mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-15 04:04:10 +01:00
More 1.4.0 Updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@483 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
09fc5e317a
commit
07f66da156
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
42
Shorewall-docs/Forum.html
Normal file
42
Shorewall-docs/Forum.html
Normal file
@ -0,0 +1,42 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Support Forum</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Support Forum</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3><font color="#ff6633"></font></h3>
|
||||
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
|
||||
read the <a href="support.htm">Shorewall Support Guide</a>.</h1>
|
||||
<p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
|
||||
Forum</a><br>
|
||||
</p>
|
||||
|
||||
<p><font size="2">Updated 3/6/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2003 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
File diff suppressed because it is too large
Load Diff
549
Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
Normal file
549
Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
Normal file
@ -0,0 +1,549 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall and Aliased Interfaces</title>
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
|
||||
<h2>Background</h2>
|
||||
The traditional net-tools contain a program called <i>ifconfig</i> which
|
||||
is used to configure network devices. ifconfig introduced the concept of
|
||||
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have
|
||||
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig
|
||||
treats them more or less like real interfaces.<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
|
||||
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
|
||||
The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
|
||||
utility which is part of the <i>iproute </i>package. The ip utility does
|
||||
not use the concept of aliases or virtual interfaces but rather treats additional
|
||||
addresses on an interface as addresses. The ip utility does provide for interaction
|
||||
with ifconfig in that it allows addresses to be <i>labeled.</i> <br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
|
||||
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
|
||||
Note that one <u>cannot</u> type "ip addr show dev eth0:0"<br>
|
||||
|
||||
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
|
||||
The iptables program doesn't support virtual interfaces in either it's
|
||||
"-i" or "-o" command options; as a consequence, Shorewall does not allow
|
||||
them to be used in the /etc/shorewall/interfaces file.<br>
|
||||
<br>
|
||||
|
||||
<h2>So how do I handle more than one address on an interface?</h2>
|
||||
Depends on what you are trying to do with the interfaces. In the sub-sections
|
||||
that follow, we'll take a look at common scenarios.<br>
|
||||
|
||||
<h3>Separate Rules</h3>
|
||||
If you need to make a rule for traffic to/from the firewall itself only
|
||||
apply to a particular IP address, simply qualify the $FW zone with the IP
|
||||
address.<br>
|
||||
<br>
|
||||
Example (allow SSH from net to eth0:0 above):<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ACTION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PROTOCOL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ORIGINAL DESTINATION<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">DNAT<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">fw:206.124.146.178<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">22<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
|
||||
<h3>DNAT</h3>
|
||||
Suppose that I had set up eth0:0 as above and I wanted to port forward
|
||||
from that virtual interface to a web server running in my local zone at 192.168.1.3.
|
||||
That is accomplised by a single rule in the /etc/shorewall/rules file:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ACTION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PROTOCOL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ORIGINAL DESTINATION<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">DNAT<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">loc:192.168.1.3<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top">-<br>
|
||||
</td>
|
||||
<td valign="top">206.124.146.178<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
|
||||
<h3>SNAT</h3>
|
||||
If you wanted to use eth0:0 as the IP address for outbound connections
|
||||
from your local zone (eth1), then in /etc/shorewall/masq:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SUBNET<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ADDRESS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">eth0<br>
|
||||
</td>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top">206.124.146.178<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
Shorewall can create the alias (additional address) for you if you set
|
||||
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
|
||||
1.3.14, Shorewall can actually create the "label" (virtual interface) so
|
||||
that you can see the created address using ifconfig. In addition to setting
|
||||
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
|
||||
column as follows:<br>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SUBNET<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ADDRESS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">eth0:0<br>
|
||||
</td>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top">206.124.146.178<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
|
||||
<h3>STATIC NAT</h3>
|
||||
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
|
||||
you would have the following in /etc/shorewall/nat:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>EXTERNAL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERNAL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ALL INTERFACES<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>LOCAL<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">206.124.146.178<br>
|
||||
</td>
|
||||
<td valign="top">eth0<br>
|
||||
</td>
|
||||
<td valign="top">192.168.1.3<br>
|
||||
</td>
|
||||
<td valign="top">no<br>
|
||||
</td>
|
||||
<td valign="top">no<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
Shorewall can create the alias (additional address) for you if you set
|
||||
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
|
||||
1.3.14, Shorewall can actually create the "label" (virtual interface) so
|
||||
that you can see the created address using ifconfig. In addition to setting
|
||||
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
|
||||
column as follows:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>EXTERNAL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERNAL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ALL INTERFACES<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>LOCAL<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">206.124.146.178<br>
|
||||
</td>
|
||||
<td valign="top">eth0:0<br>
|
||||
</td>
|
||||
<td valign="top">192.168.1.3<br>
|
||||
</td>
|
||||
<td valign="top">no<br>
|
||||
</td>
|
||||
<td valign="top">no<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
In either case, to create rules that pertain only to this NAT pair, you
|
||||
simply qualify the local zone with the internal IP address.<br>
|
||||
<br>
|
||||
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ACTION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PROTOCOL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>SOURCE PORT(S)<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ORIGINAL DESTINATION<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">loc:192.168.1.3<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">22<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
|
||||
<h3>MULTIPLE SUBNETS</h3>
|
||||
Sometimes multiple IP addresses are used because there are multiple subnetworks
|
||||
configured on a LAN segment. This technique does not provide for any security
|
||||
between the subnetworks if the users of the systems have administrative privileges
|
||||
because in that case, the users can simply manipulate their system's routing
|
||||
table to bypass your firewall/router. Nevertheless, there are cases where
|
||||
you simply want to consider the LAN segment itself as a zone and allow your
|
||||
firewall/router to route between the two subnetworks.<br>
|
||||
<br>
|
||||
Example 1: Local interface eth1 interfaces to 192.168.1.0/24 and
|
||||
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
|
||||
is 192.168.20.254. You want to simply route all requests between the two
|
||||
subnetworks.<br>
|
||||
<br>
|
||||
In /etc/shorewall/interfaces:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>BROADCAST<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>OPTIONS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top">192.168.1.255,192.168.20.255<br>
|
||||
</td>
|
||||
<td valign="top">Note 1:<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
|
||||
the <b>multi</b> option.<br>
|
||||
<br>
|
||||
In /etc/shorewall/policy:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>POLICY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>LOG LEVEL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>BURST:LIMIT<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
|
||||
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
|
||||
You want to make these subnetworks into separate zones and control the
|
||||
access between them (the users of the systems do not have administrative
|
||||
privileges).<br>
|
||||
<br>
|
||||
In /etc/shorewall/zones:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DISPLAY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESCRIPTION<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">Local<br>
|
||||
</td>
|
||||
<td valign="top">Local Zone 1<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc2<br>
|
||||
</td>
|
||||
<td valign="top">Local2<br>
|
||||
</td>
|
||||
<td valign="top">Local Zone 2<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
In /etc/shorewall/interfaces:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>BROADCAST<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>OPTIONS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">-<br>
|
||||
</td>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top">192.168.1.255,192.168.20.255<br>
|
||||
</td>
|
||||
<td valign="top">Note 1:<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
|
||||
the <b>multi</b> option.<br>
|
||||
<br>
|
||||
In /etc/shorewall/hosts:<br>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>HOSTS<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>OPTIONS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">eth0:192.168.1.0/24<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc2<br>
|
||||
</td>
|
||||
<td valign="top">eth0:192.168.20.0/24<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that
|
||||
you want to permit.<br>
|
||||
<br>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 3/5/2003 A - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> ©
|
||||
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
@ -16,7 +16,8 @@
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Index</title>
|
||||
|
||||
<base target="main">
|
||||
<base
|
||||
target="main">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
@ -25,77 +26,85 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#4b017c" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
|
||||
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a
|
||||
<li> <a
|
||||
href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a
|
||||
<li> <a
|
||||
href="shorewall_features.htm">Features</a></li>
|
||||
<li> <a
|
||||
<li> <a
|
||||
href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
||||
<li> <a href="Documentation.htm">Reference
|
||||
Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful
|
||||
Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade
|
||||
Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li> <a
|
||||
<li> <a href="Documentation.htm">Reference
|
||||
Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful
|
||||
Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a
|
||||
href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li><a href="Forum.html">Support Forum</a> <img
|
||||
src="images/new10.gif" alt="(New)" width="28" height="12">
|
||||
<br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
|
||||
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
<li> <a
|
||||
href="shorewall_mirrors.htm">Mirrors</a>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://germany.shorewall.net">Germany</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://france.shorewall.net">France</a></li>
|
||||
<li><a href="http://www.shorewall.net"
|
||||
<li><a href="http://www.shorewall.net"
|
||||
target="_top">Washington State, USA</a><br>
|
||||
</li>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
@ -106,44 +115,45 @@
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a
|
||||
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from
|
||||
Users</a></li>
|
||||
<li> <a href="shoreline.htm">About the
|
||||
Author</a></li>
|
||||
<li> <a
|
||||
<li> <a href="quotes.htm">Quotes
|
||||
from Users</a></li>
|
||||
<li> <a href="shoreline.htm">About
|
||||
the Author</a></li>
|
||||
<li> <a
|
||||
href="seattlefirewall_index.htm#Donations">Donations</a></li>
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
|
||||
<strong><br>
|
||||
<b>Note: </b></strong>Search is unavailable Daily
|
||||
0200-0330 GMT.<br>
|
||||
<strong></strong>
|
||||
<strong><br>
|
||||
<b>Note: </b></strong>Search is unavailable
|
||||
Daily 0200-0330 GMT.<br>
|
||||
<strong></strong>
|
||||
|
||||
<p><strong>Quick Search</strong><br>
|
||||
<font face="Arial" size="-1"> <input
|
||||
<font face="Arial" size="-1"> <input
|
||||
type="text" name="words" size="15"></font><font size="-1"> </font> <font
|
||||
face="Arial" size="-1"> <input type="hidden" name="format"
|
||||
value="long"> <input type="hidden" name="method" value="and"> <input
|
||||
type="hidden" name="config" value="htdig"> <input type="submit"
|
||||
value="Search"></font> </p>
|
||||
<font face="Arial"> <input
|
||||
<font face="Arial"> <input
|
||||
type="hidden" name="exclude"
|
||||
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
||||
|
||||
|
||||
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
@ -151,17 +161,11 @@ Author</a></li>
|
||||
|
||||
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
|
||||
src="images/shorewall.jpg" width="119" height="38" hspace="0">
|
||||
</a><br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -16,8 +16,8 @@
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Index</title>
|
||||
|
||||
<base target="main">
|
||||
|
||||
<base
|
||||
target="main">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
@ -26,77 +26,85 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#4b017c" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
|
||||
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%"
|
||||
bgcolor="#ffffff">
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a
|
||||
<li> <a
|
||||
href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a
|
||||
<li> <a
|
||||
href="shorewall_features.htm">Features</a></li>
|
||||
<li> <a
|
||||
<li> <a
|
||||
href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
</li>
|
||||
<li> <b><a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
||||
<li> <a href="Documentation.htm">Reference
|
||||
Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful
|
||||
Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade
|
||||
Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li> <a
|
||||
<li> <a
|
||||
href="Documentation.htm">Reference Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a
|
||||
href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a
|
||||
href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li><a href="Forum.html">Support Forum</a> <img
|
||||
src="images/new10.gif" alt="(New)" width="28" height="12">
|
||||
<br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
|
||||
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
<li> <a
|
||||
href="shorewall_mirrors.htm">Mirrors</a>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://germany.shorewall.net">Germany</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://france.shorewall.net">France</a></li>
|
||||
<li><a href="http://www.shorewall.net"
|
||||
<li><a href="http://www.shorewall.net"
|
||||
target="_top">Washington State, USA</a><br>
|
||||
</li>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
@ -107,60 +115,51 @@
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a
|
||||
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from
|
||||
Users</a></li>
|
||||
<li> <a href="shoreline.htm">About the
|
||||
Author</a></li>
|
||||
<li> <a
|
||||
<li> <a href="quotes.htm">Quotes
|
||||
from Users</a></li>
|
||||
<li> <a href="shoreline.htm">About
|
||||
the Author</a></li>
|
||||
<li> <a
|
||||
href="sourceforge_index.htm#Donations">Donations</a></li>
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
|
||||
<strong><br>
|
||||
<b>Note: </b></strong>Search is unavailable Daily
|
||||
0200-0330 GMT.<br>
|
||||
<strong></strong>
|
||||
<strong><br>
|
||||
