extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-04-27 12:49:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall 1.3.14 Release

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@438 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-02-08 20:46:02 +00:00
parent dfc7974ea0
commit 10b51d1991
12 changed files with 4860 additions and 5259 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1955
Shorewall-docs/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

2038
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

74
Shorewall-docs/blacklisting_support.htm
View File

@ -17,12 +17,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1> <h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -31,25 +31,26 @@
<h2>Static Blacklisting</h2> <h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following configuration parameters:</p> <p>Shorewall static blacklisting support has the following configuration
parameters:</p>
<ul> <ul>
<li>You specify whether you want packets from blacklisted hosts dropped <li>You specify whether you want packets from blacklisted hosts dropped
or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a> or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li> setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged <li>You specify whether you want packets from blacklisted hosts logged
and at what syslog level using the <a and at what syslog level using the <a
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
/etc/shorewall/shorewall.conf</li> /etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in <a <li>You list the IP addresses/subnets that you wish to blacklist in
href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning
with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service
names in the blacklist file.<br> names in the blacklist file.<br>
</li> </li>
<li>You specify the interfaces whose incoming packets you want checked <li>You specify the interfaces whose incoming packets you want checked
against the blacklist using the "<a against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li> href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the <li>The black list is refreshed from /etc/shorewall/blacklist by the
"<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li> "<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul> </ul>
@ -57,39 +58,42 @@ against the blacklist using the "<a
<h2>Dynamic Blacklisting</h2> <h2>Dynamic Blacklisting</h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting <p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p> /sbin/shorewall commands:</p>
<ul> <ul>
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the listed
IP addresses to be silently dropped by the firewall.</li> IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
IP addresses to be rejected by the firewall.</li> listed IP addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
from hosts previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li> from hosts previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
<li>save - save the dynamic blacklisting configuration so that it will <li>save - save the dynamic blacklisting configuration so that it will
be automatically restored the next time that the firewall is restarted.</li> be automatically restored the next time that the firewall is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li> <li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul> </ul>
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in
/etc/shorewall/interfaces.<br>
<p>Example 1:</p> <p>Example 1:</p>
<pre> shorewall drop 192.0.2.124 192.0.2.125</pre> <pre> <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p> <p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
<p>Example 2:</p> <p>Example 2:</p>
<pre> shorewall allow 192.0.2.125</pre> <pre> <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
<p>    Reenables access from 192.0.2.125.</p> <p>    Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 10/7/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br> <br>
</body> </body>
</html> </html>

279
Shorewall-docs/configuration_file_basics.htm
View File

@ -17,19 +17,20 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your <p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u> configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p> before you use them with Shorewall.</b></p>
@ -39,56 +40,57 @@
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to set several <li>/etc/shorewall/shorewall.conf - used to set several
firewall parameters.</li> firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set shell <li>/etc/shorewall/params - use this file to set
variables that you will expand in other files.</li> shell variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's <li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li> view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level <li>/etc/shorewall/policy - establishes firewall
policy.</li> high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces <li>/etc/shorewall/interfaces - describes the interfaces
on the firewall system.</li> on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in <li>/etc/shorewall/hosts - allows defining zones
terms of individual hosts and subnetworks.</li> in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where <li>/etc/shorewall/masq - directs the firewall where
to use many-to-one (dynamic) Network Address Translation (a.k.a. to use many-to-one (dynamic) Network Address Translation
Masquerading) and Source Network Address Translation (SNAT).</li> (a.k.a. Masquerading) and Source Network Address Translation
<li>/etc/shorewall/modules - directs the firewall (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li> to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are <li>/etc/shorewall/rules - defines rules that are
exceptions to the overall policies established in /etc/shorewall/policy.</li> exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy <li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li> ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and <li>/etc/shorewall/routestopped (Shorewall 1.3.4
later) - defines hosts accessible when Shorewall is stopped.</li> and later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets <li>/etc/shorewall/tcrules - defines marking of packets
for later use by traffic control/shaping or policy routing.</li> for later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting <li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li> the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and <li>/etc/shorewall/tunnels - defines IPSEC, GRE and
IPIP tunnels with end-points on the firewall system.</li> IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC <li>/etc/shorewall/blacklist - lists blacklisted
addresses.</li> IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the beginning <li>/etc/shorewall/init - commands that you wish to execute at the beginning
of a "shorewall start" or "shorewall restart".</li> of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the completion <li>/etc/shorewall/start - commands that you wish to execute at the
of a "shorewall start" or "shorewall restart"</li> completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning <li>/etc/shorewall/stop - commands that you wish to execute at the beginning
of a "shorewall stop".</li> of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at the <li>/etc/shorewall/stopped - commands that you wish to execute at the
completion of a "shorewall stop".<br> completion of a "shorewall stop".<br>
</li> </li>
</ul> </ul>
<h2><a name="Comments"></a>Comments</h2> <h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at character a pound sign ("#"). You may also place comments at
the end of any line, again by delimiting the comment from the rest the end of any line, again by delimiting the comment from the
of the line with a pound sign.</p> rest of the line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
@ -110,20 +112,20 @@ of the line with a pound sign.</p>
<p align="left"> </p> <p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u> <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names using DNS names in Shorewall configuration files. If you use DNS
and you are called out of bed at 2:00AM because Shorewall won't start names and you are called out of bed at 2:00AM because Shorewall won't
as a result of DNS problems then don't say that you were not forewarned. start as a result of DNS problems then don't say that you were not forewarned.
<br> <br>
</b></p> </b></p>
<p align="left"><b>    -Tom<br> <p align="left"><b>    -Tom<br>
</b></p> </b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall <p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS configuration files may be specified as either IP addresses or DNS
Names.<br> Names.<br>
<br> <br>
DNS names in iptables rules aren't nearly as useful as they DNS names in iptables rules aren't nearly as useful as they
first appear. When a DNS name appears in a rule, the iptables utility first appear. When a DNS name appears in a rule, the iptables utility
resolves the name to one or more IP addresses and inserts those addresses resolves the name to one or more IP addresses and inserts those addresses
into the rule. So changes in the DNS-&gt;IP address relationship that into the rule. So changes in the DNS-&gt;IP address relationship that
@ -133,20 +135,20 @@ of the line with a pound sign.</p>
<p align="left"> If your firewall rules include DNS names then:</p> <p align="left"> If your firewall rules include DNS names then:</p>
<ul> <ul>
<li>If your /etc/resolv.conf is wrong then your firewall <li>If your /etc/resolv.conf is wrong then your firewall
won't start.</li> won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall <li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li> won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall <li>If your Name Server(s) is(are) down then your firewall
won't start.</li> won't start.</li>
<li>If your startup scripts try to start your firewall before <li>If your startup scripts try to start your firewall before
starting your DNS server then your firewall won't start.<br> starting your DNS server then your firewall won't start.<br>
</li> </li>
<li>Factors totally outside your control (your ISP's router <li>Factors totally outside your control (your ISP's router
is down for example), can prevent your firewall from starting.</li> is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting <li>You must bring up your network interfaces prior to starting
your firewall.<br> your firewall.<br>
</li> </li>
</ul> </ul>
@ -154,77 +156,79 @@ won't start.</li>
of two periods (although one may be trailing). This restriction is of two periods (although one may be trailing). This restriction is
imposed by Shorewall to insure backward compatibility with existing imposed by Shorewall to insure backward compatibility with existing
configuration files.<br> configuration files.<br>
<br> <br>
Examples of valid DNS names:<br> Examples of valid DNS names:<br>
</p> </p>
<ul> <ul>
<li>mail.shorewall.net</li> <li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li> <li>shorewall.net. (note the trailing period).</li>
</ul> </ul>
Examples of invalid DNS names:<br> Examples of invalid DNS names:<br>
<ul> <ul>
<li>mail (not fully qualified)</li> <li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li> <li>shorewall.net (only one period)</li>
</ul> </ul>
DNS names may not be used as:<br> DNS names may not be used as:<br>
<ul> <ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules <li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li> file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li> <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li> <li>In the /etc/shorewall/nat file.</li>
</ul> </ul>
These restrictions are not imposed by Shorewall simply for These restrictions are not imposed by Shorewall simply for
your inconvenience but are rather limitations of iptables.<br> your inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2> <h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can <p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must example, !192.168.1.4 means "any host but 192.168.1.4". There must be
be no white space following the "!".</p> no white space following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2> <h2><a name="Lists"></a>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the <p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p> configuration files. A comma separated list:</p>
<ul> <ul>
<li>Must not have any embedded white space.<br> <li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br> Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,     dhcp,     norfc1818</li> Invalid: routestopped,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated <li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or list, the continuation line(s) must begin in column 1 (or
there would be embedded white space)</li> there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear in <li>Entries in a comma-separated list may appear
any order.</li> in any order.</li>
</ul> </ul>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2> <h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use <p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p> either an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2> <h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low <p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to if you want to forward the range of tcp ports 4000 through 4100 to local
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br> host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p> </p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre> <pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you omit
the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2> <h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables <p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p> that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font <p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally size="1"> </font>to distinguish them from variables used internally
@ -235,28 +239,28 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
<blockquote> <blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
</blockquote> </blockquote>
<p><br> <p><br>
Example (/etc/shorewall/interfaces record):</p> Example (/etc/shorewall/interfaces record):</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre> <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote> </blockquote>
</font> </font>
<p>The result will be the same as if the record had been written</p> <p>The result will be the same as if the record had been written</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre> <pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote> </blockquote>
</font> </font>
<p>Variables may be used anywhere in the other configuration <p>Variables may be used anywhere in the other configuration
files.</p> files.</p>
@ -269,56 +273,56 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
included.</p> included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a <p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br> unique MAC address.<br>
<br> <br>
In GNU/Linux, MAC addresses are usually written as a In GNU/Linux, MAC addresses are usually written as
series of 6 hex numbers separated by colons. Example:<br> a series of 6 hex numbers separated by colons. Example:<br>
<br> <br>
     [root@gateway root]# ifconfig eth0<br>      [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>      eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255      inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br> Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0      RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br> frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0      TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br> carrier:0<br>
     collisions:30394 txqueuelen:100<br>      collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br> (1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>      Interrupt:11 Base address:0x1800<br>
<br> <br>
Because Shorewall uses colons as a separator for address Because Shorewall uses colons as a separator for address
fields, Shorewall requires MAC addresses to be written in another fields, Shorewall requires MAC addresses to be written in another
way. In Shorewall, MAC addresses begin with a tilde ("~") and consist way. In Shorewall, MAC addresses begin with a tilde ("~") and
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address consist of 6 hex numbers separated by hyphens. In Shorewall, the
in the example above would be written "~02-00-08-E3-FA-55".<br> MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p> </p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation <p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br> in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p> </p>
<h2><a name="Levels"></a>Shorewall Configurations</h2> <h2><a name="Levels"></a>Shorewall Configurations</h2>
<p> Shorewall allows you to have configuration directories other than /etc/shorewall. <p> Shorewall allows you to have configuration directories other than /etc/shorewall.
The <a href="starting_and_stopping_shorewall.htm">shorewall start The <a href="starting_and_stopping_shorewall.htm">shorewall start and
and restart</a> commands allow you to specify an alternate configuration restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate rather than the corresponding files in /etc/shorewall. The alternate directory
directory need not contain a complete configuration; those files not need not contain a complete configuration; those files not in the alternate
in the alternate directory will be read from /etc/shorewall.</p> directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration <p> This facility permits you to easily create a test or temporary configuration
by:</p> by:</p>
<ol> <ol>
<li> copying the files that need modification from <li> copying the files that need modification from
/etc/shorewall to a separate directory;</li> /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory; <li> modify those files in the separate directory;
and</li> and</li>
<li> specifying the separate directory in a shorewall <li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
restart</b></i> ).</li> restart</b></i> ).</li>
</ol> </ol>
@ -326,14 +330,15 @@ in the alternate directory will be read from /etc/shorewall.</p>
<p><font size="2"> Updated 12/29/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>

