More 1.4.0 Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@483 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-03-06 23:41:31 +00:00
parent 09fc5e317a
commit 07f66da156
16 changed files with 8519 additions and 7791 deletions

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

42
Shorewall-docs/Forum.html Normal file
View File

@ -0,0 +1,42 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Support Forum</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Support Forum</font></h1>
</td>
</tr>
</tbody>
</table>
<h3><font color="#ff6633"></font></h3>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="support.htm">Shorewall Support Guide</a>.</h1>
<p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a><br>
</p>
<p><font size="2">Updated 3/6/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a></p>
<br>
</body>
</html>

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,549 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Shorewall and Aliased Interfaces</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
<h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which
is used to configure network devices. ifconfig introduced the concept of
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig
treats them more or less like real interfaces.<br>
<br>
Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional
addresses on an interface as addresses. The ip utility does provide for interaction
with ifconfig in that it allows addresses to be <i>labeled.</i> <br>
<br>
Example:<br>
<br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0"<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not allow
them to be used in the /etc/shorewall/interfaces file.<br>
<br>
<h2>So how do I handle more than one address on an interface?</h2>
Depends on what you are trying to do with the interfaces. In the sub-sections
that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself only
apply to a particular IP address, simply qualify the $FW zone with the IP
address.<br>
<br>
Example (allow SSH from net to eth0:0 above):<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">fw:206.124.146.178<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at 192.168.1.3.
That is accomplised by a single rule in the /etc/shorewall/rules file:<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>SNAT</h3>
If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0:0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>STATIC NAT</h3>
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
you would have the following in /etc/shorewall/nat:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>EXTERNAL<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>INTERNAL<br>
</b></td>
<td valign="top"><b>ALL INTERFACES<br>
</b></td>
<td valign="top"><b>LOCAL<br>
</b></td>
</tr>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>EXTERNAL<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>INTERNAL<br>
</b></td>
<td valign="top"><b>ALL INTERFACES<br>
</b></td>
<td valign="top"><b>LOCAL<br>
</b></td>
</tr>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0:0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.<br>
<br>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top"><b>ACTION<br>
</b></td>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>PROTOCOL<br>
</b></td>
<td valign="top"><b>PORT(S)<br>
</b></td>
<td valign="top"><b>SOURCE PORT(S)<br>
</b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks
configured on a LAN segment. This technique does not provide for any security
between the subnetworks if the users of the systems have administrative privileges
because in that case, the users can simply manipulate their system's routing
table to bypass your firewall/router. Nevertheless, there are cases where
you simply want to consider the LAN segment itself as a zone and allow your
firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
is 192.168.20.254. You want to simply route all requests between the two
subnetworks.<br>
<br>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">-<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that
you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/5/2003 A - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
</p>
<br>
<br>
</body>
</html>

View File

@ -16,7 +16,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<base
target="main">
<meta name="Microsoft Theme" content="none">
</head>
@ -25,77 +26,85 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%" bgcolor="#ffffff">
</td>
</tr>
<tr>
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <b><a
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference
Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful
Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade
Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li> <a
<li> <a href="Documentation.htm">Reference
Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful
Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li><a href="Forum.html">Support Forum</a> <img
src="images/new10.gif" alt="(New)" width="28" height="12">
<br>
</li>
<li> <a
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<li> <a
href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net"
<li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br>
</li>
</li>
</ul>
</li>
</li>
@ -106,44 +115,45 @@
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a
<li> <a href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from
Users</a></li>
<li> <a href="shoreline.htm">About the
Author</a></li>
<li> <a
<li> <a href="quotes.htm">Quotes
from Users</a></li>
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</td>
</tr>
</tbody>
</table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable Daily
0200-0330 GMT.<br>
<strong></strong>
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -151,17 +161,11 @@ Author</a></li>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br>
<br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</a><br>
</p>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -16,8 +16,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<base
target="main">
<meta name="Microsoft Theme" content="none">
</head>
@ -26,77 +26,85 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<tbody>
<tr>
<td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%" bgcolor="#ffffff">
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
<ul>
<li> <a
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
<li> <a
href="shorewall_features.htm">Features</a></li>
<li> <a
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference
Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful
Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade
Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li> <a
<li> <a
href="Documentation.htm">Reference Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Support</a></li>
<li><a href="Forum.html">Support Forum</a> <img
src="images/new10.gif" alt="(New)" width="28" height="12">
<br>
</li>
<li> <a
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
<li> <a
href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a target="_top"
<li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net"
<li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br>
</li>
</li>
</ul>
</li>
</li>
@ -107,60 +115,51 @@
<ul>
<li> <a href="News.htm">News Archive</a></li>
<li> <a
<li> <a href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from
Users</a></li>
<li> <a href="shoreline.htm">About the
Author</a></li>
<li> <a
<li> <a href="quotes.htm">Quotes
from Users</a></li>
<li> <a href="shoreline.htm">About
the Author</a></li>
<li> <a
href="sourceforge_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</td>
</tr>
</tbody>
</table>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<b>Note: </b></strong>Search is unavailable Daily
0200-0330 GMT.<br>
<strong></strong>
<strong><br>
<b>Note: </b></strong>Search is unavailable
Daily 0200-0330 GMT.<br>
<strong></strong>
<p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input
<font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input
<font face="Arial"> <input
type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> </a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>