<b>Note: </b></strong>Search is unavailable
|
||||
Daily 0200-0330 GMT.<br>
|
||||
<strong></strong>
|
||||
|
||||
<p><strong>Quick Search</strong><br>
|
||||
<font face="Arial" size="-1"> <input
|
||||
<font face="Arial" size="-1"> <input
|
||||
type="text" name="words" size="15"></font><font size="-1"> </font> <font
|
||||
face="Arial" size="-1"> <input type="hidden" name="format"
|
||||
value="long"> <input type="hidden" name="method" value="and"> <input
|
||||
type="hidden" name="config" value="htdig"> <input type="submit"
|
||||
value="Search"></font> </p>
|
||||
<font face="Arial"> <input
|
||||
<font face="Arial"> <input
|
||||
type="hidden" name="exclude"
|
||||
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
||||
|
||||
|
||||
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001-2003 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
<p><a href="http://www.shorewall.net" target="_top"> </a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -17,14 +17,14 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
@ -33,360 +33,361 @@
|
||||
<p><b>I strongly urge you to read and print a copy of the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
|
||||
for the configuration that most closely matches your own.<br>
|
||||
</b></p>
|
||||
</b></p>
|
||||
|
||||
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
|
||||
|
||||
<p> <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
|
||||
</p>
|
||||
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
|
||||
</p>
|
||||
|
||||
<p>The documentation in HTML format is included in the .rpm and in the .tgz
|
||||
packages below.</p>
|
||||
|
||||
<p> Once you've done that, download <u> one</u> of the modules:</p>
|
||||
<p>Once you've printed the appropriate QuickStart Guide, download <u>
|
||||
one</u> of the modules:</p>
|
||||
|
||||
<ul>
|
||||
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
|
||||
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
|
||||
with a 2.4 kernel, you can use the RPM version (note: the
|
||||
RPM should also work with other distributions that
|
||||
store init scripts in /etc/init.d and that include chkconfig
|
||||
or insserv). If you find that it works in other cases, let <a
|
||||
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
|
||||
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
|
||||
with a 2.4 kernel, you can use the RPM version (note: the
|
||||
RPM should also work with other distributions that
|
||||
store init scripts in /etc/init.d and that include chkconfig
|
||||
or insserv). If you find that it works in other cases, let <a
|
||||
href="mailto:teastep@shorewall.net"> me</a> know so that
|
||||
I can mention them here. See the <a href="Install.htm">Installation
|
||||
Instructions</a> if you have problems installing the RPM.</li>
|
||||
<li>If you are running LRP, download the .lrp file (you
|
||||
might also want to download the .tgz so you will have a copy of
|
||||
the documentation).</li>
|
||||
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
|
||||
and would like a .deb package, Shorewall is included in both
|
||||
I can mention them here. See the <a href="Install.htm">Installation
|
||||
Instructions</a> if you have problems installing the RPM.</li>
|
||||
<li>If you are running LRP, download the .lrp file (you
|
||||
might also want to download the .tgz so you will have a copy of
|
||||
the documentation).</li>
|
||||
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
|
||||
and would like a .deb package, Shorewall is included in both
|
||||
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
|
||||
Testing Branch</a> and the <a
|
||||
Testing Branch</a> and the <a
|
||||
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
|
||||
Unstable Branch</a>.</li>
|
||||
<li>Otherwise, download the <i>shorewall</i>
|
||||
module (.tgz)</li>
|
||||
<li>Otherwise, download the <i>shorewall</i>
|
||||
module (.tgz)</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>The documentation in HTML format is included in the .tgz and .rpm files
|
||||
and there is an documentation .deb that also contains the documentation.</p>
|
||||
|
||||
and there is an documentation .deb that also contains the documentation. The
|
||||
.rpm will install the documentation in your default document directory which
|
||||
can be obtained using the following command:<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p><font color="#009900"><b>rpm --eval '%{defaultdocdir}'</b></font></p>
|
||||
</blockquote>
|
||||
<p>Please verify the version that you have downloaded -- during the
|
||||
release of a new version of Shorewall, the links below may
|
||||
point to a newer or an older version than is shown below.</p>
|
||||
release of a new version of Shorewall, the links below may
|
||||
point to a newer or an older version than is shown below.</p>
|
||||
|
||||
<ul>
|
||||
<li>RPM - "rpm -qip LATEST.rpm"</li>
|
||||
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
|
||||
will contain the version)</li>
|
||||
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
|
||||
-zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
|
||||
</li>
|
||||
<li>RPM - "rpm -qip LATEST.rpm"</li>
|
||||
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory
|
||||
name will contain the version)</li>
|
||||
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
|
||||
-zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>Once you have verified the version, check the <font
|
||||
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
|
||||
if there are updates that apply to the version that you have
|
||||
downloaded.</p>
|
||||
if there are updates that apply to the version that you have
|
||||
downloaded.</p>
|
||||
|
||||
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
|
||||
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
|
||||
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
|
||||
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
|
||||
IS REQUIRED BEFORE THE FIREWALL WILL START as described in the QuickStart
|
||||
Guides. Once you have completed configuration of your firewall, you
|
||||
can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
|
||||
<p><b>Download Latest Version</b> (<b>1.3.14</b>): <b>Remember that updates
|
||||
to the mirrors occur 1-12 hours after an update to the Washington
|
||||
State site.</b></p>
|
||||
<p><b>Download Latest Version</b> (<b>1.4.0</b>): <b>Remember that updates
|
||||
to the mirrors occur 1-12 hours after an update to the Washington
|
||||
State site.</b></p>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellspacing="3" cellpadding="3"
|
||||
style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">SourceForge<br>
|
||||
</td>
|
||||
<td valign="top">sf.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">SourceForge<br>
|
||||
</td>
|
||||
<td valign="top">sf.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
<td> <a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
<td> <a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a> <br>
|
||||
<a target="_blank"
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a><br>
|
||||
<a
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
<td> <a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Martinez (Zona Norte - GBA), Argentina</td>
|
||||
<td>Correofuego.com.ar</td>
|
||||
<td> <a target="_blank"
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Martinez (Zona Norte - GBA), Argentina</td>
|
||||
<td>Correofuego.com.ar</td>
|
||||
<td> <a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Paris, France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Paris, France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br>
|
||||
<a
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br>
|
||||
<a
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
<td> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="middle">Washington State, USA<br>
|
||||
</td>
|
||||
<td valign="middle">Shorewall.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="middle">Washington State, USA<br>
|
||||
</td>
|
||||
<td valign="middle">Shorewall.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a><br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
|
||||
Download .rpm</a> <br>
|
||||
<a
|
||||
Download .rpm</a> <br>
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a><br>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p><b>Browse Download Sites:</b></p>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>SourceForge<br>
|
||||
</td>
|
||||
<td>sf.net</td>
|
||||
<td><a
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>SourceForge (Incomplete)<br>
|
||||
</td>
|
||||
<td>sf.net</td>
|
||||
<td><a
|
||||
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
|
||||
<td>N/A</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
<td>N/A</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
<td> <a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
<td><a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
<td><a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Martinez (Zona Norte - GBA), Argentina</td>
|
||||
<td>Correofuego.com.ar</td>
|
||||
<td><a
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Martinez (Zona Norte - GBA), Argentina</td>
|
||||
<td>Correofuego.com.ar</td>
|
||||
<td><a
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
<td> <a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
</tr>
|
||||
<tr>
|
||||
<td>France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
<td> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Washington State, USA</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Washington State, USA</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a
|
||||
<td><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><b>CVS:</b></p>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">The <a target="_top"
|
||||
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
|
||||
at cvs.shorewall.net</a> contains the latest snapshots of the each
|
||||
Shorewall component. There's no guarantee that what you find there
|
||||
will work at all.<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
at cvs.shorewall.net</a> contains the latest snapshots of the each
|
||||
Shorewall component. There's no guarantee that what you find there
|
||||
will work at all.<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 2/7/2003 - <a
|
||||
<p align="left"><font size="2">Last Updated 3/5/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
||||
|
File diff suppressed because one or more lines are too long
@ -15,7 +15,7 @@
|
||||
|
||||
|
||||
|
||||
<base
|
||||
<base
|
||||
target="_self">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
@ -28,12 +28,12 @@
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
|
||||
<td width="100%" height="90">
|
||||
<tr>
|
||||
|
||||
<td width="100%"
|
||||
height="90">
|
||||
|
||||
|
||||
|
||||
@ -48,7 +48,7 @@
|
||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||
src="images/washington.jpg" border="0">
|
||||
|
||||
</a></i></font><font
|
||||
</a></i></font><font
|
||||
color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables
|
||||
made easy"</i></font></font></h1>
|
||||
|
||||
@ -66,13 +66,13 @@
|
||||
href="http://shorewall.sf.net/1.3/index.html" target="_top"><font
|
||||
color="#ffffff">Shorewall 1.3 Site here</font></a><br>
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
@ -93,11 +93,11 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="90%">
|
||||
<td width="90%">
|
||||
|
||||
|
||||
|
||||
@ -122,10 +122,10 @@
|
||||
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
||||
firewall that can be used on a dedicated firewall system, a multi-function
|
||||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
|
||||
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
|
||||
that can be used on a dedicated firewall system, a multi-function
|
||||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||||
|
||||
|
||||
|
||||
@ -141,24 +141,24 @@ firewall that can be used on a dedicated firewall system, a multi-functio
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms
|
||||
of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||||
2 of the GNU General Public License</a> as published by the Free Software
|
||||
2 of the GNU General Public License</a> as published by the Free Software
|
||||
Foundation.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
This program is distributed
|
||||
This program is distributed
|
||||
in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied
|
||||
warranty of MERCHANTABILITY or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. See the GNU General Public License
|
||||
for more details.<br>
|
||||
WITHOUT ANY WARRANTY; without even the implied
|
||||
warranty of MERCHANTABILITY or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. See the GNU General Public License
|
||||
for more details.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
You should have received
|
||||
a copy of the GNU General Public License
|
||||
along with this program; if not, write to
|
||||
the Free Software Foundation, Inc., 675 Mass
|
||||
You should have received
|
||||
a copy of the GNU General Public License
|
||||
along with this program; if not, write to
|
||||
the Free Software Foundation, Inc., 675 Mass
|
||||
Ave, Cambridge, MA 02139, USA</p>
|
||||
|
||||
|
||||
@ -188,17 +188,17 @@ the Free Software Foundation, Inc., 675 Mass
|
||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||
|
||||
</a>Jacques Nilo and
|
||||
</a>Jacques Nilo and
|
||||
Eric Wolzak have a LEAF (router/firewall/gateway
|
||||
on a floppy, CD or compact flash) distribution called
|
||||
on a floppy, CD or compact flash) distribution called
|
||||
<i>Bering</i> that features Shorewall-1.3.14
|
||||
and Kernel-2.4.20. You can find their work at:
|
||||
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
||||
</a></p>
|
||||
and Kernel-2.4.20. You can find their work at:
|
||||
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
||||
</a></p>
|
||||
|
||||
<p><b>Congratulations to Jacques and Eric on the recent release of
|
||||
Bering 1.1!!!</b><br>
|
||||
</p>
|
||||
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
|
||||
1.1!!!</b><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
@ -209,8 +209,8 @@ Bering 1.1!!!</b><br>
|
||||
|
||||
|
||||
|
||||
<h2>This is a mirror of the main Shorewall web site at SourceForge
|
||||
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
|
||||
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
|
||||
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
|
||||
|
||||
|
||||
|
||||
@ -251,97 +251,115 @@ Bering 1.1!!!</b><br>
|
||||
|
||||
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p></p>
|
||||
Shorewall 1.4 represents the next step in the evolution of Shorewall.
|
||||
Shorewall 1.4 represents the next step in the evolution of Shorewall.
|
||||
The main thrust of the initial release is simply to remove the cruft that
|
||||
has accumulated in Shorewall over time.<br>
|
||||
<br>
|
||||
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
|
||||
<br>
|
||||
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
|
||||
('ip' utility).</b><br>
|
||||
<br>
|
||||
Function from 1.3 that has been omitted from this version include:<br>
|
||||
<br>
|
||||
Function from 1.3 that has been omitted from this version include:<br>
|
||||
|
||||
<ol>
|
||||
<li>The MERGE_HOSTS variable in shorewall.conf is
|
||||
<li>The MERGE_HOSTS variable in shorewall.conf is
|
||||
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Interface names of the form <device>:<integer>
|
||||
in /etc/shorewall/interfaces now generate an error.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
|
||||
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
|
||||
of the 'noping' or 'filterping' interface options.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The 'routestopped' option in the /etc/shorewall/interfaces
|
||||
and /etc/shorewall/hosts files is no longer supported and will generate
|
||||
an error at startup if specified.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
|
||||
no longer accepted.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The ALLOWRELATED variable in shorewall.conf is no longer
|
||||
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Interface names of the form <device>:<integer>
|
||||
in /etc/shorewall/interfaces now generate an error.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
|
||||
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
|
||||
of the 'noping' or 'filterping' interface options.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The 'routestopped' option in the /etc/shorewall/interfaces
|
||||
and /etc/shorewall/hosts files is no longer supported and will generate
|
||||
an error at startup if specified.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
|
||||
is no longer accepted.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The ALLOWRELATED variable in shorewall.conf is no longer
|
||||
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The icmp.def file has been removed.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The icmp.def file has been removed.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li value="8">The 'multi' interface option is no longer supported.
|
||||
<li value="8">The 'multi' interface option is no longer supported.