465
Shorewall-docs/download.htm
View File

@ -17,13 +17,14 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -31,43 +32,42 @@
<p><b>I strongly urge you to read and print a copy of the <a <p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br> for the configuration that most closely matches your own.<br>
</b></p> </b></p>
<p>The entire set of Shorewall documentation is available in PDF format <p>The entire set of Shorewall documentation is available in PDF format at:</p>
at:</p>
<p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> <p>    <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>     <a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
    <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>     <a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
</p> </p>
<p>The documentation in HTML format is included in the .rpm and in the <p>The documentation in HTML format is included in the .rpm and in the .tgz
.tgz packages below.</p> packages below.</p>
<p> Once you've done that, download <u> one</u> of the modules:</p> <p> Once you've done that, download <u> one</u> of the modules:</p>
<ul> <ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> <li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
Linux PPC</b> or <b> TurboLinux</b> distribution with <b> Linux PPC</b> or <b> TurboLinux</b> distribution
a 2.4 kernel, you can use the RPM version (note: the with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store RPM should also work with other distributions that
init scripts in /etc/init.d and that include chkconfig or store init scripts in /etc/init.d and that include chkconfig
insserv). If you find that it works in other cases, let <a or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li> Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you <li>If you are running LRP, download the .lrp file (you
might also want to download the .tgz so you will have a copy of might also want to download the .tgz so you will have a copy of
the documentation).</li> the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> <li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
and would like a .deb package, Shorewall is included in both the and would like a .deb package, Shorewall is included in both
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the <a Testing Branch</a> and the <a
href="http://packages.debian.org/unstable/net/shorewall.html">Debian href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li> Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> <li>Otherwise, download the <i>shorewall</i>
module (.tgz)</li> module (.tgz)</li>
</ul> </ul>
@ -76,14 +76,14 @@ the documentation).</li>
<p>Please verify the version that you have downloaded -- during the <p>Please verify the version that you have downloaded -- during the
release of a new version of Shorewall, the links below may release of a new version of Shorewall, the links below may
point to a newer or an older version than is shown below.</p> point to a newer or an older version than is shown below.</p>
<ul> <ul>
<li>RPM - "rpm -qip LATEST.rpm"</li> <li>RPM - "rpm -qip LATEST.rpm"</li>
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name <li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
will contain the version)</li> will contain the version)</li>
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar <li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version" -zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version"
</li> </li>
</ul> </ul>
@ -91,302 +91,301 @@ the documentation).</li>
<p>Once you have verified the version, check the <font <p>Once you have verified the version, check the <font
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
if there are updates that apply to the version that you have if there are updates that apply to the version that you have
downloaded.</p> downloaded.</p>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL <p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p> of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b>Download Latest Version</b> (<b>1.3.13</b>): <b>Remember that updates <p><b>Download Latest Version</b> (<b>1.3.14</b>): <b>Remember that updates
to the mirrors occur 1-12 hours after an update to the Washington State to the mirrors occur 1-12 hours after an update to the Washington
site.</b></p> State site.</b></p>
<blockquote> <blockquote>
<table border="2" cellspacing="3" cellpadding="3" <table border="2" cellspacing="3" cellpadding="3"
style="border-collapse: collapse;"> style="border-collapse: collapse;">
<tbody> <tbody>
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td valign="top">SourceForge<br>
<td><b>DOMAIN</b></td> </td>
<td><b>HTTP</b></td> <td valign="top">sf.net<br>
<td><b>FTP</b></td> </td>
</tr> <td valign="top"><a
<tr>
<td valign="top">SourceForge<br>
</td>
<td valign="top">sf.net<br>
</td>
<td valign="top"><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td>Slovak Republic</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"> href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a><br> .rpm</a><br>
<a <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"> href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td>Texas, USA</td> <td>Texas, USA</td>
<td>Infohiiway.com</td> <td>Infohiiway.com</td>
<td><a <td><a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"> href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
.lrp</a><br> .lrp</a><br>
<a <a
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"> href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td>Hamburg, Germany</td> <td>Hamburg, Germany</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a><br> .rpm</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br> .tgz</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"> href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
Download.md5sums</a></td> Download.md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a></td> .md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td>Martinez (Zona Norte - GBA), Argentina</td> <td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td> <td>Correofuego.com.ar</td>
<td> <a target="_blank" <td> <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br> Download .lrp</a><br>
<a target="_blank" <a target="_blank"
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td> .md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><br> Download .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td> .md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td>Paris, France</td> <td>Paris, France</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br> href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://france.shorewall.net/pub/LATEST.tgz">Download href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br>
.tgz</a> <br> <a
<a href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br>
href="http://france.shorewall.net/pub/LATEST.lrp">Download <a
.lrp</a><br>
<a
href="http://france.shorewall.net/pub/LATEST.md5sums">Download href="http://france.shorewall.net/pub/LATEST.md5sums">Download
.md5sums</a></td> .md5sums</a></td>
<td> <a target="_blank" <td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
.rpm</a>  <br> .rpm</a>  <br>
<a target="_blank" <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a target="_blank" <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
.md5sums</a></td> .md5sums</a></td>
</tr> </tr>
<tr> <tr>
<td valign="middle">Washington State, USA<br> <td valign="middle">Washington State, USA<br>
</td> </td>
<td valign="middle">Shorewall.net<br> <td valign="middle">Shorewall.net<br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br> href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a <a
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><br> .lrp</a><br>
<a <a
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br> .md5sums</a><br>
</td> </td>
<td valign="top"><a <td valign="top"><a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank"> href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a> <br> Download .rpm</a> <br>
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a> <br> .tgz</a> <br>
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><br> .lrp</a><br>
<a target="_blank" <a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
.md5sums</a><br> .md5sums</a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p><b>Browse Download Sites:</b></p> <p><b>Browse Download Sites:</b></p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>SERVER LOCATION</b></td> <td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td> <td><b>DOMAIN</b></td>
<td><b>HTTP</b></td> <td><b>HTTP</b></td>
<td><b>FTP</b></td> <td><b>FTP</b></td>
</tr> </tr>
<tr> <tr>
<td>SourceForge<br> <td>SourceForge<br>
</td> </td>
<td>sf.net</td> <td>sf.net</td>
<td><a <td><a
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td> href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
<td>N/A</td> <td>N/A</td>
</tr> </tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td> <a target="_blank"
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr> <tr>
<td>Washington State, USA</td> <td>Slovak Republic</td>
<td>Shorewall.net</td> <td>Shorewall.net</td>
<td><a <td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td> href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a <td> <a target="_blank"
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td> href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr> </tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank"
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank"
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td> <a target="_blank"
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
</tr>
<tr>
<td>France</td>
<td>Shorewall.net</td>
<td><a
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
<td> <a target="_blank"
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p align="left"><b>CVS:</b></p> <p align="left"><b>CVS:</b></p>
<blockquote> <blockquote>
<p align="left">The <a target="_top" <p align="left">The <a target="_top"
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository at href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall at cvs.shorewall.net</a> contains the latest snapshots of the each
component. There's no guarantee that what you find there will work Shorewall component. There's no guarantee that what you find there
at all.<br> will work at all.<br>
</p> </p>
</blockquote> </blockquote>
<p align="left"><font size="2">Last Updated 1/13/2003 - <a <p align="left"><font size="2">Last Updated 2/7/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
</body> </body>