View File

@ -17,14 +17,14 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
</td>
</tr>
</tbody>
</table>
@ -33,360 +33,361 @@
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>
</b></p>
</b></p>
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p>
<p>The documentation in HTML format is included in the .rpm and in the .tgz
packages below.</p>
<p> Once you've done that, download <u> one</u> of the modules:</p>
<p>Once you've printed the appropriate QuickStart Guide, download <u>
one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that
store init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that
store init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you
might also want to download the .tgz so you will have a copy of
the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you
might also want to download the .tgz so you will have a copy of
the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a
Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
<li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files
and there is an documentation .deb that also contains the documentation.</p>
and there is an documentation .deb that also contains the documentation. The
.rpm will install the documentation in your default document directory which
can be obtained using the following command:<br>
</p>
<blockquote>
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
</blockquote>
<p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may
point to a newer or an older version than is shown below.</p>
release of a new version of Shorewall, the links below may
point to a newer or an older version than is shown below.</p>
<ul>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li>
<li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory
name will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li>
</ul>
<p>Once you have verified the version, check the <font
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
if there are updates that apply to the version that you have
downloaded.</p>
if there are updates that apply to the version that you have
downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START as described in the QuickStart
Guides. Once you have completed configuration of your firewall, you
can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.14</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington
State site.</b></p>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td valign="top">SourceForge<br>
</td>
<td valign="top">sf.net<br>
</td>
<td valign="top"><a
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td valign="top">SourceForge<br>
</td>
<td valign="top">sf.net<br>
</td>
<td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
<a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
.rpm</a>  <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
.tgz</a> <br>
<a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a><br>
<a
.rpm</a><br>
<a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br>
<a
.rpm</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
.tgz</a> <br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
.lrp</a><br>
<a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
<td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank"
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
<a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br>
<a
.lrp</a><br>
<a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br>
<a
.rpm</a><br>
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
<a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td>
<td> <a target="_blank"
<td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br>
<a target="_blank"
.rpm</a>  <br>
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
<a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
.md5sums</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
.rpm</a>  <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
.tgz</a> <br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
Download .lrp</a><br>
<a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
.md5sums</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
.rpm</a>  <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
.tgz</a> <br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br>
<a target="_blank"
Download .lrp</a><br>
<a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a
.md5sums</a></td>
</tr>
<tr>
<td>Paris, France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a
<a
href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br>
<a
<a
href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br>
<a
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td>
<td> <a target="_blank"
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br>
<a target="_blank"
.rpm</a>  <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a target="_blank"
.tgz</a> <br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a target="_blank"
.lrp</a><br>
<a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
.md5sums</a></td>
</tr>
<tr>
<td valign="middle">Washington State, USA<br>
</td>
<td valign="middle">Shorewall.net<br>
</td>
<td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br>
<a
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br>
<a
<a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br>
</td>
<td valign="top"><a
</td>
<td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br>
<a
Download .rpm</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br>
<a
.tgz</a> <br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br>
<a target="_blank"
.lrp</a><br>
<a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br>
</td>
</tr>
</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p><b>Browse Download Sites:</b></p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge<br>
</td>
<td>sf.net</td>
<td><a
<tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>SourceForge (Incomplete)<br>
</td>
<td>sf.net</td>
<td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
<td>N/A</td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p align="left"><b>CVS:</b></p>
<blockquote>
<p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there
will work at all.<br>
</p>
</blockquote>
at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there
will work at all.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 2/7/2003 - <a
<p align="left"><font size="2">Last Updated 3/5/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</p>
</body>
</html>

File diff suppressed because one or more lines are too long

View File

@ -15,7 +15,7 @@
<base
<base
target="_self">
<meta name="author" content="Tom Eastep">
</head>
@ -28,12 +28,12 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tbody>
<tr>
<td width="100%" height="90">
<tr>
<td width="100%"
height="90">
@ -48,7 +48,7 @@
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables
made easy"</i></font></font></h1>
@ -66,13 +66,13 @@
href="http://shorewall.sf.net/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a><br>
</div>
</div>
<br>
<br>
</td>
</td>
</tr>
</tr>
@ -93,11 +93,11 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tbody>
<tr>
<tr>
<td width="90%">
<td width="90%">
@ -122,10 +122,10 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -141,24 +141,24 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify
it under the terms
of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software
2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
<br>
This program is distributed
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
<br>
<br>
You should have received
a copy of the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass
You should have received
a copy of the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc., 675 Mass
Ave, Cambridge, MA 02139, USA</p>
@ -188,17 +188,17 @@ the Free Software Foundation, Inc., 675 Mass
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and
</a>Jacques Nilo and
Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called
on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.14
and Kernel-2.4.20. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
and Kernel-2.4.20. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!!</b><br>
</p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.1!!!</b><br>
</p>
@ -209,8 +209,8 @@ Bering 1.1!!!</b><br>
<h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -251,97 +251,115 @@ Bering 1.1!!!</b><br>
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
</b></p>
<p></p>
Shorewall 1.4 represents the next step in the evolution of Shorewall.
Shorewall 1.4 represents the next step in the evolution of Shorewall.
The main thrust of the initial release is simply to remove the cruft that
has accumulated in Shorewall over time.<br>
 <br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
 <br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br>
<br>
Function from 1.3 that has been omitted from this version include:<br>
<br>
Function from 1.3 that has been omitted from this version include:<br>
<ol>
<li>The MERGE_HOSTS variable in shorewall.conf is
<li>The MERGE_HOSTS variable in shorewall.conf is
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br>
<br>
</li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br>
<br>
</li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
is no longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
<br>
</li>
<li value="8">The 'multi' interface option is no longer supported.
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same interface
that they arrived on in two cases:</li>
</ol>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and does
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.<br>
</li>
</li>
</ul>
<ol>
</ol>
Changes for 1.4 include:<br>
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
<br>
</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script and version file are now installed
in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
<br>
</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script and version file are now installed
in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in
the common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
</li>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
</li>
</ol>
@ -379,13 +397,13 @@ the common chain by default.<br>
<h2><a name="Donations"></a>Donations</h2>
</td>
</td>
<td width="88"
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr>
</tr>
@ -396,9 +414,9 @@ the common chain by default.<br>
</table>
</center>
</center>
</div>
</div>
@ -407,11 +425,11 @@ the common chain by default.<br>
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tbody>
<tr>
<tr>
<td width="100%"
<td width="100%"
style="margin-top: 1px;">
@ -427,7 +445,7 @@ the common chain by default.<br>
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
  </a></p>
  </a></p>
@ -440,15 +458,15 @@ the common chain by default.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td>
</td>
</tr>
</tr>
@ -462,9 +480,10 @@ Children's Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/28/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</p>
<br>
</body>
</html>