|
||||
Shorewall will generate rules for sending packets back out the same interface
|
||||
that they arrived on in two cases:</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<ul>
|
||||
<li>There is an <u>explicit</u> policy for the source zone to
|
||||
or from the destination zone. An explicit policy names both zones and does
|
||||
<li>There is an <u>explicit</u> policy for the source zone to
|
||||
or from the destination zone. An explicit policy names both zones and does
|
||||
not use the 'all' reserved word.</li>
|
||||
<li>There are one or more rules for traffic for the source zone
|
||||
to or from the destination zone including rules that use the 'all' reserved
|
||||
<li>There are one or more rules for traffic for the source zone
|
||||
to or from the destination zone including rules that use the 'all' reserved
|
||||
word. Exception: if the source zone and destination zone are the same then
|
||||
the rule must be explicit - it must name the zone in both the SOURCE and
|
||||
DESTINATION columns.<br>
|
||||
</li>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ol>
|
||||
|
||||
</ol>
|
||||
Changes for 1.4 include:<br>
|
||||
Changes for 1.4 include:<br>
|
||||
|
||||
<ol>
|
||||
<li>The /etc/shorewall/shorewall.conf file has been completely
|
||||
reorganized into logical sections.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The firewall script and version file are now installed
|
||||
in /usr/share/shorewall.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Late arriving DNS replies are now silently dropped in
|
||||
<li>The /etc/shorewall/shorewall.conf file has been completely
|
||||
reorganized into logical sections.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The firewall script and version file are now installed
|
||||
in /usr/share/shorewall.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Late arriving DNS replies are now silently dropped in
|
||||
the common chain by default.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
|
||||
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
|
||||
to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>802.11b devices with names of the form wlan<i><n></i>
|
||||
now support the 'maclist' option.<br>
|
||||
</li>
|
||||
<br>
|
||||
</li>
|
||||
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
|
||||
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
|
||||
want to 'ping' from the firewall, you will need the appropriate rule or
|
||||
policy.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>802.11b devices with names of the form wlan<i><n></i>
|
||||
now support the 'maclist' option.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
|
||||
now be turned off on a host or network basis using the new /etc/shorewall/ecn
|
||||
file. To use this facility:<br>
|
||||
<br>
|
||||
a) You must be running kernel 2.4.20<br>
|
||||
b) You must have applied the patch in<br>
|
||||
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
|
||||
c) You must have iptables 1.2.7a installed.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The /etc/shorewall/params file is now processed first so that
|
||||
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
@ -379,13 +397,13 @@ the common chain by default.<br>
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
<td width="88"
|
||||
<td width="88"
|
||||
bgcolor="#4b017c" valign="top" align="center"> <a
|
||||
href="http://sourceforge.net">M</a></td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
@ -396,9 +414,9 @@ the common chain by default.<br>
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
</center>
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
@ -407,11 +425,11 @@ the common chain by default.<br>
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="100%"
|
||||
<td width="100%"
|
||||
style="margin-top: 1px;">
|
||||
|
||||
|
||||
@ -427,7 +445,7 @@ the common chain by default.<br>
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
|
||||
</a></p>
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
@ -440,15 +458,15 @@ the common chain by default.<br>
|
||||
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||||
but if you try it and find it useful, please consider making a donation
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
|
||||
if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||
Children's Foundation.</font></a> Thanks!</font></p>
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
||||
Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
@ -462,9 +480,10 @@ Children's Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
|
||||
|
||||
<p><font size="2">Updated 2/28/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -17,6 +17,7 @@
|
||||
<title>Shorewall QuickStart Guide</title>
|
||||
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
@ -24,16 +25,16 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
|
||||
(HOWTO's)<br>
|
||||
Version 3.1</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
(HOWTO's)<br>
|
||||
Version 4.0</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
@ -41,274 +42,273 @@
|
||||
|
||||
<p align="center">With thanks to Richard who reminded me once again that we
|
||||
must all first walk before we can run.<br>
|
||||
The French Translations are courtesy of Patrice Vetsel<br>
|
||||
</p>
|
||||
The French Translations are courtesy of Patrice Vetsel<br>
|
||||
</p>
|
||||
|
||||
<h2>The Guides</h2>
|
||||
|
||||
<p>These guides provide step-by-step instructions for configuring Shorewall
|
||||
in common firewall setups.</p>
|
||||
in common firewall setups.</p>
|
||||
|
||||
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="standalone.htm">Standalone</a> Linux System
|
||||
(<a href="standalone_fr.html">Version Française</a>)</li>
|
||||
<li><a href="two-interface.htm">Two-interface</a> Linux
|
||||
System acting as a firewall/router for a small local network (<a
|
||||
href="two-interface_fr.html">Version Française</a>)</li>
|
||||
<li><a href="three-interface.htm">Three-interface</a>
|
||||
Linux System acting as a firewall/router for a small local network
|
||||
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
|
||||
<li><a href="standalone.htm">Standalone</a> Linux
|
||||
System (<a href="standalone_fr.html">Version Française</a>)</li>
|
||||
<li><a href="two-interface.htm">Two-interface</a>
|
||||
Linux System acting as a firewall/router for a small local network
|
||||
(<a href="two-interface_fr.html">Version Française</a>)</li>
|
||||
<li><a href="three-interface.htm">Three-interface</a>
|
||||
Linux System acting as a firewall/router for a small local network
|
||||
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>The above guides are designed to get your first firewall up and running
|
||||
quickly in the three most common Shorewall configurations.</p>
|
||||
quickly in the three most common Shorewall configurations.</p>
|
||||
|
||||
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
|
||||
the steps necessary to set up a firewall where <b>there are multiple
|
||||
public IP addresses involved or if you want to learn more about Shorewall
|
||||
than is explained in the single-address guides above.</b></p>
|
||||
the steps necessary to set up a firewall where <b>there are multiple
|
||||
public IP addresses involved or if you want to learn more about
|
||||
Shorewall than is explained in the single-address guides above.</b></p>
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Concepts">2.0
|
||||
Shorewall Concepts</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0
|
||||
Network Interfaces</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Addressing">4.0
|
||||
Addressing, Subnets and Routing</a>
|
||||
<li><a href="shorewall_setup_guide.htm#Concepts">2.0
|
||||
Shorewall Concepts</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets
|
||||
and Routing</a>
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
|
||||
<li><a
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Routing">4.3
|
||||
Routing</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
|
||||
Resolution Protocol</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4
|
||||
Address Resolution Protocol</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5
|
||||
RFC 1918</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Options">5.0
|
||||
Setting up your Network</a>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Options">5.0
|
||||
Setting up your Network</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Routed">5.1
|
||||
Routed</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Routed">5.1
|
||||
Routed</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
|
||||
SNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
|
||||
DNAT</a></li>
|
||||
<li><a
|
||||
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
|
||||
SNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
|
||||
DNAT</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
|
||||
Static NAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
|
||||
Static NAT</a></li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Rules">5.3
|
||||
Rules</a></li>
|
||||
<li><a
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Rules">5.3
|
||||
Rules</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
|
||||
<li><a
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
|
||||
Stopping the Firewall</a></li>
|
||||
Stopping the Firewall</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="Documentation"></a>Documentation Index</h2>
|
||||
|
||||
<p>The following documentation covers a variety of topics and <b>supplements
|
||||
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
|
||||
described above</b>. Please review the appropriate guide before trying
|
||||
to use this documentation directly.</p>
|
||||
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
|
||||
described above</b>. Please review the appropriate guide before trying
|
||||
to use this documentation directly.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
||||
<li><a
|
||||
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
|
||||
(e.g., eth0:0)</a><br>
|
||||
</li>
|
||||
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
||||
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
||||
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
||||
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="configuration_file_basics.htm">Common
|
||||
configuration file features</a>
|
||||
</li>
|
||||
<li><a href="configuration_file_basics.htm">Common
|
||||
configuration file features</a>
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Comments">Comments in configuration
|
||||
files</a></li>
|
||||
<li><a
|
||||
files</a></li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
|
||||
<li><a
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
|
||||
<li><a
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
|
||||
<li><a
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
|
||||
<li><a
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
|
||||
</li>
|
||||
<li><a
|
||||
</li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Compliment">Complementing an IP address
|
||||
or Subnet</a></li>
|
||||
<li><a
|
||||
or Subnet</a></li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Configs">Shorewall Configurations
|
||||
(making a test configuration)</a></li>
|
||||
<li><a href="configuration_file_basics.htm#MAC">Using
|
||||
MAC Addresses in Shorewall</a></li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="Documentation.htm">Configuration File
|
||||
Reference Manual</a>
|
||||
</li>
|
||||
<li><a href="Documentation.htm">Configuration File
|
||||
Reference Manual</a>
|
||||
|
||||
<ul>
|
||||
<li> <a href="Documentation.htm#Variables">params</a></li>
|
||||
<li><font color="#000099"><a
|
||||
<li> <a href="Documentation.htm#Variables">params</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Zones">zones</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Interfaces">interfaces</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Hosts">hosts</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Policy">policy</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Rules">rules</a></font></li>
|
||||
<li><a href="Documentation.htm#Common">common</a></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><a href="Documentation.htm#Common">common</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Masq">masq</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#NAT">nat</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Tunnels">tunnels</a></font></li>
|
||||
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
|
||||
<li><a href="Documentation.htm#modules">modules</a></li>
|
||||
<li><a href="Documentation.htm#TOS">tos</a> </li>
|
||||
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
|
||||
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
|
||||
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
|
||||
<li><a href="Documentation.htm#modules">modules</a></li>
|
||||
<li><a href="Documentation.htm#TOS">tos</a> </li>
|
||||
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
|
||||
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
|
||||
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="dhcp.htm">DHCP</a></li>
|
||||
<li><font color="#000099"><a
|
||||
</li>
|
||||
<li><a href="dhcp.htm">DHCP</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
|
||||
(How to extend Shorewall without modifying Shorewall code)</li>
|
||||
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
||||
<li><a href="shorewall_firewall_structure.htm">Firewall
|
||||
Structure</a></li>
|
||||
<li><font color="#000099"><a href="kernel.htm">Kernel
|
||||
Configuration</a></font></li>
|
||||
<li><a href="shorewall_logging.html">Logging</a><br>
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">MAC Verification</a><br>
|
||||
</li>
|
||||
<li><a href="myfiles.htm">My Shorewall Configuration
|
||||
(How I personally use Shorewall)</a><br>
|
||||
</li>
|
||||
<li><a href="ping.html">'Ping' Management</a><br>
|
||||
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
||||
<li><a href="shorewall_firewall_structure.htm">Firewall
|
||||
Structure</a></li>
|
||||
<li><font color="#000099"><a href="kernel.htm">Kernel
|
||||
Configuration</a></font></li>
|
||||
<li><a href="shorewall_logging.html">Logging</a><br>
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">MAC Verification</a><br>
|
||||
</li>
|
||||
<li><a href="ports.htm">Port Information</a>
|
||||
<li><a href="myfiles.htm">My Shorewall Configuration
|
||||
(How I personally use Shorewall)</a><br>
|
||||
</li>
|
||||
<li><a href="ping.html">'Ping' Management</a><br>
|
||||
</li>
|
||||
<li><a href="ports.htm">Port Information</a>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>Which applications use which ports</li>
|
||||
<li>Ports used by Trojans</li>
|
||||
<li>Which applications use which ports</li>
|
||||
<li>Ports used by Trojans</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
||||
<li><a href="samba.htm">Samba</a></li>
|
||||
<li><font color="#000099"><a
|
||||
</li>
|
||||
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
||||
<li><a href="samba.htm">Samba</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
