step in the evolution of Shorewall.
The main thrust of the initial release is simply to remove the cruft that
has accumulated in Shorewall over time.<br>
 <br>
 <br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br>
<br>
@ -283,8 +283,8 @@ no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOST
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted.<br>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
is no longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
@ -302,7 +302,7 @@ no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOST
<ul>
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and does
or from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
@ -327,7 +327,7 @@ or from the destination zone. An explicit policy names both zones and does
<br>
</li>
<li>The firewall script and version file are now installed
in /usr/share/shorewall.<br>
in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in
@ -335,12 +335,30 @@ the common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
</li>
</ol>
@ -440,11 +458,11 @@ the common chain by default.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
@ -462,9 +480,10 @@ Children's Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/28/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</p>
<br>
</body>
</html>

View File

@ -17,6 +17,7 @@
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -31,7 +32,7 @@
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br>
Version 3.1</font></h1>
Version 4.0</font></h1>
</td>
</tr>
@ -52,11 +53,11 @@ must all first walk before we can run.<br>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux System
(<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a> Linux
System acting as a firewall/router for a small local network (<a
href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="standalone.htm">Standalone</a> Linux
System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local network
(<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
@ -68,42 +69,43 @@ must all first walk before we can run.<br>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about Shorewall
than is explained in the single-address guides above.</b></p>
public IP addresses involved or if you want to learn more about
Shorewall than is explained in the single-address guides above.</b></p>
<ul>
<li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0
Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0
Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0
Addressing, Subnets and Routing</a>
<li><a
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul>
<li><a
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3
Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol</a></li>
<li><a
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5
RFC 1918</a></li>
<li><a
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0
Setting up your Network</a>
Setting up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1
@ -134,7 +136,7 @@ Setting up your Network</a>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li>
Rules</a></li>
<li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
@ -156,6 +158,10 @@ Rules</a></li>
to use this documentation directly.</p>
<ul>
<li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
@ -167,7 +173,7 @@ Rules</a></li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common
configuration file features</a>
configuration file features</a>
<ul>
<li><a
@ -190,14 +196,14 @@ configuration file features</a>
<li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations
(making a test configuration)</a></li>
<li><a href="configuration_file_basics.htm#MAC">Using
MAC Addresses in Shorewall</a></li>
<li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File
Reference Manual</a>
Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
@ -246,7 +252,7 @@ Reference Manual</a>
<li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall Configuration
(How I personally use Shorewall)</a><br>
(How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
@ -272,7 +278,7 @@ Reference Manual</a>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static
NAT</a></font></li>
NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
with Shorewall</a><br>
</li>
@ -299,16 +305,10 @@ NAT</a></font></li>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 2/26/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
</p>
</body>
</html>

View File

@ -121,8 +121,8 @@
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone GNU/Linux
system.</p>
a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p>
@ -137,26 +137,26 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms
of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br>
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
<br>
You should have received
a copy of the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc., 675
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
@ -222,10 +222,10 @@ Eric on the recent release of Bering 1.1!!!</b><br>
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
Shorewall 1.4 represents the
next step in the evolution of Shorewall. The main thrust of the initial
release is simply to remove the cruft that has accumulated in Shorewall over
time. <br>
Shorewall 1.4 represents
the next step in the evolution of Shorewall. The main thrust of the initial
release is simply to remove the cruft that has accumulated in Shorewall
over time. <br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br>
@ -252,7 +252,7 @@ no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOS
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted.<br>
no longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
@ -271,12 +271,12 @@ no longer accepted.<br>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
DESTINATION columns.</li>
</ul>
@ -297,20 +297,34 @@ DESTINATION columns.</li>
in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br>
<li>Late arriving DNS replies are now silently dropped in
the common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.</li>
</ol>
@ -344,6 +358,7 @@ policy.<br>
<p><a href="News.htm">More News</a></p>
@ -384,6 +399,7 @@ policy.<br>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
@ -457,11 +473,11 @@ policy.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
@ -479,9 +495,10 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/28/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</p>
<br>
</body>
</html>

View File

@ -41,13 +41,13 @@
<p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once
you have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run
levels 2-5 and stop it in run levels 1 and 6. If you want to configure
your firewall differently from this default, you can use the "--level"
option in chkconfig (see "man chkconfig") or using your favorite
graphical run-level editor.</p>
I recommend that you start the firewall automatically at boot.