View File

@ -17,6 +17,7 @@
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -24,16 +25,16 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br>
Version 3.1</font></h1>
</td>
</tr>
(HOWTO's)<br>
Version 4.0</font></h1>
</td>
</tr>
</tbody>
@ -41,274 +42,273 @@
<p align="center">With thanks to Richard who reminded me once again that we
must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul>
<li><a href="standalone.htm">Standalone</a> Linux System
(<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a> Linux
System acting as a firewall/router for a small local network (<a
href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
<li><a href="standalone.htm">Standalone</a> Linux
System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local network
(<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about Shorewall
than is explained in the single-address guides above.</b></p>
the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about
Shorewall than is explained in the single-address guides above.</b></p>
<ul>
<li><a
<li><a
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0
Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0
Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0
Addressing, Subnets and Routing</a>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0
Shorewall Concepts</a></li>
<li><a
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
and Routing</a>
<ul>
<li><a
<li><a
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a
<li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3
Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol</a></li>
<li><a
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4
Address Resolution Protocol</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5
RFC 1918</a></li>
<li><a
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0
Setting up your Network</a>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0
Setting up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1
Routed</a></li>
<li><a href="shorewall_setup_guide.htm#Routed">5.1
Routed</a></li>
</ul>
<ul>
<li><a
<li><a
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li>
<li><a
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3
Rules</a></li>
<li><a
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p>
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p>
<ul>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common
configuration file features</a>
</li>
<li><a href="configuration_file_basics.htm">Common
configuration file features</a>
<ul>
<li><a
<li><a
href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li>
<li><a
files</a></li>
<li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a
<li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a
<li><a
href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a
<li><a
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
<li><a
<li><a
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
</li>
<li><a
</li>
<li><a
href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li>
<li><a
or Subnet</a></li>
<li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations
(making a test configuration)</a></li>
<li><a href="configuration_file_basics.htm#MAC">Using
MAC Addresses in Shorewall</a></li>
<li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File
Reference Manual</a>
</li>
<li><a href="Documentation.htm">Configuration File
Reference Manual</a>
<ul>
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a
<li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall
Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel
Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall Configuration
(How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall
Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel
Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<li><a href="myfiles.htm">My Shorewall Configuration
(How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br>
</li>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br>
</li>
</ul>
<li><font color="#000099"><a href="NAT.htm">Static
NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
with Shorewall</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN
<li><font color="#000099"><a href="NAT.htm">Static
NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
with Shorewall</a><br>
</li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
behind your firewall to a remote network.</li>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
behind your firewall to a remote network.</li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White
List Creation</a></li>
</li>
<li><a href="whitelisting_under_shorewall.htm">White
List Creation</a></li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 2/26/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
Eastep</font></a><br>
</p>
</body>
</html>

View File

@ -17,7 +17,7 @@
<base target="_self">
<base target="_self">
<meta name="author" content="Tom Eastep">
</head>
<body>
@ -29,11 +29,11 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
<tbody>
<tbody>
<tr>
<tr>
<td width="100%"
<td width="100%"
height="90">
@ -50,7 +50,7 @@
alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0">
</a></i></font><font
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables
made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1>
@ -68,8 +68,8 @@
<div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
</td>
</tr>
</td>
</tr>
@ -88,11 +88,11 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tbody>
<tr>
<tr>
<td width="90%">
<td width="90%">
@ -119,10 +119,10 @@
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone GNU/Linux
system.</p>
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p>
@ -137,27 +137,27 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms
of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br>
it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br>
<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
<br>
<br>
You should have received
You should have received
a copy of the GNU General Public License
along with this program; if not, write to
the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
along with this program; if not, write
to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p>
@ -188,19 +188,19 @@
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
</a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>
</b>
<b>
</b>
<b>Congratulations to Jacques and
<b>Congratulations to Jacques and
Eric on the recent release of Bering 1.1!!!</b><br>
<h2>News</h2>
@ -221,102 +221,116 @@ Eric on the recent release of Bering 1.1!!!</b><br>
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
Shorewall 1.4 represents the
next step in the evolution of Shorewall. The main thrust of the initial
release is simply to remove the cruft that has accumulated in Shorewall over
time. <br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
</b></p>
Shorewall 1.4 represents
the next step in the evolution of Shorewall. The main thrust of the initial
release is simply to remove the cruft that has accumulated in Shorewall
over time. <br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br>
<br>
Function from 1.3 that has been omitted from this version include:<br>
<br>
Function from 1.3 that has been omitted from this version include:<br>
<ol>
<li>The MERGE_HOSTS variable in shorewall.conf is
<li>The MERGE_HOSTS variable in shorewall.conf is
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br>
<br>
</li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces
<br>
</li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
<br>
</li>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same interface
that they arrived on in two cases:</li>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same interface
that they arrived on in two cases:</li>
</ol>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to
<li>There is an <u>explicit</u> policy for the source zone to
or from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone
not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
</ul>
<ul>
</ul>
Changes for 1.4 include:<br>
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
<br>
</li>
<li>LOG and CONTINUE are now a valid actions for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script and version file are now installed
<br>
</li>
<li>LOG and CONTINUE are now a valid actions for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script and version file are now installed
in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
<br>
</li>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in
the common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.</li>
</ol>
<p></p>
<b> </b>
<b> </b>
@ -344,6 +358,7 @@ policy.<br>
<p><a href="News.htm">More News</a></p>
@ -369,7 +384,7 @@ policy.<br>
<h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1>
</a></h1>
@ -384,6 +399,7 @@ policy.<br>
<h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2>
@ -396,13 +412,13 @@ policy.<br>
<h2><a name="Donations"></a>Donations</h2>
</td>
</td>
<td width="88"
<td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</td>
</tr>
</tr>
@ -413,9 +429,9 @@ policy.<br>
</table>
</center>
</center>
</div>
</div>
@ -424,11 +440,11 @@ policy.<br>
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
<tbody>
<tbody>
<tr>
<tr>
<td width="100%"
<td width="100%"
style="margin-top: 1px;">
@ -444,7 +460,7 @@ policy.<br>
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10">
</a></p>
</a></p>
@ -457,15 +473,15 @@ policy.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</td>
</td>
</tr>
</tr>
@ -479,9 +495,10 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/28/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</p>
<br>
</body>
</html>

