extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-28 16:39:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove 'check' command

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@472 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-02-25 19:24:41 +00:00
parent 27318e6785
commit 15607eeb96
9 changed files with 6116 additions and 6081 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3851
Shorewall-docs/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

196
Shorewall-docs/Install.htm
View File

@ -15,13 +15,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and <h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1> Upgrade</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -30,13 +30,13 @@
href="upgrade_issues.htm">Upgrade Issues</a></b></p> href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br> <a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br> </a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br> <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball<br> <a href="#Upgrade_Tarball">Upgrade using tarball<br>
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br> </a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br> <a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p> <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p> <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
@ -48,20 +48,20 @@
attempting to start Shorewall.</b></p> attempting to start Shorewall.</b></p>
<ul> <ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br> <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm <b>Note: </b>Some SuSE users have encountered a problem whereby rpm
reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed.
installed. If this happens, simply use the --nodeps option to rpm (rpm If this happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps
-ivh --nodeps &lt;shorewall rpm&gt;).</li> &lt;shorewall rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match <li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE
RESTORE NETWORK CONNECTIVITY.</b></font></li> NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
</ul> </ul>
@ -69,27 +69,27 @@ RESTORE NETWORK CONNECTIVITY.</b></font></li>
and install script: </p> and install script: </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the <li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li> directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a <li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type <li>If you are using <a href="http://www.suse.com">SuSe</a> then type
"./install.sh /etc/init.d"</li> "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script installs init scripts and type "./install.sh &lt;init script
directory&gt;</li> directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match <li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration.</li> your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be started <li>If the install script was unable to configure Shorewall to be started
automatically at boot, see <a automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li> href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
@ -99,122 +99,90 @@ directory&gt;</li>
disk, simply replace the "shorwall.lrp" file on the image with the file that disk, simply replace the "shorwall.lrp" file on the image with the file that
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p> Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p> and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
and you have entries in the /etc/shorewall/hosts file then please check or and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain for each interface mentioned in the hosts file. Also, there are certain 1.2
1.2 rule forms that are no longer supported under 1.3 (you must use the rule forms that are no longer supported under 1.4 (you must use the new
new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p>
details. You can check your rules and host file for 1.3 compatibility using
the "shorewall check" command after installing the latest version of 1.3.</p>
<ul> <ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs </b>If you are installing version 1.2.0 and have one of the 1.2.0
installed, you must use the "--oldpackage" option to rpm (e.g., "rpm Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby <p> <b>Note: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm is installed. If this happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br> -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
  </p>   </p>
</li> </li>
<li>See if there are any incompatibilities between your configuration <li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as necessary.</li> and the new Shorewall version and correct as necessary.</li>
<li>Restart the firewall (shorewall restart).</li> <li>Restart the firewall (shorewall restart).</li>
</ul> </ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed <p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
and are upgrading to a new version using the tarball:</p> are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file.  Also, there are certain
1.2 rule forms that are no longer supported under 1.3 (you must use the
new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
for details. You can check your rules and host file for 1.3 compatibility
using the "shorewall check" command after installing the latest version
of 1.3.</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and
you have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for
each interface mentioned in the hosts file.  Also, there are certain 1.2
rule forms that are no longer supported under 1.4 (you must use the new
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for
details. </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the <li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li> directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a <li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type <li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
"./install.sh /etc/init.d"</li> "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script installs init scripts and type "./install.sh &lt;init script
directory&gt;</li> directory&gt;</li>
<li>See if there are any incompatibilities between your configuration <li>Check your configuration for incompatibility with 1.4 as described
and the new Shorewall version (type "shorewall check") and correct as above.<br>
necessary.</li> </li>
<li>Restart the firewall by typing "shorewall restart"</li> <li>Restart the firewall by typing "shorewall restart"</li>
</ul> </ul>
<a name="LRP_Upgrade"></a>If you already have a running Bering installation <a name="LRP_Upgrade"></a>If you already have a running Bering
and wish to upgrade to a later version of Shorewall:<br> installation and wish to upgrade to a later version of Shorewall:<br>
<br> <br>
    <b>UNDER CONSTRUCTION...</b><br>     <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3> <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match <p>You will need to edit some or all of the configuration files to match
your setup. In most cases, the <a your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a> QuickStart Guides</a> contain all of the information you need.</p>
contain all of the information you need.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that
you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br>
</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) NAT a.k.a. Masquerading.</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use
by traffic control/shaping.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in
packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul> </ul>
<p><font size="2">Updated 1/24/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 1/30/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br> <br>
<br>
<br> <br>
<br> <br>
</body> </body>

