diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml index 974ab11e3..7c77dc632 100644 --- a/Shorewall-docs2/Documentation_Index.xml +++ b/Shorewall-docs2/Documentation_Index.xml @@ -15,7 +15,7 @@ - 2005-01-19 + 2005-02-19 2001-2005 @@ -447,6 +447,11 @@ url="shorewall_prerequisites.htm">Requirements + + Routing and + Shorewall + + Routing on One Interface @@ -663,4 +668,4 @@ Creation - + \ No newline at end of file diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml index 1adb54f49..f2b1e9d20 100644 --- a/Shorewall-docs2/IPSEC-2.6.xml +++ b/Shorewall-docs2/IPSEC-2.6.xml @@ -15,7 +15,7 @@ - 2005-02-17 + 2005-02-19 2004 @@ -42,7 +42,8 @@ and you must be running Shorewall 2.1.5 or later (with Shorewall 2.2.0 Beta 1 or later recommended). The Netfilter patches are available from Netfilter Patch-O-Matic-NG and are also included in some commercial - distributions (most notably SuSE 9.1). + distributions (most notably SuSE 9.1 and + 9.2). diff --git a/Shorewall-docs2/OPENVPN.xml b/Shorewall-docs2/OPENVPN.xml index fb8953cfb..6013d9247 100644 --- a/Shorewall-docs2/OPENVPN.xml +++ b/Shorewall-docs2/OPENVPN.xml @@ -21,7 +21,7 @@ - 2005-01-29 + 2005-02-08 2003 @@ -52,7 +52,7 @@ Source project and is licensed under the GPL. OpenVPN can be downloaded from http://openvpn.sourceforge.net/. + url="http://openvpn.net/">http://openvpn.net/. OpenVPN support was added to Shorewall in version 1.3.14. diff --git a/Shorewall-docs2/Shorewall_Doesnt.xml b/Shorewall-docs2/Shorewall_Doesnt.xml index 52f35bc87..02ca7745f 100644 --- a/Shorewall-docs2/Shorewall_Doesnt.xml +++ b/Shorewall-docs2/Shorewall_Doesnt.xml @@ -13,13 +13,15 @@ Eastep - 2004-11-14 + 2005-02-20 2003 2004 + 2005 + Thomas M Eastep @@ -48,6 +50,11 @@ 2.4.0) + + Act as a Proxy (although it can be used with a separate proxy + such as Squid or Socks). + + Do content filtering: 
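Review bot: the last hunk of Documentation_Index.xml (@@ -663,4 +668,4 @@) replaces the file's final line with one marked "\ No newline at end of file", so the edit drops the trailing newline; restore it so the file ends cleanly and later diffs do not keep re-touching this line.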
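Review bot: the pubdate in the OPENVPN.xml hunk is bumped to 2005-02-08 while every other file in this change is dated 2005-02-19 or 2005-02-20; if the date is meant to record this revision, align it with the others.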
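Review bot: in the Shorewall_Doesnt.xml hunk adding "Act as a Proxy (although it can be used with a separate proxy such as Squid or Socks)", "Socks" names a protocol rather than a proxy product, and "Proxy" is capitalised unlike the surrounding list items; consider "Act as a proxy (although it can be used with a separate proxy such as Squid or a SOCKS proxy)".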
diff --git a/Shorewall-docs2/Shorewall_and_Routing.xml b/Shorewall-docs2/Shorewall_and_Routing.xml new file mode 100644 index 000000000..1b9713679 --- /dev/null +++ b/Shorewall-docs2/Shorewall_and_Routing.xml @@ -0,0 +1,170 @@ + + +
+ + + + Shorewall and Routing + + + + Tom + + Eastep + + + + 2005-02-19 + + + 2005 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Routing vs. Firewalling. + + One of the most misunderstood aspects of Shorewall is its + releationship with routing. This article attempts to clear some of the fog + that surrounds this issue. + + As a general principle: + + + + Routing determines where packets are to be sent. + + + + Once routing determines where the packet is to go, the firewall + (Shorewall) determines if the packet is allowed to go there. + + + + There are ways that Shorewall can affect routing which are described + in the following sections. +
+ +
+ Routing and Netfilter + + The following diagram shows the relationship between routing + decisions and Netfilter. + + + + The light blue boxes indicate where routing decisions are made. The + green boxes show where Netfilter processing takes place (as directed by + Shorewall). You will notice that there are two different paths through + this maze, depending on where the packet originates. We will look at each + of these separately. + +
+ Packets Entering the Firewall from Outside + + When a packet arrives from outside, it first undergoes Netfilter + PREROUTING processing. In Shorewall terms: + + + + Packets may be marked using entries in the /etc/shorewall/tcrules file. Entries in that file + containing ":P" in the mark column are applied here as are rules + that default to the MARK_IN_FORWARD_CHAIN=No setting in + /etc/shorewall/shorewall.conf. These marks may + be used to specify that the packet should be routed using an + alternate routing table; see the Shorewall Squid + documentation for examples. + + + + The destination IP address may be rewritten as a consequence + of: + + + + DNAT[-] rules. + + + + REDIRECT[-] rules. + + + + Entries in /etc/shorewall/nat. + + + + + + So the only influence that Shorewall has over where these packets + go is via NAT or by marking them so that they may be routed using an + alternate routing table. +
+ +
+ Packets Originating on the Firewall + + Processing of packets that originate on the firewall itself are + initially routed using the default routing table then passed through the + OUTPUT chains. Shorewall can influence what happens here: + + + + Packets may be marked using entries in the /etc/shorewall/tcrules file (rules with "$FW" in + the SOURCE column). These marks may be used to specify that the + packet should be re-routed using an alternate routing table. + + + + The destination IP address may be rewritten as a consequence + of: + + + + DNAT[-] rules that specify $FW as the SOURCE. + + + + Entries in /etc/shorewall/nat that + have "Yes" in LOCAL column. + + + + + + So again in this case, the only influence that Shorewall has over + the packet destination is NAT or marking. +
+
+ +
+ Alternate Routing Table Configuration + + The Shorewall Squid + documentation shows how alternate routing tables can be created + and used. That documentation shows how you can use logic in + /etc/shorewall/init to create and populate an + alternate table and to add a routing rule for its use. It is fine to use + that technique so long as you understand that you are basically just using + the Shorewall init script (/etc/init.d/shorewall) to + configure your alternate routing table at boot time and that other than as described in the previous section, there is no + connection between Shorewall and routing. +
+
\ No newline at end of file diff --git a/Shorewall-docs2/images/Thumbs.db b/Shorewall-docs2/images/Thumbs.db index d602faef9..d8abb6f19 100644 Binary files a/Shorewall-docs2/images/Thumbs.db and b/Shorewall-docs2/images/Thumbs.db differ diff --git a/Shorewall-docs2/support.xml b/Shorewall-docs2/support.xml index 80b4184df..f28e39bf4 100644 --- a/Shorewall-docs2/support.xml +++ b/Shorewall-docs2/support.xml @@ -15,7 +15,7 @@ - 2005-01-24 + 2005-02-20 2001-2005 @@ -123,9 +123,9 @@ - If Shorewall isn't started then - /sbin/shorewall/start. Otherwise - /sbin/shorewall reset. + If Shorewall isn't started then /sbin/shorewall + start. Otherwise /sbin/shorewall + reset.
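Review bot: the new Shorewall_and_Routing.xml has a subject-verb mismatch in the "Packets Originating on the Firewall" section, "Processing of packets that originate on the firewall itself are initially routed using the default routing table", which should read "Packets that originate on the firewall itself are initially routed using the default routing table". Also in this file: "releationship" in the first paragraph should be "relationship"; the title "Routing vs. Firewalling." carries a trailing period that no other section title in the file has; "have "Yes" in LOCAL column" should be "in the LOCAL column"; the phrase "rules that default to the MARK_IN_FORWARD_CHAIN=No setting" is ambiguous and, if it means tcrules entries with no explicit ":P"/":F" qualifier when MARK_IN_FORWARD_CHAIN=No is set, should say so; and the file ends with "\ No newline at end of file", so a trailing newline should be added.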
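Review bot: Shorewall-docs2/images/Thumbs.db ("Binary files ... differ") is a Windows Explorer thumbnail cache and does not belong in the repository; drop it from this commit and add it to the ignore list so it is not churned on every docs change.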