Once you have installed "firewall" in your init.d directory, simply
type "chkconfig --add firewall". This will start the firewall
in run levels 2-5 and stop it in run levels 1 and 6. If you want
to configure your firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p>
@ -67,7 +67,7 @@ edit /etc/default/shorewall and set 'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing
"shorewall restart" in that script.</li>
"shorewall restart" in that script.</li>
</ol>
@ -105,8 +105,8 @@ edit /etc/default/shorewall and set 'startup=1'.<br>
<p>The above command would trace the 'start' command and place the trace information
in the file /tmp/trace<br>
<p>The above command would trace the 'start' command and place the trace
information in the file /tmp/trace<br>
</p>
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
@ -120,7 +120,7 @@ in the file /tmp/trace<br>
<li>shorewall status - produce a verbose report about the
firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report
about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the
nat table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the
@ -131,10 +131,10 @@ about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall
show
tc - displays
information about the traffic control/shaping configuration.</li>
information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the
firewall status, last 20 log entries and nat. When the log entry
display changes, an audible alarm is sounded.</li>
firewall status, last 20 log entries and nat. When the log
entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall
packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version
@ -143,24 +143,25 @@ display changes, an audible alarm is sounded.</li>
zones, interfaces, hosts, rules and policy files.<br>
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
and does not parse and validate the generated iptables commands.
Even though the "check" command completes successfully, the configuration
and does not parse and validate the generated iptables commands. Even
though the "check" command completes successfully, the configuration
may fail to start. Problem reports that complain about errors that the 'check'
command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described below.</b></font><br>
See the recommended way to make configuration changes described below.</b></font><br>
<br>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if
an error occurs or if the<i> timeout </i> option is given and the
new configuration has been up for that many seconds then shorewall
is restarted using the standard configuration.</li>
] - Restart shorewall using the specified configuration and if an
error occurs or if the<i> timeout </i> option is given and the new
configuration has been up for that many seconds then shorewall is
restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and
shorewall save implement <a href="blacklisting_support.htm">dynamic
blacklisting</a>.</li>
shorewall save implement <a href="blacklisting_support.htm">dynamic
blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm when
new Shorewall messages are logged.</li>
the <a href="#Conf">LOGFILE </a>and produces an audible alarm when
new Shorewall messages are logged.</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter
@ -168,7 +169,8 @@ new Shorewall messages are logged.</li>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified zone.</li>
Adds the specified interface (and host if included) to the specified
zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the specified
zone.</li>
@ -228,14 +230,15 @@ used.</p>
<li><font color="#009900"><b>/sbin/shorewall
try .</b></font></li>
try .</b></font></li>
</ul>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to
start, the "try" command will automatically start the old one for you.</p>
to restore the old configuration. If the new configuration fails
to start, the "try" command will automatically start the old one for
you.</p>
@ -271,8 +274,7 @@ try .</b></font></li>
You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the actual
transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
on Debian); /sbin/shorewall runs 'firewall" according to the following
table:<br>
on Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1">
@ -333,6 +335,7 @@ table:<br>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
</p>
<br>
</body>
</html>

View File

@ -3,18 +3,22 @@
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title>
<title>Shorewall Support Guide</title>
@ -34,47 +38,49 @@
<h1 align="center"><font color="#ffffff">Shorewall Support<img
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</tr>
</tbody>
</table>
<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
emailed directly to me, I try to spend some time each day answering questions
on the Shorewall Users Mailing List.</font></big><span
on the Shorewall Users Mailing List and on the Support Forum.</font></big><span
style="font-weight: 400;"></span></big></b></p>
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
<h1>Before Reporting a Problem</h1>
<i>"Well at least you tried to read the documentation, which is a lot more
than some people on this list appear to do.</i>"<br>
<i>"Well at least you tried to read the documentation, which is a lot
more than some people on this list appear to do.</i>"<br>
<br>
<div align="center">- Wietse Venema - On the Postfix mailing list<br>
</div>
<br>
There are a number of sources for
problem solution information. Please try these before you post.
There are a number of sources
for problem solution information. Please try these before you
post.
<h3> </h3>
<h3> </h3>
<ul>
<li>More than half of the questions posted on the support
list have answers directly accessible from the <a
<li>More than half of the questions posted on the
support list have answers directly accessible from the <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<br>
</li>
<li> The <a href="FAQ.htm">FAQ</a>
has solutions to more than 20 common problems. </li>
<li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
</li>
</ul>
@ -99,9 +105,9 @@
<h3> </h3>
<ul>
<li> The Mailing List
Archives search facility can locate posts about similar
problems: </li>
<li> The Mailing
List Archives search facility can locate posts about similar
problems: </li>
</ul>
@ -121,12 +127,14 @@ problems: </li>
</select>
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
<select name="sort">
<option value="score">Score </option>
<option value="time">Time </option>
@ -139,21 +147,22 @@ problems: </li>
name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p>
Search: <input type="text"
size="30" name="words" value=""> <input type="submit" value="Search">
</p>
</form>
<h2>Problem Reporting Guidelines </h2>
<i>"Let me see if I can translate your message into a real-world
example. It would be like saying that you have three rooms at home,
and when you walk into one of the rooms, you detect this strange smell.