2031
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

288
Shorewall-docs/configuration_file_basics.htm
View File

@ -17,20 +17,20 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1> <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your <p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u> configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a> href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p> before you use them with Shorewall.</b></p>
@ -40,56 +40,59 @@
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p> <p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to set <li>/etc/shorewall/shorewall.conf - used to set
several firewall parameters.</li> several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to set <li>/etc/shorewall/params - use this file to set
shell variables that you will expand in other files.</li> shell variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's <li>/etc/shorewall/zones - partition the firewall's
view of the world into <i>zones.</i></li> view of the world into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall <li>/etc/shorewall/policy - establishes firewall
high-level policy.</li> high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces <li>/etc/shorewall/interfaces - describes the interfaces
on the firewall system.</li> on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones <li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li> in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where <li>/etc/shorewall/masq - directs the firewall
to use many-to-one (dynamic) Network Address Translation (a.k.a. where to use many-to-one (dynamic) Network Address Translation
Masquerading) and Source Network Address Translation (SNAT).</li> (a.k.a. Masquerading) and Source Network Address Translation
<li>/etc/shorewall/modules - directs the firewall (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li> to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are <li>/etc/shorewall/rules - defines rules that are
exceptions to the overall policies established in /etc/shorewall/policy.</li> exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy <li>/etc/shorewall/proxyarp - defines use of Proxy
ARP.</li> ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 <li>/etc/shorewall/routestopped (Shorewall 1.3.4
and later) - defines hosts accessible when Shorewall is stopped.</li> and later) - defines hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of <li>/etc/shorewall/tcrules - defines marking of
packets for later use by traffic control/shaping or policy routing.</li> packets for later use by traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting <li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li> the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE <li>/etc/shorewall/tunnels - defines IPSEC, GRE
and IPIP tunnels with end-points on the firewall system.</li> and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted <li>/etc/shorewall/blacklist - lists blacklisted
IP/subnet/MAC addresses.</li> IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the <li>/etc/shorewall/init - commands that you wish to execute at the
beginning of a "shorewall start" or "shorewall restart".</li> beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at the <li>/etc/shorewall/start - commands that you wish to execute at the
completion of a "shorewall start" or "shorewall restart"</li> completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the <li>/etc/shorewall/stop - commands that you wish to execute at the
beginning of a "shorewall stop".</li> beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at the <li>/etc/shorewall/stopped - commands that you wish to execute at
completion of a "shorewall stop".<br> the completion of a "shorewall stop".</li>
</li> <li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN
- RFC 3168) to remote hosts or networks.<br>
</li>
</ul> </ul>
<h2><a name="Comments"></a>Comments</h2> <h2><a name="Comments"></a>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace <p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments at character a pound sign ("#"). You may also place comments
the end of any line, again by delimiting the comment from the rest at the end of any line, again by delimiting the comment from
of the line with a pound sign.</p> the rest of the line with a pound sign.</p>
<p>Examples:</p> <p>Examples:</p>
@ -111,43 +114,43 @@ beginning of a "shorewall stop".</li>
<p align="left"> </p> <p align="left"> </p>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u> <p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS names using DNS names in Shorewall configuration files. If you use DNS
and you are called out of bed at 2:00AM because Shorewall won't start names and you are called out of bed at 2:00AM because Shorewall won't
as a result of DNS problems then don't say that you were not forewarned. start as a result of DNS problems then don't say that you were not forewarned.
<br> <br>
</b></p> </b></p>
<p align="left"><b>    -Tom<br> <p align="left"><b>    -Tom<br>
</b></p> </b></p>
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall <p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
configuration files may be specified as either IP addresses or DNS configuration files may be specified as either IP addresses or DNS
Names.<br> Names.<br>
<br> <br>
DNS names in iptables rules aren't nearly as useful as they DNS names in iptables rules aren't nearly as useful as
first appear. When a DNS name appears in a rule, the iptables utility they first appear. When a DNS name appears in a rule, the iptables
resolves the name to one or more IP addresses and inserts those utility resolves the name to one or more IP addresses and inserts
addresses into the rule. So changes in the DNS-&gt;IP address relationship those addresses into the rule. So changes in the DNS-&gt;IP address
that occur after the firewall has started have absolutely no effect relationship that occur after the firewall has started have absolutely
on the firewall's ruleset. </p> no effect on the firewall's ruleset. </p>
<p align="left"> If your firewall rules include DNS names then:</p> <p align="left"> If your firewall rules include DNS names then:</p>
<ul> <ul>
<li>If your /etc/resolv.conf is wrong then your firewall <li>If your /etc/resolv.conf is wrong then your firewall
won't start.</li> won't start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall <li>If your /etc/nsswitch.conf is wrong then your firewall
won't start.</li> won't start.</li>
<li>If your Name Server(s) is(are) down then your firewall <li>If your Name Server(s) is(are) down then your firewall
won't start.</li> won't start.</li>
<li>If your startup scripts try to start your firewall <li>If your startup scripts try to start your firewall
before starting your DNS server then your firewall won't start.<br> before starting your DNS server then your firewall won't start.<br>
</li> </li>
<li>Factors totally outside your control (your ISP's router <li>Factors totally outside your control (your ISP's router
is down for example), can prevent your firewall from starting.</li> is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to starting <li>You must bring up your network interfaces prior to
your firewall.<br> starting your firewall.<br>
</li> </li>
</ul> </ul>
@ -155,62 +158,62 @@ before starting your DNS server then your firewall won't start.<br>
of two periods (although one may be trailing). This restriction is of two periods (although one may be trailing). This restriction is
imposed by Shorewall to insure backward compatibility with existing imposed by Shorewall to insure backward compatibility with existing
configuration files.<br> configuration files.<br>
<br> <br>
Examples of valid DNS names:<br> Examples of valid DNS names:<br>
</p> </p>
<ul> <ul>
<li>mail.shorewall.net</li> <li>mail.shorewall.net</li>
<li>shorewall.net. (note the trailing period).</li> <li>shorewall.net. (note the trailing period).</li>
</ul> </ul>
Examples of invalid DNS names:<br> Examples of invalid DNS names:<br>
<ul> <ul>
<li>mail (not fully qualified)</li> <li>mail (not fully qualified)</li>
<li>shorewall.net (only one period)</li> <li>shorewall.net (only one period)</li>
</ul> </ul>
DNS names may not be used as:<br> DNS names may not be used as:<br>
<ul> <ul>
<li>The server address in a DNAT rule (/etc/shorewall/rules <li>The server address in a DNAT rule (/etc/shorewall/rules
file)</li> file)</li>