564
Shorewall-docs/errata.htm
View File

@ -21,14 +21,15 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -36,65 +37,68 @@
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the first <p align="left"> <b>If you are installing Shorewall for the
time and plan to use the .tgz and install.sh script, you can untar first time and plan to use the .tgz and install.sh script, you can
the archive, replace the 'firewall' script in the untarred directory untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are running a Shorewall version earlier <p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected firewall than 1.3.11, when the instructions say to install a corrected firewall
script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall /etc/shorewall/firewall or /var/lib/shorewall/firewall before
and /var/lib/shorewall/firewall are symbolic links that point you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
to the 'shorewall' file used by your system initialization scripts are symbolic links that point to the 'shorewall' file used by
to start Shorewall during boot. It is that file that must be your system initialization scripts to start Shorewall during
overwritten with the corrected script. Beginning with Shorewall boot. It is that file that must be overwritten with the corrected
1.3.11, you may rename the existing file before copying in the new file.</b></p> script. Beginning with Shorewall 1.3.11, you may rename the existing file
</li> before copying in the new file.</b></p>
<li> </li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br> 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems <li> <b><a href="#V1.3">Problems
in Version 1.3</a></b></li> in Version 1.3</a></b></li>
<li> <b><a <li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li> href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font <li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font <li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3 color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems <li> <b><a
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li> href="#Debug">Problems with kernels &gt;= 2.4.18 and
<li><b><a href="#SuSE">Problems installing/upgrading RedHat iptables</a></b></li>
RPM on SuSE</a></b></li> <li><b><a href="#SuSE">Problems installing/upgrading
<li><b><a href="#Multiport">Problems with iptables version RPM on SuSE</a></b></li>
1.2.7 and MULTIPORT=Yes</a></b></li> <li><b><a href="#Multiport">Problems with iptables
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and
NAT</a></b><br> NAT</a></b><br>
</li> </li>
</ul> </ul>
@ -105,104 +109,109 @@ RPM on SuSE</a></b></li>
<h3>Version 1.3.13</h3> <h3>Version 1.3.13</h3>
<ul> <ul>
<li>The 'shorewall add' command produces an error message referring to <li>The 'shorewall add' command produces an error message referring
'find_interfaces_by_maclist'.</li> to 'find_interfaces_by_maclist'.</li>
<li>The 'shorewall delete' command can leave behind undeleted rules.<br> <li>The 'shorewall delete' command can leave behind undeleted rules.</li>
</li> <li>The 'shorewall add' command can fail with "iptables: Index of insertion
too big".<br>
</li>
</ul> </ul>
Both problems are corrected by <a All three problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br> above.<br>
<ul> <ul>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1) <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
are not supported in this version or in 1.3.12. If you need such support, are not supported in this version or in 1.3.12. If you need such support,
post on the users list and I can provide you with a patched version.<br> post on the users list and I can provide you with a patched version.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.12</h3> <h3>Version 1.3.12</h3>
<ul> <ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is
the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem
corrected by <a is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described firewall script</a> which may be installed in /usr/lib/shorewall as described
above.</li> above.</li>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1) <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
are not supported in this version or in 1.3.13. If you need such support, are not supported in this version or in 1.3.13. If you need such support,
post on the users list and I can provide you with a patched version.<br> post on the users list and I can provide you with a patched version.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.12 LRP</h3> <h3>Version 1.3.12 LRP</h3>
<ul> <ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file -- a <li>The .lrp was missing the /etc/shorewall/routestopped file -- a
new lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br> new lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.11a</h3> <h3>Version 1.3.11a</h3>
<ul> <ul>
<li><a <li><a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br> copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.11</h3> <h3>Version 1.3.11</h3>
<ul> <ul>
<li>When installing/upgrading using the .rpm, you may receive the <li>When installing/upgrading using the .rpm, you may receive
following warnings:<br> the following warnings:<br>
<br>
     user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading
the .rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains
! followed by a sub-zone list) result in an error message and Shorewall
fails to start.<br>
<br> <br>
     user teastep does not exist - using root<br> Install <a
     group teastep does not exist - using root<br>
<br>
These warnings are harmless and may be ignored. Users downloading
the .rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains
! followed by a sub-zone list) result in an error message and Shorewall
fails to start.<br>
<br>
Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem. corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br> Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
<br> <br>
This problem is corrected in version 1.3.11a.<br> This problem is corrected in version 1.3.11a.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
<ul> <ul>
<li>If you experience problems connecting to a PPTP server running <li>If you experience problems connecting to a PPTP server running
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases where version of the firewall script</a> may help. Please report any cases
installing this script in /usr/lib/shorewall/firewall solved your connection where installing this script in /usr/lib/shorewall/firewall solved your
problems. Beginning with version 1.3.10, it is safe to save the old version connection problems. Beginning with version 1.3.10, it is safe to save
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall the old version of /usr/lib/shorewall/firewall before copying in the
is the real script now and not just a symbolic link to the real script.<br> new one since /usr/lib/shorewall/firewall is the real script now and
</li> not just a symbolic link to the real script.<br>
</li>
</ul> </ul>
<h3>Version 1.3.9a</h3> <h3>Version 1.3.9a</h3>
<ul> <ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li> then the following message appears during "shorewall [re]start":</li>
</ul> </ul>
@ -214,286 +223,290 @@ as the .rpm you will get from there has been corrected.</li>
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall corrects this problem.Copy the script to /usr/lib/shorewall/firewall
as described above.<br> as described above.<br>
</blockquote> </blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br> to 'recalculate_interface'. <br>
</blockquote> </blockquote>
<ul> <ul>
<li>The installer (install.sh) issues a misleading message "Common <li>The installer (install.sh) issues a misleading message
functions installed in /var/lib/shorewall/functions" whereas the file "Common functions installed in /var/lib/shorewall/functions" whereas
is installed in /usr/lib/shorewall/functions. The installer also performs the file is installed in /usr/lib/shorewall/functions. The installer
incorrectly when updating old configurations that had the file /etc/shorewall/functions. also performs incorrectly when updating old configurations that had the
<a file /etc/shorewall/functions. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br> is an updated version that corrects these problems.<br>
</a></li> </a></li>
</ul> </ul>
<h3>Version 1.3.9</h3> <h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall
script at <a script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br> -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br> <br>
Version 1.3.8 Version 1.3.8
<ul> <ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS <li> Use of shell variables in the LOG LEVEL or SYNPARMS
columns of the policy file doesn't work.</li> columns of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses <li>A DNAT rule with the same original and new IP addresses
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br> tcp 25 - 10.1.1.1")<br>
</li> </li>
</ul> </ul>
Installing <a Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these problems. as described above corrects these
problems.
<h3>Version 1.3.7b</h3> <h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW) <p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing result in an error message. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this
problem.</p>
<h3>Version 1.3.7a</h3> <h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper <p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward "shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing icmp echo-request (ping) packets. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this
problem.</p>
<h3>Version &lt;= 1.3.7a</h3> <h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as <p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918 options on a given interface then RFC 1918
checking is occurring before DHCP checking. This checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This reject the broadcast (usually logging it). This
has two problems:</p> has two problems:</p>
<ol> <ol>
<li>If the firewall is <li>If the firewall is
running a DHCP server, the client running a DHCP server, the client
won't be able to obtain an IP address won't be able to obtain an IP address
lease from that server.</li> lease from that server.</li>
<li>With this order of <li>With this order of
checking, the "dhcp" option cannot checking, the "dhcp" option cannot
be used as a noise-reduction measure be used as a noise-reduction measure
where there are both dynamic and static where there are both dynamic and static
clients on a LAN segment.</li> clients on a LAN segment.</li>
</ol> </ol>
<p> <a <p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a> This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed corrects the problem. It must be installed
in /var/lib/shorewall as described in /var/lib/shorewall as described
above.</p> above.</p>
<h3>Version 1.3.7</h3> <h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use <p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against version 1.3.7a and check your version against
these md5sums -- if there's a difference, please these md5sums -- if there's a difference, please
download again.</p> download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre> <pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt; <p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
and compare the result with what you see above.</p> and compare the result with what you see above.</p>
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the <p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
.7 version in each sequence from now on.</p> .7 version in each sequence from now on.</p>
<h3 align="left">Version 1.3.6</h3> <h3 align="left">Version 1.3.6</h3>
<ul> <ul>
<li> <li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, <p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an error occurs when the firewall script attempts to
an SNAT alias. </p> add an SNAT alias. </p>
</li> </li>
<li> <li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables cause errors during startup when Shorewall is run with iptables
1.2.7. </p> 1.2.7. </p>
</li> </li>
</ul> </ul>
<p align="left">These problems are fixed in <a <p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also /var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p> corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3> <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces <p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you file" -- this line should be added back in if the version that you
downloaded is missing it:</p> downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p> <p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above <p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p> line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3> <h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-( <p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p> /var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3> <h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the <p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p> following were allowed:</p>
<div align="left"> <div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre> <pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only <p align="left">That capability was lost in version 1.3.4 so that it is only
possible to  include a single host specification on each line. possible to  include a single host specification on each line.
This problem is corrected by <a This problem is corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p> as instructed above.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p> <p align="left">This problem is corrected in version 1.3.5b.</p>
</div> </div>
<h3 align="left">Version 1.3.5</h3> <h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install <p align="left">REDIRECT rules are broken in this version. Install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version as instructed above. This problem is corrected in version
1.3.5a.</p> 1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3> <h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands <p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy file to not verify that the zones named in the /etc/shorewall/policy
have been previously defined in the /etc/shorewall/zones file. file have been previously defined in the /etc/shorewall/zones
The "shorewall check" command does perform this verification so file. The "shorewall check" command does perform this verification
it's a good idea to run that command after you have made configuration so it's a good idea to run that command after you have made configuration
changes.</p> changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3> <h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after <p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match "Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in that specifies an interface that you didn't include in
/etc/shorewall/interfaces. To correct this problem, you /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3
later versions produce a clearer error message in this case.</p> and later versions produce a clearer error message in this
case.</p>
<h3 align="left">Version 1.3.2</h3> <h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the <p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct version file can be identified by its size (56284 bytes). The correct
has a size of 38126 bytes.</p> version has a size of 38126 bytes.</p>
<ul> <ul>
<li>The code to detect a duplicate interface <li>The code to detect a duplicate interface
entry in /etc/shorewall/interfaces contained a typo that entry in /etc/shorewall/interfaces contained a typo that prevented
prevented it from working correctly. </li> it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved <li>"NAT_BEFORE_RULES=No" was broken; it behaved
just like "NAT_BEFORE_RULES=Yes".</li> just like "NAT_BEFORE_RULES=Yes".</li>
</ul> </ul>
<p align="left">Both problems are corrected in <a <p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p> as described above.</p>
<ul> <ul>
<li> <li>
<p align="left">The IANA have just announced the allocation of subnet <p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a 221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p> updated rfc1918</a> file reflects that allocation.</p>
</li> </li>
</ul> </ul>
<h3 align="left">Version 1.3.1</h3> <h3 align="left">Version 1.3.1</h3>
<ul> <ul>
<li>TCP SYN packets may be double counted when <li>TCP SYN packets may be double counted
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., when LIMIT:BURST is included in a CONTINUE or ACCEPT policy
each packet is sent through the limit chain twice).</li> (i.e., each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain <li>An unnecessary jump to the policy chain
is sometimes generated for a CONTINUE policy.</li> is sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more than one <li>When an option is given for more than
interface in /etc/shorewall/interfaces then depending one interface in /etc/shorewall/interfaces then depending
on the option, Shorewall may ignore all but the first appearence on the option, Shorewall may ignore all but the first
of the option. For example:<br> appearence of the option. For example:<br>
<br> <br>
net    eth0    dhcp<br> net    eth0    dhcp<br>
loc    eth1    dhcp<br> loc    eth1    dhcp<br>
<br> <br>
Shorewall will ignore the 'dhcp' on eth1.</li> Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described <li>Update 17 June 2002 - The bug described
in the prior bullet affects the following options: dhcp, in the prior bullet affects the following options: dhcp,
dropunclean, logunclean, norfc1918, routefilter, multi, dropunclean, logunclean, norfc1918, routefilter, multi,
filterping and noping. An additional bug has been found filterping and noping. An additional bug has been found
that affects only the 'routestopped' option.<br> that affects only the 'routestopped' option.<br>
<br> <br>
Users who downloaded the corrected script prior Users who downloaded the corrected script
to 1850 GMT today should download and install the corrected prior to 1850 GMT today should download and install
script again to ensure that this second problem is corrected.</li> the corrected script again to ensure that this second
problem is corrected.</li>
</ul> </ul>
<p align="left">These problems are corrected in <a <p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p> as described above.</p>
<h3 align="left">Version 1.3.0</h3> <h3 align="left">Version 1.3.0</h3>
<ul> <ul>
<li>Folks who downloaded 1.3.0 from the links <li>Folks who downloaded 1.3.0 from the links
on the download page before 23:40 GMT, 29 May 2002 may on the download page before 23:40 GMT, 29 May 2002 may
have downloaded 1.2.13 rather than 1.3.0. The "shorewall have downloaded 1.2.13 rather than 1.3.0. The "shorewall
version" command will tell you which version that you version" command will tell you which version that you
have installed.</li> have installed.</li>
<li>The documentation NAT.htm file uses non-existent <li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li> corrected version is here</a>.</li>
</ul> </ul>
@ -505,7 +518,7 @@ have installed.</li>
<hr> <hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with <h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3> iptables version 1.2.3</font></h3>
<blockquote> <blockquote>
@ -519,24 +532,24 @@ have installed.</li>
corrected 1.2.3 rpm which you can download here</a>  and I have corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download has released an iptables-1.2.4 RPM of their own which you can
from<font color="#ff6633"> <a download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works </font>I have installed this RPM on my firewall and it works
fine.</p> fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification which corrects a problem with parsing of the --log-level specification
while this <a while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
@ -545,91 +558,94 @@ fine.</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p> may experience the following:</p>
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing the Netfilter 'mangle' table. You can correct the problem by
<a installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option to of iptables, you will need to specify the --oldpackage option to
rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict <p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to installed, simply use the "--nodeps" option to
rpm.</p> rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with <h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made <p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to an incompatible change to the syntax used to
specify multiport match rules; as a consequence, specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p> Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No in <li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li> /etc/shorewall/shorewall.conf; or </li>
<li>if you are running <li>if you are running
Shorewall 1.3.6 you may install Shorewall 1.3.6 you may install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result /etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:<br> in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support The solution is to put "no" in the LOCAL column. Kernel support
for LOCAL=yes has never worked properly and 2.4.18-10 has disabled for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it.
it. The 2.4.19 kernel contains corrected support under a new kernel The 2.4.19 kernel contains corrected support under a new kernel configuraiton
configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 1/25/2003 - <p><font size="2"> Last updated 2/8/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>