Can anyone tell you what that strange smell is?<br>
<i>"Let me see if I can translate your message into a
real-world example. It would be like saying that you have three
rooms at home, and when you walk into one of the rooms, you detect
this strange smell. Can anyone tell you what that strange smell is?<br>
<br>
Now, all of us could do some wonderful guessing as to the
smell and even what's causing it. You would be absolutely amazed
at the range and variety of smells we could come up with. Even more
amazing is that all of the explanations for the smells would be completely
plausible."<br>
Now, all of us could do some wonderful guessing as to
the smell and even what's causing it. You would be absolutely amazed
at the range and variety of smells we could come up with. Even more
amazing is that all of the explanations for the smells would be completely
plausible."<br>
</i><br>
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
@ -166,25 +175,25 @@ plausible."<br>
<ul>
<li>Please remember we only know what is posted in your message.
Do not leave out any information that appears to be correct, or was
mentioned in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct when it
actually contained a small error. We tend to be skeptics where detail
is lacking.<br>
mentioned in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct when
it actually contained a small error. We tend to be skeptics where detail
is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not an
obligation. Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of error messages,
log entries, command output, and other output is better than a paraphrase
or summary.<br>
technical support. Any help we offer is an act of generosity, not
an obligation. Try to make it easy for us to help you. Follow good,
courteous practices in writing and formatting your e-mail. Provide
details that we need if you expect good answers. <em>Exact quoting </em>
of error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
<br>
</li>
<li> Please don't describe
your environment and then ask us to send you custom
configuration files. We're here to answer your questions but we
can't do your job for you.<br>
your environment and then ask us to send you custom
configuration files. We're here to answer your questions but
we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong> include
@ -241,7 +250,7 @@ configuration files. We're here to answer your questions but we
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart Guides,
please indicate which one. <br>
please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake
@ -257,22 +266,22 @@ please indicate which one. <br>
<li><b>NEVER </b>include the output of "<b><font
color="#009900">iptables -L</font></b>". Instead,<font
color="#ff0000"><u><i><big> <b>if you are having connection problems of
any kind then:</b></big></i></u></font><br>
any kind then:</b></big></i></u></font><br>
<br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
<br>
2. Try the connection that is failing.<br>
2. Try the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, netmask,
nameserver addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them
anyway from information contained in the SMTP headers of your post).<strong></strong></li>
them often misleads us (and 80% of the time, a hacker could derive
them anyway from information contained in the SMTP headers of your post).<strong></strong></li>
</ul>
@ -289,18 +298,19 @@ any kind then:</b></big></i></u></font><br>
<h3> </h3>
<ul>
<li> Do you see any
"Shorewall" messages ("<b><font color="#009900">/sbin/shorewall show
log</font></b>") when you exercise the function that is giving
you problems? If so, include the message(s) in your post along with a
copy of your /etc/shorewall/interfaces file.<br>
<li> Do you see
any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
show log</font></b>") when you exercise the function that
is giving you problems? If so, include the message(s) in your post
along with a copy of your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have modified
that file) that you think are relevant. If you include /etc/shorewall/rules,
please include /etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies). </li>
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).
</li>
</ul>
@ -346,29 +356,36 @@ allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to rid the
planet of HTML based e-mail". Nevertheless, to allow subscribers to receive
list posts as must as possible, I have now configured the list server
at shorewall.net to strip all HTML from outgoing posts.<br>
list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to rid the planet
of HTML based e-mail". Nevertheless, to allow subscribers to receive list
posts as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts.<br>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network
Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft
then you can post non MNF-specific Shorewall questions to the </b><a
Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft
then you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a> <b>Do not expect to get free MNF support on the list.</b><br>
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a></p>
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>.</p>
</blockquote>
@ -379,7 +396,7 @@ then you can post non MNF-specific Shorewall questions to the </b><a
.</p>
<p align="left"><font size="2">Last Updated 2/22/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 3/4/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -387,10 +404,5 @@ then you can post non MNF-specific Shorewall questions to the </b><a
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -21,6 +21,7 @@
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>
@ -29,32 +30,32 @@
</table>
<p align="left">Shorewall has limited support for traffic shaping/control.