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li> <li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
<li>In the /etc/shorewall/nat file.</li> <li>In the /etc/shorewall/nat file.</li>
</ul> </ul>
These restrictions are not imposed by Shorewall simply for These restrictions are not imposed by Shorewall simply
your inconvenience but are rather limitations of iptables.<br> for your inconvenience but are rather limitations of iptables.<br>
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2> <h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can <p>Where specifying an IP address, a subnet or an interface, you can
precede the item with "!" to specify the complement of the item. For precede the item with "!" to specify the complement of the item. For
example, !192.168.1.4 means "any host but 192.168.1.4". There must example, !192.168.1.4 means "any host but 192.168.1.4". There must be
be no white space following the "!".</p> no white space following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2> <h2><a name="Lists"></a>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the <p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p> configuration files. A comma separated list:</p>
<ul> <ul>
<li>Must not have any embedded white space.<br> <li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br> Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,     dhcp,     norfc1818</li> Invalid: routefilter,     dhcp,     norfc1818</li>
<li>If you use line continuation to break a comma-separated <li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or list, the continuation line(s) must begin in column 1 (or
there would be embedded white space)</li> there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear <li>Entries in a comma-separated list may appear
in any order.</li> in any order.</li>
</ul> </ul>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2> <h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use <p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p> either an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2> <h2><a name="Ranges"></a>Port Ranges</h2>
@ -218,16 +221,16 @@ in any order.</li>
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example, port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to if you want to forward the range of tcp ports 4000 through 4100 to
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br> local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p> </p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre> <pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you omit If you omit the low port number, a value of zero is assumed; if you omit
the high port number, a value of 65535 is assumed.<br> the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2> <h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables <p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p> that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font <p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally size="1"> </font>to distinguish them from variables used internally
@ -238,28 +241,28 @@ the high port number, a value of 65535 is assumed.<br>
<blockquote> <blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre> <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
</blockquote> </blockquote>
<p><br> <p><br>
Example (/etc/shorewall/interfaces record):</p> Example (/etc/shorewall/interfaces record):</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre> <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote> </blockquote>
</font> </font>
<p>The result will be the same as if the record had been written</p> <p>The result will be the same as if the record had been written</p>
<font <font
face="Century Gothic, Arial, Helvetica"> face="Century Gothic, Arial, Helvetica">
<blockquote> <blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre> <pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
</blockquote> </blockquote>
</font> </font>
<p>Variables may be used anywhere in the other configuration <p>Variables may be used anywhere in the other configuration
@ -268,40 +271,40 @@ the high port number, a value of 65535 is assumed.<br>
<h2><a name="MAC"></a>Using MAC Addresses</h2> <h2><a name="MAC"></a>Using MAC Addresses</h2>
<p>Media Access Control (MAC) addresses can be used to specify packet <p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this source in several of the configuration files. To use this feature,
feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p> included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a <p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br> unique MAC address.<br>
<br> <br>
In GNU/Linux, MAC addresses are usually written as In GNU/Linux, MAC addresses are usually written as
a series of 6 hex numbers separated by colons. Example:<br> a series of 6 hex numbers separated by colons. Example:<br>
<br> <br>
     [root@gateway root]# ifconfig eth0<br>      [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>      eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
     inet addr:206.124.146.176 Bcast:206.124.146.255      inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br> Mask:255.255.255.0<br>
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
     RX packets:2398102 errors:0 dropped:0 overruns:0      RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br> frame:0<br>
     TX packets:3044698 errors:0 dropped:0 overruns:0      TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br> carrier:0<br>
     collisions:30394 txqueuelen:100<br>      collisions:30394 txqueuelen:100<br>
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221      RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br> (1582.8 Mb)<br>
     Interrupt:11 Base address:0x1800<br>      Interrupt:11 Base address:0x1800<br>
<br> <br>
Because Shorewall uses colons as a separator for address Because Shorewall uses colons as a separator for
fields, Shorewall requires MAC addresses to be written in another address fields, Shorewall requires MAC addresses to be written
way. In Shorewall, MAC addresses begin with a tilde ("~") and in another way. In Shorewall, MAC addresses begin with a tilde
consist of 6 hex numbers separated by hyphens. In Shorewall, the ("~") and consist of 6 hex numbers separated by hyphens. In Shorewall,
MAC address in the example above would be written "~02-00-08-E3-FA-55".<br> the MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
</p> </p>
<p><b>Note: </b>It is not necessary to use the special Shorewall notation <p><b>Note: </b>It is not necessary to use the special Shorewall notation
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br> in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
</p> </p>
<h2><a name="Levels"></a>Shorewall Configurations</h2> <h2><a name="Levels"></a>Shorewall Configurations</h2>
@ -310,34 +313,35 @@ MAC address in the example above would be written "~02-00-08-E3-FA-55
and restart</a> commands allow you to specify an alternate configuration and restart</a> commands allow you to specify an alternate configuration
directory and Shorewall will use the files in the alternate directory directory and Shorewall will use the files in the alternate directory
rather than the corresponding files in /etc/shorewall. The alternate rather than the corresponding files in /etc/shorewall. The alternate
directory need not contain a complete configuration; those files not directory need not contain a complete configuration; those files not in
in the alternate directory will be read from /etc/shorewall.</p> the alternate directory will be read from /etc/shorewall.</p>
<p> This facility permits you to easily create a test or temporary configuration <p> This facility permits you to easily create a test or temporary configuration
by:</p> by:</p>
<ol> <ol>
<li> copying the files that need modification from <li> copying the files that need modification
/etc/shorewall to a separate directory;</li> from /etc/shorewall to a separate directory;</li>
<li> modify those files in the separate directory; <li> modify those files in the separate directory;
and</li> and</li>
<li> specifying the separate directory in a shorewall <li> specifying the separate directory in a shorewall
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig start or shorewall restart command (e.g., <i><b>shorewall -c
restart</b></i> ).</li> /etc/testconfig restart</b></i> ).</li>
</ol> </ol>
<p><font size="2"> Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 2/24/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>