204
Shorewall-docs/mailing_list.htm
View File

@ -24,47 +24,48 @@
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" align="left"> <td width="33%" valign="middle" align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a></h1> </a></h1>
<a <a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a> </a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p> <p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <a <td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115" src="images/small-picture.gif" align="right" border="0" width="115"
height="45" alt="(Postfix Logo)"> height="45" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right" src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> border="0">
</a> </div> </a> </div>
<br> <br>
<div align="right"><br> <div align="right"><br>
<b><font color="#ffffff"><br> <b><font color="#ffffff"><br>
Powered by Postfix    </font></b><br> Powered by Postfix    </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -79,54 +80,54 @@
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p> at hp dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a <h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br> at shorewall.net checks incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a> <li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li> </li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record <li>to verify that the sender's domain has an A or MX record
in DNS.</li> in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command <li>to ensure that the host name in the HELO/EHLO command
is a valid fully-qualified DNS name that resolves.</li> is a valid fully-qualified DNS name that resolves.</li>
</ol> </ol>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in "for continuous abuse" because it has been my policy to allow HTML in list
list posts!!<br> posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control spam I think that blocking all HTML is a Draconian way to control spam
and that the ultimate losers here are not the spammers but the list subscribers and that the ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list subscriber whose MTAs are bouncing all shorewall.net mail. As one list subscriber
wrote to me privately "These e-mail admin's need to get a <i>(explitive wrote to me privately "These e-mail admin's need to get a <i>(explitive
deleted)</i> life instead of trying to rid the planet of HTML based e-mail". deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
Nevertheless, to allow subscribers to receive list posts as must as possible, Nevertheless, to allow subscribers to receive list posts as must as possible,
I have now configured the list server at shorewall.net to strip all HTML I have now configured the list server at shorewall.net to strip all HTML
from outgoing posts. This means that HTML-only posts will be bounced by the from outgoing posts. This means that HTML-only posts will be bounced by
list server.<br> the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your e-mail If you find that you are missing an occasional list post, your e-mail
admin may be blocking mail whose <i>Received:</i> headers contain the admin may be blocking mail whose <i>Received:</i> headers contain the names
names of certain ISPs. Again, I believe that such policies hurt more than of certain ISPs. Again, I believe that such policies hurt more than they
they help but I'm not prepared to go so far as to start stripping <i>Received:</i> help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br> headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
@ -139,13 +140,13 @@ they help but I'm not prepared to go so far as to start stripping <i>Received:<
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
@ -155,46 +156,46 @@ they help but I'm not prepared to go so far as to start stripping <i>Received:<
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the <h2 align="left"><font color="#ff0000">Please do not try to download the entire
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
won't stand the traffic. If I catch you, you will be blacklisted.<br> stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline If you want to trust X.509 certificates issued by Shoreline
Firewall (such as the one used on my web site), you may <a Firewall (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you in your browser. If you don't wish to trust my certificates then
can either use unencrypted access when subscribing to Shorewall mailing you can either use unencrypted access when subscribing to Shorewall
lists or you can use secure access (SSL) and accept the server's certificate mailing lists or you can use secure access (SSL) and accept the server's
when prompted by your browser.<br> certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information of to get answers to questions and to report problems. Information
general interest to the Shorewall user community is also posted to of general interest to the Shorewall user community is also posted
this list.</p> to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem reporting the <a href="http://www.shorewall.net/support.htm">problem reporting
guidelines</a>.</b></p> guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users" href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
@ -206,45 +207,45 @@ guidelines</a>.</b></p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at <p align="left">Note that prior to 1/1/2002, the mailing list was hosted
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
may be found at <a list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br> Shorewall community. To subscribe:<br>
</p> </p>
<p align="left"></p> <p align="left"></p>
<ul> <ul>
<li><b>Insecure:</b> <a <li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a <li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul> </ul>
<p align="left"><br> <p align="left"><br>
The list archives are at <a The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for <p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating the exchange of ideas about the future of Shorewall and for coordinating
ongoing Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel" href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
@ -257,33 +258,33 @@ may be found at <a
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2> the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted to from Mailman-managed lists although Mailman 2.1 has attempted
make this less confusing. To unsubscribe:</p> to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
reminder, or change your subscription options enter your subscription reminder, or change your subscription options enter your subscription
email address:". Enter your email address in the box and click email address:". Enter your email address in the box and click
on the "<b>Unsubscribe</b> or edit options" button.</p> on the "<b>Unsubscribe</b> or edit options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed there is another button that will cause your password to be emailed
to you.</p> to you.</p>
</li> </li>
</ul> </ul>
@ -293,10 +294,11 @@ may be found at <a
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 2/3/2003 - <a <p align="left"><font size="2">Last updated 2/3/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
</body> </body>
</html> </html>