|
||||
|
||||
<ul>
|
||||
<li>Description of all /sbin/shorewall commands</li>
|
||||
<li>How to safely test a Shorewall configuration change<br>
|
||||
</li>
|
||||
<li>Description of all /sbin/shorewall commands</li>
|
||||
<li>How to safely test a Shorewall configuration change<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
<li><font color="#000099"><a href="NAT.htm">Static
|
||||
NAT</a></font></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
|
||||
with Shorewall</a><br>
|
||||
</li>
|
||||
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
|
||||
<li>VPN
|
||||
<li><font color="#000099"><a href="NAT.htm">Static
|
||||
NAT</a></font></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
|
||||
with Shorewall</a><br>
|
||||
</li>
|
||||
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
|
||||
<li>VPN
|
||||
|
||||
<ul>
|
||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
||||
<li><a href="OPENVPN.html">OpenVPN</a><br>
|
||||
</li>
|
||||
<li><a href="PPTP.htm">PPTP</a></li>
|
||||
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
|
||||
behind your firewall to a remote network.</li>
|
||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
||||
<li><a href="OPENVPN.html">OpenVPN</a><br>
|
||||
</li>
|
||||
<li><a href="PPTP.htm">PPTP</a></li>
|
||||
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
|
||||
behind your firewall to a remote network.</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="whitelisting_under_shorewall.htm">White
|
||||
List Creation</a></li>
|
||||
</li>
|
||||
<li><a href="whitelisting_under_shorewall.htm">White
|
||||
List Creation</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>If you use one of these guides and have a suggestion for improvement <a
|
||||
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
|
||||
|
||||
<p><font size="2">Last modified 2/26/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font size="2">Last modified 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
|
||||
Eastep</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
Eastep</font></a><br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
|
||||
<base target="_self">
|
||||
<base target="_self">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
@ -29,11 +29,11 @@
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="100%"
|
||||
<td width="100%"
|
||||
height="90">
|
||||
|
||||
|
||||
@ -50,7 +50,7 @@
|
||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||
src="images/washington.jpg" border="0">
|
||||
|
||||
</a></i></font><font
|
||||
</a></i></font><font
|
||||
color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables
|
||||
made easy"</i></font></font><a
|
||||
href="http://www.sf.net"> </a></h1>
|
||||
@ -68,8 +68,8 @@
|
||||
<div align="center"><a href="/1.3/index.html" target="_top"><font
|
||||
color="#ffffff">Shorewall 1.3 Site here</font></a></div>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
@ -88,11 +88,11 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="90%">
|
||||
<td width="90%">
|
||||
|
||||
|
||||
|
||||
@ -119,10 +119,10 @@
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
|
||||
based firewall that can be used on a dedicated firewall system,
|
||||
a multi-function gateway/router/server or on a standalone GNU/Linux
|
||||
system.</p>
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
|
||||
based firewall that can be used on a dedicated firewall system,
|
||||
a multi-function gateway/router/server or on a standalone
|
||||
GNU/Linux system.</p>
|
||||
|
||||
|
||||
|
||||
@ -137,27 +137,27 @@
|
||||
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms
|
||||
of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||||
2 of the GNU General Public License</a> as published by the Free Software
|
||||
Foundation.<br>
|
||||
it under the
|
||||
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||||
2 of the GNU General Public License</a> as published by the Free
|
||||
Software Foundation.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
This program is distributed
|
||||
in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied
|
||||
warranty of MERCHANTABILITY or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. See the GNU General Public License
|
||||
This program is distributed
|
||||
in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied
|
||||
warranty of MERCHANTABILITY or FITNESS FOR
|
||||
A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
for more details.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
You should have received
|
||||
You should have received
|
||||
a copy of the GNU General Public License
|
||||
along with this program; if not, write to
|
||||
the Free Software Foundation, Inc., 675
|
||||
Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
along with this program; if not, write
|
||||
to the Free Software Foundation, Inc., 675
|
||||
Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
|
||||
|
||||
|
||||
@ -188,19 +188,19 @@
|
||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||
|
||||
</a>Jacques Nilo
|
||||
and Eric Wolzak have a LEAF (router/firewall/gateway
|
||||
on a floppy, CD or compact flash) distribution
|
||||
called <i>Bering</i> that features
|
||||
Shorewall-1.3.14 and Kernel-2.4.20. You can find
|
||||
their work at: <a
|
||||
</a>Jacques Nilo
|
||||
and Eric Wolzak have a LEAF (router/firewall/gateway
|
||||
on a floppy, CD or compact flash) distribution
|
||||
called <i>Bering</i> that features
|
||||
Shorewall-1.3.14 and Kernel-2.4.20. You can find
|
||||
their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
|
||||
<b>
|
||||
</b>
|
||||
<b>
|
||||
</b>
|
||||
|
||||
|
||||
|
||||
<b>Congratulations to Jacques and
|
||||
<b>Congratulations to Jacques and
|
||||
Eric on the recent release of Bering 1.1!!!</b><br>
|
||||
|
||||
<h2>News</h2>
|
||||
@ -221,102 +221,116 @@ Eric on the recent release of Bering 1.1!!!</b><br>
|
||||
|
||||
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
Shorewall 1.4 represents the
|
||||
next step in the evolution of Shorewall. The main thrust of the initial
|
||||
release is simply to remove the cruft that has accumulated in Shorewall over
|
||||
time. <br>
|
||||
<br>
|
||||
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
|
||||
</b></p>
|
||||
Shorewall 1.4 represents
|
||||
the next step in the evolution of Shorewall. The main thrust of the initial
|
||||
release is simply to remove the cruft that has accumulated in Shorewall
|
||||
over time. <br>
|
||||
<br>
|
||||
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
|
||||
('ip' utility).</b><br>
|
||||
<br>
|
||||
Function from 1.3 that has been omitted from this version include:<br>
|
||||
<br>
|
||||
Function from 1.3 that has been omitted from this version include:<br>
|
||||
|
||||
<ol>
|
||||
<li>The MERGE_HOSTS variable in shorewall.conf is
|
||||
<li>The MERGE_HOSTS variable in shorewall.conf is
|
||||
no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Interface names of the form <device>:<integer>
|
||||
<br>
|
||||
</li>
|
||||
<li>Interface names of the form <device>:<integer>
|
||||
in /etc/shorewall/interfaces now generate an error.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
|
||||
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
|
||||
of the 'noping' or 'filterping' interface options.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The 'routestopped' option in the /etc/shorewall/interfaces
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
|
||||
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
|
||||
of the 'noping' or 'filterping' interface options.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The 'routestopped' option in the /etc/shorewall/interfaces
|
||||
and /etc/shorewall/hosts files is no longer supported and will generate
|
||||
an error at startup if specified.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
|
||||
no longer accepted.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The ALLOWRELATED variable in shorewall.conf is no longer
|
||||
<br>
|
||||
</li>
|
||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
|
||||
no longer accepted.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The ALLOWRELATED variable in shorewall.conf is no longer
|
||||
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The icmp.def file has been removed.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The icmp.def file has been removed.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li value="8">The 'multi' interface option is no longer supported.
|
||||
Shorewall will generate rules for sending packets back out the same interface
|
||||
that they arrived on in two cases:</li>
|
||||
<li value="8">The 'multi' interface option is no longer supported.
|
||||
Shorewall will generate rules for sending packets back out the same interface
|
||||
that they arrived on in two cases:</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<ul>
|
||||
<li>There is an <u>explicit</u> policy for the source zone to
|
||||
<li>There is an <u>explicit</u> policy for the source zone to
|
||||
or from the destination zone. An explicit policy names both zones and does
|
||||
not use the 'all' reserved word.</li>
|
||||
<li>There are one or more rules for traffic for the source zone
|
||||
not use the 'all' reserved word.</li>
|
||||
<li>There are one or more rules for traffic for the source zone
|
||||
to or from the destination zone including rules that use the 'all' reserved
|
||||
word. Exception: if the source zone and destination zone are the same then
|
||||
the rule must be explicit - it must name the zone in both the SOURCE and
|
||||
DESTINATION columns.</li>
|
||||
word. Exception: if the source zone and destination zone are the same then
|
||||
the rule must be explicit - it must name the zone in both the SOURCE and
|
||||
DESTINATION columns.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
Changes for 1.4 include:<br>
|
||||
Changes for 1.4 include:<br>
|
||||
|
||||
<ol>
|
||||
<li>The /etc/shorewall/shorewall.conf file has been completely
|
||||
<li>The /etc/shorewall/shorewall.conf file has been completely
|
||||
reorganized into logical sections.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>LOG and CONTINUE are now a valid actions for a rule (/etc/shorewall/rules).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The firewall script and version file are now installed
|
||||
<br>
|
||||
</li>
|
||||
<li>LOG and CONTINUE are now a valid actions for a rule (/etc/shorewall/rules).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The firewall script and version file are now installed
|
||||
in /usr/share/shorewall.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Late arriving DNS replies are now silently dropped in the
|
||||
common chain by default.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
|
||||
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
|
||||
want to 'ping' from the firewall, you will need the appropriate rule or
|
||||
policy.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>802.11b devices with names of the form wlan<i><n></i>
|
||||
now support the 'maclist' option.<br>
|
||||
<br>
|
||||
</li>
|
||||
<br>
|
||||
</li>
|
||||
<li>Late arriving DNS replies are now silently dropped in
|
||||
the common chain by default.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
|
||||
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
|
||||
to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>802.11b devices with names of the form wlan<i><n></i>
|
||||
now support the 'maclist' option.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li value="8">Explicit Congestion Notification (ECN - RFC 3168) may
|
||||
now be turned off on a host or network basis using the new /etc/shorewall/ecn
|
||||
file. To use this facility:<br>
|
||||
<br>
|
||||
a) You must be running kernel 2.4.20<br>
|
||||
b) You must have applied the patch in<br>
|
||||
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
|
||||
c) You must have iptables 1.2.7a installed.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The /etc/shorewall/params file is now processed first so that
|
||||
variables may be used in the /etc/shorewall/shorewall.conf file.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
|
||||
<p></p>
|
||||
<b> </b>
|
||||
<b> </b>
|
||||
|
||||
|
||||
|
||||
@ -344,6 +358,7 @@ policy.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
@ -369,7 +384,7 @@ policy.<br>
|
||||
<h1 align="center"><a href="http://www.sf.net"><img align="left"
|
||||
alt="SourceForge Logo"
|
||||
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3">
|
||||
</a></h1>
|
||||
</a></h1>
|
||||
|
||||
|
||||
|
||||
@ -384,6 +399,7 @@ policy.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<h2>This site is hosted by the generous folks at <a
|
||||
href="http://www.sf.net">SourceForge.net</a> </h2>
|
||||
|
||||
@ -396,13 +412,13 @@ policy.<br>
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
<td width="88"
|
||||
<td width="88"
|
||||
bgcolor="#4b017c" valign="top" align="center"> <br>
|
||||
</td>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
@ -413,9 +429,9 @@ policy.<br>
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
</center>
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
@ -424,11 +440,11 @@ policy.<br>
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="100%"
|
||||
<td width="100%"
|
||||
style="margin-top: 1px;">
|
||||
|
||||
|
||||
@ -444,7 +460,7 @@ policy.<br>
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
|
||||
</a></p>
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
@ -457,15 +473,15 @@ policy.<br>
|
||||
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
|
||||
if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
||||
Foundation.</font></a> Thanks!</font></p>
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||||
but if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||
Children's Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
@ -479,9 +495,10 @@ Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
|
||||
|
||||
<p><font size="2">Updated 2/28/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<p><font size="2">Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -20,18 +20,18 @@
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
|
||||
<td width="100%">
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
|
||||
the Firewall</font></h1>
|
||||
the Firewall</font></h1>
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
@ -41,13 +41,13 @@
|
||||
|
||||
|
||||
<p> If you have a permanent internet connection such as DSL or Cable,
|
||||
I recommend that you start the firewall automatically at boot. Once
|
||||
you have installed "firewall" in your init.d directory, simply type
|
||||
"chkconfig --add firewall". This will start the firewall in run
|
||||
levels 2-5 and stop it in run levels 1 and 6. If you want to configure
|
||||
your firewall differently from this default, you can use the "--level"
|
||||
option in chkconfig (see "man chkconfig") or using your favorite
|
||||
graphical run-level editor.</p>
|
||||
I recommend that you start the firewall automatically at boot.