205
Shorewall-docs/mailing_list.htm
View File

@ -25,9 +25,9 @@
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle" align="left"> <td width="33%" valign="middle" align="left">
@ -35,99 +35,103 @@
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a></h1> </a></h1>
<a <a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a> </a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p> <p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td> </td>
<td valign="middle" width="34%" align="center"> <td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <a <td valign="middle" width="33%"> <a
href="http://www.postfix.org/"> <img href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115" src="images/small-picture.gif" align="right" border="0" width="115"
height="45" alt="(Postfix Logo)"> height="45" alt="(Postfix Logo)">
</a><br> </a><br>
<div align="left"><a href="http://www.spamassassin.org"><img <div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right" src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0"> border="0">
</a> </div> </a> </div>
<br> <br>
<div align="right"><br> <div align="right"><br>
<b><font color="#ffffff"><br> <b><font color="#ffffff"><br>
Powered by Postfix    </font></b><br> Powered by Postfix    </font></b><br>
</div> </div>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="http://www.shorewall.net/support.htm">Shorewall Support
Guide</a>.<br>
</h1>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep <p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p> at hp dot com.</p>
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a <h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br> at shorewall.net checks incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a> <li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li> </li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX <li>to verify that the sender's domain has an A or MX
record in DNS.</li> record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command <li>to ensure that the host name in the HELO/EHLO command
is a valid fully-qualified DNS name that resolves.</li> is a valid fully-qualified DNS name that resolves.</li>
</ol> </ol>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in "for continuous abuse" because it has been my policy to allow HTML in
list posts!!<br> list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control spam I think that blocking all HTML is a Draconian way to control
and that the ultimate losers here are not the spammers but the list spam and that the ultimate losers here are not the spammers but the
subscribers whose MTAs are bouncing all shorewall.net mail. As one list list subscribers whose MTAs are bouncing all shorewall.net mail. As
subscriber wrote to me privately "These e-mail admin's need to get a <i>(explitive one list subscriber wrote to me privately "These e-mail admin's need to
deleted)</i> life instead of trying to rid the planet of HTML based e-mail". get a <i>(explitive deleted)</i> life instead of trying to rid the planet
Nevertheless, to allow subscribers to receive list posts as must as possible, of HTML based e-mail". Nevertheless, to allow subscribers to receive list
I have now configured the list server at shorewall.net to strip all HTML posts as must as possible, I have now configured the list server at shorewall.net
from outgoing posts. This means that HTML-only posts will be bounced by to strip all HTML from outgoing posts. This means that HTML-only posts
the list server.<br> will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your e-mail If you find that you are missing an occasional list post, your
admin may be blocking mail whose <i>Received:</i> headers contain the e-mail admin may be blocking mail whose <i>Received:</i> headers contain
names of certain ISPs. Again, I believe that such policies hurt more than the names of certain ISPs. Again, I believe that such policies hurt more
they help but I'm not prepared to go so far as to start stripping <i>Received:</i> than they help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br> headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
@ -140,13 +144,13 @@ they help but I'm not prepared to go so far as to start stripping <i>Received:<
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
@ -156,47 +160,47 @@ they help but I'm not prepared to go so far as to start stripping <i>Received:<
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" </font> <input type="hidden" name="config"
value="htdig"> <input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the <h2 align="left"><font color="#ff0000">Please do not try to download the entire
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
won't stand the traffic. If I catch you, you will be blacklisted.<br> stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline If you want to trust X.509 certificates issued by Shoreline
Firewall (such as the one used on my web site), you may <a Firewall (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then in your browser. If you don't wish to trust my certificates then
you can either use unencrypted access when subscribing to Shorewall you can either use unencrypted access when subscribing to Shorewall
mailing lists or you can use secure access (SSL) and accept the server's mailing lists or you can use secure access (SSL) and accept the server's
certificate when prompted by your browser.<br> certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2> <h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users <p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also posted of general interest to the Shorewall user community is also posted
to this list.</p> to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see <p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem reporting the <a href="http://www.shorewall.net/support.htm">problem reporting
guidelines</a>.</b></p> guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users" href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
@ -208,45 +212,45 @@ to this list.</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at <p align="left">Note that prior to 1/1/2002, the mailing list was hosted
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
may be found at <a list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br> Shorewall community. To subscribe:<br>
</p> </p>
<p align="left"></p> <p align="left"></p>
<ul> <ul>
<li><b>Insecure:</b> <a <li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a <li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul> </ul>
<p align="left"><br> <p align="left"><br>
The list archives are at <a The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for <p align="left">The Shorewall Development Mailing list provides a forum for
the exchange of ideas about the future of Shorewall and for coordinating the exchange of ideas about the future of Shorewall and for coordinating
ongoing Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel" href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
@ -259,33 +263,33 @@ may be found at <a
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of <h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
the Mailing Lists</h2> the Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing <p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists although Mailman 2.1 has attempted to from Mailman-managed lists although Mailman 2.1 has attempted
make this less confusing. To unsubscribe:</p> to make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a
reminder, or change your subscription options enter your subscription password reminder, or change your subscription options enter
email address:". Enter your email address in the box and your subscription email address:". Enter your email address
click on the "<b>Unsubscribe</b> or edit options" button.</p> in the box and click on the "<b>Unsubscribe</b> or edit options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed there is another button that will cause your password to be emailed
to you.</p> to you.</p>
</li> </li>
</ul> </ul>
@ -294,12 +298,13 @@ click on the "<b>Unsubscribe</b> or edit options" button.</p>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p> <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 2/18/2003 - <a <p align="left"><font size="2">Last updated 2/24/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p> href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
</body> </body>