119
Shorewall-docs/ports.htm
View File

@ -15,13 +15,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Ports required for Various <h1 align="center"><font color="#ffffff">Ports required for Various
Services/Applications</font></h1> Services/Applications</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -35,43 +35,43 @@ firewall to accommodate.</p>
<blockquote> <blockquote>
<p>UDP Port 123</p> <p>UDP Port 123</p>
</blockquote> </blockquote>
<p>rdate</p> <p>rdate</p>
<blockquote> <blockquote>
<p>TCP Port 37</p> <p>TCP Port 37</p>
</blockquote> </blockquote>
<p>UseNet (NNTP)</p> <p>UseNet (NNTP)</p>
<blockquote> <blockquote>
<p>TCP Port 119</p> <p>TCP Port 119</p>
</blockquote> </blockquote>
<p>DNS</p> <p>DNS</p>
<blockquote> <blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably <p>UDP Port 53. If you are configuring a DNS client, you will probably want
want to open TCP Port 53 as well.<br> to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will return If you are configuring a server, only open TCP Port 53 if you will
long replies to queries or if you need to enable ZONE transfers. In the return long replies to queries or if you need to enable ZONE transfers. In
latter case, be sure that your server is properly configured.</p> the latter case, be sure that your server is properly configured.</p>
</blockquote> </blockquote>
<p>ICQ   </p> <p>ICQ   </p>
<blockquote> <blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports which <p>UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</p> you can specify to your ICQ client. By default, clients use 4000-4100.</p>
</blockquote> </blockquote>
<p>PPTP</p> <p>PPTP</p>
<blockquote> <blockquote>
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a <p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
href="PPTP.htm">Lots more information here</a>).</p> href="PPTP.htm">Lots more information here</a>).</p>
</blockquote> </blockquote>
<p>IPSEC</p> <p>IPSEC</p>
@ -79,43 +79,43 @@ want to open TCP Port 53 as well.<br>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port <p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
500. These should be opened in both directions (Lots more information 500. These should be opened in both directions (Lots more information
<a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p> <a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
</blockquote> </blockquote>
<p>SMTP</p> <p>SMTP</p>
<blockquote> <blockquote>
<p> TCP Port 25.</p> <p> TCP Port 25.</p>
</blockquote> </blockquote>
<p>POP3</p> <p>POP3</p>
<blockquote> <blockquote>
<p>TCP Port 110.</p> <p>TCP Port 110.</p>
</blockquote> </blockquote>
<p>TELNET</p> <p>TELNET</p>
<blockquote> <blockquote>
<p>TCP Port 23.</p> <p>TCP Port 23.</p>
</blockquote> </blockquote>
<p>SSH</p> <p>SSH</p>
<blockquote> <blockquote>
<p>TCP Port 22.</p> <p>TCP Port 22.</p>
</blockquote> </blockquote>
<p>Auth (identd)</p> <p>Auth (identd)</p>
<blockquote> <blockquote>
<p>TCP Port 113</p> <p>TCP Port 113</p>
</blockquote> </blockquote>
<p>Web Access</p> <p>Web Access</p>
<blockquote> <blockquote>
<p>TCP Ports 80 and 443.</p> <p>TCP Ports 80 and 443.</p>
</blockquote> </blockquote>
<p>FTP</p> <p>FTP</p>
@ -124,36 +124,36 @@ want to open TCP Port 53 as well.<br>
href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p> href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p>
<p>For a client, you must open outbound TCP port 21 and be sure that your <p>For a client, you must open outbound TCP port 21 and be sure that your
kernel is compiled to support FTP connection tracking. If you build this kernel is compiled to support FTP connection tracking. If you build this
support as a module, Shorewall will automatically load the module from support as a module, Shorewall will automatically load the module from
/var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br> /var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
</p> </p>
<p>If you run an FTP server on a nonstandard port or you need to access <p>If you run an FTP server on a nonstandard port or you need to access
such a server, then you must specify that port in /etc/shorewall/modules. such a server, then you must specify that port in /etc/shorewall/modules.
For example, if you run an FTP server that listens on port 49 then you would For example, if you run an FTP server that listens on port 49 then you would
have:<br> have:<br>
</p> </p>
<blockquote> <blockquote>
<p>loadmodule ip_conntrack_ftp ports=21,49<br> <p>loadmodule ip_conntrack_ftp ports=21,49<br>
loadmodule ip_nat_ftp ports=21,49<br> loadmodule ip_nat_ftp ports=21,49<br>
</p> </p>
</blockquote> </blockquote>
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may <p>Note that you MUST include port 21 in the <i>ports</i> list or you may
have problems accessing regular FTP servers.</p> have problems accessing regular FTP servers.</p>
<p>If there is a possibility that these modules might be loaded before <p>If there is a possibility that these modules might be loaded before Shorewall
Shorewall starts, then you should include the port list in /etc/modules.conf:<br> starts, then you should include the port list in /etc/modules.conf:<br>
</p> </p>
<blockquote> <blockquote>
<p>options ip_conntrack_ftp ports=21,49<br> <p>options ip_conntrack_ftp ports=21,49<br>
options ip_nat_ftp ports=21,49<br> options ip_nat_ftp ports=21,49<br>
</p> </p>
</blockquote> </blockquote>
</blockquote> </blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p> <p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
@ -161,34 +161,43 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
<blockquote> <blockquote>
<p>TCP Ports 137, 139 and 445.<br> <p>TCP Ports 137, 139 and 445.<br>
UDP Ports 137-139.<br> UDP Ports 137-139.<br>
<br> <br>
Also, <a href="samba.htm">see this page</a>.</p> Also, <a href="samba.htm">see this page</a>.</p>
</blockquote> </blockquote>
<p>Traceroute</p> <p>Traceroute</p>
<blockquote> <blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p> <p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
</blockquote> </blockquote>
<p>NFS</p> <p>NFS<br>
</p>
<blockquote>
<p>I personally use the following rules for opening access from zone z1
to a server with IP address a.b.c.d in zone z2:<br>
</p>
<pre>ACCEPT z1 z2:a.b.c.d udp 111<br>ACCEPT z1 z2:a.b.c.d udp 2049<br>ACCEPT z1 z2:a.b.c.d udp 32700:<br></pre>
</blockquote>
<blockquote> <blockquote>
<p>There's some good information at  <a <p>Note that my rules only cover NFS using UDP (the normal case). There
is lots of additional information at  <a
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p> href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote> </blockquote>
<p>Didn't find what you are looking for -- have you looked in your own <p>Didn't find what you are looking for -- have you looked in your own /etc/services
/etc/services file? </p> file? </p>
<p>Still looking? Try <a <p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p> href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a <p><font size="2">Last updated 2/7/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> <a href="copyright.htm"><font size="2">Copyright</font> © <font
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br> <br>
<br> <br>
</body> </body>

625
Shorewall-docs/seattlefirewall_index.htm
View File

@ -6,6 +6,7 @@
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
@ -13,22 +14,23 @@
<base
target="_self"> <base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
@ -43,9 +45,9 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall </a></i></font><font color="#ffffff">Shorewall
1.3 - <font size="4">"<i>iptables 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font></h1> made easy"</i></font></font></h1>
@ -59,13 +61,13 @@ made easy"</i></font></font></h1>
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br> color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div> </div>
<br> <br>
</td> </td>
</tr> </tr>
@ -77,6 +79,7 @@ made easy"</i></font></font></h1>
<div align="center"> <div align="center">
<center> <center>
@ -84,11 +87,11 @@ made easy"</i></font></font></h1>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -109,10 +112,12 @@ made easy"</i></font></font></h1>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall <p>The Shoreline Firewall, more commonly known as "Shorewall", is
that can be used on a dedicated firewall system, a multi-function a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
gateway/router/server or on a standalone GNU/Linux system.</p> firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
@ -124,25 +129,27 @@ made easy"</i></font></font></h1>
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General <a href="http://www.gnu.org/licenses/gpl.html">Version 2 of
Public License</a> as published by the Free Software Foundation.<br> the GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br> <br>
This program is distributed in the This program is distributed in the
hope that it will be useful, but WITHOUT ANY hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br> GNU General Public License for more details.<br>
<br> <br>
You should have received a copy of
the GNU General Public License along
with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA
02139, USA</p>
You should have received a copy of
the GNU General Public License along with
this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
@ -168,26 +175,26 @@ the GNU General Public License along with
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak </a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway on a floppy, CD have a LEAF (router/firewall/gateway on a floppy,
or compact flash) distribution called <i>Bering</i> CD or compact flash) distribution called <i>Bering</i>
that features Shorewall-1.3.10 and Kernel-2.4.18. that features Shorewall-1.3.10 and Kernel-2.4.18.
You can find their work at: <a You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering <p><b>Congratulations to Jacques and Eric on the recent release of
1.0 Final!!! </b><br> Bering 1.0 Final!!! </b><br>
</p> </p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a <h2>This is a mirror of the main Shorewall web site at SourceForge
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2> (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -212,6 +219,7 @@ the GNU General Public License along with
<h2></h2> <h2></h2>
@ -220,444 +228,105 @@ the GNU General Public License along with
<p><b>2/4/2003 - Shorewall 1.3.14-RC1</b><b> </b><b><img
<p><b>2/8/2003 - Shoreawll 1.3.14</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>Includes the Beta 2 content plus support for OpenVPN tunnels.</p> <p>New features include</p>
<p> The release candidate may be downloaded from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>1/28/2003 - Shorewall 1.3.14-Beta2 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Includes the Beta 1 content plus restores VLAN device names of the
form $dev.$vid (e.g., eth0.1)</p>
<p> The beta may be downloaded from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><br>
</p>
<p>The Beta includes the following changes:<br>
</p>
<ol> <ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf. <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).<br> When set to Yes, Shorewall ping handling is as it has always been (see
<br> http://www.shorewall.net/ping.html).<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and <br>
policies just like any other connection request. The FORWARDPING=Yes option When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces policies just like any other connection request. The FORWARDPING=Yes option
will all generate an error.<br> in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces
<br> will all generate an error.<br>
</li> <br>
<li>It is now possible to direct Shorewall to create a "label" </li>
such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes <li>It is now possible to direct Shorewall to create a "label" such
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
just the interface name:<br> and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
 <br> of just the interface name:<br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>  <br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>    a) In the INTERFACE column of /etc/shorewall/masq<br>
 </li>    b) In the INTERFACE column of /etc/shorewall/nat<br>
<li>When an interface name is entered in the SUBNET column of  </li>
the /etc/shorewall/masq file, Shorewall previously masqueraded traffic <li>Support for OpenVPN Tunnels.<br>
from only the first subnet defined on that interface. It did not masquerade <br>
traffic from:<br> </li>
 <br> <li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,
   a) The subnets associated with other addresses on the interface.<br> eth0.0)<br>
   b) Subnets accessed through local routers.<br> <br>
 <br> </li>
Beginning with Shorewall 1.3.14, if you enter an interface name in <li>When an interface name is entered in the SUBNET column of the
the SUBNET column, shorewall will use the firewall's routing table to /etc/shorewall/masq file, Shorewall previously masqueraded traffic from
construct the masquerading/SNAT rules.<br> only the first subnet defined on that interface. It did not masquerade
 <br> traffic from:<br>
Example 1 -- This is how it works in 1.3.14.<br>  <br>
   <br>    a) The subnets associated with other addresses on the interface.<br>
   b) Subnets accessed through local routers.<br>
 <br>
Beginning with Shorewall 1.3.14, if you enter an interface name in the
SUBNET column, shorewall will use the firewall's routing table to construct
the masquerading/SNAT rules.<br>
 <br>
Example 1 -- This is how it works in 1.3.14.<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre> <pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
<pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos... <br></pre> <pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
When upgrading to Shorewall 1.3.14, if you have multiple local subnets  <br>
connected to an interface that is specified in the SUBNET column of an When upgrading to Shorewall 1.3.14, if you have multiple local subnets
/etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing. connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
In most cases, you will simply be able to remove redundant entries. In some entry, your /etc/shorewall/masq file will need changing. In most cases,
cases though, you might want to change from using the interface name to you will simply be able to remove redundant entries. In some cases though,
listing specific subnetworks if the change described above will cause masquerading you might want to change from using the interface name to listing specific
to occur on subnetworks that you don't wish to masquerade.<br> subnetworks if the change described above will cause masquerading to occur
 <br> on subnetworks that you don't wish to masquerade.<br>
Example 2 -- Suppose that your current config is as follows:<br>  <br>
Example 2 -- Suppose that your current config is as follows:<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#<br></pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
   In this case, the second entry in /etc/shorewall/masq is no longer  <br>
   In this case, the second entry in /etc/shorewall/masq is no longer
required.<br> required.<br>
 <br>  <br>
Example 3 -- What if your current configuration is like this?<br> Example 3 -- What if your current configuration is like this?<br>
 <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#<br></pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
   In this case, you would want to change the entry in  /etc/shorewall/masq  <br>
   In this case, you would want to change the entry in  /etc/shorewall/masq
to:<br> to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li> </li>
</ol> </ol>
The beta may be downloaded from:<br> <br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13
documenation. the PDF may be downloaded from</p>
    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a>
<p><b>1/17/2003 - shorewall.net has MOVED</b><b></b></p>
<p>Thanks to the generosity of Alex Martin and <a
href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net and
ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A
big thanks to Alex for making this happen.<br>
</p>
<p><b>1/13/2003 - Shorewall 1.3.13</b><br>
</p>
<p>Just includes a few things that I had on the burner:<br>
</p>
<ol>
<li>A new 'DNAT-' action has been added for entries in the
/etc/shorewall/rules file. DNAT- is intended for advanced users who wish
to minimize the number of rules that connection requests must traverse.<br>
<br>
A Shorewall DNAT rule actually generates two iptables rules: a
header rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter'
table. A DNAT- rule only generates the first of these rules. This is handy
when you have several DNAT rules that would generate the same ACCEPT rule.<br>
<br>
   Here are three rules from my previous rules file:<br>
<br>
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
<br>
   These three rules ended up generating _three_ copies of<br>
<br>
         ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
<br>
   By writing the rules this way, I end up with only one copy of
the ACCEPT rule.<br>
<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
<br>
</li>
<li>The 'shorewall check' command now prints out the applicable
policy between each pair of zones.<br>
<br>
</li>
<li>A new CLEAR_TC option has been added to shorewall.conf.
If this option is set to 'No' then Shorewall won't clear the current
traffic control rules during [re]start. This setting is intended for
use by people that prefer to configure traffic shaping when the network
interfaces come up rather than when the firewall is started. If that
is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not
supply an /etc/shorewall/tcstart file. That way, your traffic shaping
rules can still use the 'fwmark' classifier based on packet marking defined
in /etc/shorewall/tcrules.<br>
<br>
</li>
<li>A new SHARED_DIR variable has been added that allows
distribution packagers to easily move the shared directory (default /usr/lib/shorewall).
Users should never have a need to change the value of this shorewall.conf
setting.<br>
</li>
</ol>
<p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
</b></p>
<p><b>Until further notice, I will not be involved in either Shorewall
Development or Shorewall Support</b></p>
<p><b>-Tom Eastep</b><br>
</p>
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
</b></p>
<p> Features include:<br>
</p>
<ol>
<li>"shorewall refresh" now reloads the traffic
shaping rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging
after an error occurs. This places the point of the failure near
the end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by
more than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been
added which shows the current packet classification filters. The
output from this command is also added as a separate page in "shorewall
monitor"</li>
<li>ULOG (must be all caps) is now accepted as a
valid syslog level and causes the subject packets to be logged using
the ULOG target rather than the LOG target. This allows you to run
ulogd (available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="shorewall_logging.html">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD
chain in the mangle table ("shorewall show mangle" will show you
the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for
marking input packets based on their destination even when you are
using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory
with empty 'init', 'start', 'stop' and 'stopped' files. If you already
have a file with one of these names, don't worry -- the upgrade process
won't overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable
to <a href="Documentation.htm#Conf">shorewall.conf</a>. This
variable specifies the syslog level at which packets are logged as
a result of entries in the /etc/shorewall/rfc1918 file. Previously,
these packets were always logged at the 'info' level.<br>
</li>
</ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p>
This version corrects a problem with Blacklist logging.
In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the
firewall would fail to start and "shorewall refresh" would also fail.<br>
<p> You may download the Beta from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p>
The first public Beta version of Shorewall 1.3.12 is
now available (Beta 1 was made available to a limited audience).
<br>
<br>
Features include:<br>
<br>
<ol>
<li>"shorewall refresh" now reloads the traffic
shaping rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off
debugging after an error occurs. This places the point of the failure
near the end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded
up by more than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command
has been added which shows the current packet classification filters.
The output from this command is also added as a separate page in
"shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted
as a valid syslog level and causes the subject packets to be logged
using the ULOG target rather than the LOG target. This allows you to
run ulogd (available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="shorewall_logging.html">to a separate log file</a>.</li>
<li>If you are running a kernel that has a
FORWARD chain in the mangle table ("shorewall show mangle" will
show you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
in shorewall.conf. This allows for marking input packets based on
their destination even when you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall
directory with empty 'init', 'start', 'stop' and 'stopped' files.
If you already have a file with one of these names, don't worry
-- the upgrade process won't overwrite your file.</li>
</ol>
You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="21" border="0">
</a></b></p>
Shorewall is at the center of MandrakeSoft's recently-announced
<a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am
now in a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
users who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p>
<p>In this version:</p>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
Webmin version 1.060 now has Shorewall support included as standard. See
<a href="http://www.webmin.com">http://www.webmin.com</a>.<b> </b>
<p><b></b></p>
<p><b></b></p>
<ul> <ul>
<li>A 'tcpflags' option has been
added to entries in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP
packet header flags.</li>
<li>It is now allowed to use 'all'
in the SOURCE or DEST column in a <a
href="Documentation.htm#Rules">rule</a>. When used, 'all' must appear
by itself (in may not be qualified) and it does not enable intra-zone
traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc'
to 'loc'.</li>
<li>Shorewall's use of the 'echo'
command is now compatible with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate
a startup error. fw-&gt;fw rules generate a warning and are
ignored</li>
@ -683,13 +352,13 @@ command is now compatible with bash clones such as ash and dash.</
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" <td width="88" bgcolor="#4b017c"
valign="top" align="center"> <a valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td> href="http://sourceforge.net">M</a></td>
</tr> </tr>
@ -699,9 +368,9 @@ command is now compatible with bash clones such as ash and dash.</
</table> </table>
</center> </center>
</div> </div>
@ -709,11 +378,11 @@ command is now compatible with bash clones such as ash and dash.</
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
@ -727,7 +396,7 @@ command is now compatible with bash clones such as ash and dash.</
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
  </a></p>   </a></p>
@ -738,15 +407,15 @@ command is now compatible with bash clones such as ash and dash.</
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free
if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
@ -758,13 +427,9 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