View File

@ -20,18 +20,18 @@
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<tbody>
<tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1>
the Firewall</font></h1>
</td>
</td>
</tr>
</tr>
</tbody>
@ -41,13 +41,13 @@
<p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once
you have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run
levels 2-5 and stop it in run levels 1 and 6. If you want to configure
your firewall differently from this default, you can use the "--level"
option in chkconfig (see "man chkconfig") or using your favorite
graphical run-level editor.</p>
I recommend that you start the firewall automatically at boot.
Once you have installed "firewall" in your init.d directory, simply
type "chkconfig --add firewall". This will start the firewall
in run levels 2-5 and stop it in run levels 1 and 6. If you want
to configure your firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p>
@ -57,22 +57,22 @@
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you have
<li>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the file
/etc/shorewall/startup_disabled. Note: Users of the .deb package must
edit /etc/default/shorewall and set 'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing
"shorewall restart" in that script.</li>
</li>
<li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing
"shorewall restart" in that script.</li>
</ol>
<p>
</p>
</p>
@ -82,22 +82,22 @@ edit /etc/default/shorewall and set 'startup=1'.<br>
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's
running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains
installed by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's
running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains
installed by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li>
</ul>
If you include the keyword <i>debug</i> as the first argument, then
If you include the keyword <i>debug</i> as the first argument, then
a shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
@ -105,71 +105,73 @@ edit /etc/default/shorewall and set 'startup=1'.<br>
<p>The above command would trace the 'start' command and place the trace information
in the file /tmp/trace<br>
</p>
<p>The above command would trace the 'start' command and place the trace
information in the file /tmp/trace<br>
</p>
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
bottom of this page.<br>
</p>
</p>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul>
<li>shorewall status - produce a verbose report about the
<li>shorewall status - produce a verbose report about the
firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report
about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the
<li>shorewall show <i>chain</i> - produce a verbose report
about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the
nat table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the
<li>shorewall show tos - produce a verbose report about the
mangle table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li>
<li>shorewall
show
tc - displays
information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the
firewall status, last 20 log entries and nat. When the log entry
display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall
<li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li>
<li>shorewall
show
tc - displays
information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the
firewall status, last 20 log entries and nat. When the log
entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall
packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version
<li>shorewall version - Displays the installed version
number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the
<li>shorewall check - Performs a <u>cursory</u> validation of the
zones, interfaces, hosts, rules and policy files.<br>
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
and does not parse and validate the generated iptables commands.
Even though the "check" command completes successfully, the configuration
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
and does not parse and validate the generated iptables commands. Even
though the "check" command completes successfully, the configuration
may fail to start. Problem reports that complain about errors that the 'check'
command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described below.</b></font><br>
<br>
See the recommended way to make configuration changes described below.</b></font><br>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if
an error occurs or if the<i> timeout </i> option is given and the
new configuration has been up for that many seconds then shorewall
is restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and
shorewall save implement <a href="blacklisting_support.htm">dynamic
blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm when
new Shorewall messages are logged.</li>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if an
error occurs or if the<i> timeout </i> option is given and the new
configuration has been up for that many seconds then shorewall is
restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and
shorewall save implement <a href="blacklisting_support.htm">dynamic
blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm when
new Shorewall messages are logged.</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter
Finally, the "shorewall" program may be used to dynamically alter
the contents of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified
zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the specified
zone.</li>
@ -178,12 +180,12 @@ Adds the specified interface (and host if included) to the specified zone.</l
<blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24
vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0
from zone vpn1<br>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and
@ -196,8 +198,8 @@ from zone vpn1<br>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
@ -210,32 +212,33 @@ used.</p>
<p> When changing the configuration of a production firewall, I recommend
the following:</p>
the following:</p>
<ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change from
<li>&lt;copy any files that you need to change from
/etc/shorewall to . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li><font color="#009900"><b>/sbin/shorewall
try .</b></font></li>
<li><font color="#009900"><b>/sbin/shorewall
try .</b></font></li>
</ul>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to
start, the "try" command will automatically start the old one for you.</p>
to restore the old configuration. If the new configuration fails
to start, the "try" command will automatically start the old one for
you.</p>
@ -247,11 +250,11 @@ try .</b></font></li>
<ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul>
@ -259,72 +262,71 @@ try .</b></font></li>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
</p>
</p>
<div align="center"><img src="images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle">
<br>
</div>
<br>
</div>
<p>  <br>
</p>
You will note that the commands that result in state transitions
</p>
You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the actual
transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
on Debian); /sbin/shorewall runs 'firewall" according to the following
table:<br>
<br>
on Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
<td valign="top">shorewall start<br>
</td>
<td valign="top">firewall start<br>
</td>
</tr>
<tr>
<td valign="top">shorewall stop<br>
</td>
<td valign="top">firewall stop<br>
</td>
</tr>
<tr>
<td valign="top">shorewall restart<br>
</td>
<td valign="top">firewall restart<br>
</td>
</tr>
<tr>
<td valign="top">shorewall add<br>
</td>
<td valign="top">firewall add<br>
</td>
</tr>
<tr>
<td valign="top">shorewall delete<br>
</td>
<td valign="top">firewall delete<br>
</td>
</tr>
<tr>
<td valign="top">shorewall refresh<br>
</td>
<td valign="top">firewall refresh<br>
</td>
</tr>
<tr>
<td valign="top">shorewall try<br>
</td>
<td valign="top">firewall -c &lt;new configuration&gt; restart<br>
If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br>
</td>
</tr>
<tbody>
<tr>
<td valign="top">shorewall start<br>
</td>
<td valign="top">firewall start<br>
</td>
</tr>
<tr>
<td valign="top">shorewall stop<br>
</td>
<td valign="top">firewall stop<br>
</td>
</tr>
<tr>
<td valign="top">shorewall restart<br>
</td>
<td valign="top">firewall restart<br>
</td>
</tr>
<tr>
<td valign="top">shorewall add<br>
</td>
<td valign="top">firewall add<br>
</td>
</tr>
<tr>
<td valign="top">shorewall delete<br>
</td>
<td valign="top">firewall delete<br>
</td>
</tr>
<tr>
<td valign="top">shorewall refresh<br>
</td>
<td valign="top">firewall refresh<br>
</td>
</tr>
<tr>
<td valign="top">shorewall try<br>
</td>
<td valign="top">firewall -c &lt;new configuration&gt; restart<br>
If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br>
</td>
</tr>
</tbody>
</table>
<br>
<br>
<p><font size="2"> Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -332,7 +334,8 @@ table:<br>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
</body>
</html>