251
Shorewall-docs/seattlefirewall_index.htm
View File

@ -15,8 +15,8 @@
<base target="_self"> <base
target="_self">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
@ -28,11 +28,11 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
@ -48,9 +48,10 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall </a></i></font><font
1.4 - <font size="4">"<i>iptables made color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables
easy"</i></font></font></h1> made easy"</i></font></font></h1>
@ -65,13 +66,13 @@
href="http://shorewall.sf.net/1.3/index.html" target="_top"><font href="http://shorewall.sf.net/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a><br> color="#ffffff">Shorewall 1.3 Site here</font></a><br>
</div> </div>
<br> <br>
</td> </td>
</tr> </tr>
@ -92,11 +93,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -137,25 +138,25 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms it under the terms
of <a href="http://www.gnu.org/licenses/gpl.html">Version 2 of <a href="http://www.gnu.org/licenses/gpl.html">Version
of the GNU General Public License</a> as published by the Free Software 2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, but in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty WITHOUT ANY WARRANTY; without even the implied
of MERCHANTABILITY or FITNESS FOR A PARTICULAR warranty of MERCHANTABILITY or FITNESS FOR A
PURPOSE. See the GNU General Public License PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br> for more details.<br>
<br> <br>
You should have received a You should have received
copy of the GNU General Public License a copy of the GNU General Public License
along with this program; if not, write to the along with this program; if not, write to the
Free Software Foundation, Inc., 675 Mass Free Software Foundation, Inc., 675 Mass
Ave, Cambridge, MA 02139, USA</p> Ave, Cambridge, MA 02139, USA</p>
@ -186,17 +187,17 @@ Ave, Cambridge, MA 02139, USA</p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and </a>Jacques Nilo and
Eric Wolzak have a LEAF (router/firewall/gateway Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution called on a floppy, CD or compact flash) distribution called
<i>Bering</i> that features Shorewall-1.3.14 <i>Bering</i> that features Shorewall-1.3.14
and Kernel-2.4.20. You can find their work at: and Kernel-2.4.20. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering <p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.1!!!</b><br> 1.1!!!</b><br>
</p> </p>
@ -248,95 +249,100 @@ Ave, Cambridge, MA 02139, USA</p>
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img <p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p></p> <p></p>
Shorewall 1.4 represents the next step in the evolution of Shorewall. Shorewall 1.4 represents the next step in the evolution of Shorewall.
The main thrust of the initial release is simply to remove the cruft that The main thrust of the initial release is simply to remove the cruft that
has accumulated in Shorewall over time. <br> has accumulated in Shorewall over time. <br>
<b>IMPORTANT: Shorewall 1.4.0 <u>REQUIRES</u></b> <b>the iproute package <b>IMPORTANT: Shorewall 1.4.0 <u>REQUIRES</u></b> <b>the iproute
('ip' utility).</b><br> package ('ip' utility).</b><br>
<br> <br>
Function from 1.3 that has been omitted from this version include:<br> Function from 1.3 that has been omitted from this version include:<br>
<ol> <ol>
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported. <li>The "check" command is no longer supported.<br>
<br>
</li>
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br> Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br>
<br>
</li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
no longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br> <br>
</li> </li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; <li>The icmp.def file has been removed.<br>
in /etc/shorewall/interfaces now generate an error.<br> <br>
<br> </li>
</li> <li value="8">The 'multi' interface option is no longer supported.
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.  Shorewall will generate rules for sending packets back out the same interface
OLD_PING_HANDLING=Yes will generate an error at startup as will specification that they arrived on in two cases:</li>
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
<br>
</li>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same interface
that they arrived on in two cases:</li>
</ol> </ol>
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to or <li>There is an <u>explicit</u> policy for the source zone to
from the destination zone. An explicit policy names both zones and does not or from the destination zone. An explicit policy names both zones and does
use the 'all' reserved word.</li> not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone <li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and DESTINATION the rule must be explicit - it must name the zone in both the SOURCE and
columns.<br> DESTINATION columns.<br>
</li> </li>
</ul> </ul>
<ol> <ol>
</ol> </ol>
Changes for 1.4 include:<br> Changes for 1.4 include:<br>
<ol> <ol>
<li>The /etc/shorewall/shorewall.conf file has been completely <li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br> reorganized into logical sections.<br>
<br> <br>
</li> </li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br> <li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br> <br>
</li> </li>
<li>The firewall script and version file are now installed in <li>The firewall script and version file are now installed
/usr/share/shorewall.<br> in /usr/share/shorewall.<br>
<br> <br>
</li> </li>
<li>Late arriving DNS replies are now silently dropped in the <li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br> common chain by default.<br>
<br> <br>
</li> </li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want 1.4 no longer unconditionally accepts outbound ICMP packets. So if you
to 'ping' from the firewall, you will need the appropriate rule or policy.<br> want to 'ping' from the firewall, you will need the appropriate rule or
<br> policy.<br>
</li> <br>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i> </li>
now support the 'maclist' option.<br> <li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
</li> now support the 'maclist' option.<br>
</li>
</ol> </ol>
@ -347,6 +353,7 @@ now support the 'maclist' option.<br>
</ul> </ul>
@ -371,13 +378,13 @@ now support the 'maclist' option.<br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" <td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td> href="http://sourceforge.net">M</a></td>
</tr> </tr>
@ -388,9 +395,9 @@ now support the 'maclist' option.<br>
</table> </table>
</center> </center>
</div> </div>
@ -399,11 +406,11 @@ now support the 'maclist' option.<br>
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
@ -418,7 +425,7 @@ now support the 'maclist' option.<br>
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
  </a></p>   </a></p>
@ -432,13 +439,13 @@ now support the 'maclist' option.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
@ -454,8 +461,10 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>