100
Shorewall-docs/shorewall_features.htm
View File

@ -17,98 +17,102 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<ul> <ul>
<li>Uses Netfilter's connection tracking facilities for stateful packet <li>Uses Netfilter's connection tracking facilities for stateful packet
filtering.</li> filtering.</li>
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>. <li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
<ul> <ul>
<li>Completely customizable using configuration files.</li> <li>Completely customizable using configuration files.</li>
<li>No limit on the number of network interfaces.</li> <li>No limit on the number of network interfaces.</li>
<li>Allows you to partitions the network into <i><a <li>Allows you to partitions the network into <i><a
href="Documentation.htm#Zones">zones</a></i> and gives you complete href="Documentation.htm#Zones">zones</a></i> and gives you complete
control over the connections permitted between each pair of zones.</li> control over the connections permitted between each pair of zones.</li>
<li>Multiple interfaces per zone and multiple zones per interface <li>Multiple interfaces per zone and multiple zones per interface
permitted.</li> permitted.</li>
<li>Supports nested and overlapping zones.</li> <li>Supports nested and overlapping zones.</li>
</ul> </ul>
</li> </li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a> <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a>
to help get your first firewall up and running quickly</li> to help get your first firewall up and running quickly</li>
<li>Extensive <b> <a <li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
href="http://www.webmin.com">http://www.webmin.com</a>)<br>
</li>
<li>Extensive <b> <a
href="shorewall_quickstart_guide.htm#Documentation">documentation</a> href="shorewall_quickstart_guide.htm#Documentation">documentation</a>
</b> included in the .tgz and .rpm downloads.</li> </b> included in the .tgz and .rpm downloads.</li>
<li><b>Flexible address management/routing support</b> (and you can <li><b>Flexible address management/routing support</b> (and you can
use all types in the same firewall): use all types in the same firewall):
<ul> <ul>
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li> <li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li> <li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li> <li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li> <li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
<li>Simple host/subnet Routing</li> <li>Simple host/subnet Routing</li>
</ul> </ul>
</li> </li>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual <li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
IP addresses and subnetworks is supported.</li> IP addresses and subnetworks is supported.</li>
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>: <li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
<ul> <ul>
<li>Commands to start, stop and clear the firewall</li> <li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring with an audible alarm <li>Supports status monitoring with an audible alarm
when an "interesting" packet is detected.</li> when an "interesting" packet is detected.</li>
<li>Wide variety of informational commands.</li> <li>Wide variety of informational commands.</li>
</ul> </ul>
</li> </li>
<li><b>VPN Support</b> <li><b>VPN Support</b>
<ul> <ul>
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE,  IPIP and <li><a href="Documentation.htm#Tunnels">IPSEC, GRE,  IPIP and
OpenVPN Tunnels</a>.</li> OpenVPN Tunnels</a>.</li>
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li> <li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
</ul> </ul>
</li> </li>
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a> <li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
integration.</li> integration.</li>
<li>Wide support for different <b>GNU/Linux Distributions</b>. <li>Wide support for different <b>GNU/Linux Distributions</b>.
<ul> <ul>
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a <li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
packages available.</li> packages available.</li>
<li>Includes <a href="Install.htm"><b>automated install, upgrade, <li>Includes <a href="Install.htm"><b>automated install, upgrade,
fallback and uninstall facilities</b></a> for users who can't use fallback and uninstall facilities</b></a> for users who can't use
or choose not to use the RPM or Debian packages.</li> or choose not to use the RPM or Debian packages.</li>
<li>Included as a standard part of<b> <a <li>Included as a standard part of<b> <a
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
on a floppy, CD or compact flash).</li> on a floppy, CD or compact flash).</li>
</ul> </ul>
</li>
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>) Address
<b>Verification</b><br>
</a><br>
</li> </li>
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
Address <b>Verification</b><br>
</a><br>
</li>
</ul> </ul>
<p><font size="2">Last updated 1/31/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last updated 2/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br> <br>
</body> </body>
</html> </html>