View File

@ -3,18 +3,22 @@
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title>
<title>Shorewall Support Guide</title>
@ -27,18 +31,19 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support<img
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</tr>
</font></h1>
</td>
</tr>
</tbody>
@ -46,62 +51,63 @@
<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
emailed directly to me, I try to spend some time each day answering questions
on the Shorewall Users Mailing List.</font></big><span
emailed directly to me, I try to spend some time each day answering questions
on the Shorewall Users Mailing List and on the Support Forum.</font></big><span
style="font-weight: 400;"></span></big></b></p>
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
<h1>Before Reporting a Problem</h1>
<i>"Well at least you tried to read the documentation, which is a lot more
than some people on this list appear to do.</i>"<br>
<br>
<i>"Well at least you tried to read the documentation, which is a lot
more than some people on this list appear to do.</i>"<br>
<br>
<div align="center">- Wietse Venema - On the Postfix mailing list<br>
</div>
<br>
There are a number of sources for
problem solution information. Please try these before you post.
</div>
<br>
There are a number of sources
for problem solution information. Please try these before you
post.
<h3> </h3>
<h3> </h3>
<ul>
<li>More than half of the questions posted on the support
list have answers directly accessible from the <a
<li>More than half of the questions posted on the
support list have answers directly accessible from the <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<br>
</li>
<li> The <a href="FAQ.htm">FAQ</a>
has solutions to more than 20 common problems. </li>
<br>
</li>
<li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
</li>
</ul>
<h3> </h3>
<ul>
<li> The <a
<li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems. </li>
a number of tips to help you solve common problems. </li>
</ul>
<h3> </h3>
<ul>
<li> The <a
<li> The <a
href="errata.htm"> Errata</a> has links to download updated
components. </li>
components. </li>
</ul>
<h3> </h3>
<ul>
<li> The Mailing List
Archives search facility can locate posts about similar
problems: </li>
<li> The Mailing
List Archives search facility can locate posts about similar
problems: </li>
</ul>
@ -119,13 +125,15 @@ problems: </li>
<option value="or">Any </option>
<option value="boolean">Boolean </option>
</select>
Format:
Format:
<select name="format">
<option value="builtin-long">Long </option>
<option value="builtin-short">Short </option>
</select>
Sort by:
Sort by:
<select name="sort">
<option value="score">Score </option>
@ -135,144 +143,145 @@ problems: </li>
<option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option>
</select>
</font> <input type="hidden"
</font> <input type="hidden"
name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br>
Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p>
</form>
Search: <input type="text"
size="30" name="words" value=""> <input type="submit" value="Search">
</p>
</form>
<h2>Problem Reporting Guidelines </h2>
<i>"Let me see if I can translate your message into a real-world
example. It would be like saying that you have three rooms at home,
and when you walk into one of the rooms, you detect this strange smell.
Can anyone tell you what that strange smell is?<br>
<br>
Now, all of us could do some wonderful guessing as to the
smell and even what's causing it. You would be absolutely amazed
at the range and variety of smells we could come up with. Even more
amazing is that all of the explanations for the smells would be completely
plausible."<br>
</i><br>
<i>"Let me see if I can translate your message into a
real-world example. It would be like saying that you have three
rooms at home, and when you walk into one of the rooms, you detect
this strange smell. Can anyone tell you what that strange smell is?<br>
<br>
Now, all of us could do some wonderful guessing as to
the smell and even what's causing it. You would be absolutely amazed
at the range and variety of smells we could come up with. Even more
amazing is that all of the explanations for the smells would be completely
plausible."<br>
</i><br>
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
</div>
<br>
</div>
<br>
<h3> </h3>
<ul>
<li>Please remember we only know what is posted in your message.
Do not leave out any information that appears to be correct, or was
mentioned in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct when it
actually contained a small error. We tend to be skeptics where detail
is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not an
obligation. Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of error messages,
log entries, command output, and other output is better than a paraphrase
or summary.<br>
<br>
</li>
<li> Please don't describe
your environment and then ask us to send you custom
configuration files. We're here to answer your questions but we
can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong> include
this information:</li>
<li>Please remember we only know what is posted in your message.
Do not leave out any information that appears to be correct, or was
mentioned in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct when
it actually contained a small error. We tend to be skeptics where detail
is lacking.<br>
<br>
</li>
<li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not
an obligation. Try to make it easy for us to help you. Follow good,
courteous practices in writing and formatting your e-mail. Provide
details that we need if you expect good answers. <em>Exact quoting </em>
of error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
<br>
</li>
<li> Please don't describe
your environment and then ask us to send you custom
configuration files. We're here to answer your questions but
we can't do your job for you.<br>
<br>
</li>
<li>When reporting a problem, <strong>ALWAYS</strong> include
this information:</li>