89
Shorewall-docs/shoreline.htm
View File

@ -18,50 +18,50 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/TomNTarry.png" <p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="316" height="392"> alt="Tom on the PCT - 1991" width="316" height="392">
</p> </p>
<p align="center">Tarry &amp; Tom -- August 2002<br> <p align="center">Tarry &amp; Tom -- August 2002<br>
<br> <br>
</p> </p>
<ul> <ul>
<li>Born 1945 in <a <li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li> href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li> State University</a> 1967</li>
<li>MA Mathematics from <a <li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li> href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - (now part of the <a href="http://www.hp.com">The New HP</a>) 1980
present</li> - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation <p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p> operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known ipchains and developed the scripts which are now collectively known as
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
Expanding on what I learned from Seattle Firewall, I then designed on what I learned from Seattle Firewall, I then designed and
and wrote Shorewall. </p> wrote Shorewall. </p>
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline, <p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
Washington</a> where I live with my wife Tarry. </p> Washington</a> where I live with my wife Tarry. </p>
@ -69,27 +69,27 @@ and wrote Shorewall. </p>
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp;
20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
Serves as a PPTP server for Road Warrior access. Dual boots <a Serves as a PPTP server for Road Warrior access. Dual boots <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li> href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as NIC - My personal Linux System which runs Samba configured as a
a WINS server. This system also has <a WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run href="http://www.vmware.com/">VMware</a> installed and can run both
both <a href="http://www.debian.org">Debian Woody</a> and <a <a href="http://www.debian.org">Debian Woody</a> and <a
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li> href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
DNS server (Bind 9).</li> DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 <li>PII/233, RH8.0, Kernel 2.4.20, 256MB MB RAM, 2GB SCSI
LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.4.0 HD - 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
Alpha 2  and a DHCP server.</li> 1.4.0 and a DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC
My wife's personal system.</li> - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My
work system.</li> main work system.</li>
</ul> </ul>
@ -100,25 +100,26 @@ My wife's personal system.</li>
<p><a href="http://www.redhat.com"><img border="0" <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31"> src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0" </a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"> src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0" </a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31"> src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img </a><font size="4"><a href="http://www.apache.org"><img
border="0" src="images/apache_pb1.gif" hspace="2" width="170" border="0" src="images/apache_pb1.gif" hspace="2" width="170"
height="20"> height="20">
</a><a href="http://www.mandrakelinux.com"><img </a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90" src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32"> height="32">
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall" </a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
width="125" height="40" hspace="4"> width="125" height="40" hspace="4">
</font></p> </font></p>
<p><font size="2">Last updated 2/18/2003 - </font><font size="2"> <a <p><font size="2">Last updated 2/23/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font <font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
M. Eastep.</font></a></font><br> M. Eastep.</font></a></font><br>
<br>
<br> <br>
<br> <br>
</body> </body>

254
Shorewall-docs/sourceforge_index.htm
View File

@ -15,8 +15,8 @@
<base
target="_self"> <base target="_self">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
@ -28,11 +28,11 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
@ -49,7 +49,7 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font </a></i></font><font
color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables color="#ffffff">Shorewall 1.4 - <font size="4">"<i>iptables
made easy"</i></font></font><a made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1> href="http://www.sf.net"> </a></h1>
@ -67,8 +67,8 @@
<div align="center"><a href="/1.3/index.html" target="_top"><font <div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div> color="#ffffff">Shorewall 1.3 Site here</font></a></div>
</td> </td>
</tr> </tr>
@ -87,11 +87,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -116,11 +116,12 @@
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is <p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system, based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone GNU/Linux a multi-function gateway/router/server or on a standalone
system.</p> GNU/Linux system.</p>
@ -134,27 +135,27 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms it under the terms
of <a href="http://www.gnu.org/licenses/gpl.html">Version of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software 2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, but in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A warranty of MERCHANTABILITY or FITNESS FOR
PARTICULAR PURPOSE. See the GNU General Public License A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br> for more details.<br>
<br> <br>
You should have received You should have received
a copy of the GNU General Public License a copy of the GNU General Public License
along with this program; if not, write to along with this program; if not, write to
the Free Software Foundation, Inc., 675 the Free Software Foundation, Inc., 675 Mass
Mass Ave, Cambridge, MA 02139, USA</p> Ave, Cambridge, MA 02139, USA</p>
@ -184,20 +185,20 @@ Mass Ave, Cambridge, MA 02139, USA</p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo </a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b> <b>
</b> </b>
<b>Congratulations to Jacques and Eric <b>Congratulations to Jacques and Eric
on the recent release of Bering 1.1!!!</b><br> on the recent release of Bering 1.1!!!</b><br>
<h2>News</h2> <h2>News</h2>
@ -217,99 +218,102 @@ on the recent release of Bering 1.1!!!</b><br>
<p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img <p><b>3/14/2003 - Shorewall 1.4.0</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
Shorewall 1.4 represents the Shorewall 1.4 represents the
next step in the evolution of Shorewall. The main thrust of the initial release next step in the evolution of Shorewall. The main thrust of the initial
is simply to remove the cruft that has accumulated in Shorewall over time. release is simply to remove the cruft that has accumulated in Shorewall
<br> over time. <br>
<b>IMPORTANT: Shorewall 1.4.0 <u>REQUIRES</u></b> <b>the iproute package <b>IMPORTANT: Shorewall 1.4.0 <u>REQUIRES</u></b> <b>the iproute package
('ip' utility).</b><br> ('ip' utility).</b><br>
<br> <br>
Function from 1.3 that has been omitted from this version include:<br> Function from 1.3 that has been omitted from this version include:<br>
<ol> <ol>
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported. <li>The "check" command is no longer supported.<br>
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br> <br>
<br> </li>
</li> <li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br> in /etc/shorewall/interfaces now generate an error.<br>
<br> <br>
</li> </li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. <li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br> of the 'noping' or 'filterping' interface options.<br>
<br> <br>
</li> </li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces <li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br> an error at startup if specified.<br>
<br> <br>
</li> </li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is
longer accepted.<br> no longer accepted.<br>
<br> <br>
</li> </li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer <li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br> supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
<br> <br>
</li> </li>
<li>The icmp.def file has been removed.<br> <li value="8">The 'multi' interface option is no longer supported.
<br>  Shorewall will generate rules for sending packets back out the same interface
</li> that they arrived on in two cases:</li>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same interface
that they arrived on in two cases:</li>
</ol> </ol>
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to or <li>There is an <u>explicit</u> policy for the source zone to or
from the destination zone. An explicit policy names both zones and does not from the destination zone. An explicit policy names both zones and does
use the 'all' reserved word.</li> not use the 'all' reserved word.</li>
<li>There are one or more rules for traffic for the source zone <li>There are one or more rules for traffic for the source zone
to or from the destination zone including rules that use the 'all' reserved to or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and DESTINATION the rule must be explicit - it must name the zone in both the SOURCE and
columns.</li> DESTINATION columns.</li>
</ul> </ul>
<ul> <ul>
</ul> </ul>
Changes for 1.4 include:<br> Changes for 1.4 include:<br>
<ol> <ol>
<li>The /etc/shorewall/shorewall.conf file has been completely <li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br> reorganized into logical sections.<br>
<br> <br>
</li> </li>
<li>LOG and CONTINUE are now a valid actions for a rule (/etc/shorewall/rules).<br> <li>LOG and CONTINUE are now a valid actions for a rule (/etc/shorewall/rules).<br>
<br> <br>
</li> </li>
<li>The firewall script and version file are now installed in <li>The firewall script and version file are now installed in
/usr/share/shorewall.<br> /usr/share/shorewall.<br>
<br> <br>
</li> </li>
<li>Late arriving DNS replies are now silently dropped in the <li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br> common chain by default.<br>
<br> <br>
</li> </li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall <li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you want 1.4 no longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or policy.<br> to 'ping' from the firewall, you will need the appropriate rule or policy.<br>
<br> <br>
</li> </li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i> <li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br> now support the 'maclist' option.<br>
<br> <br>
</li> </li>
</ol> </ol>
<p></p> <p></p>
<b> </b> <b> </b>
@ -361,7 +365,7 @@ now support the 'maclist' option.<br>
<h1 align="center"><a href="http://www.sf.net"><img align="left" <h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1> </a></h1>
@ -383,16 +387,17 @@ now support the 'maclist' option.<br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" <td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br> bgcolor="#4b017c" valign="top" align="center"> <br>
</td> </td>
</tr> </tr>
@ -403,9 +408,9 @@ now support the 'maclist' option.<br>
</table> </table>
</center> </center>
</div> </div>
@ -414,11 +419,11 @@ now support the 'maclist' option.<br>
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
@ -434,7 +439,7 @@ now support the 'maclist' option.<br>
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
@ -447,15 +452,15 @@ now support the 'maclist' option.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free
if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
@ -469,10 +474,9 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 2/24/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
</body> </body>
</html> </html>