In order to use traffic shaping under Shorewall, it is essential that
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a>, version 0.3.0 or later.</p>
In order to use traffic shaping under Shorewall, it is essential that
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a>, version 0.3.0 or later.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul>
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Traffic Shaping also requires that you enable packet mangling.</li>
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in
Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the
setting of this variable determines whether Shorewall clears the traffic
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
the setting of this variable determines whether Shorewall clears the traffic
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
</li>
<li><b>/etc/shorewall/tcrules</b> - A file where you can
specify firewall marking of packets. The firewall mark value may
be used to classify packets for traffic shaping/control.<br>
specify firewall marking of packets. The firewall mark value may
be used to classify packets for traffic shaping/control.<br>
</li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
that is sourced by Shorewall during "shorewall start" and which
you can use to define your traffic shaping disciplines and classes.
I have provided a <a
that is sourced by Shorewall during "shorewall start" and which
you can use to define your traffic shaping disciplines and classes.
I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections
of the HOWTO mentioned above, you can probably code your own faster
than you can learn how to use my sample. I personally use <a
of the HOWTO mentioned above, you can probably code your own faster
than you can learn how to use my sample. I personally use <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
HTB support may eventually become an integral part of Shorewall
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
@ -62,28 +63,29 @@ since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use
the run_tc function supplied by shorewall if you want tc errors
to stop the firewall.<br>
the run_tc function supplied by shorewall if you want tc errors
to stop the firewall.<br>
<br>
You can generally use off-the-shelf traffic shaping scripts by simply
copying them to /etc/shorewall/tcstart. I use <a
You can generally use off-the-shelf traffic shaping scripts by
simply copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied
so when traffic shaping happens, all outbound traffic will have as a source
address the IP addresss of your firewall's external interface.<br>
script won't work. Traffic shaping occurs after SNAT has already been
applied so when traffic shaping happens, all outbound traffic will have
as a source address the IP addresss of your firewall's external interface.<br>
</li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
that is sourced by Shorewall when it is clearing traffic shaping.
This file is normally not required as Shorewall's method of clearing
qdisc and filter definitions is pretty general.</li>
that is sourced by Shorewall when it is clearing traffic shaping.
This file is normally not required as Shorewall's method of clearing
qdisc and filter definitions is pretty general.</li>
</ul>
Shorewall allows you to start traffic shaping when Shorewall itself starts
or it allows you to bring up traffic shaping when you bring up your interfaces.<br>
Shorewall allows you to start traffic shaping when Shorewall itself
starts or it allows you to bring up traffic shaping when you bring up your
interfaces.<br>
<br>
To start traffic shaping when Shorewall starts:<br>
@ -93,21 +95,21 @@ qdisc and filter definitions is pretty general.</li>
shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can mark
packets using entries in /etc/shorewall/tcrules.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can
mark packets using entries in /etc/shorewall/tcrules.</li>
</ol>
To start traffic shaping when you bring up your network interfaces, you
will have to arrange for your traffic shaping configuration script to be
run at that time. How you do that is distribution dependent and will not be
covered here. You then should:<br>
To start traffic shaping when you bring up your network interfaces,
you will have to arrange for your traffic shaping configuration script to
be run at that time. How you do that is distribution dependent and will not
be covered here. You then should:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
scripts.</li>
scripts.</li>
<li value="4">If your tcstart script uses the 'fwmark' classifier,
you can mark packets using entries in /etc/shorewall/tcrules.</li>
you can mark packets using entries in /etc/shorewall/tcrules.</li>
</ol>
@ -128,17 +130,17 @@ you can mark packets using entries in /etc/shorewall/tcrules.</li>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
packets based on their destination address when SNAT or Masquerading
are being used. Beginning with Shorewall 1.3.12, you can cause packet
marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p>
<p align="left">Columns in the file are as follows:</p>
<ul>
<li>MARK - Specifies the mark value is to be assigned in
case of a match. This is an integer in the range 1-255. Beginning
case of a match. This is an integer in the range 1-255. Beginning
with Shorewall version 1.3.14, this value may be optionally followed by
":" and either 'F' or 'P' to designate that the marking will occur in the
FORWARD or PREROUTING chains respectively. If this additional specification
@ -150,22 +152,22 @@ of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewa
<li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br>
Examples<br>
    eth0<br>
    192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST -- Destination of the packet. Comma-separated list
of IP addresses and/or subnets.<br>
<li>DEST -- Destination of the packet. Comma-separated
list of IP addresses and/or subnets.<br>
</li>
<li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or "all"<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list of
Port names (from /etc/services), port numbers or port ranges (e.g.,
21:22); if the protocol is "icmp", this column is interpreted as
the destination icmp type(s).<br>
<li>PORT(S) - Destination Ports. A comma-separated list
of Port names (from /etc/services), port numbers or port ranges (e.g.,
21:22); if the protocol is "icmp", this column is interpreted