|
||||
Once you have installed "firewall" in your init.d directory, simply
|
||||
type "chkconfig --add firewall". This will start the firewall
|
||||
in run levels 2-5 and stop it in run levels 1 and 6. If you want
|
||||
to configure your firewall differently from this default, you can
|
||||
use the "--level" option in chkconfig (see "man chkconfig") or using
|
||||
your favorite graphical run-level editor.</p>
|
||||
|
||||
|
||||
|
||||
@ -57,22 +57,22 @@
|
||||
|
||||
|
||||
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>Shorewall startup is disabled by default. Once you have
|
||||
<li>Shorewall startup is disabled by default. Once you have
|
||||
configured your firewall, you can enable startup by removing the file
|
||||
/etc/shorewall/startup_disabled. Note: Users of the .deb package must
|
||||
edit /etc/default/shorewall and set 'startup=1'.<br>
|
||||
</li>
|
||||
<li>If you use dialup, you may want to start the firewall
|
||||
in your /etc/ppp/ip-up.local script. I recommend just placing
|
||||
"shorewall restart" in that script.</li>
|
||||
</li>
|
||||
<li>If you use dialup, you may want to start the firewall
|
||||
in your /etc/ppp/ip-up.local script. I recommend just placing
|
||||
"shorewall restart" in that script.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
@ -82,22 +82,22 @@ edit /etc/default/shorewall and set 'startup=1'.<br>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>shorewall start - starts the firewall</li>
|
||||
<li>shorewall stop - stops the firewall</li>
|
||||
<li>shorewall restart - stops the firewall (if it's
|
||||
running) and then starts it again</li>
|
||||
<li>shorewall reset - reset the packet and byte counters
|
||||
in the firewall</li>
|
||||
<li>shorewall clear - remove all rules and chains
|
||||
installed by Shoreline Firewall</li>
|
||||
<li>shorewall refresh - refresh the rules involving the broadcast
|
||||
<li>shorewall start - starts the firewall</li>
|
||||
<li>shorewall stop - stops the firewall</li>
|
||||
<li>shorewall restart - stops the firewall (if it's
|
||||
running) and then starts it again</li>
|
||||
<li>shorewall reset - reset the packet and byte counters
|
||||
in the firewall</li>
|
||||
<li>shorewall clear - remove all rules and chains
|
||||
installed by Shoreline Firewall</li>
|
||||
<li>shorewall refresh - refresh the rules involving the broadcast
|
||||
addresses of firewall interfaces, <a
|
||||
href="blacklisting_support.htm">the black list</a>, <a
|
||||
href="traffic_shaping.htm">traffic control rules</a> and <a
|
||||
href="ECN.html">ECN control rules</a>.</li>
|
||||
|
||||
</ul>
|
||||
If you include the keyword <i>debug</i> as the first argument, then
|
||||
If you include the keyword <i>debug</i> as the first argument, then
|
||||
a shell trace of the command is produced as in:<br>
|
||||
|
||||
<pre> <font color="#009900"><b>shorewall debug start 2> /tmp/trace</b></font><br></pre>
|
||||
@ -105,71 +105,73 @@ edit /etc/default/shorewall and set 'startup=1'.<br>
|
||||
|
||||
|
||||
|
||||
<p>The above command would trace the 'start' command and place the trace information
|
||||
in the file /tmp/trace<br>
|
||||
</p>
|
||||
<p>The above command would trace the 'start' command and place the trace
|
||||
information in the file /tmp/trace<br>
|
||||
</p>
|
||||
|
||||
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
|
||||
bottom of this page.<br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<p>The "shorewall" program may also be used to monitor the firewall.</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>shorewall status - produce a verbose report about the
|
||||
<li>shorewall status - produce a verbose report about the
|
||||
firewall (iptables -L -n -v)</li>
|
||||
<li>shorewall show <i>chain</i> - produce a verbose report
|
||||
about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
|
||||
<li>shorewall show nat - produce a verbose report about the
|
||||
<li>shorewall show <i>chain</i> - produce a verbose report
|
||||
about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
|
||||
<li>shorewall show nat - produce a verbose report about the
|
||||
nat table (iptables -t nat -L -n -v)</li>
|
||||
<li>shorewall show tos - produce a verbose report about the
|
||||
<li>shorewall show tos - produce a verbose report about the
|
||||
mangle table (iptables -t mangle -L -n -v)</li>
|
||||
<li>shorewall show log - display the last 20 packet log entries.</li>
|
||||
<li>shorewall show connections - displays the IP connections
|
||||
currently being tracked by the firewall.</li>
|
||||
<li>shorewall
|
||||
show
|
||||
tc - displays
|
||||
information about the traffic control/shaping configuration.</li>
|
||||
<li>shorewall monitor [ delay ] - Continuously display the
|
||||
firewall status, last 20 log entries and nat. When the log entry
|
||||
display changes, an audible alarm is sounded.</li>
|
||||
<li>shorewall hits - Produces several reports about the Shorewall
|
||||
<li>shorewall show log - display the last 20 packet log entries.</li>
|
||||
<li>shorewall show connections - displays the IP connections
|
||||
currently being tracked by the firewall.</li>
|
||||
<li>shorewall
|
||||
show
|
||||
tc - displays
|
||||
information about the traffic control/shaping configuration.</li>
|
||||
<li>shorewall monitor [ delay ] - Continuously display the
|
||||
firewall status, last 20 log entries and nat. When the log
|
||||
entry display changes, an audible alarm is sounded.</li>
|
||||
<li>shorewall hits - Produces several reports about the Shorewall
|
||||
packet log messages in the current /var/log/messages file.</li>
|
||||
<li>shorewall version - Displays the installed version
|
||||
<li>shorewall version - Displays the installed version
|
||||
number.</li>
|
||||
<li>shorewall check - Performs a <u>cursory</u> validation of the
|
||||
<li>shorewall check - Performs a <u>cursory</u> validation of the
|
||||
zones, interfaces, hosts, rules and policy files.<br>
|
||||
<br>
|
||||
<font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
|
||||
and does not parse and validate the generated iptables commands.
|
||||
Even though the "check" command completes successfully, the configuration
|
||||
<br>
|
||||
<font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
|
||||
and does not parse and validate the generated iptables commands. Even
|
||||
though the "check" command completes successfully, the configuration
|
||||
may fail to start. Problem reports that complain about errors that the 'check'
|
||||
command does not detect will not be accepted.<br>
|
||||
<br>
|
||||
See the recommended way to make configuration changes described below.</b></font><br>
|
||||
<br>
|
||||
See the recommended way to make configuration changes described below.</b></font><br>
|
||||
</li>
|
||||
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
|
||||
] - Restart shorewall using the specified configuration and if
|
||||
an error occurs or if the<i> timeout </i> option is given and the
|
||||
new configuration has been up for that many seconds then shorewall
|
||||
is restarted using the standard configuration.</li>
|
||||
<li>shorewall deny, shorewall reject, shorewall accept and
|
||||
shorewall save implement <a href="blacklisting_support.htm">dynamic
|
||||
blacklisting</a>.</li>
|
||||
<li>shorewall logwatch (added in version 1.3.2) - Monitors
|
||||
the <a href="#Conf">LOGFILE </a>and produces an audible alarm when
|
||||
new Shorewall messages are logged.</li>
|
||||
</li>
|
||||
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
|
||||
] - Restart shorewall using the specified configuration and if an
|
||||
error occurs or if the<i> timeout </i> option is given and the new
|
||||
configuration has been up for that many seconds then shorewall is
|
||||
restarted using the standard configuration.</li>
|
||||
<li>shorewall deny, shorewall reject, shorewall accept and
|
||||
shorewall save implement <a href="blacklisting_support.htm">dynamic
|
||||
blacklisting</a>.</li>
|
||||
<li>shorewall logwatch (added in version 1.3.2) - Monitors
|
||||
the <a href="#Conf">LOGFILE </a>and produces an audible alarm when
|
||||
new Shorewall messages are logged.</li>
|
||||
|
||||
</ul>
|
||||
Finally, the "shorewall" program may be used to dynamically alter
|
||||
Finally, the "shorewall" program may be used to dynamically alter
|
||||
the contents of a zone.<br>
|
||||
|
||||
<ul>
|
||||
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
|
||||
Adds the specified interface (and host if included) to the specified zone.</li>
|
||||
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
|
||||
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
|
||||
Adds the specified interface (and host if included) to the specified
|
||||
zone.</li>
|
||||
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
|
||||
Deletes the specified interface (and host if included) from the specified
|
||||
zone.</li>
|
||||
|
||||
@ -178,12 +180,12 @@ Adds the specified interface (and host if included) to the specified zone.</l
|
||||
<blockquote>Examples:<br>
|
||||
|
||||
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
|
||||
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
|
||||
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24
|
||||
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
|
||||
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24
|
||||
vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0
|
||||
from zone vpn1<br>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check, </b>and
|
||||
@ -196,8 +198,8 @@ from zone vpn1<br>
|
||||
|
||||
|
||||
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
|
||||
shorewall try <i>configuration-directory</i></p>
|
||||
</blockquote>
|
||||
shorewall try <i>configuration-directory</i></p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
|
||||
@ -210,32 +212,33 @@ used.</p>
|
||||
|
||||
|
||||
<p> When changing the configuration of a production firewall, I recommend
|
||||
the following:</p>
|
||||
the following:</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
|
||||
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
|
||||
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
|
||||
|
||||
<li><font color="#009900"><b>cd /etc/test</b></font></li>
|
||||
<li><font color="#009900"><b>cd /etc/test</b></font></li>
|
||||
|
||||
<li><copy any files that you need to change from
|
||||
<li><copy any files that you need to change from
|
||||
/etc/shorewall to . and change them here></li>
|
||||
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
|
||||
<li><correct any errors found by check and check again></li>
|
||||
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
|
||||
<li><correct any errors found by check and check again></li>
|
||||
|
||||
|
||||
<li><font color="#009900"><b>/sbin/shorewall
|
||||
try .</b></font></li>
|
||||
<li><font color="#009900"><b>/sbin/shorewall
|
||||
try .</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p> If the configuration starts but doesn't work, just "shorewall restart"
|
||||
to restore the old configuration. If the new configuration fails to
|
||||
start, the "try" command will automatically start the old one for you.</p>
|
||||
to restore the old configuration. If the new configuration fails
|
||||
to start, the "try" command will automatically start the old one for
|
||||
you.</p>
|
||||
|
||||
|
||||
|
||||
@ -247,11 +250,11 @@ try .</b></font></li>
|
||||
|
||||
<ul>
|
||||
|
||||
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
|
||||
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
|
||||
|
||||
<li><font color="#009900"><b>cd</b></font></li>
|
||||
<li><font color="#009900"><b>cd</b></font></li>
|
||||
|
||||
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
|
||||
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -259,72 +262,71 @@ try .</b></font></li>
|
||||
|
||||
|
||||
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<div align="center"><img src="images/State_Diagram.png"
|
||||
alt="(State Diagram)" width="747" height="714" align="middle">
|
||||
<br>
|
||||
</div>
|
||||
<br>
|
||||
</div>
|
||||
|
||||
<p> <br>
|
||||
</p>
|
||||
You will note that the commands that result in state transitions
|
||||
</p>
|
||||
You will note that the commands that result in state transitions
|
||||
use the word "firewall" rather than "shorewall". That is because the actual
|
||||
transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
|
||||
on Debian); /sbin/shorewall runs 'firewall" according to the following
|
||||
table:<br>
|
||||
<br>
|
||||
on Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
|
||||
<br>
|
||||
|
||||
<table cellpadding="2" cellspacing="2" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">shorewall start<br>
|
||||
</td>
|
||||
<td valign="top">firewall start<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall stop<br>
|
||||
</td>
|
||||
<td valign="top">firewall stop<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall restart<br>
|
||||
</td>
|
||||
<td valign="top">firewall restart<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall add<br>
|
||||
</td>
|
||||
<td valign="top">firewall add<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall delete<br>
|
||||
</td>
|
||||
<td valign="top">firewall delete<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall refresh<br>
|
||||
</td>
|
||||
<td valign="top">firewall refresh<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall try<br>
|
||||
</td>
|
||||
<td valign="top">firewall -c <new configuration> restart<br>
|
||||
If unsuccessful then firewall start (standard configuration)<br>
|
||||
If timeout then firewall restart (standard configuration)<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">shorewall start<br>
|
||||
</td>
|
||||
<td valign="top">firewall start<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall stop<br>
|
||||
</td>
|
||||
<td valign="top">firewall stop<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall restart<br>
|
||||
</td>
|
||||
<td valign="top">firewall restart<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall add<br>
|
||||
</td>
|
||||
<td valign="top">firewall add<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall delete<br>
|
||||
</td>
|
||||
<td valign="top">firewall delete<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall refresh<br>
|
||||
</td>
|
||||
<td valign="top">firewall refresh<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall try<br>
|
||||
</td>
|
||||
<td valign="top">firewall -c <new configuration> restart<br>
|
||||
If unsuccessful then firewall start (standard configuration)<br>
|
||||
If timeout then firewall restart (standard configuration)<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
<p><font size="2"> Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
@ -332,7 +334,8 @@ table:<br>
|
||||
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -3,18 +3,22 @@
|
||||
<head>
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Support</title>
|
||||
<title>Shorewall Support Guide</title>
|
||||
|
||||
|
||||
|
||||
@ -27,18 +31,19 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Support<img
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
|
||||
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
@ -46,62 +51,63 @@
|
||||
|
||||
|
||||
<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall questions
|
||||
emailed directly to me, I try to spend some time each day answering questions
|
||||
on the Shorewall Users Mailing List.</font></big><span
|
||||
emailed directly to me, I try to spend some time each day answering questions
|
||||
on the Shorewall Users Mailing List and on the Support Forum.</font></big><span
|
||||
style="font-weight: 400;"></span></big></b></p>
|
||||
|
||||
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
|
||||
|
||||
<h1>Before Reporting a Problem</h1>
|
||||
<i>"Well at least you tried to read the documentation, which is a lot more
|
||||
than some people on this list appear to do.</i>"<br>
|
||||
<br>
|
||||
<i>"Well at least you tried to read the documentation, which is a lot
|
||||
more than some people on this list appear to do.</i>"<br>
|
||||
<br>
|
||||
|
||||
<div align="center">- Wietse Venema - On the Postfix mailing list<br>
|
||||
</div>
|
||||
<br>
|
||||
There are a number of sources for
|
||||
problem solution information. Please try these before you post.
|
||||
|
||||
</div>
|
||||
<br>
|
||||
There are a number of sources
|
||||
for problem solution information. Please try these before you
|
||||
post.