590
Shorewall-docs/sourceforge_index.htm
View File

@ -15,7 +15,7 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -26,11 +26,12 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90">
<td width="100%" height="90">
@ -45,10 +46,10 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall </a></i></font><font color="#ffffff">Shorewall
1.3 - <font size="4">"<i>iptables 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font><a href="http://www.sf.net"> made easy"</i></font></font><a href="http://www.sf.net">
</a></h1> </a></h1>
@ -61,8 +62,8 @@
<div align="center"><a href="/1.2/index.html" target="_top"><font <div align="center"><a href="/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a></div> color="#ffffff">Shorewall 1.2 Site here</font></a></div>
</td> </td>
</tr> </tr>
@ -81,11 +82,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -108,10 +109,12 @@
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is <p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
@ -124,27 +127,28 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of it under the terms of
<a href="http://www.gnu.org/licenses/gpl.html">Version 2 of <a href="http://www.gnu.org/licenses/gpl.html">Version 2 of
the GNU General Public License</a> as published by the Free Software the GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed in This program is distributed
the hope that it will be useful, but WITHOUT in the hope that it will be useful, but
ANY WARRANTY; without even the implied warranty WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. See the GNU General Public License for PURPOSE. See the GNU General Public License
more details.<br> for more details.<br>
<br> <br>
You should have received a copy
of the GNU General Public License
along with this program; if not, write to the Free
Software Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA</p>
You should have received a copy
of the GNU General Public License along
with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge,
MA 02139, USA</p>
@ -168,18 +172,20 @@ MA 02139, USA</p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric </a>Jacques Nilo and Eric
Wolzak have a LEAF (router/firewall/gateway on a floppy, Wolzak have a LEAF (router/firewall/gateway on
CD or compact flash) distribution called <i>Bering</i> a floppy, CD or compact flash) distribution called
that features Shorewall-1.3.10 and Kernel-2.4.18. <i>Bering</i> that features Shorewall-1.3.10
You can find their work at: <a and Kernel-2.4.18. You can find their work at:
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and <b>Congratulations to Jacques and
Eric on the recent release of Bering 1.0 Final!!! <br> Eric on the recent release of Bering 1.0 Final!!! <br>
</b> </b>
@ -197,45 +203,16 @@ Eric on the recent release of Bering 1.0 Final!!! <br>
<p><b>2/4/2003 - Shorewall 1.3.14-RC1</b><b> </b><b><img
<p><b>2/8/2003 - Shoreawll 1.3.14</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>Includes the Beta 2 content plus support for OpenVPN tunnels.<br> <p>New features include</p>
</p>
<p> The release candidate may be downloaded from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"><br>
ftp://ftp.shorewall.net/pub/shorewall/Beta</a></blockquote>
<p></p>
<p><b>1/28/2003 - Shorewall 1.3.14-Beta2 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>Includes the Beta 1 content plus restores VLAN device names of the
form $dev.$vid (e.g., eth0.1)</p>
<p> The beta may be downloaded from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><br>
</p>
<p>The Beta includes the following changes:<br>
</p>
<ol> <ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf. <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been (see When set to Yes, Shorewall ping handling is as it has always been (see
http://www.shorewall.net/ping.html).<br> http://www.shorewall.net/ping.html).<br>
<br> <br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
@ -244,18 +221,25 @@ in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/
will all generate an error.<br> will all generate an error.<br>
<br> <br>
</li> </li>
<li>It is now possible to direct Shorewall to create a "label" <li>It is now possible to direct Shorewall to create a "label" such
such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
of just the interface name:<br> of just the interface name:<br>
 <br>  <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>    a) In the INTERFACE column of /etc/shorewall/masq<br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>    b) In the INTERFACE column of /etc/shorewall/nat<br>
 </li>  </li>
<li>When an interface name is entered in the SUBNET column of <li>Support for OpenVPN Tunnels.<br>
the /etc/shorewall/masq file, Shorewall previously masqueraded traffic from <br>
only the first subnet defined on that interface. It did not masquerade </li>
traffic from:<br> <li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,
eth0.0)<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET column of the
/etc/shorewall/masq file, Shorewall previously masqueraded traffic from
only the first subnet defined on that interface. It did not masquerade
traffic from:<br>
 <br>  <br>
   a) The subnets associated with other addresses on the interface.<br>    a) The subnets associated with other addresses on the interface.<br>
   b) Subnets accessed through local routers.<br>    b) Subnets accessed through local routers.<br>
@ -286,7 +270,8 @@ on subnetworks that you don't wish to masquerade.<br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#<br></pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>
   In this case, the second entry in /etc/shorewall/masq is no longer    In this case, the second entry in /etc/shorewall/masq is no longer
required.<br> required.<br>
 <br>  <br>
@ -295,381 +280,31 @@ on subnetworks that you don't wish to masquerade.<br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]# <br></pre> <pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>
   In this case, you would want to change the entry in  /etc/shorewall/masq    In this case, you would want to change the entry in  /etc/shorewall/masq
to:<br> to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li> </li>
</ol>
The beta may be downloaded from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13
documenation. the PDF may be downloaded from</p>
    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a>
<p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b>  </b></p>
<p>Thanks to the generosity of Alex Martin and <a
href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net and ftp.shorewall.net
are now hosted on a system in Bellevue, Washington. A big thanks to Alex
for making this happen.<br>
</p>
<p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p>Just includes a few things that I had on the burner:<br>
</p>
<ol>
<li>A new 'DNAT-' action has been added for entries in the
/etc/shorewall/rules file. DNAT- is intended for advanced users who wish
to minimize the number of rules that connection requests must traverse.<br>
<br>
A Shorewall DNAT rule actually generates two iptables rules: a header
rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter'
table. A DNAT- rule only generates the first of these rules. This is
handy when you have several DNAT rules that would generate the same ACCEPT
rule.<br>
<br>
   Here are three rules from my previous rules file:<br>
<br>
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
<br>
   These three rules ended up generating _three_ copies of<br>
<br>
         ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
<br>
   By writing the rules this way, I end up with only one copy of
the ACCEPT rule.<br>
<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
<br>
</li>
<li>The 'shorewall check' command now prints out the applicable
policy between each pair of zones.<br>
<br>
</li>
<li>A new CLEAR_TC option has been added to shorewall.conf.
If this option is set to 'No' then Shorewall won't clear the current traffic
control rules during [re]start. This setting is intended for use by people
that prefer to configure traffic shaping when the network interfaces
come up rather than when the firewall is started. If that is what you
want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
file. That way, your traffic shaping rules can still use the 'fwmark'
classifier based on packet marking defined in /etc/shorewall/tcrules.<br>
<br>
</li>
<li>A new SHARED_DIR variable has been added that allows
distribution packagers to easily move the shared directory (default /usr/lib/shorewall).
Users should never have a need to change the value of this shorewall.conf
setting.</li>
</ol> </ol>
<p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> <p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
</b></p> </b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p>
<p><b>Until further notice, I will not be involved in either Shorewall Webmin version 1.060 now has Shorewall support included as standard.
Development or Shorewall Support</b></p> See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
</b>
<p><b>-Tom Eastep</b><br>
</p>
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
</b></p>
<p> Features include:<br>
</p>
<ol>
<li>"shorewall refresh" now reloads the traffic shaping
rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging
after an error occurs. This places the point of the failure near
the end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by
more than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been
added which shows the current packet classification filters. The
output from this command is also added as a separate page in "shorewall
monitor"</li>
<li>ULOG (must be all caps) is now accepted as a
valid syslog level and causes the subject packets to be logged using
the ULOG target rather than the LOG target. This allows you to run
ulogd (available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="shorewall_logging.html">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD
chain in the mangle table ("shorewall show mangle" will show you
the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for
marking input packets based on their destination even when you are
using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory
with empty 'init', 'start', 'stop' and 'stopped' files. If you
already have a file with one of these names, don't worry -- the upgrade
process won't overwrite your file.</li>
<li>I have added a new RFC1918_LOG_LEVEL variable
to <a href="Documentation.htm#Conf">shorewall.conf</a>. This variable
specifies the syslog level at which packets are logged as a result
of entries in the /etc/shorewall/rfc1918 file. Previously, these packets
were always logged at the 'info' level.</li>
</ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p>
This version corrects a problem with Blacklist logging.
In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the
firewall would fail to start and "shorewall refresh" would also fail.<br>
<p> You may download the Beta from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p>
The first public Beta version of Shorewall 1.3.12 is
now available (Beta 1 was made available only to a limited audience).
<br>
<br>
Features include:<br>
<br>
<ol>
<li>"shorewall refresh" now reloads the traffic
shaping rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off
debugging after an error occurs. This places the point of the failure
near the end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up
by more than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has
been added which shows the current packet classification filters.
The output from this command is also added as a separate page in
"shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted
as a valid syslog level and causes the subject packets to be logged
using the ULOG target rather than the LOG target. This allows you to
run ulogd (available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a
href="shorewall_logging.html">to a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD
chain in the mangle table ("shorewall show mangle" will show you
the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
in shorewall.conf. This allows for marking input packets based on
their destination even when you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory
with empty 'init', 'start', 'stop' and 'stopped' files. If you already
have a file with one of these names, don't worry -- the upgrade process
won't overwrite your file.</li>
</ol>
You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a
href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="23" border="0">
</a></b></p>
Shorewall is at the center of MandrakeSofts's recently-announced
<a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am
now in a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
</p>
<p>Apt-get sources listed at <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
users who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b>
</b></p>
<p>In this version:</p>
<ul>
<li>A 'tcpflags' option has been
added to entries in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP
packet header flags.</li>
<li>It is now allowed to use 'all'
in the SOURCE or DEST column in a <a
href="Documentation.htm#Rules">rule</a>. When used, 'all' must appear
by itself (in may not be qualified) and it does not enable intra-zone
traffic. For example, the rule <br>
<br>
    ACCEPT loc all tcp 80<br>
<br>
does not enable http traffic from 'loc'
to 'loc'.</li>
<li>Shorewall's use of the 'echo'
command is now compatible with bash clones such as ash and dash.</li>
<li>fw-&gt;fw policies now generate
a startup error. fw-&gt;fw rules generate a warning and are
ignored</li>
</ul>
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p>
<p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p>
<p><b></b></p> <p><b></b></p>
<ul> <ul>
@ -686,7 +321,8 @@ command is now compatible with bash clones such as ash and dash.</
<p><b></b><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
@ -707,7 +343,7 @@ command is now compatible with bash clones such as ash and dash.</
<h1 align="center"><a href="http://www.sf.net"><img align="left" <h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1> </a></h1>
@ -726,16 +362,17 @@ command is now compatible with bash clones such as ash and dash.</
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" <td width="88"
valign="top" align="center"> <br> bgcolor="#4b017c" valign="top" align="center"> <br>
</td> </td>
</tr> </tr>
@ -746,9 +383,9 @@ command is now compatible with bash clones such as ash and dash.</
</table> </table>
</center> </center>
</div> </div>
@ -757,11 +394,12 @@ command is now compatible with bash clones such as ash and dash.</
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%"
style="margin-top: 1px;">
@ -775,7 +413,7 @@ command is now compatible with bash clones such as ash and dash.</
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
@ -787,15 +425,15 @@ command is now compatible with bash clones such as ash and dash.</
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free but
but if you try it and find it useful, please consider making a donation if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
@ -808,12 +446,10 @@ Children's Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<br> <br>
<br> </p>
<br>
</body> </body>
</html> </html>