as the destination icmp type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
If omitted, any source port is acceptable. Specified as a comma-separate
@ -175,8 +177,8 @@ in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with
2. All packets originating on the firewall itself should be marked with
3.</p>
2. All packets originating on the firewall itself should be marked with
3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -287,7 +289,7 @@ in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
in the Wondershaper README), I have also run with the following set of
in the Wondershaper README), I have also run with the following set of
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</p>
@ -308,7 +310,8 @@ hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</blockquote>
<p>My tcrules file that went with this tcstart file is shown in Example 1
above.<br>
above. You can look at <a href="myfiles.htm">my configuration</a> to
see why I wanted shaping of this type.<br>
</p>
<ol>
@ -317,17 +320,20 @@ hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
can use all available bandwidth if there is no traffic from the local
systems or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.<br>
</li>
<li>My firewall could use up to 20kbits/second.</li>
</ol>
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
to see how this fit in. <br>
<p><font size="2">Last Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -35,23 +35,23 @@
<h3> </h3>
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 <u>REQUIRES</u></b> <b>the iproute package
<b>IMPORTANT: Shorewall &gt;=1.4.0 <u>REQUIRES</u></b> <b>the iproute package
('ip' utility).</b><br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options are no
longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
<li>The <b>noping </b>and <b>forwardping</b> interface options are
no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in /etc/shorewall/interfaces
now generate a Shorewall error at startup (they always have produced warnings
in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. Shorewall
1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents are
determined by BOTH the interfaces and hosts files when there are entries for
the zone in both files.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in
/etc/shorewall/interfaces now generate a Shorewall error at startup (they
always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
are determined by BOTH the interfaces and hosts files when there are entries
for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts file
has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
@ -63,8 +63,8 @@ there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have been
moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include it from
/etc/shorewall/icmpdef, you will need to modify that file.</li>
<li value="6">The icmp.def file has been removed. If you include it
from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that
they arrived on in two cases:</li>
@ -75,19 +75,22 @@ they arrived on in two cases:</li>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to or from
the destination zone. An explicit policy names both zones and does not use
the 'all' reserved word.</li>
the destination zone. An explicit policy names both zones and does not use
the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source zone to or
from the destination zone including rules that use the 'all' reserved word.
Exception: if the source zone and destination zone are the same then the
rule must be explicit - it must name the zone in both the SOURCE and DESTINATION
columns.</li>
<li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
</ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li>
</ul>
@ -109,8 +112,9 @@ rule must be explicit - it must name the zone in both the SOURCE and DESTINATION
their own entry in /etc/shorewall/masq to be masqueraded or to have SNAT
applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT applied.</li>
routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT
applied.</li>
</ul>
You will need to make a change to your configuration if:<br>
@ -150,8 +154,8 @@ Traffic originating in ANY of those subnets is masqueraded or has SNAT applied
See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to
version 1.3.10, you will need to use the '--force' option:<br>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br>
<br>
<blockquote>
@ -159,8 +163,8 @@ Traffic originating in ANY of those subnets is masqueraded or has SNAT applied
</blockquote>
<h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. If
you have an application that uses functions from that file, your application
The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your application
will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3>
@ -193,13 +197,13 @@ Traffic originating in ANY of those subnets is masqueraded or has SNAT applied
<ol>
<li>Be sure you have a backup
-- you will need to transcribe any Shorewall
configuration changes that you have made
to the new configuration.</li>
<li>Replace the shorwall.lrp package
provided on the Bering floppy with the
later one. If you did not obtain the later
version from Jacques's site, see additional
instructions below.</li>
configuration changes that you have
made to the new configuration.</li>
<li>Replace the shorwall.lrp
package provided on the Bering floppy
with the later one. If you did not obtain
the later version from Jacques's site,
see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not forget
@ -209,8 +213,8 @@ to backup root.lrp !</li>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to
add the following two Bering-specific rules to /etc/shorewall/rules:</p>
for setting up a two-interface firewall</a> plus you also need to add
the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
@ -240,8 +244,9 @@ packets after takeover.<br>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
<font face="Courier">run_iptables -A common -p tcp
--tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild
connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
@ -289,8 +294,8 @@ packets after takeover.<br>
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2"> Last updated 2/14/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font size="2"> Last updated 3/6/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
@ -301,5 +306,6 @@ packets after takeover.<br>
<br>
<br>
<br>
<br>
</body>
</html>