|
||||
<h3> </h3>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>More than half of the questions posted on the support
|
||||
list have answers directly accessible from the <a
|
||||
<li>More than half of the questions posted on the
|
||||
support list have answers directly accessible from the <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
|
||||
<br>
|
||||
</li>
|
||||
<li> The <a href="FAQ.htm">FAQ</a>
|
||||
has solutions to more than 20 common problems. </li>
|
||||
<br>
|
||||
</li>
|
||||
<li> The <a
|
||||
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li> The <a
|
||||
<li> The <a
|
||||
href="troubleshoot.htm">Troubleshooting</a> Information contains
|
||||
a number of tips to help you solve common problems. </li>
|
||||
a number of tips to help you solve common problems. </li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li> The <a
|
||||
<li> The <a
|
||||
href="errata.htm"> Errata</a> has links to download updated
|
||||
components. </li>
|
||||
components. </li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li> The Mailing List
|
||||
Archives search facility can locate posts about similar
|
||||
problems: </li>
|
||||
<li> The Mailing
|
||||
List Archives search facility can locate posts about similar
|
||||
problems: </li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -119,13 +125,15 @@ problems: </li>
|
||||
<option value="or">Any </option>
|
||||
<option value="boolean">Boolean </option>
|
||||
</select>
|
||||
Format:
|
||||
Format:
|
||||
|
||||
|
||||
<select name="format">
|
||||
<option value="builtin-long">Long </option>
|
||||
<option value="builtin-short">Short </option>
|
||||
</select>
|
||||
Sort by:
|
||||
Sort by:
|
||||
|
||||
|
||||
<select name="sort">
|
||||
<option value="score">Score </option>
|
||||
@ -135,144 +143,145 @@ problems: </li>
|
||||
<option value="revtime">Reverse Time </option>
|
||||
<option value="revtitle">Reverse Title </option>
|
||||
</select>
|
||||
</font> <input type="hidden"
|
||||
</font> <input type="hidden"
|
||||
name="config" value="htdig"> <input type="hidden" name="restrict"
|
||||
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
|
||||
name="exclude" value=""> <br>
|
||||
Search: <input type="text" size="30"
|
||||
name="words" value=""> <input type="submit" value="Search"> </p>
|
||||
</form>
|
||||
Search: <input type="text"
|
||||
size="30" name="words" value=""> <input type="submit" value="Search">
|
||||
</p>
|
||||
</form>
|
||||
|
||||
<h2>Problem Reporting Guidelines </h2>
|
||||
<i>"Let me see if I can translate your message into a real-world
|
||||
example. It would be like saying that you have three rooms at home,
|
||||
and when you walk into one of the rooms, you detect this strange smell.
|
||||
Can anyone tell you what that strange smell is?<br>
|
||||
<br>
|
||||
Now, all of us could do some wonderful guessing as to the
|
||||
smell and even what's causing it. You would be absolutely amazed
|
||||
at the range and variety of smells we could come up with. Even more
|
||||
amazing is that all of the explanations for the smells would be completely
|
||||
plausible."<br>
|
||||
</i><br>
|
||||
<i>"Let me see if I can translate your message into a
|
||||
real-world example. It would be like saying that you have three
|
||||
rooms at home, and when you walk into one of the rooms, you detect
|
||||
this strange smell. Can anyone tell you what that strange smell is?<br>
|
||||
<br>
|
||||
Now, all of us could do some wonderful guessing as to
|
||||
the smell and even what's causing it. You would be absolutely amazed
|
||||
at the range and variety of smells we could come up with. Even more
|
||||
amazing is that all of the explanations for the smells would be completely
|
||||
plausible."<br>
|
||||
</i><br>
|
||||
|
||||
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
|
||||
</div>
|
||||
<br>
|
||||
</div>
|
||||
<br>
|
||||
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>Please remember we only know what is posted in your message.
|
||||
Do not leave out any information that appears to be correct, or was
|
||||
mentioned in a previous post. There have been countless posts by people
|
||||
who were sure that some part of their configuration was correct when it
|
||||
actually contained a small error. We tend to be skeptics where detail
|
||||
is lacking.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please keep in mind that you're asking for <strong>free</strong>
|
||||
technical support. Any help we offer is an act of generosity, not an
|
||||
obligation. Try to make it easy for us to help you. Follow good, courteous
|
||||
practices in writing and formatting your e-mail. Provide details that
|
||||
we need if you expect good answers. <em>Exact quoting </em> of error messages,
|
||||
log entries, command output, and other output is better than a paraphrase
|
||||
or summary.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li> Please don't describe
|
||||
your environment and then ask us to send you custom
|
||||
configuration files. We're here to answer your questions but we
|
||||
can't do your job for you.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>When reporting a problem, <strong>ALWAYS</strong> include
|
||||
this information:</li>
|
||||
<li>Please remember we only know what is posted in your message.
|
||||
Do not leave out any information that appears to be correct, or was
|
||||
mentioned in a previous post. There have been countless posts by people
|
||||
who were sure that some part of their configuration was correct when
|
||||
it actually contained a small error. We tend to be skeptics where detail
|
||||
is lacking.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please keep in mind that you're asking for <strong>free</strong>
|
||||
technical support. Any help we offer is an act of generosity, not
|
||||
an obligation. Try to make it easy for us to help you. Follow good,
|
||||
courteous practices in writing and formatting your e-mail. Provide
|
||||
details that we need if you expect good answers. <em>Exact quoting </em>
|
||||
of error messages, log entries, command output, and other output is better
|
||||
than a paraphrase or summary.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li> Please don't describe
|
||||
your environment and then ask us to send you custom
|
||||
configuration files. We're here to answer your questions but
|
||||
we can't do your job for you.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>When reporting a problem, <strong>ALWAYS</strong> include
|
||||
this information:</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
|
||||
<ul>
|
||||
<li>the exact version of Shorewall you are running.<br>
|
||||
<br>
|
||||
<b><font color="#009900">shorewall version</font><br>
|
||||
</b> <br>
|
||||
</li>
|
||||
<li>the exact version of Shorewall you are running.<br>
|
||||
<br>
|
||||
<b><font color="#009900">shorewall version</font><br>
|
||||
</b> <br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>the exact kernel version you are running<br>
|
||||
<br>
|
||||
<font color="#009900"><b>uname -a<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
<li>the exact kernel version you are running<br>
|
||||
<br>
|
||||
<font color="#009900"><b>uname -a<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip addr show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip addr show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip route show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip route show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>If your kernel is modularized, the exact output from<br>
|
||||
<br>
|
||||
<font color="#009900"><b>lsmod</b></font><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>the exact wording of any <code
|
||||
<li>If your kernel is modularized, the exact output from<br>
|
||||
<br>
|
||||
<font color="#009900"><b>lsmod</b></font><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>the exact wording of any <code
|
||||
style="color: green; font-weight: bold;">ping</code> failure responses<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>If you installed Shorewall using one of the QuickStart Guides,
|
||||
please indicate which one. <br>
|
||||
<br>
|
||||
</li>
|
||||
<li><b>If you are running Shorewall under Mandrake using the Mandrake
|
||||
installation of Shorewall, please say so.</b><br>
|
||||
<br>
|
||||
</li>
|
||||
<br>
|
||||
</li>
|
||||
<li>If you installed Shorewall using one of the QuickStart Guides,
|
||||
please indicate which one. <br>
|
||||
<br>
|
||||
</li>
|
||||
<li><b>If you are running Shorewall under Mandrake using the Mandrake
|
||||
installation of Shorewall, please say so.</b><br>
|
||||
<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li><b>NEVER </b>include the output of "<b><font
|
||||
<li><b>NEVER </b>include the output of "<b><font
|
||||
color="#009900">iptables -L</font></b>". Instead,<font
|
||||
color="#ff0000"><u><i><big> <b>if you are having connection problems of
|
||||
any kind then:</b></big></i></u></font><br>
|
||||
<br>
|
||||
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
|
||||
<br>
|
||||
2. Try the connection that is failing.<br>
|
||||
<br>
|
||||
3.<b><font color="#009900"> /sbin/shorewall status > /tmp/status.txt</font></b><br>
|
||||
<br>
|
||||
4. Post the /tmp/status.txt file as an attachment.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>As a general matter, please <strong>do not edit the diagnostic
|
||||
information</strong> in an attempt to conceal your IP address, netmask,
|
||||
nameserver addresses, domain name, etc. These aren't secrets, and concealing
|
||||
them often misleads us (and 80% of the time, a hacker could derive them
|
||||
anyway from information contained in the SMTP headers of your post).<strong></strong></li>
|
||||
any kind then:</b></big></i></u></font><br>
|
||||
<br>
|
||||
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
|
||||
<br>
|
||||
2. Try the connection that is failing.<br>
|
||||
<br>
|
||||
3.<b><font color="#009900"> /sbin/shorewall status > /tmp/status.txt</font></b><br>
|
||||
<br>
|
||||
4. Post the /tmp/status.txt file as an attachment.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>As a general matter, please <strong>do not edit the diagnostic
|
||||
information</strong> in an attempt to conceal your IP address, netmask,
|
||||
nameserver addresses, domain name, etc. These aren't secrets, and concealing
|
||||
them often misleads us (and 80% of the time, a hacker could derive
|
||||
them anyway from information contained in the SMTP headers of your post).<strong></strong></li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -289,18 +298,19 @@ any kind then:</b></big></i></u></font><br>
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li> Do you see any
|
||||
"Shorewall" messages ("<b><font color="#009900">/sbin/shorewall show
|
||||
log</font></b>") when you exercise the function that is giving
|
||||
you problems? If so, include the message(s) in your post along with a
|
||||
copy of your /etc/shorewall/interfaces file.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please include any of the Shorewall configuration files
|
||||
(especially the /etc/shorewall/hosts file if you have modified
|
||||
that file) that you think are relevant. If you include /etc/shorewall/rules,
|
||||
please include /etc/shorewall/policy as well (rules are meaningless unless
|
||||
one also knows the policies). </li>
|
||||
<li> Do you see
|
||||
any "Shorewall" messages ("<b><font color="#009900">/sbin/shorewall
|
||||
show log</font></b>") when you exercise the function that
|
||||
is giving you problems? If so, include the message(s) in your post
|
||||
along with a copy of your /etc/shorewall/interfaces file.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please include any of the Shorewall configuration files
|
||||
(especially the /etc/shorewall/hosts file if you have
|
||||
modified that file) that you think are relevant. If you
|
||||
include /etc/shorewall/rules, please include /etc/shorewall/policy
|
||||
as well (rules are meaningless unless one also knows the policies).
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -313,83 +323,85 @@ copy of your /etc/shorewall/interfaces file.<br>
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li> If an error occurs
|
||||
when you try to "<font color="#009900"><b>shorewall start</b></font>",
|
||||
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
|
||||
section for instructions). </li>
|
||||
<li> If an error occurs
|
||||
when you try to "<font color="#009900"><b>shorewall start</b></font>",
|
||||
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
|
||||
section for instructions). </li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<li>
|
||||
|
||||
<h3><b>The list server limits posts to 120kb so don't post GIFs of
|
||||
your network layout, etc. to the Mailing List -- your
|
||||
post will be rejected.</b></h3>
|
||||
</li>
|
||||
your network layout, etc. to the Mailing List -- your
|
||||
post will be rejected.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
The author gratefully acknowleges that the above list was heavily
|
||||
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
|
||||
found at <a
|
||||
The author gratefully acknowleges that the above list was heavily
|
||||
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
|
||||
found at <a
|
||||
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
|
||||
|
||||
<h2>Please post in plain text</h2>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
A growing number of MTAs serving list subscribers are rejecting
|
||||
all HTML traffic. At least one MTA has gone so far as to blacklist
|
||||
A growing number of MTAs serving list subscribers are rejecting
|
||||
all HTML traffic. At least one MTA has gone so far as to blacklist
|
||||
shorewall.net "for continuous abuse" because it has been my policy to
|
||||
allow HTML in list posts!!<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a Draconian way to control
|
||||
spam and that the ultimate losers here are not the spammers but the
|
||||
list subscribers whose MTAs are bouncing all shorewall.net mail. As
|
||||
one list subscriber wrote to me privately "These e-mail admin's need
|
||||
to get a <i>(expletive deleted)</i> life instead of trying to rid the
|
||||
planet of HTML based e-mail". Nevertheless, to allow subscribers to receive
|
||||
list posts as must as possible, I have now configured the list server
|
||||
at shorewall.net to strip all HTML from outgoing posts.<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a Draconian way to control
|
||||
spam and that the ultimate losers here are not the spammers but the
|
||||
list subscribers whose MTAs are bouncing all shorewall.net mail. As
|
||||
one list subscriber wrote to me privately "These e-mail admin's need
|
||||
to get a <i>(expletive deleted)</i> life instead of trying to rid the planet
|
||||
of HTML based e-mail". Nevertheless, to allow subscribers to receive list
|
||||
posts as must as possible, I have now configured the list server at shorewall.net
|
||||
to strip all HTML from outgoing posts.<br>
|
||||
|
||||
<h2>Where to Send your Problem Report or to Ask for Help</h2>
|
||||
|
||||
|
||||
<blockquote>
|
||||
|
||||
<h4>If you run Shorewall under Bering -- <span
|
||||
style="font-weight: 400;">please post your question or problem
|
||||
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
|
||||
mailing list</a>.</span></h4>
|
||||
<b>If you run Shorewall under MandrakeSoft Multi Network
|
||||
Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft
|
||||
then you can post non MNF-specific Shorewall questions to the </b><a
|
||||
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
|
||||
mailing list</a>.</span></h4>
|
||||
<b>If you run Shorewall under MandrakeSoft Multi Network
|
||||
Firewall (MNF) and you have not purchased an MNF license from MandrakeSoft
|
||||
then you can post non MNF-specific Shorewall questions to the </b><a
|
||||
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
|
||||
list.</a> <b>Do not expect to get free MNF support on the list.</b><br>
|
||||
list</a> or to the <a
|
||||
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
|
||||
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
|
||||
|
||||
|
||||
<p>Otherwise, please post your question or problem to the <a
|
||||
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
|
||||
list.</a></p>
|
||||
</blockquote>
|
||||
list</a> or to the <a
|
||||
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
|
||||
Forum</a>.</p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>To Subscribe to the mailing list go to <a
|
||||
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||
.</p>
|
||||
.</p>
|
||||
|
||||
|
||||
<p align="left"><font size="2">Last Updated 2/22/2003 - Tom Eastep</font></p>
|
||||
<p align="left"><font size="2">Last Updated 3/4/2003 - Tom Eastep</font></p>
|
||||
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -17,97 +17,99 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">Shorewall has limited support for traffic shaping/control.