</ul>
<ul>
<ul>
<li>the exact version of Shorewall you are running.<br>
<br>
<b><font color="#009900">shorewall version</font><br>
</b> <br>
</li>
<li>the exact version of Shorewall you are running.<br>
<br>
<b><font color="#009900">shorewall version</font><br>
</b> <br>
</li>
</ul>
<ul>
<li>the exact kernel version you are running<br>
<br>
<font color="#009900"><b>uname -a<br>
<br>
</b></font></li>
<li>the exact kernel version you are running<br>
<br>
<font color="#009900"><b>uname -a<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip addr show<br>
<br>
</b></font></li>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip addr show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip route show<br>
<br>
</b></font></li>
<li>the complete, exact output of<br>
<br>
<font color="#009900"><b>ip route show<br>
<br>
</b></font></li>
</ul>
<ul>
<li>If your kernel is modularized, the exact output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
<br>
</li>
<li>the exact wording of any <code
<li>If your kernel is modularized, the exact output from<br>
<br>
<font color="#009900"><b>lsmod</b></font><br>
<br>
</li>
<li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart Guides,
please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake
installation of Shorewall, please say so.</b><br>
<br>
</li>
<br>
</li>
<li>If you installed Shorewall using one of the QuickStart Guides,
please indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake
installation of Shorewall, please say so.</b><br>
<br>
</li>
</ul>
</ul>
<ul>
<li><b>NEVER </b>include the output of "<b><font
<li><b>NEVER </b>include the output of "<b><font
color="#009900">iptables -L</font></b>". Instead,<font
color="#ff0000"><u><i><big> <b>if you are having connection problems of
any kind then:</b></big></i></u></font><br>
<br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
<br>
2. Try the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, netmask,
nameserver addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive them
anyway from information contained in the SMTP headers of your post).<strong></strong></li>
any kind then:</b></big></i></u></font><br>
<br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
<br>
2. Try the connection that is failing.<br>
<br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br>
4. Post the /tmp/status.txt file as an attachment.<br>
<br>
</li>
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address, netmask,
nameserver addresses, domain name, etc. These aren't secrets, and concealing
them often misleads us (and 80% of the time, a hacker could derive
them anyway from information contained in the SMTP headers of your post).<strong></strong></li>
</ul>
@ -289,18 +298,19 @@ any kind then:</b></big></i></u></font><br>
<h3> </h3>
<ul>
<li> Do you see any
"Shorewall" messages ("<b><font color="#009900">/sbin/shorewall show
log</font></b>") when you exercise the function that is giving
you problems? If so, include the message(s) in your post along with a
copy of your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have modified
that file) that you think are relevant. If you include /etc/shorewall/rules,
please include /etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies). </li>
<li> Do you see
any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
show log</font></b>") when you exercise the function that
is giving you problems? If so, include the message(s) in your post
along with a copy of your /etc/shorewall/interfaces file.<br>
<br>
</li>
<li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).
</li>
</ul>
@ -313,83 +323,85 @@ copy of your /etc/shorewall/interfaces file.<br>
<h3> </h3>
<ul>
<li> If an error occurs
when you try to "<font color="#009900"><b>shorewall start</b></font>",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions). </li>
<li> If an error occurs
when you try to "<font color="#009900"><b>shorewall start</b></font>",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions). </li>
</ul>
<h3> </h3>
<ul>
<li>
<li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc. to the Mailing List -- your
post will be rejected.</b></h3>
</li>
your network layout, etc. to the Mailing List -- your
post will be rejected.</b></h3>
</li>
</ul>
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
<h2>Please post in plain text</h2>
<blockquote> </blockquote>
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy to
allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to rid the
planet of HTML based e-mail". Nevertheless, to allow subscribers to receive
list posts as must as possible, I have now configured the list server
at shorewall.net to strip all HTML from outgoing posts.<br>
<br>
I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the
list subscribers whose MTAs are bouncing all shorewall.net mail. As
one list subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to rid the planet
of HTML based e-mail". Nevertheless, to allow subscribers to receive list
posts as must as possible, I have now configured the list server at shorewall.net
to strip all HTML from outgoing posts.<br>
<h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote>
<h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network
Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft
then you can post non MNF-specific Shorewall questions to the </b><a
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network
Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft
then you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a> <b>Do not expect to get free MNF support on the list.</b><br>
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a></p>
</blockquote>
list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>.</p>
</blockquote>
<p>To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p>
.</p>
<p align="left"><font size="2">Last Updated 2/22/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 3/4/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
<br>
</p>
<br>
<br>
</body>