328
Shorewall-docs/starting_and_stopping_shorewall.htm
View File

@ -20,18 +20,18 @@
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1> the Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -41,13 +41,13 @@
<p> If you have a permanent internet connection such as DSL or Cable, <p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once I recommend that you start the firewall automatically at boot.
you have installed "firewall" in your init.d directory, simply type Once you have installed "firewall" in your init.d directory, simply
"chkconfig --add firewall". This will start the firewall in run type "chkconfig --add firewall". This will start the firewall
levels 2-5 and stop it in run levels 1 and 6. If you want to configure in run levels 2-5 and stop it in run levels 1 and 6. If you want
your firewall differently from this default, you can use the "--level" to configure your firewall differently from this default, you can
option in chkconfig (see "man chkconfig") or using your favorite use the "--level" option in chkconfig (see "man chkconfig") or using
graphical run-level editor.</p> your favorite graphical run-level editor.</p>
@ -57,17 +57,17 @@
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br> <p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p> </p>
<ol> <ol>
<li>Shorewall startup is disabled by default. Once you have configured <li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and Note: Users of the .deb package must edit /etc/default/shorewall and
set 'startup=1'.<br> set 'startup=1'.<br>
</li> </li>
<li>If you use dialup, you may want to start the firewall in <li>If you use dialup, you may want to start the firewall
your /etc/ppp/ip-up.local script. I recommend just placing "shorewall in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
restart" in that script.</li> restart" in that script.</li>
</ol> </ol>
@ -78,24 +78,27 @@ set 'startup=1'.<br>
<p> You can manually start and stop Shoreline Firewall using the "shorewall" <p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p> shell program: </p>
<ul> <ul>
<li>shorewall start - starts the firewall</li> <li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li> <li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's <li>shorewall restart - stops the firewall (if it's
running) and then starts it again</li> running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters <li>shorewall reset - reset the packet and byte counters
in the firewall</li> in the firewall</li>
<li>shorewall clear - remove all rules and chains <li>shorewall clear - remove all rules and chains
installed by Shoreline Firewall</li> installed by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast <li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li> addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a
href="traffic_shaping.htm">traffic control rules</a> and <a
href="ECN.html">ECN control rules</a>.</li>
</ul> </ul>
If you include the keyword <i>debug</i> as the first argument, then a If you include the keyword <i>debug</i> as the first argument, then
shell trace of the command is produced as in:<br> a shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre> <pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
@ -104,127 +107,120 @@ shell trace of the command is produced as in:<br>
<p>The above command would trace the 'start' command and place the trace <p>The above command would trace the 'start' command and place the trace
information in the file /tmp/trace<br> information in the file /tmp/trace<br>
</p> </p>
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the <p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
bottom of this page.<br> bottom of this page.<br>
</p> </p>
<p>The "shorewall" program may also be used to monitor the firewall.</p> <p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul> <ul>
<li>shorewall status - produce a verbose report about the firewall <li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li> (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <li>shorewall show <i>chain</i> - produce a verbose report
<i>chain </i>(iptables -L <i>chain</i> -n -v)</li> about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat <li>shorewall show nat - produce a verbose report about the
table (iptables -t nat -L -n -v)</li> nat table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle <li>shorewall show tos - produce a verbose report about the
table (iptables -t mangle -L -n -v)</li> mangle table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li> <li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections <li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li> currently being tracked by the firewall.</li>
<li>shorewall <li>shorewall
show show
tc - displays information tc - displays
about the traffic control/shaping configuration.</li> information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall <li>shorewall monitor [ delay ] - Continuously display the
status, last 20 log entries and nat. When the log entry display firewall status, last 20 log entries and nat. When the log
changes, an audible alarm is sounded.</li> entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall <li>shorewall hits - Produces several reports about the Shorewall
packet log messages in the current /var/log/messages file.</li> packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li> <li>shorewall version - Displays the installed version
<li>shorewall check - Performs a <u>cursory</u> validation number.</li>
of the zones, interfaces, hosts, rules and policy files. <font <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
size="4" color="#ff6666"><b>The "check" command does not parse and validate ] - Restart shorewall using the specified configuration and if an
the generated iptables commands so even though the "check" command error occurs or if the<i> timeout </i> option is given and the new configuration
completes successfully, the configuration may fail to start. See the
recommended way to make configuration changes described below. </b></font>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if an
error occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using has been up for that many seconds then shorewall is restarted using
the standard configuration.</li> the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall <li>shorewall deny, shorewall reject, shorewall accept and
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li> shorewall save implement <a href="blacklisting_support.htm">dynamic
<li>shorewall logwatch (added in version 1.3.2) - Monitors the blacklisting</a>.</li>