|
||||
In order to use traffic shaping under Shorewall, it is essential that
|
||||
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
|
||||
and Shaping HOWTO</a>, version 0.3.0 or later.</p>
|
||||
In order to use traffic shaping under Shorewall, it is essential that
|
||||
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
|
||||
and Shaping HOWTO</a>, version 0.3.0 or later.</p>
|
||||
|
||||
<p align="left">Shorewall traffic shaping support consists of the following:</p>
|
||||
|
||||
<ul>
|
||||
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
|
||||
Traffic Shaping also requires that you enable packet mangling.</li>
|
||||
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in
|
||||
Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the
|
||||
setting of this variable determines whether Shorewall clears the traffic
|
||||
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcrules</b> - A file where you can
|
||||
specify firewall marking of packets. The firewall mark value may
|
||||
be used to classify packets for traffic shaping/control.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
|
||||
that is sourced by Shorewall during "shorewall start" and which
|
||||
you can use to define your traffic shaping disciplines and classes.
|
||||
I have provided a <a
|
||||
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
|
||||
Traffic Shaping also requires that you enable packet mangling.</li>
|
||||
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
|
||||
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
|
||||
the setting of this variable determines whether Shorewall clears the traffic
|
||||
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcrules</b> - A file where you can
|
||||
specify firewall marking of packets. The firewall mark value may
|
||||
be used to classify packets for traffic shaping/control.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
|
||||
that is sourced by Shorewall during "shorewall start" and which
|
||||
you can use to define your traffic shaping disciplines and classes.
|
||||
I have provided a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
|
||||
table-driven CBQ shaping but if you read the traffic shaping sections
|
||||
of the HOWTO mentioned above, you can probably code your own faster
|
||||
than you can learn how to use my sample. I personally use <a
|
||||
of the HOWTO mentioned above, you can probably code your own faster
|
||||
than you can learn how to use my sample. I personally use <a
|
||||
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
|
||||
HTB support may eventually become an integral part of Shorewall
|
||||
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
|
||||
HTB is a standard part of the kernel but iproute2 must be patched in
|
||||
order to use it.<br>
|
||||
<br>
|
||||
In tcstart, when you want to run the 'tc' utility, use
|
||||
the run_tc function supplied by shorewall if you want tc errors
|
||||
to stop the firewall.<br>
|
||||
<br>
|
||||
You can generally use off-the-shelf traffic shaping scripts by simply
|
||||
copying them to /etc/shorewall/tcstart. I use <a
|
||||
<br>
|
||||
In tcstart, when you want to run the 'tc' utility, use
|
||||
the run_tc function supplied by shorewall if you want tc errors
|
||||
to stop the firewall.<br>
|
||||
<br>
|
||||
You can generally use off-the-shelf traffic shaping scripts by
|
||||
simply copying them to /etc/shorewall/tcstart. I use <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
|
||||
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
|
||||
modified it according to the Wonder Shaper README). <b>WARNING: </b>If
|
||||
you use use Masquerading or SNAT (i.e., you only have one external IP address)
|
||||
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
|
||||
script won't work. Traffic shaping occurs after SNAT has already been applied
|
||||
so when traffic shaping happens, all outbound traffic will have as a source
|
||||
address the IP addresss of your firewall's external interface.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
|
||||
that is sourced by Shorewall when it is clearing traffic shaping.
|
||||
This file is normally not required as Shorewall's method of clearing
|
||||
qdisc and filter definitions is pretty general.</li>
|
||||
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
|
||||
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
|
||||
you use use Masquerading or SNAT (i.e., you only have one external IP address)
|
||||
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
|
||||
script won't work. Traffic shaping occurs after SNAT has already been
|
||||
applied so when traffic shaping happens, all outbound traffic will have
|
||||
as a source address the IP addresss of your firewall's external interface.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
|
||||
that is sourced by Shorewall when it is clearing traffic shaping.
|
||||
This file is normally not required as Shorewall's method of clearing
|
||||
qdisc and filter definitions is pretty general.</li>
|
||||
|
||||
</ul>
|
||||
Shorewall allows you to start traffic shaping when Shorewall itself starts
|
||||
or it allows you to bring up traffic shaping when you bring up your interfaces.<br>
|
||||
<br>
|
||||
To start traffic shaping when Shorewall starts:<br>
|
||||
Shorewall allows you to start traffic shaping when Shorewall itself
|
||||
starts or it allows you to bring up traffic shaping when you bring up your
|
||||
interfaces.<br>
|
||||
<br>
|
||||
To start traffic shaping when Shorewall starts:<br>
|
||||
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
|
||||
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
|
||||
shaping rules.</li>
|
||||
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
|
||||
shaping. That is usually unnecessary.</li>
|
||||
<li>If your tcstart script uses the 'fwmark' classifier, you can mark
|
||||
packets using entries in /etc/shorewall/tcrules.</li>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
|
||||
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
|
||||
shaping rules.</li>
|
||||
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
|
||||
shaping. That is usually unnecessary.</li>
|
||||
<li>If your tcstart script uses the 'fwmark' classifier, you can
|
||||
mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
|
||||
</ol>
|
||||
To start traffic shaping when you bring up your network interfaces, you
|
||||
will have to arrange for your traffic shaping configuration script to be
|
||||
run at that time. How you do that is distribution dependent and will not be
|
||||
covered here. You then should:<br>
|
||||
To start traffic shaping when you bring up your network interfaces,
|
||||
you will have to arrange for your traffic shaping configuration script to
|
||||
be run at that time. How you do that is distribution dependent and will not
|
||||
be covered here. You then should:<br>
|
||||
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
|
||||
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
|
||||
scripts.</li>
|
||||
<li value="4">If your tcstart script uses the 'fwmark' classifier,
|
||||
you can mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
|
||||
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
|
||||
scripts.</li>
|
||||
<li value="4">If your tcstart script uses the 'fwmark' classifier,
|
||||
you can mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
@ -117,179 +119,179 @@ you can mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
|
||||
<p align="center"><img border="0" src="images/QoS.png" width="590"
|
||||
height="764">
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
|
||||
|
||||
<p align="left">The fwmark classifier provides a convenient way to classify
|
||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides
|
||||
a means for specifying these marks in a tabular fashion.<br>
|
||||
</p>
|
||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides
|
||||
a means for specifying these marks in a tabular fashion.<br>
|
||||
</p>
|
||||
|
||||
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
|
||||
any address rewriting takes place. This makes it impossible to mark inbound
|
||||
packets based on their destination address when SNAT or Masquerading are
|
||||
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
|
||||
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
|
||||
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
</p>
|
||||
any address rewriting takes place. This makes it impossible to mark inbound
|
||||
packets based on their destination address when SNAT or Masquerading
|
||||
are being used. Beginning with Shorewall 1.3.12, you can cause packet
|
||||
marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
|
||||
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
</p>
|
||||
|
||||
<p align="left">Columns in the file are as follows:</p>
|
||||
|
||||
<ul>
|
||||
<li>MARK - Specifies the mark value is to be assigned in
|
||||
case of a match. This is an integer in the range 1-255. Beginning
|
||||
<li>MARK - Specifies the mark value is to be assigned in
|
||||
case of a match. This is an integer in the range 1-255. Beginning
|
||||
with Shorewall version 1.3.14, this value may be optionally followed by
|
||||
":" and either 'F' or 'P' to designate that the marking will occur in the
|
||||
FORWARD or PREROUTING chains respectively. If this additional specification
|
||||
is omitted, the chain used to mark packets will be determined by the setting
|
||||
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
<br>
|
||||
Example - 5<br>
|
||||
</li>
|
||||
<li>SOURCE - The source of the packet. If the packet originates
|
||||
on the firewall, place "fw" in this column. Otherwise, this is a
|
||||
comma-separated list of interface names, IP addresses, MAC addresses
|
||||
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
|
||||
<br>
|
||||
Examples<br>
|
||||
eth0<br>
|
||||
192.168.2.4,192.168.1.0/24<br>
|
||||
</li>
|
||||
<li>DEST -- Destination of the packet. Comma-separated list
|
||||
of IP addresses and/or subnets.<br>
|
||||
</li>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol from
|
||||
/etc/protocol, a number or "all"<br>
|
||||
</li>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list of
|
||||
Port names (from /etc/services), port numbers or port ranges (e.g.,
|
||||
21:22); if the protocol is "icmp", this column is interpreted as
|
||||
the destination icmp type(s).<br>
|
||||
</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
|
||||
If omitted, any source port is acceptable. Specified as a comma-separate
|
||||
list of port names, port numbers or port ranges.</li>
|
||||
<br>
|
||||
Example - 5<br>
|
||||
</li>
|
||||
<li>SOURCE - The source of the packet. If the packet originates
|
||||
on the firewall, place "fw" in this column. Otherwise, this is a
|
||||
comma-separated list of interface names, IP addresses, MAC addresses
|
||||
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
|
||||
<br>
|
||||
Examples<br>
|
||||
eth0<br>
|
||||
192.168.2.4,192.168.1.0/24<br>
|
||||
</li>
|
||||
<li>DEST -- Destination of the packet. Comma-separated
|
||||
list of IP addresses and/or subnets.<br>
|
||||
</li>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol from
|
||||
/etc/protocol, a number or "all"<br>
|
||||
</li>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list
|
||||
of Port names (from /etc/services), port numbers or port ranges (e.g.,
|
||||
21:22); if the protocol is "icmp", this column is interpreted
|
||||
as the destination icmp type(s).<br>
|
||||
</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
|
||||
If omitted, any source port is acceptable. Specified as a comma-separate
|
||||
list of port names, port numbers or port ranges.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">Example 1 - All packets arriving on eth1 should be marked
|
||||
with 1. All packets arriving on eth2 and eth3 should be marked with
|
||||
2. All packets originating on the firewall itself should be marked with
|
||||
3.</p>
|
||||
with 1. All packets arriving on eth2 and eth3 should be marked with
|
||||
2. All packets originating on the firewall itself should be marked with
|
||||
3.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>1</td>
|
||||
<td>eth1</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>2</td>
|
||||
<td>eth2</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">2<br>
|
||||
</td>
|
||||
<td valign="top">eth3<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">all<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td>fw</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>1</td>
|
||||
<td>eth1</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>2</td>
|
||||
<td>eth2</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">2<br>
|
||||
</td>
|
||||
<td valign="top">eth3<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">all<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td>fw</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
|
||||
on the firewall and destined for 155.186.235.151 should be marked with
|
||||
12.</p>
|
||||
on the firewall and destined for 155.186.235.151 should be marked with
|
||||
12.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>12</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>47</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>12</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>47</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
|
||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>22</td>
|
||||
<td>192.168.1.0/24</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>22</td>
|
||||
<td>192.168.1.0/24</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3>My Setup<br>
|
||||
</h3>
|
||||
</h3>
|
||||
|
||||
<p>While I am currently using the HTB version of <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
|
||||
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
|
||||
in the Wondershaper README), I have also run with the following set of
|
||||
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
|
||||
in the Wondershaper README), I have also run with the following set of
|
||||
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
||||
@ -305,28 +307,32 @@ hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
|
||||
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
||||
|
||||
<pre>echo " Defined fwmark filters"<br></pre>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p>My tcrules file that went with this tcstart file is shown in Example 1
|
||||
above.<br>
|
||||
</p>
|
||||
above. You can look at <a href="myfiles.htm">my configuration</a> to
|
||||
see why I wanted shaping of this type.<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>I wanted to allow up to 140kbits/second for traffic outbound
|
||||
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
|
||||
<li>I wanted to allow up to 140kbits/second for traffic outbound
|
||||
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
|
||||
can use all available bandwidth if there is no traffic from the local
|
||||
systems or from my laptop or firewall).</li>
|
||||
<li>My laptop and local systems could use up to 224kbits/second.</li>
|
||||
<li>My firewall could use up to 20kbits/second.<br>
|
||||
</li>
|
||||
<li>My laptop and local systems could use up to 224kbits/second.</li>
|
||||
<li>My firewall could use up to 20kbits/second.</li>
|
||||
|
||||
</ol>
|
||||
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
|
||||
to see how this fit in. <br>
|
||||
|
||||
<p><font size="2">Last Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font size="2">Last Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -18,13 +18,13 @@
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
@ -35,37 +35,37 @@
|
||||
<h3> </h3>
|
||||
|
||||
<h3>Version >= 1.4.0</h3>
|
||||
<b>IMPORTANT: Shorewall >=1.4.0 <u>REQUIRES</u></b> <b>the iproute package
|
||||
<b>IMPORTANT: Shorewall >=1.4.0 <u>REQUIRES</u></b> <b>the iproute package
|
||||
('ip' utility).</b><br>
|
||||
<br>
|
||||
If you are upgrading from a version < 1.4.0, then:<br>
|
||||
<br>
|
||||
If you are upgrading from a version < 1.4.0, then:<br>
|
||||
|
||||
<ul>
|
||||
<li>The <b>noping </b>and <b>forwardping</b> interface options are no
|
||||
longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
|
||||
<li>The <b>noping </b>and <b>forwardping</b> interface options are
|
||||
no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
|
||||
ICMP echo-request (ping) packets are treated just like any other connection
|
||||
request and are subject to rules and policies.</li>
|
||||
<li>Interface names of the form <device>:<integer> in /etc/shorewall/interfaces
|
||||
now generate a Shorewall error at startup (they always have produced warnings
|
||||
in iptables).</li>
|
||||
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. Shorewall
|
||||
1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents are
|
||||
determined by BOTH the interfaces and hosts files when there are entries for
|
||||
the zone in both files.</li>
|
||||
<li>The <b>routestopped</b> option in the interfaces and hosts file
|
||||
<li>Interface names of the form <device>:<integer> in
|
||||
/etc/shorewall/interfaces now generate a Shorewall error at startup (they
|
||||
always have produced warnings in iptables).</li>
|
||||
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
|
||||
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
|
||||
are determined by BOTH the interfaces and hosts files when there are entries
|
||||
for the zone in both files.</li>
|
||||
<li>The <b>routestopped</b> option in the interfaces and hosts file
|
||||
has been eliminated; use entries in the routestopped file instead.</li>
|
||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
|
||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
|
||||
accepted; you must convert to using the new syntax.</li>
|
||||
<li value="6">The ALLOWRELATED variable in shorewall.conf is no longer
|
||||
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
|
||||
<li value="6">Late-arriving DNS replies are not dropped by default;
|
||||
<li value="6">The ALLOWRELATED variable in shorewall.conf is no longer
|
||||
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
|
||||
<li value="6">Late-arriving DNS replies are not dropped by default;
|
||||
there is no need for your own /etc/shorewall/common file simply to avoid
|
||||
logging these packets.</li>
|
||||
<li value="6">The 'firewall', 'functions' and 'version' file have been
|
||||
moved to /usr/share/shorewall.</li>
|
||||
<li value="6">The icmp.def file has been removed. If you include it from
|
||||
/etc/shorewall/icmpdef, you will need to modify that file.</li>
|
||||
<li value="8">The 'multi' interface option is no longer supported. Shorewall
|
||||
<li value="6">The 'firewall', 'functions' and 'version' file have been
|
||||
moved to /usr/share/shorewall.</li>
|
||||
<li value="6">The icmp.def file has been removed. If you include it
|
||||
from /etc/shorewall/icmpdef, you will need to modify that file.</li>
|
||||
<li value="8">The 'multi' interface option is no longer supported. Shorewall
|
||||
will generate rules for sending packets back out the same interface that
|
||||
they arrived on in two cases:</li>
|
||||
|
||||
@ -74,20 +74,23 @@ they arrived on in two cases:</li>
|
||||
<ul>
|
||||
|
||||
<ul>
|
||||
<li>There is an <u>explicit</u> policy for the source zone to or from
|
||||
the destination zone. An explicit policy names both zones and does not use
|
||||
the 'all' reserved word.</li>
|
||||
<li>There is an <u>explicit</u> policy for the source zone to or from
|
||||
the destination zone. An explicit policy names both zones and does not use
|
||||
the 'all' reserved word.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>There are one or more rules for traffic for the source zone to or
|
||||
from the destination zone including rules that use the 'all' reserved word.