View File

@ -17,97 +17,99 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>
</td>
</tr>
</tbody>
</table>
<p align="left">Shorewall has limited support for traffic shaping/control.
In order to use traffic shaping under Shorewall, it is essential that
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a>, version 0.3.0 or later.</p>
In order to use traffic shaping under Shorewall, it is essential that
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a>, version 0.3.0 or later.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul>
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Traffic Shaping also requires that you enable packet mangling.</li>
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in
Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the
setting of this variable determines whether Shorewall clears the traffic
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
</li>
<li><b>/etc/shorewall/tcrules</b> - A file where you can
specify firewall marking of packets. The firewall mark value may
be used to classify packets for traffic shaping/control.<br>
</li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
that is sourced by Shorewall during "shorewall start" and which
you can use to define your traffic shaping disciplines and classes.
I have provided a <a
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Traffic Shaping also requires that you enable packet mangling.</li>
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
the setting of this variable determines whether Shorewall clears the traffic
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
</li>
<li><b>/etc/shorewall/tcrules</b> - A file where you can
specify firewall marking of packets. The firewall mark value may
be used to classify packets for traffic shaping/control.<br>
</li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
that is sourced by Shorewall during "shorewall start" and which
you can use to define your traffic shaping disciplines and classes.
I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections
of the HOWTO mentioned above, you can probably code your own faster
than you can learn how to use my sample. I personally use <a
of the HOWTO mentioned above, you can probably code your own faster
than you can learn how to use my sample. I personally use <a
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
HTB support may eventually become an integral part of Shorewall
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
HTB is a standard part of the kernel but iproute2 must be patched in
order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use
the run_tc function supplied by shorewall if you want tc errors
to stop the firewall.<br>
<br>
You can generally use off-the-shelf traffic shaping scripts by simply
copying them to /etc/shorewall/tcstart. I use <a
<br>
In tcstart, when you want to run the 'tc' utility, use
the run_tc function supplied by shorewall if you want tc errors
to stop the firewall.<br>
<br>
You can generally use off-the-shelf traffic shaping scripts by
simply copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied
so when traffic shaping happens, all outbound traffic will have as a source
address the IP addresss of your firewall's external interface.<br>
</li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
that is sourced by Shorewall when it is clearing traffic shaping.
This file is normally not required as Shorewall's method of clearing
qdisc and filter definitions is pretty general.</li>
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been
applied so when traffic shaping happens, all outbound traffic will have
as a source address the IP addresss of your firewall's external interface.<br>
</li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
that is sourced by Shorewall when it is clearing traffic shaping.
This file is normally not required as Shorewall's method of clearing
qdisc and filter definitions is pretty general.</li>
</ul>
Shorewall allows you to start traffic shaping when Shorewall itself starts
or it allows you to bring up traffic shaping when you bring up your interfaces.<br>
<br>
To start traffic shaping when Shorewall starts:<br>
Shorewall allows you to start traffic shaping when Shorewall itself
starts or it allows you to bring up traffic shaping when you bring up your
interfaces.<br>
<br>
To start traffic shaping when Shorewall starts:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can mark
packets using entries in /etc/shorewall/tcrules.</li>
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can
mark packets using entries in /etc/shorewall/tcrules.</li>
</ol>
To start traffic shaping when you bring up your network interfaces, you
will have to arrange for your traffic shaping configuration script to be
run at that time. How you do that is distribution dependent and will not be
covered here. You then should:<br>
To start traffic shaping when you bring up your network interfaces,
you will have to arrange for your traffic shaping configuration script to
be run at that time. How you do that is distribution dependent and will not
be covered here. You then should:<br>
<ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
scripts.</li>
<li value="4">If your tcstart script uses the 'fwmark' classifier,
you can mark packets using entries in /etc/shorewall/tcrules.</li>
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
scripts.</li>
<li value="4">If your tcstart script uses the 'fwmark' classifier,
you can mark packets using entries in /etc/shorewall/tcrules.</li>
</ol>
@ -117,179 +119,179 @@ you can mark packets using entries in /etc/shorewall/tcrules.</li>
<p align="center"><img border="0" src="images/QoS.png" width="590"
height="764">
</p>
</p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.<br>
</p>
packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.<br>
</p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p>
any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading
are being used. Beginning with Shorewall 1.3.12, you can cause packet
marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p>
<p align="left">Columns in the file are as follows:</p>
<ul>
<li>MARK - Specifies the mark value is to be assigned in
case of a match. This is an integer in the range 1-255. Beginning
<li>MARK - Specifies the mark value is to be assigned in
case of a match. This is an integer in the range 1-255. Beginning
with Shorewall version 1.3.14, this value may be optionally followed by
":" and either 'F' or 'P' to designate that the marking will occur in the
FORWARD or PREROUTING chains respectively. If this additional specification
is omitted, the chain used to mark packets will be determined by the setting
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br>
Examples<br>
    eth0<br>
    192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST -- Destination of the packet. Comma-separated list
of IP addresses and/or subnets.<br>
</li>
<li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or "all"<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list of
Port names (from /etc/services), port numbers or port ranges (e.g.,
21:22); if the protocol is "icmp", this column is interpreted as
the destination icmp type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
If omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</li>
<br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br>
Examples<br>
    eth0<br>
    192.168.2.4,192.168.1.0/24<br>
</li>
<li>DEST -- Destination of the packet. Comma-separated
list of IP addresses and/or subnets.<br>
</li>
<li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or "all"<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list
of Port names (from /etc/services), port numbers or port ranges (e.g.,
21:22); if the protocol is "icmp", this column is interpreted
as the destination icmp type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
If omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</li>
</ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with
2. All packets originating on the firewall itself should be marked with
3.</p>
with 1. All packets arriving on eth2 and eth3 should be marked with
2. All packets originating on the firewall itself should be marked with
3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>1</td>
<td>eth1</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>2</td>
<td>eth2</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top">2<br>
</td>
<td valign="top">eth3<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">all<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>1</td>
<td>eth1</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>2</td>
<td>eth2</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top">2<br>
</td>
<td valign="top">eth3<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">all<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with
12.</p>
on the firewall and destined for 155.186.235.151 should be marked with
12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>12</td>
<td>0.0.0.0/0</td>
<td>155.186.235.151</td>
<td>47</td>
<td> </td>
<td> </td>
</tr>
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>12</td>
<td>0.0.0.0/0</td>
<td>155.186.235.151</td>
<td>47</td>
<td> </td>
<td> </td>
</tr>
</tbody>
</table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p>
and destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>22</td>
<td>192.168.1.0/24</td>
<td>155.186.235.151</td>
<td>tcp</td>
<td>22</td>
<td> </td>
</tr>
<tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td>22</td>
<td>192.168.1.0/24</td>
<td>155.186.235.151</td>
<td>tcp</td>
<td>22</td>
<td> </td>
</tr>
</tbody>
</table>
<h3>My Setup<br>
</h3>
</h3>
<p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
in the Wondershaper README), I have also run with the following set of
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
in the Wondershaper README), I have also run with the following set of
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</p>
</p>
<blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
@ -305,28 +307,32 @@ hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre>
</blockquote>
</blockquote>
<p>My tcrules file that went with this tcstart file is shown in Example 1
above.<br>
</p>
above. You can look at <a href="myfiles.htm">my configuration</a> to
see why I wanted shaping of this type.<br>
</p>
<ol>
<li>I wanted to allow up to 140kbits/second for traffic outbound
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
<li>I wanted to allow up to 140kbits/second for traffic outbound
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
can use all available bandwidth if there is no traffic from the local
systems or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.<br>
</li>
<li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.</li>
</ol>
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
to see how this fit in. <br>
<p><font size="2">Last Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<br>
</body>