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new <li>shorewall logwatch (added in version 1.3.2) - Monitors
Shorewall messages are logged.</li> the <a href="#Conf">LOGFILE </a>and produces an audible alarm when
new Shorewall messages are logged.</li>
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter the Finally, the "shorewall" program may be used to dynamically alter
contents of a zone.<br> the contents of a zone.<br>
<ul> <ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
the specified interface (and host if included) to the specified zone.</li> Adds the specified interface (and host if included) to the specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
Deletes the specified interface (and host if included) from the specified Deletes the specified interface (and host if included) from the specified
zone.</li> zone.</li>
</ul> </ul>
<blockquote>Examples:<br> <blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font> <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font> <font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br> -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
</blockquote>
</blockquote> </blockquote>
</blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and <p> The <b>shorewall start</b>, <b>shorewall restart, </b>and <b>shorewall
<b>shorewall try </b>commands allow you to specify which <a try </b>commands allow you to specify which <a
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a> href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p> to use:</p>
<blockquote> <blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br> <p> shorewall [ -c <i>configuration-directory</i> ] {start|restart}<br>
shorewall try <i>configuration-directory</i></p> shorewall try <i>configuration-directory</i></p>
</blockquote> </blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall <p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i> is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
. If the file is present in the <i>configuration-directory</i>, that . If the file is present in the <i>configuration-directory</i>, that
file will be used; otherwise, the file in /etc/shorewall will be used.</p> file will be used; otherwise, the file in /etc/shorewall will be used.</p>
<p> When changing the configuration of a production firewall, I recommend <p> When changing the configuration of a production firewall, I recommend
the following:</p> the following:</p>
<ul> <ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li> <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li> <li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change from /etc/shorewall <li>&lt;copy any files that you need to change from
to . and change them here&gt;</li> /etc/shorewall to . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li> <li><font color="#009900"><b>/sbin/shorewall
try .</b></font></li>
<li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul> </ul>
<p> If the configuration starts but doesn't work, just "shorewall restart" <p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to to restore the old configuration. If the new configuration fails to
start, the "try" command will automatically start the old one for you.</p> start, the "try" command will automatically start the old one for you.</p>
@ -236,11 +232,11 @@ start, the "try" command will automatically start the old one for you.</p>
<ul> <ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li> <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li> <li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li> <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul> </ul>
@ -248,82 +244,84 @@ start, the "try" command will automatically start the old one for you.</p>
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br> <p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
</p> </p>
<div align="center"><img src="images/State_Diagram.png" <div align="center"><img src="images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle"> alt="(State Diagram)" width="747" height="714" align="middle">
<br> <br>
</div> </div>
<p>  <br> <p>  <br>
</p> </p>
You will note that the commands that result in state transitions use You will note that the commands that result in state transitions use
the word "firewall" rather than "shorewall". That is because the actual transitions the word "firewall" rather than "shorewall". That is because the actual
are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall on transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
Debian); /sbin/shorewall runs 'firewall" according to the following table:<br> on Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
<br> <br>
<table cellpadding="2" cellspacing="2" border="1"> <table cellpadding="2" cellspacing="2" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top">shorewall start<br> <td valign="top">shorewall start<br>
</td> </td>
<td valign="top">firewall start<br> <td valign="top">firewall start<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall stop<br> <td valign="top">shorewall stop<br>
</td> </td>
<td valign="top">firewall stop<br> <td valign="top">firewall stop<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall restart<br> <td valign="top">shorewall restart<br>
</td> </td>
<td valign="top">firewall restart<br> <td valign="top">firewall restart<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall add<br> <td valign="top">shorewall add<br>
</td> </td>
<td valign="top">firewall add<br> <td valign="top">firewall add<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall delete<br> <td valign="top">shorewall delete<br>
</td> </td>
<td valign="top">firewall delete<br> <td valign="top">firewall delete<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall refresh<br> <td valign="top">shorewall refresh<br>
</td> </td>
<td valign="top">firewall refresh<br> <td valign="top">firewall refresh<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">shorewall try<br> <td valign="top">shorewall try<br>
</td> </td>
<td valign="top">firewall -c &lt;new configuration&gt; restart<br> <td valign="top">firewall -c &lt;new configuration&gt; restart<br>
If unsuccessful then firewall start (standard configuration)<br> If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br> If timeout then firewall restart (standard configuration)<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
<p><font size="2"> Updated 2/10/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2"> Updated 2/10/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>