|
||||
Exception: if the source zone and destination zone are the same then the
|
||||
rule must be explicit - it must name the zone in both the SOURCE and DESTINATION
|
||||
columns.</li>
|
||||
<li>There are one or more rules for traffic for the source zone to
|
||||
or from the destination zone including rules that use the 'all' reserved
|
||||
word. Exception: if the source zone and destination zone are the same then
|
||||
the rule must be explicit - it must name the zone in both the SOURCE and
|
||||
DESTINATION columns.</li>
|
||||
|
||||
</ul>
|
||||
<li>If you followed the advice in FAQ #2 and call find_interface_address
|
||||
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
@ -96,52 +99,53 @@ rule must be explicit - it must name the zone in both the SOURCE and DESTINATION
|
||||
</ul>
|
||||
|
||||
<h3>Version >= 1.3.14</h3>
|
||||
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
Beginning in version 1.3.14, Shorewall treats entries in <a
|
||||
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
Beginning in version 1.3.14, Shorewall treats entries in <a
|
||||
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
|
||||
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
|
||||
<b>column</b>:<br>
|
||||
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
|
||||
<b>column</b>:<br>
|
||||
|
||||
<ul>
|
||||
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
|
||||
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
|
||||
interface (as shown by "ip addr show <i>interface</i>") and would masquerade
|
||||
traffic from that subnet. Any other subnets that routed through eth1 needed
|
||||
their own entry in /etc/shorewall/masq to be masqueraded or to have SNAT
|
||||
applied.</li>
|
||||
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
|
||||
routing table to determine ALL subnets routed through the named interface.
|
||||
Traffic originating in ANY of those subnets is masqueraded or has SNAT applied.</li>
|
||||
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
|
||||
routing table to determine ALL subnets routed through the named interface.
|
||||
Traffic originating in ANY of those subnets is masqueraded or has SNAT
|
||||
applied.</li>
|
||||
|
||||
</ul>
|
||||
You will need to make a change to your configuration if:<br>
|
||||
You will need to make a change to your configuration if:<br>
|
||||
|
||||
<ol>
|
||||
<li>You have one or more entries in /etc/shorewall/masq with an interface
|
||||
name in the SUBNET (second) column; and</li>
|
||||
<li>That interface connects to more than one subnetwork.</li>
|
||||
<li>You have one or more entries in /etc/shorewall/masq with an interface
|
||||
name in the SUBNET (second) column; and</li>
|
||||
<li>That interface connects to more than one subnetwork.</li>
|
||||
|
||||
</ol>
|
||||
Two examples:<br>
|
||||
<br>
|
||||
<b>Example 1</b> -- Suppose that your current config is as follows:<br>
|
||||
<br>
|
||||
Two examples:<br>
|
||||
<br>
|
||||
<b>Example 1</b> -- Suppose that your current config is as follows:<br>
|
||||
<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
|
||||
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
|
||||
required.<br>
|
||||
</blockquote>
|
||||
<b>Example 2</b>-- What if your current configuration is like this?<br>
|
||||
required.<br>
|
||||
</blockquote>
|
||||
<b>Example 2</b>-- What if your current configuration is like this?<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE SUBNET ADDRESS <br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254 <br> [root@gateway test]#</pre>
|
||||
|
||||
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
|
||||
to:<br>
|
||||
</blockquote>
|
||||
to:<br>
|
||||
</blockquote>
|
||||
|
||||
<pre> #INTERFACE SUBNET ADDRESS <br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
Version 1.3.14 also introduced simplified ICMP echo-request (ping)
|
||||
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
Version 1.3.14 also introduced simplified ICMP echo-request (ping)
|
||||
handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
|
||||
is used to specify that the old (pre-1.3.14) ping handling is to be used
|
||||
(If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
|
||||
@ -150,27 +154,27 @@ Traffic originating in ANY of those subnets is masqueraded or has SNAT applied
|
||||
See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
|
||||
|
||||
<h3>Version 1.3.10</h3>
|
||||
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to
|
||||
version 1.3.10, you will need to use the '--force' option:<br>
|
||||
<br>
|
||||
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
|
||||
to version 1.3.10, you will need to use the '--force' option:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<h3>Version >= 1.3.9</h3>
|
||||
The 'functions' file has moved to /usr/lib/shorewall/functions. If
|
||||
you have an application that uses functions from that file, your application
|
||||
The 'functions' file has moved to /usr/lib/shorewall/functions.
|
||||
If you have an application that uses functions from that file, your application
|
||||
will need to be changed to reflect this change of location.<br>
|
||||
|
||||
<h3>Version >= 1.3.8</h3>
|
||||
|
||||
<p>If you have a pair of firewall systems configured for failover
|
||||
or if you have asymmetric routing, you will need to modify
|
||||
your firewall setup slightly under Shorewall
|
||||
versions >= 1.3.8. Beginning with version 1.3.8,
|
||||
your firewall setup slightly under Shorewall
|
||||
versions >= 1.3.8. Beginning with version 1.3.8,
|
||||
you must set NEWNOTSYN=Yes in your
|
||||
/etc/shorewall/shorewall.conf file.</p>
|
||||
/etc/shorewall/shorewall.conf file.</p>
|
||||
|
||||
<h3>Version >= 1.3.7</h3>
|
||||
|
||||
@ -185,22 +189,22 @@ Traffic originating in ANY of those subnets is masqueraded or has SNAT applied
|
||||
command from that file since the icmp.def file is now empty.</p>
|
||||
|
||||
<h3><b><a name="Bering">Upgrading </a>Bering to
|
||||
Shorewall >= 1.3.3</b></h3>
|
||||
Shorewall >= 1.3.3</b></h3>
|
||||
|
||||
<p>To properly upgrade with Shorewall version
|
||||
1.3.3 and later:</p>
|
||||
1.3.3 and later:</p>
|
||||
|
||||
<ol>
|
||||
<li>Be sure you have a backup
|
||||
<li>Be sure you have a backup
|
||||
-- you will need to transcribe any Shorewall
|
||||
configuration changes that you have made
|
||||
to the new configuration.</li>
|
||||
<li>Replace the shorwall.lrp package
|
||||
provided on the Bering floppy with the
|
||||
later one. If you did not obtain the later
|
||||
version from Jacques's site, see additional
|
||||
instructions below.</li>
|
||||
<li>Edit the /var/lib/lrpkg/root.exclude.list
|
||||
configuration changes that you have
|
||||
made to the new configuration.</li>
|
||||
<li>Replace the shorwall.lrp
|
||||
package provided on the Bering floppy
|
||||
with the later one. If you did not obtain
|
||||
the later version from Jacques's site,
|
||||
see additional instructions below.</li>
|
||||
<li>Edit the /var/lib/lrpkg/root.exclude.list
|
||||
file and remove the /var/lib/shorewall
|
||||
entry if present. Then do not forget
|
||||
to backup root.lrp !</li>
|
||||
@ -209,92 +213,94 @@ to backup root.lrp !</li>
|
||||
|
||||
<p>The .lrp that I release isn't set up for a two-interface firewall like
|
||||
Jacques's. You need to follow the <a href="two-interface.htm">instructions
|
||||
for setting up a two-interface firewall</a> plus you also need to
|
||||
add the following two Bering-specific rules to /etc/shorewall/rules:</p>
|
||||
for setting up a two-interface firewall</a> plus you also need to add
|
||||
the following two Bering-specific rules to /etc/shorewall/rules:</p>
|
||||
|
||||
<blockquote>
|
||||
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
|
||||
|
||||
<p align="left">If you have a pair of firewall systems configured for
|
||||
failover or if you have asymmetric routing, you will need to modify
|
||||
failover or if you have asymmetric routing, you will need to modify
|
||||
your firewall setup slightly under Shorewall versions 1.3.6
|
||||
and 1.3.7</p>
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
<li>
|
||||
|
||||
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
|
||||
the following rule<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A newnotsyn -j RETURN
|
||||
# So that the connection tracking table can be rebuilt<br>
|
||||
# from non-SYN
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A newnotsyn -j RETURN
|
||||
# So that the connection tracking table can be rebuilt<br>
|
||||
# from non-SYN
|
||||
packets after takeover.<br>
|
||||
</font> </p>
|
||||
</li>
|
||||
<li>
|
||||
</font> </p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left">Create /etc/shorewall/common (if you don't already
|
||||
have that file) and include the following:<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
|
||||
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
|
||||
|
||||
have that file) and include the following:<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A common -p tcp
|
||||
--tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild
|
||||
connection<br>
|
||||
|
||||
#tracking table. <br>
|
||||
. /etc/shorewall/common.def</font> </p>
|
||||
</li>
|
||||
. /etc/shorewall/common.def</font> </p>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<h3 align="left">Versions >= 1.3.5</h3>
|
||||
|
||||
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
|
||||
longer supported. </p>
|
||||
longer supported. </p>
|
||||
|
||||
<p align="left">Example 1:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<p align="left">Must be replaced with:</p>
|
||||
|
||||
<div align="left">
|
||||
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Example 2:</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Must be replaced with:</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> REDIRECT loc 3128 tcp 80</pre>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<h3 align="left">Version >= 1.3.2</h3>
|
||||
|
||||
<p align="left">The functions and versions files together with the
|
||||
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
|
||||
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
|
||||
If you have applications that access these files, those applications
|
||||
should be modified accordingly.</p>
|
||||
|
||||
<p><font size="2"> Last updated 2/14/2003 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
<p><font size="2"> Last updated 3/6/2003 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
Loading…
Reference in New Issue
Block a user