View File

@ -18,13 +18,13 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td>
</tr>
</td>
</tr>
</tbody>
</table>
@ -35,37 +35,37 @@
<h3> </h3>
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 <u>REQUIRES</u></b> <b>the iproute package
<b>IMPORTANT: Shorewall &gt;=1.4.0 <u>REQUIRES</u></b> <b>the iproute package
('ip' utility).</b><br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options are no
longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
<li>The <b>noping </b>and <b>forwardping</b> interface options are
no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in /etc/shorewall/interfaces
now generate a Shorewall error at startup (they always have produced warnings
in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. Shorewall
1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents are
determined by BOTH the interfaces and hosts files when there are entries for
the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts file
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in
/etc/shorewall/interfaces now generate a Shorewall error at startup (they
always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
are determined by BOTH the interfaces and hosts files when there are entries
for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts file
has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are not dropped by default;
<li value="6">The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are not dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have been
moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include it from
/etc/shorewall/icmpdef, you will need to modify that file.</li>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall
<li value="6">The 'firewall', 'functions' and 'version' file have been
moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include it
from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that
they arrived on in two cases:</li>
@ -74,20 +74,23 @@ they arrived on in two cases:</li>
<ul>
<ul>
<li>There is an <u>explicit</u> policy for the source zone to or from
the destination zone. An explicit policy names both zones and does not use
the 'all' reserved word.</li>
<li>There is an <u>explicit</u> policy for the source zone to or from
the destination zone. An explicit policy names both zones and does not use
the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source zone to or
from the destination zone including rules that use the 'all' reserved word.
Exception: if the source zone and destination zone are the same then the
rule must be explicit - it must name the zone in both the SOURCE and DESTINATION
columns.</li>
<li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li>
</ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li>
</ul>
@ -96,52 +99,53 @@ rule must be explicit - it must name the zone in both the SOURCE and DESTINATION
</ul>
<h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
<b>column</b>:<br>
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
<b>column</b>:<br>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
interface (as shown by "ip addr show <i>interface</i>") and would masquerade
traffic from that subnet. Any other subnets that routed through eth1 needed
their own entry in /etc/shorewall/masq to be masqueraded or to have SNAT
applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT
applied.</li>
</ul>
You will need to make a change to your configuration if:<br>
You will need to make a change to your configuration if:<br>
<ol>
<li>You have one or more entries in /etc/shorewall/masq with an interface
name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li>
<li>You have one or more entries in /etc/shorewall/masq with an interface
name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li>
</ol>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>
   <br>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration is like this?<br>
required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration is like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br>
</blockquote>
to:<br>
</blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request (ping)
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request (ping)
handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be used
(If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
@ -150,27 +154,27 @@ Traffic originating in ANY of those subnets is masqueraded or has SNAT applied
See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to
version 1.3.10, you will need to use the '--force' option:<br>
<br>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote>
</blockquote>
<h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. If
you have an application that uses functions from that file, your application
The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your application
will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8,
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
/etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
@ -185,22 +189,22 @@ Traffic originating in ANY of those subnets is masqueraded or has SNAT applied
command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version
1.3.3 and later:</p>
1.3.3 and later:</p>
<ol>
<li>Be sure you have a backup
<li>Be sure you have a backup
-- you will need to transcribe any Shorewall
configuration changes that you have made
to the new configuration.</li>
<li>Replace the shorwall.lrp package
provided on the Bering floppy with the
later one. If you did not obtain the later
version from Jacques's site, see additional
instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
configuration changes that you have
made to the new configuration.</li>
<li>Replace the shorwall.lrp
package provided on the Bering floppy
with the later one. If you did not obtain
the later version from Jacques's site,
see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not forget
to backup root.lrp !</li>
@ -209,92 +213,94 @@ to backup root.lrp !</li>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to
add the following two Bering-specific rules to /etc/shorewall/rules:</p>
for setting up a two-interface firewall</a> plus you also need to add
the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote>
</blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p>
<ol>
<li>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN
# So that the connection tracking table can be rebuilt<br>
                                    # from non-SYN
<br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN
# So that the connection tracking table can be rebuilt<br>
                                    # from non-SYN
packets after takeover.<br>
 </font> </p>
</li>
<li>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
                                                                   
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p tcp
--tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild
connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
</li>
. /etc/shorewall/common.def</font> </p>
</li>
</ol>
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
longer supported. </p>
<p align="left">Example 1:</p>
<div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
</div>
<p align="left">Must be replaced with:</p>
<div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
</div>
<div align="left">
<p align="left">Example 2:</p>
</div>
</div>
<div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
</div>
<div align="left">
<p align="left">Must be replaced with:</p>
</div>
</div>
<div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
</div>
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications
should be modified accordingly.</p>
<p><font size="2"> Last updated 2/14/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font size="2"> Last updated 3/6/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
</p>
<br>
<br>
<br>
<br>