334
Shorewall-docs/support.htm
View File

@ -26,61 +26,68 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support<img <h1 align="center"><font color="#ffffff">Shorewall Support<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions <p> <b><big><big><font color="#ff0000">While I don't answer Shorewall  questions
emailed directly to me, I try to spend some time each day answering questions emailed directly to me, I try to spend some time each day answering questions
on the Shorewall Users Mailing List.</font></big><span on the Shorewall Users Mailing List.</font></big><span
style="font-weight: 400;"></span></big></b></p> style="font-weight: 400;"></span></big></b></p>
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2> <h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
<h1>Before Reporting a Problem</h1> <h1>Before Reporting a Problem</h1>
There are a number of sources for problem <i>"Well at least you tried to read the documentation, which is a lot more
solution information. Please try these before you post. than some people on this list appear to do.</i>"<br>
<br>
<div align="center">- Wietse Venema - On the Postfix mailing list<br>
</div>
<br>
There are a number of sources for
problem solution information. Please try these before you post.
<h3> </h3> <h3> </h3>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li>More than half of the questions posted on the support <li>More than half of the questions posted on the support
list have answers directly accessible from the <a list have answers directly accessible from the <a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
<br> <br>
</li> </li>
<li> The <a href="FAQ.htm">FAQ</a> <li> The <a href="FAQ.htm">FAQ</a>
has solutions to more than 20 common problems. </li> has solutions to more than 20 common problems. </li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> The <a <li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems. </li> a number of tips to help you solve common problems. </li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> The <a <li> The <a
href="errata.htm"> Errata</a> has links to download updated href="errata.htm"> Errata</a> has links to download updated
components. </li> components. </li>
@ -89,9 +96,9 @@ list have answers directly accessible from the <a
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> The Mailing List Archives <li> The Mailing List
search facility can locate posts about similar problems: Archives search facility can locate posts about similar problems:
</li> </li>
</ul> </ul>
@ -109,13 +116,13 @@ list have answers directly accessible from the <a
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
@ -125,132 +132,141 @@ list have answers directly accessible from the <a
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden"
value="htdig"> <input type="hidden" name="restrict" name="config" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" Search: <input type="text" size="30"
name="words" value=""> <input type="submit" value="Search"> </p> name="words" value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2>Problem Reporting Guidelines </h2> <h2>Problem Reporting Guidelines </h2>
<i>"Let me see if I can translate your message into a real-world <i>"Let me see if I can translate your message into a real-world
example. It would be like saying that you have three rooms at home, example. It would be like saying that you have three rooms at home,
and when you walk into one of the rooms, you detect this strange smell. and when you walk into one of the rooms, you detect this strange smell.
Can anyone tell you what that strange smell is?<br> Can anyone tell you what that strange smell is?<br>
<br> <br>
Now, all of us could do some wonderful guessing as to the smell Now, all of us could do some wonderful guessing as to the
and even what's causing it. You would be absolutely amazed at the smell and even what's causing it. You would be absolutely amazed
range and variety of smells we could come up with. Even more amazing at the range and variety of smells we could come up with. Even more
is that all of the explanations for the smells would be completely amazing is that all of the explanations for the smells would be completely
plausible."<br> plausible."<br>
</i><br> </i><br>
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br> <div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
</div> </div>
<br> <br>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li>Please remember we only know what is posted in your message. <li>Please remember we only know what is posted in your message.
Do not leave out any information that appears to be correct, or was mentioned Do not leave out any information that appears to be correct, or was mentioned
in a previous post. There have been countless posts by people who were in a previous post. There have been countless posts by people who were
sure that some part of their configuration was correct when it actually sure that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail is lacking.<br> contained a small error. We tend to be skeptics where detail is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're asking for <strong>free</strong> <li>Please keep in mind that you're asking for <strong>free</strong>
technical support. Any help we offer is an act of generosity, not an obligation. technical support. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous practices Try to make it easy for us to help you. Follow good, courteous practices
in writing and formatting your e-mail. Provide details that we need if in writing and formatting your e-mail. Provide details that we need if
you expect good answers. <em>Exact quoting </em> of error messages, log you expect good answers. <em>Exact quoting </em> of error messages, log
entries, command output, and other output is better than a paraphrase or entries, command output, and other output is better than a paraphrase or
summary.<br> summary.<br>
<br> <br>
</li> </li>
<li> Please don't describe your <li> Please don't describe your
environment and then ask us to send you custom configuration environment and then ask us to send you custom configuration
files. We're here to answer your questions but we can't files. We're here to answer your questions but we can't
do your job for you.<br> do your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> include this <li>When reporting a problem, <strong>ALWAYS</strong> include
information:</li> this information:</li>
</ul> </ul>
<ul> <ul>
<ul> <ul>
<li>the exact version of Shorewall you are running.<br> <li>the exact version of Shorewall you are running.<br>
<br> <br>
<b><font color="#009900">shorewall version</font><br> <b><font color="#009900">shorewall version</font><br>
</b> <br> </b> <br>
</li> </li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you are running<br> <li>the exact kernel version you are running<br>
<br> <br>
<font color="#009900"><b>uname -a<br> <font color="#009900"><b>uname -a<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip addr show<br> <font color="#009900"><b>ip addr show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip route show<br> <font color="#009900"><b>ip route show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized, the exact output from<br> <li>If your kernel is modularized, the exact output from<br>
<br> <br>
<font color="#009900"><b>lsmod</b></font><br> <font color="#009900"><b>lsmod</b></font><br>
<br> <br>
</li> </li>
<li>the exact wording of any <code <li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses.<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart Guides, please
indicate which one. <br>
<br>
</li>
<li><b>If you are running Shorewall under Mandrake using the Mandrake
installation of Shorewall, please say so.</b><br>
<br>
</li>
</ul> </ul>
</ul> </ul>
<ul> <ul>
<li><b>NEVER </b>include the output of "<b><font <li><b>NEVER </b>include the output of "<b><font
color="#009900">iptables -L</font></b>". Instead, if you are having connection color="#009900">iptables -L</font></b>". Instead, if you are having connection
problems please post the exact output of<br> problems of any kind, post the exact output of<br>
<br> <br>
<b><font color="#009900">/sbin/shorewall status<br> <b><font color="#009900">/sbin/shorewall status<br>
<br> <br>
</font></b>Since that command generates a lot of output, we suggest </font></b>Since that command generates a lot of output, we
that you redirect the output to a file and attach the file to your post<br> suggest that you redirect the output to a file and attach the file to
<br> your post<br>
<b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br> <br>
<br> <b><font color="#009900">/sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
</li> <br>
<li>As a general matter, please <strong>do not edit the diagnostic </li>
information</strong> in an attempt to conceal your IP address, netmask, <li>As a general matter, please <strong>do not edit the diagnostic
nameserver addresses, domain name, etc. These aren't secrets, and concealing information</strong> in an attempt to conceal your IP address, netmask,
them often misleads us (and 80% of the time, a hacker could derive them nameserver addresses, domain name, etc. These aren't secrets, and concealing
anyway from information contained in the SMTP headers of your post).<strong></strong></li> them often misleads us (and 80% of the time, a hacker could derive them
anyway from information contained in the SMTP headers of your post).<strong></strong></li>
</ul> </ul>
@ -267,18 +283,18 @@ anyway from information contained in the SMTP headers of your post).<strong></s
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> Do you see any "Shorewall" <li> Do you see any "Shorewall"
messages ("<b><font color="#009900">/sbin/shorewall show log</font></b>") messages ("<b><font color="#009900">/sbin/shorewall show log</font></b>")
when you exercise the function that is giving you problems? If when you exercise the function that is giving you problems? If
so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br> file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration files <li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have modified (especially the /etc/shorewall/hosts file if you have modified
that file) that you think are relevant. If you include /etc/shorewall/rules, that file) that you think are relevant. If you include /etc/shorewall/rules,
please include /etc/shorewall/policy as well (rules are meaningless unless please include /etc/shorewall/policy as well (rules are meaningless unless
one also knows the policies). </li> one also knows the policies). </li>
</ul> </ul>
@ -291,79 +307,81 @@ so, include the message(s) in your post along with a copy of your /etc/shorewa
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> If an error occurs when <li> If an error occurs
you try to "<font color="#009900"><b>shorewall start</b></font>", when you try to "<font color="#009900"><b>shorewall start</b></font>",
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions). </li> section for instructions). </li>
</ul> </ul>
<h3> </h3> <h3> </h3>
<ul> <ul>
<li> <li>
<h3><b>The list server limits posts to 120kb so don't post GIFs of <h3><b>The list server limits posts to 120kb so don't post GIFs of
your network layout, etc. to the Mailing List -- your your network layout, etc. to the Mailing List -- your
post will be rejected.</b></h3> post will be rejected.</b></h3>
</li> </li>
</ul> </ul>
The author gratefully acknowleges that the above list was heavily The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
<blockquote> </blockquote> <blockquote> </blockquote>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in list "for continuous abuse" because it has been my policy to allow HTML in
posts!!<br> list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control I think that blocking all HTML is a Draconian way to control
spam and that the ultimate losers here are not the spammers but the list spam and that the ultimate losers here are not the spammers but the
subscribers whose MTAs are bouncing all shorewall.net mail. As one list list subscribers whose MTAs are bouncing all shorewall.net mail. As
subscriber wrote to me privately "These e-mail admin's need to get a <i>(expletive one list subscriber wrote to me privately "These e-mail admin's need
deleted)</i> life instead of trying to rid the planet of HTML based e-mail". to get a <i>(expletive deleted)</i> life instead of trying to rid the
Nevertheless, to allow subscribers to receive list posts as must as possible, planet of HTML based e-mail". Nevertheless, to allow subscribers to receive
I have now configured the list server at shorewall.net to strip all HTML list posts as must as possible, I have now configured the list server
from outgoing posts.<br> at shorewall.net to strip all HTML from outgoing posts.<br>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
<blockquote> <blockquote>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
mailing list</a>.</span></h4> mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi Network Firewall <b>If you run Shorewall under MandrakeSoft Multi Network Firewall
(MNF) and you have not purchased an MNF license from MandrakeSoft then (MNF) and you have not purchased an MNF license from MandrakeSoft then
you can post non MNF-specific Shorewall questions to the </b><a you can post non MNF-specific Shorewall questions to the </b><a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a> <b>Do not expect to get free MNF support on the list.</b><br> list.</a> <b>Do not expect to get free MNF support on the list.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list.</a></p> list.</a></p>
</blockquote> </blockquote>
<p>To Subscribe to the mailing list go to <a <p>To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p> .</p>
<p align="left"><font size="2">Last Updated 2/3/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 2/4/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>
</body> </body>
</html> </html>